# API Reference
## Constructs
### Firewall
- *Implements:* IFirewall
Defines a Network Firewall in the Stack.
#### Initializers
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
new Firewall(scope: Construct, id: string, props: FirewallProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | FirewallProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Required
- *Type:* FirewallProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
| addLoggingConfigurations | Add a Logging Configuration to the Firewall. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
##### `addLoggingConfigurations`
```typescript
public addLoggingConfigurations(configurationName: string, logLocations: ILogLocation[]): LoggingConfiguration
```
Add a Logging Configuration to the Firewall.
###### `configurationName`Required
- *Type:* string
The Name of the Logging configuration type.
---
###### `logLocations`Required
- *Type:* ILogLocation[]
An array of Log Locations.
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromFirewallArn | Reference an existing Network Firewall, defined outside of the CDK code, by arn. |
| fromFirewallName | Reference an existing Network Firewall, defined outside of the CDK code, by name. |
---
##### ~~`isConstruct`~~
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
Firewall.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
Firewall.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
Firewall.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromFirewallArn`
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
Firewall.fromFirewallArn(scope: Construct, id: string, firewallArn: string)
```
Reference an existing Network Firewall, defined outside of the CDK code, by arn.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `firewallArn`Required
- *Type:* string
---
##### `fromFirewallName`
```typescript
import { Firewall } from '@durkinza/cdk-networkfirewall-l2'
Firewall.fromFirewallName(scope: Construct, id: string, firewallName: string)
```
Reference an existing Network Firewall, defined outside of the CDK code, by name.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `firewallName`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| endpointIds | string[] | The unique IDs of the firewall endpoints for all of the subnets that you attached to the firewall. |
| firewallArn | string | The Arn of the Firewall. |
| firewallId | string | The physical name of the Firewall. |
| policy | IFirewallPolicy | The associated firewall Policy. |
| loggingCloudWatchLogGroups | CloudWatchLogLocationProps[] | The Cloud Watch Log Groups to send logs to. |
| loggingConfigurations | ILoggingConfiguration[] | The list of references to the generated logging configurations. |
| loggingKinesisDataStreams | KinesisDataFirehoseLogLocationProps[] | The Kinesis Data Stream locations. |
| loggingS3Buckets | S3LogLocationProps[] | The S3 Buckets to send logs to. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `endpointIds`Required
```typescript
public readonly endpointIds: string[];
```
- *Type:* string[]
The unique IDs of the firewall endpoints for all of the subnets that you attached to the firewall.
The subnets are not listed in any particular order.
---
##### `firewallArn`Required
```typescript
public readonly firewallArn: string;
```
- *Type:* string
The Arn of the Firewall.
---
##### `firewallId`Required
```typescript
public readonly firewallId: string;
```
- *Type:* string
The physical name of the Firewall.
---
##### `policy`Required
```typescript
public readonly policy: IFirewallPolicy;
```
- *Type:* IFirewallPolicy
The associated firewall Policy.
---
##### `loggingCloudWatchLogGroups`Required
```typescript
public readonly loggingCloudWatchLogGroups: CloudWatchLogLocationProps[];
```
- *Type:* CloudWatchLogLocationProps[]
The Cloud Watch Log Groups to send logs to.
---
##### `loggingConfigurations`Required
```typescript
public readonly loggingConfigurations: ILoggingConfiguration[];
```
- *Type:* ILoggingConfiguration[]
The list of references to the generated logging configurations.
---
##### `loggingKinesisDataStreams`Required
```typescript
public readonly loggingKinesisDataStreams: KinesisDataFirehoseLogLocationProps[];
```
- *Type:* KinesisDataFirehoseLogLocationProps[]
The Kinesis Data Stream locations.
---
##### `loggingS3Buckets`Required
```typescript
public readonly loggingS3Buckets: S3LogLocationProps[];
```
- *Type:* S3LogLocationProps[]
The S3 Buckets to send logs to.
---
### FirewallPolicy
- *Implements:* IFirewallPolicy
Defines a Firewall Policy in the stack.
#### Initializers
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
new FirewallPolicy(scope: Construct, id: string, props: FirewallPolicyProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | FirewallPolicyProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Required
- *Type:* FirewallPolicyProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
| addStatefulRuleGroup | Add a stateful rule group to the policy. |
| addStatelessRuleGroup | Add a stateless rule group to the policy. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
##### `addStatefulRuleGroup`
```typescript
public addStatefulRuleGroup(ruleGroup: StatefulRuleGroupList): void
```
Add a stateful rule group to the policy.
###### `ruleGroup`Required
- *Type:* StatefulRuleGroupList
The stateful rule group to add to the policy.
---
##### `addStatelessRuleGroup`
```typescript
public addStatelessRuleGroup(ruleGroup: StatelessRuleGroupList): void
```
Add a stateless rule group to the policy.
###### `ruleGroup`Required
- *Type:* StatelessRuleGroupList
The stateless rule group to add to the policy.
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromFirewallPolicyArn | Reference existing firewall policy by Arn. |
| fromFirewallPolicyName | Reference existing firewall policy name. |
---
##### ~~`isConstruct`~~
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
FirewallPolicy.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
FirewallPolicy.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
FirewallPolicy.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromFirewallPolicyArn`
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
FirewallPolicy.fromFirewallPolicyArn(scope: Construct, id: string, firewallPolicyArn: string)
```
Reference existing firewall policy by Arn.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `firewallPolicyArn`Required
- *Type:* string
the ARN of the existing firewall policy.
---
##### `fromFirewallPolicyName`
```typescript
import { FirewallPolicy } from '@durkinza/cdk-networkfirewall-l2'
FirewallPolicy.fromFirewallPolicyName(scope: Construct, id: string, firewallPolicyName: string)
```
Reference existing firewall policy name.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `firewallPolicyName`Required
- *Type:* string
The name of the existing firewall policy.
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| firewallPolicyArn | string | The Arn of the policy. |
| firewallPolicyId | string | The physical name of the firewall policy. |
| statefulDefaultActions | string[] | The Default actions for packets that don't match a stateful rule. |
| statefulRuleGroups | StatefulRuleGroupList[] | The stateful rule groups in this policy. |
| statelessDefaultActions | string[] | The Default actions for packets that don't match a stateless rule. |
| statelessFragmentDefaultActions | string[] | The Default actions for fragment packets that don't match a stateless rule. |
| statelessRuleGroups | StatelessRuleGroupList[] | The stateless rule groups in this policy. |
| tags | aws-cdk-lib.Tag[] | Tags to be added to the policy. |
| tlsInspectionConfiguration | ITLSInspectionConfiguration | The TLS Inspection Configuration. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `firewallPolicyArn`Required
```typescript
public readonly firewallPolicyArn: string;
```
- *Type:* string
The Arn of the policy.
---
##### `firewallPolicyId`Required
```typescript
public readonly firewallPolicyId: string;
```
- *Type:* string
The physical name of the firewall policy.
---
##### `statefulDefaultActions`Required
```typescript
public readonly statefulDefaultActions: string[];
```
- *Type:* string[]
The Default actions for packets that don't match a stateful rule.
---
##### `statefulRuleGroups`Required
```typescript
public readonly statefulRuleGroups: StatefulRuleGroupList[];
```
- *Type:* StatefulRuleGroupList[]
The stateful rule groups in this policy.
---
##### `statelessDefaultActions`Required
```typescript
public readonly statelessDefaultActions: string[];
```
- *Type:* string[]
The Default actions for packets that don't match a stateless rule.
---
##### `statelessFragmentDefaultActions`Required
```typescript
public readonly statelessFragmentDefaultActions: string[];
```
- *Type:* string[]
The Default actions for fragment packets that don't match a stateless rule.
---
##### `statelessRuleGroups`Required
```typescript
public readonly statelessRuleGroups: StatelessRuleGroupList[];
```
- *Type:* StatelessRuleGroupList[]
The stateless rule groups in this policy.
---
##### `tags`Required
```typescript
public readonly tags: Tag[];
```
- *Type:* aws-cdk-lib.Tag[]
Tags to be added to the policy.
---
##### `tlsInspectionConfiguration`Optional
```typescript
public readonly tlsInspectionConfiguration: ITLSInspectionConfiguration;
```
- *Type:* ITLSInspectionConfiguration
The TLS Inspection Configuration.
---
### LoggingConfiguration
- *Implements:* ILoggingConfiguration
Defines a Logging Configuration in the Stack.
#### Initializers
```typescript
import { LoggingConfiguration } from '@durkinza/cdk-networkfirewall-l2'
new LoggingConfiguration(scope: Construct, id: string, props: LoggingConfigurationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | LoggingConfigurationProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Required
- *Type:* LoggingConfigurationProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
| iLogLocationsToLogDestinationConfigProperty | Convert ILogLocation array to L1 LogDestinationConfigProperty array. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
##### `iLogLocationsToLogDestinationConfigProperty`
```typescript
public iLogLocationsToLogDestinationConfigProperty(logLocations: ILogLocation[]): LogDestinationConfigProperty[]
```
Convert ILogLocation array to L1 LogDestinationConfigProperty array.
###### `logLocations`Required
- *Type:* ILogLocation[]
An array of assorted Log Locations.
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
---
##### ~~`isConstruct`~~
```typescript
import { LoggingConfiguration } from '@durkinza/cdk-networkfirewall-l2'
LoggingConfiguration.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { LoggingConfiguration } from '@durkinza/cdk-networkfirewall-l2'
LoggingConfiguration.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { LoggingConfiguration } from '@durkinza/cdk-networkfirewall-l2'
LoggingConfiguration.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| firewallRef | string | The associated firewall Arn. |
| firewallName | string | The associated firewall Name. |
| loggingLocations | ILogLocation[] | Defines how AWS Network Firewall performs logging for a Firewall. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `firewallRef`Required
```typescript
public readonly firewallRef: string;
```
- *Type:* string
The associated firewall Arn.
---
##### `firewallName`Optional
```typescript
public readonly firewallName: string;
```
- *Type:* string
The associated firewall Name.
---
##### `loggingLocations`Required
```typescript
public readonly loggingLocations: ILogLocation[];
```
- *Type:* ILogLocation[]
Defines how AWS Network Firewall performs logging for a Firewall.
---
### Stateful5TupleRuleGroup
- *Implements:* IStatefulRuleGroup
A Stateful Rule group that holds 5Tuple Rules.
#### Initializers
```typescript
import { Stateful5TupleRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
new Stateful5TupleRuleGroup(scope: Construct, id: string, props?: Stateful5TupleRuleGroupProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | Stateful5TupleRuleGroupProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Optional
- *Type:* Stateful5TupleRuleGroupProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromRuleGroupArn | Reference existing Rule Group. |
---
##### ~~`isConstruct`~~
```typescript
import { Stateful5TupleRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
Stateful5TupleRuleGroup.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { Stateful5TupleRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
Stateful5TupleRuleGroup.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { Stateful5TupleRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
Stateful5TupleRuleGroup.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromRuleGroupArn`
```typescript
import { Stateful5TupleRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
Stateful5TupleRuleGroup.fromRuleGroupArn(scope: Construct, id: string, ruleGroupArn: string)
```
Reference existing Rule Group.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `ruleGroupArn`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### StatefulDomainListRuleGroup
- *Implements:* IStatefulRuleGroup
A Stateful Rule group that holds Domain List Rules.
#### Initializers
```typescript
import { StatefulDomainListRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
new StatefulDomainListRuleGroup(scope: Construct, id: string, props?: StatefulDomainListRuleGroupProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | StatefulDomainListRuleGroupProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Optional
- *Type:* StatefulDomainListRuleGroupProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromRuleGroupArn | Reference existing Rule Group. |
---
##### ~~`isConstruct`~~
```typescript
import { StatefulDomainListRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulDomainListRuleGroup.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { StatefulDomainListRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulDomainListRuleGroup.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { StatefulDomainListRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulDomainListRuleGroup.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromRuleGroupArn`
```typescript
import { StatefulDomainListRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulDomainListRuleGroup.fromRuleGroupArn(scope: Construct, id: string, ruleGroupArn: string)
```
Reference existing Rule Group.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `ruleGroupArn`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### StatefulSuricataRuleGroup
- *Implements:* IStatefulRuleGroup
A Stateful Rule group that holds Suricata Rules.
#### Initializers
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
new StatefulSuricataRuleGroup(scope: Construct, id: string, props?: StatefulSuricataRuleGroupProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | StatefulSuricataRuleGroupProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Optional
- *Type:* StatefulSuricataRuleGroupProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromFile | Reference Suricata rules from a file,. |
| fromRuleGroupArn | Reference existing Rule Group. |
---
##### ~~`isConstruct`~~
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulSuricataRuleGroup.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulSuricataRuleGroup.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulSuricataRuleGroup.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromFile`
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulSuricataRuleGroup.fromFile(scope: Construct, id: string, props: StatefulSuricataRuleGroupFromFileProps)
```
Reference Suricata rules from a file,.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `props`Required
- *Type:* StatefulSuricataRuleGroupFromFileProps
---
##### `fromRuleGroupArn`
```typescript
import { StatefulSuricataRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatefulSuricataRuleGroup.fromRuleGroupArn(scope: Construct, id: string, ruleGroupArn: string)
```
Reference existing Rule Group.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `ruleGroupArn`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### StatelessRuleGroup
- *Implements:* IStatelessRuleGroup
A Stateless Rule group that holds Stateless Rules.
#### Initializers
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
new StatelessRuleGroup(scope: Construct, id: string, props?: StatelessRuleGroupProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | StatelessRuleGroupProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Optional
- *Type:* StatelessRuleGroupProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
| calculateCapacity | Calculates the expected capacity required for all applied stateful rules. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
##### `calculateCapacity`
```typescript
public calculateCapacity(): number
```
Calculates the expected capacity required for all applied stateful rules.
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromStatelessRuleGroupArn | Reference existing Rule Group by Arn. |
| fromStatelessRuleGroupName | Reference existing Rule Group by Name. |
---
##### ~~`isConstruct`~~
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatelessRuleGroup.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatelessRuleGroup.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatelessRuleGroup.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromStatelessRuleGroupArn`
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatelessRuleGroup.fromStatelessRuleGroupArn(scope: Construct, id: string, statelessRuleGroupArn: string)
```
Reference existing Rule Group by Arn.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `statelessRuleGroupArn`Required
- *Type:* string
---
##### `fromStatelessRuleGroupName`
```typescript
import { StatelessRuleGroup } from '@durkinza/cdk-networkfirewall-l2'
StatelessRuleGroup.fromStatelessRuleGroupName(scope: Construct, id: string, statelessRuleGroupName: string)
```
Reference existing Rule Group by Name.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `statelessRuleGroupName`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### TLSInspectionConfiguration
- *Implements:* ITLSInspectionConfiguration
Defines a Network Firewall TLS Inspection Configuration in the Stack.
#### Initializers
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
new TLSInspectionConfiguration(scope: Construct, id: string, props: TLSInspectionConfigurationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.Construct | *No description.* |
| id | string | *No description.* |
| props | TLSInspectionConfigurationProps | *No description.* |
---
##### `scope`Required
- *Type:* constructs.Construct
---
##### `id`Required
- *Type:* string
---
##### `props`Required
- *Type:* TLSInspectionConfigurationProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| toString | Returns a string representation of this construct. |
| applyRemovalPolicy | Apply the given removal policy to this resource. |
---
##### `toString`
```typescript
public toString(): string
```
Returns a string representation of this construct.
##### `applyRemovalPolicy`
```typescript
public applyRemovalPolicy(policy: RemovalPolicy): void
```
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops
being managed by CloudFormation, either because you've removed it from the
CDK application or because you've made a change that requires the resource
to be replaced.
The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
###### `policy`Required
- *Type:* aws-cdk-lib.RemovalPolicy
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| isConstruct | Checks if `x` is a construct. |
| isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. |
| isResource | Check whether the given construct is a Resource. |
| fromConfigurationArn | Reference an existing TLS Inspection Configuration, defined outside of the CDK code, by arn. |
| fromConfigurationName | Reference an existing TLS Inspection Configuration, defined outside of the CDK code, by name. |
---
##### ~~`isConstruct`~~
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
TLSInspectionConfiguration.isConstruct(x: any)
```
Checks if `x` is a construct.
###### `x`Required
- *Type:* any
Any object.
---
##### `isOwnedResource`
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
TLSInspectionConfiguration.isOwnedResource(construct: IConstruct)
```
Returns true if the construct was created by CDK, and false otherwise.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `isResource`
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
TLSInspectionConfiguration.isResource(construct: IConstruct)
```
Check whether the given construct is a Resource.
###### `construct`Required
- *Type:* constructs.IConstruct
---
##### `fromConfigurationArn`
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
TLSInspectionConfiguration.fromConfigurationArn(scope: Construct, id: string, configurationArn: string)
```
Reference an existing TLS Inspection Configuration, defined outside of the CDK code, by arn.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `configurationArn`Required
- *Type:* string
---
##### `fromConfigurationName`
```typescript
import { TLSInspectionConfiguration } from '@durkinza/cdk-networkfirewall-l2'
TLSInspectionConfiguration.fromConfigurationName(scope: Construct, id: string, TLSInspectionConfigurationName: string)
```
Reference an existing TLS Inspection Configuration, defined outside of the CDK code, by name.
###### `scope`Required
- *Type:* constructs.Construct
---
###### `id`Required
- *Type:* string
---
###### `TLSInspectionConfigurationName`Required
- *Type:* string
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| tlsInspectionConfigurationArn | string | The Arn of the TLS Inspection Configuration. |
| tlsInspectionConfigurationId | string | The physical name of the TLS Inspection Configuration. |
| description | string | The Description of the TLS Inspection Configuration. |
| tags | aws-cdk-lib.Tag[] | Tags to be added to the TLS Inspection Configuration. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `tlsInspectionConfigurationArn`Required
```typescript
public readonly tlsInspectionConfigurationArn: string;
```
- *Type:* string
The Arn of the TLS Inspection Configuration.
---
##### `tlsInspectionConfigurationId`Required
```typescript
public readonly tlsInspectionConfigurationId: string;
```
- *Type:* string
The physical name of the TLS Inspection Configuration.
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
The Description of the TLS Inspection Configuration.
---
##### `tags`Optional
```typescript
public readonly tags: Tag[];
```
- *Type:* aws-cdk-lib.Tag[]
Tags to be added to the TLS Inspection Configuration.
---
## Structs
### CloudWatchLogLocationProps
Defines a Cloud Watch Log Group Logging Option.
#### Initializer
```typescript
import { CloudWatchLogLocationProps } from '@durkinza/cdk-networkfirewall-l2'
const cloudWatchLogLocationProps: CloudWatchLogLocationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logType | string | The type of log to send. |
| logGroup | string | The name of the CloudWatch Log Group to send logs to. |
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
##### `logGroup`Required
```typescript
public readonly logGroup: string;
```
- *Type:* string
The name of the CloudWatch Log Group to send logs to.
---
### FirewallPolicyProps
The Properties for defining a Firewall policy.
#### Initializer
```typescript
import { FirewallPolicyProps } from '@durkinza/cdk-networkfirewall-l2'
const firewallPolicyProps: FirewallPolicyProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| statelessDefaultActions | string[] | The actions to take on a packet if it doesn't match any of the stateless rules in the policy. |
| statelessFragmentDefaultActions | string[] | The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. |
| description | string | The description of the policy. |
| firewallPolicyName | string | The descriptive name of the firewall policy. |
| statefulDefaultActions | string[] | The default actions to take on a packet that doesn't match any stateful rules. |
| statefulEngineOptions | aws-cdk-lib.aws_networkfirewall.CfnFirewallPolicy.StatefulEngineOptionsProperty | Additional options governing how Network Firewall handles stateful rules. |
| statefulRuleGroups | StatefulRuleGroupList[] | The stateful rule groups that are used in the policy. |
| statelessCustomActions | aws-cdk-lib.aws_networkfirewall.CfnFirewallPolicy.CustomActionProperty[] | The custom action definitions that are available for use in the firewall policy's statelessDefaultActions setting. |
| statelessRuleGroups | StatelessRuleGroupList[] | References to the stateless rule groups that are used in the policy. |
| tags | aws-cdk-lib.Tag[] | Tags to be added to the policy. |
| tlsInspectionConfiguration | ITLSInspectionConfiguration | AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. |
---
##### `statelessDefaultActions`Required
```typescript
public readonly statelessDefaultActions: string[];
```
- *Type:* string[]
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
---
##### `statelessFragmentDefaultActions`Required
```typescript
public readonly statelessFragmentDefaultActions: string[];
```
- *Type:* string[]
The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
The description of the policy.
---
##### `firewallPolicyName`Optional
```typescript
public readonly firewallPolicyName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the firewall policy.
You can't change the name of a firewall policy after you create it.
---
##### `statefulDefaultActions`Optional
```typescript
public readonly statefulDefaultActions: string[];
```
- *Type:* string[]
- *Default:* undefined
The default actions to take on a packet that doesn't match any stateful rules.
The stateful default action is optional, and is only valid when using the strict rule order
---
##### `statefulEngineOptions`Optional
```typescript
public readonly statefulEngineOptions: StatefulEngineOptionsProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnFirewallPolicy.StatefulEngineOptionsProperty
- *Default:* undefined
Additional options governing how Network Firewall handles stateful rules.
The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings
---
##### `statefulRuleGroups`Optional
```typescript
public readonly statefulRuleGroups: StatefulRuleGroupList[];
```
- *Type:* StatefulRuleGroupList[]
- *Default:* undefined
The stateful rule groups that are used in the policy.
---
##### `statelessCustomActions`Optional
```typescript
public readonly statelessCustomActions: CustomActionProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnFirewallPolicy.CustomActionProperty[]
- *Default:* undefined
The custom action definitions that are available for use in the firewall policy's statelessDefaultActions setting.
---
##### `statelessRuleGroups`Optional
```typescript
public readonly statelessRuleGroups: StatelessRuleGroupList[];
```
- *Type:* StatelessRuleGroupList[]
- *Default:* undefined
References to the stateless rule groups that are used in the policy.
---
##### `tags`Optional
```typescript
public readonly tags: Tag[];
```
- *Type:* aws-cdk-lib.Tag[]
- *Default:* No tags applied
Tags to be added to the policy.
---
##### `tlsInspectionConfiguration`Optional
```typescript
public readonly tlsInspectionConfiguration: ITLSInspectionConfiguration;
```
- *Type:* ITLSInspectionConfiguration
- *Default:* No TLS Inspection performed.
AWS Network Firewall uses a TLS inspection configuration to decrypt traffic.
Network Firewall re-encrypts the traffic before sending it to its destination.
---
### FirewallProps
The Properties for defining a Firewall Resource.
#### Initializer
```typescript
import { FirewallProps } from '@durkinza/cdk-networkfirewall-l2'
const firewallProps: FirewallProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| policy | IFirewallPolicy | Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls. |
| vpc | aws-cdk-lib.aws_ec2.IVpc | The unique identifier of the VPC where the firewall is in use. |
| deleteProtection | boolean | A flag indicating whether it is possible to delete the firewall. |
| description | string | The description of the Firewall. |
| firewallName | string | The descriptive name of the firewall. |
| firewallPolicyChangeProtection | boolean | A setting indicating whether the firewall is protected against a change to the firewall policy association. |
| loggingCloudWatchLogGroups | CloudWatchLogLocationProps[] | A list of CloudWatch LogGroups to send logs to. |
| loggingKinesisDataStreams | KinesisDataFirehoseLogLocationProps[] | A list of Kinesis Data Firehose to send logs to. |
| loggingS3Buckets | S3LogLocationProps[] | A list of S3 Buckets to send logs to. |
| subnetChangeProtection | boolean | A setting indicating whether the firewall is protected against changes to the subnet associations. |
| subnetMappings | aws-cdk-lib.aws_ec2.SubnetSelection | The public subnets that Network Firewall is using for the firewall. |
| tags | aws-cdk-lib.Tag[] | Tags to be added to the firewall. |
---
##### `policy`Required
```typescript
public readonly policy: IFirewallPolicy;
```
- *Type:* IFirewallPolicy
Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
---
##### `vpc`Required
```typescript
public readonly vpc: IVpc;
```
- *Type:* aws-cdk-lib.aws_ec2.IVpc
The unique identifier of the VPC where the firewall is in use.
You can't change the VPC of a firewall after you create the firewall.
---
##### `deleteProtection`Optional
```typescript
public readonly deleteProtection: boolean;
```
- *Type:* boolean
- *Default:* true
A flag indicating whether it is possible to delete the firewall.
A setting of TRUE indicates that the firewall is protected against deletion
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
The description of the Firewall.
---
##### `firewallName`Optional
```typescript
public readonly firewallName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the firewall.
You can't change the name of a firewall after you create it.
---
##### `firewallPolicyChangeProtection`Optional
```typescript
public readonly firewallPolicyChangeProtection: boolean;
```
- *Type:* boolean
- *Default:* true
A setting indicating whether the firewall is protected against a change to the firewall policy association.
Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use.
---
##### `loggingCloudWatchLogGroups`Optional
```typescript
public readonly loggingCloudWatchLogGroups: CloudWatchLogLocationProps[];
```
- *Type:* CloudWatchLogLocationProps[]
- *Default:* Logs will not be sent to a cloudwatch group.
A list of CloudWatch LogGroups to send logs to.
---
##### `loggingKinesisDataStreams`Optional
```typescript
public readonly loggingKinesisDataStreams: KinesisDataFirehoseLogLocationProps[];
```
- *Type:* KinesisDataFirehoseLogLocationProps[]
- *Default:* Logs will not be sent to a Kinesis DataFirehose.
A list of Kinesis Data Firehose to send logs to.
---
##### `loggingS3Buckets`Optional
```typescript
public readonly loggingS3Buckets: S3LogLocationProps[];
```
- *Type:* S3LogLocationProps[]
- *Default:* Logs will not be sent to an S3 bucket.
A list of S3 Buckets to send logs to.
---
##### `subnetChangeProtection`Optional
```typescript
public readonly subnetChangeProtection: boolean;
```
- *Type:* boolean
- *Default:* true
A setting indicating whether the firewall is protected against changes to the subnet associations.
Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use.
---
##### `subnetMappings`Optional
```typescript
public readonly subnetMappings: SubnetSelection;
```
- *Type:* aws-cdk-lib.aws_ec2.SubnetSelection
- *Default:* All public subnets of the VPC
The public subnets that Network Firewall is using for the firewall.
Each subnet must belong to a different Availability Zone.
---
##### `tags`Optional
```typescript
public readonly tags: Tag[];
```
- *Type:* aws-cdk-lib.Tag[]
- *Default:* No tags applied
Tags to be added to the firewall.
---
### KinesisDataFirehoseLogLocationProps
Defines a Kinesis Delivery Stream Logging Option.
#### Initializer
```typescript
import { KinesisDataFirehoseLogLocationProps } from '@durkinza/cdk-networkfirewall-l2'
const kinesisDataFirehoseLogLocationProps: KinesisDataFirehoseLogLocationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logType | string | The type of log to send. |
| deliveryStream | string | The name of the Kinesis Data Firehose delivery stream to send logs to. |
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
##### `deliveryStream`Required
```typescript
public readonly deliveryStream: string;
```
- *Type:* string
The name of the Kinesis Data Firehose delivery stream to send logs to.
---
### LoggingConfigurationProps
The Properties for defining a Logging Configuration.
#### Initializer
```typescript
import { LoggingConfigurationProps } from '@durkinza/cdk-networkfirewall-l2'
const loggingConfigurationProps: LoggingConfigurationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| firewallRef | string | The Amazon Resource Name (ARN) of the Firewall that the logging configuration is associated with. |
| firewallName | string | The name of the firewall that the logging configuration is associated with. |
| loggingConfigurationName | string | The physical name of this logging configuration. |
| loggingLocations | ILogLocation[] | Defines how AWS Network Firewall performs logging for a Firewall. |
---
##### `firewallRef`Required
```typescript
public readonly firewallRef: string;
```
- *Type:* string
The Amazon Resource Name (ARN) of the Firewall that the logging configuration is associated with.
You can't change the firewall specification after you create the logging configuration.
---
##### `firewallName`Optional
```typescript
public readonly firewallName: string;
```
- *Type:* string
- *Default:* No firewall name is logged.
The name of the firewall that the logging configuration is associated with.
You can't change the firewall specification after you create the logging configuration.
---
##### `loggingConfigurationName`Optional
```typescript
public readonly loggingConfigurationName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The physical name of this logging configuration.
---
##### `loggingLocations`Optional
```typescript
public readonly loggingLocations: ILogLocation[];
```
- *Type:* ILogLocation[]
- *Default:* No logging locations are configured, no logs will be sent.
Defines how AWS Network Firewall performs logging for a Firewall.
---
### LogLocationProps
Base Log Location structure.
#### Initializer
```typescript
import { LogLocationProps } from '@durkinza/cdk-networkfirewall-l2'
const logLocationProps: LogLocationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logType | string | The type of log to send. |
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### S3LogLocationProps
Defines a S3 Bucket Logging Option.
#### Initializer
```typescript
import { S3LogLocationProps } from '@durkinza/cdk-networkfirewall-l2'
const s3LogLocationProps: S3LogLocationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logType | string | The type of log to send. |
| bucketName | string | The name of the S3 bucket to send logs to. |
| prefix | string | The location prefix to use. |
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
##### `bucketName`Required
```typescript
public readonly bucketName: string;
```
- *Type:* string
The name of the S3 bucket to send logs to.
---
##### `prefix`Optional
```typescript
public readonly prefix: string;
```
- *Type:* string
- *Default:* no prefix is used.
The location prefix to use.
---
### Stateful5TupleRuleGroupProps
Properties for defining a Stateful 5 Tuple Rule Group.
#### Initializer
```typescript
import { Stateful5TupleRuleGroupProps } from '@durkinza/cdk-networkfirewall-l2'
const stateful5TupleRuleGroupProps: Stateful5TupleRuleGroupProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| capacity | number | The maximum operating resources that this rule group can use. |
| description | string | Description of the rule group. |
| ruleGroupName | string | The descriptive name of the stateful rule group. |
| ruleOrder | StatefulRuleOptions | Rule Order. |
| rules | Stateful5TupleRule[] | The rule group rules. |
| variables | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty | Settings that are available for use in the rules. |
---
##### `capacity`Optional
```typescript
public readonly capacity: number;
```
- *Type:* number
- *Default:* 200
The maximum operating resources that this rule group can use.
Estimate a stateful rule group's capacity as the number of rules that you expect to have in it during its lifetime.
You can't change this setting after you create the rule group
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
Description of the rule group.
---
##### `ruleGroupName`Optional
```typescript
public readonly ruleGroupName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the stateful rule group.
---
##### `ruleOrder`Optional
```typescript
public readonly ruleOrder: StatefulRuleOptions;
```
- *Type:* StatefulRuleOptions
- *Default:* STRICT_ORDER
Rule Order.
---
##### `rules`Optional
```typescript
public readonly rules: Stateful5TupleRule[];
```
- *Type:* Stateful5TupleRule[]
- *Default:* undefined
The rule group rules.
---
##### `variables`Optional
```typescript
public readonly variables: RuleVariablesProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty
- *Default:* undefined
Settings that are available for use in the rules.
---
### Stateful5TupleRuleProps
Properties for defining a 5 Tuple rule.
#### Initializer
```typescript
import { Stateful5TupleRuleProps } from '@durkinza/cdk-networkfirewall-l2'
const stateful5TupleRuleProps: Stateful5TupleRuleProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| action | string | The action to perform when a rule is matched. |
| destination | string | Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. |
| destinationPort | string | The destination port to inspect for. |
| direction | string | The direction of traffic flow to inspect. |
| protocol | string | The protocol to inspect for. |
| ruleOptions | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleOptionProperty[] | Additional settings for a stateful rule, provided as keywords and settings. |
| source | string | Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. |
| sourcePort | string | The source IP address or address range to inspect for, in CIDR notation. |
---
##### `action`Required
```typescript
public readonly action: string;
```
- *Type:* string
The action to perform when a rule is matched.
---
##### `destination`Optional
```typescript
public readonly destination: string;
```
- *Type:* string
- *Default:* = ANY
Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
---
##### `destinationPort`Optional
```typescript
public readonly destinationPort: string;
```
- *Type:* string
- *Default:* ANY
The destination port to inspect for.
You can specify an individual port, for example 1994 and you can specify a port range, for example 1990:1994 .
To match with any port, specify ANY
---
##### `direction`Optional
```typescript
public readonly direction: string;
```
- *Type:* string
- *Default:* ANY
The direction of traffic flow to inspect.
If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source.
If set to FORWARD , the inspection only matches traffic going from the source to the destination.
---
##### `protocol`Optional
```typescript
public readonly protocol: string;
```
- *Type:* string
- *Default:* IP
The protocol to inspect for.
To specify all, you can use IP , because all traffic on AWS and on the internet is IP.
---
##### `ruleOptions`Optional
```typescript
public readonly ruleOptions: RuleOptionProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleOptionProperty[]
- *Default:* undefined
Additional settings for a stateful rule, provided as keywords and settings.
---
##### `source`Optional
```typescript
public readonly source: string;
```
- *Type:* string
- *Default:* = ANY
Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
---
##### `sourcePort`Optional
```typescript
public readonly sourcePort: string;
```
- *Type:* string
- *Default:* ANY
The source IP address or address range to inspect for, in CIDR notation.
To match with any address, specify ANY.
---
### StatefulDomainListRuleGroupProps
Defines a Stateful Domain List Rule group in the stack.
#### Initializer
```typescript
import { StatefulDomainListRuleGroupProps } from '@durkinza/cdk-networkfirewall-l2'
const statefulDomainListRuleGroupProps: StatefulDomainListRuleGroupProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| capacity | number | The maximum operating resources that this rule group can use. |
| description | string | Description of the rule group. |
| rule | StatefulDomainListRule | The Domain List rule. |
| ruleGroupName | string | The descriptive name of the stateful rule group. |
| ruleOrder | StatefulRuleOptions | Rule Order. |
| variables | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty | Settings that are available for use in the rules. |
---
##### `capacity`Optional
```typescript
public readonly capacity: number;
```
- *Type:* number
- *Default:* 200
The maximum operating resources that this rule group can use.
Estimate a stateful rule group's capacity as the number of rules that you expect to have in it during its lifetime.
You can't change this setting after you create the rule group
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
Description of the rule group.
---
##### `rule`Optional
```typescript
public readonly rule: StatefulDomainListRule;
```
- *Type:* StatefulDomainListRule
- *Default:* undefined
The Domain List rule.
---
##### `ruleGroupName`Optional
```typescript
public readonly ruleGroupName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the stateful rule group.
---
##### `ruleOrder`Optional
```typescript
public readonly ruleOrder: StatefulRuleOptions;
```
- *Type:* StatefulRuleOptions
- *Default:* STRICT_ORDER
Rule Order.
---
##### `variables`Optional
```typescript
public readonly variables: RuleVariablesProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty
- *Default:* undefined
Settings that are available for use in the rules.
---
### StatefulDomainListRuleProps
The properties for defining a Stateful Domain List Rule.
#### Initializer
```typescript
import { StatefulDomainListRuleProps } from '@durkinza/cdk-networkfirewall-l2'
const statefulDomainListRuleProps: StatefulDomainListRuleProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| targets | string[] | The domains that you want to inspect for in your traffic flows. |
| targetTypes | string[] | The types of targets to inspect for. |
| type | string | Whether you want to allow or deny access to the domains in your target list. |
---
##### `targets`Required
```typescript
public readonly targets: string[];
```
- *Type:* string[]
The domains that you want to inspect for in your traffic flows.
---
##### `targetTypes`Required
```typescript
public readonly targetTypes: string[];
```
- *Type:* string[]
The types of targets to inspect for.
---
##### `type`Required
```typescript
public readonly type: string;
```
- *Type:* string
Whether you want to allow or deny access to the domains in your target list.
---
### StatefulRuleBaseProps
The properties for defining a generic Stateful Rule.
#### Initializer
```typescript
import { StatefulRuleBaseProps } from '@durkinza/cdk-networkfirewall-l2'
const statefulRuleBaseProps: StatefulRuleBaseProps = { ... }
```
### StatefulRuleGroupList
Maps a priority to a stateful rule group item.
#### Initializer
```typescript
import { StatefulRuleGroupList } from '@durkinza/cdk-networkfirewall-l2'
const statefulRuleGroupList: StatefulRuleGroupList = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| ruleGroup | IStatefulRuleGroup | The stateful rule group. |
| priority | number | The priority of the rule group in the policy. |
---
##### `ruleGroup`Required
```typescript
public readonly ruleGroup: IStatefulRuleGroup;
```
- *Type:* IStatefulRuleGroup
The stateful rule group.
---
##### `priority`Optional
```typescript
public readonly priority: number;
```
- *Type:* number
- *Default:* Priority is only used when Strict order is set.
The priority of the rule group in the policy.
---
### StatefulSuricataRuleGroupFromFileProps
Properties for defining a Stateful Suricata Rule Group from a file.
#### Initializer
```typescript
import { StatefulSuricataRuleGroupFromFileProps } from '@durkinza/cdk-networkfirewall-l2'
const statefulSuricataRuleGroupFromFileProps: StatefulSuricataRuleGroupFromFileProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| path | string | The suricata rules file location. |
| capacity | number | The maximum operating resources that this rule group can use. |
| description | string | Description of the rule group. |
| encoding | string | The encoding to use for the file. |
| ruleGroupName | string | The descriptive name of the stateful rule group. |
| ruleOrder | StatefulRuleOptions | Rule Order. |
| variables | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty | Settings that are available for use in the rules. |
---
##### `path`Required
```typescript
public readonly path: string;
```
- *Type:* string
The suricata rules file location.
---
##### `capacity`Optional
```typescript
public readonly capacity: number;
```
- *Type:* number
- *Default:* 200
The maximum operating resources that this rule group can use.
Estimate a stateful rule group's capacity as the number of rules that you expect to have in it during its lifetime.
You can't change this setting after you create the rule group
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
Description of the rule group.
---
##### `encoding`Optional
```typescript
public readonly encoding: string;
```
- *Type:* string
- *Default:* uft-8
The encoding to use for the file.
---
##### `ruleGroupName`Optional
```typescript
public readonly ruleGroupName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the stateful rule group.
---
##### `ruleOrder`Optional
```typescript
public readonly ruleOrder: StatefulRuleOptions;
```
- *Type:* StatefulRuleOptions
- *Default:* STRICT_ORDER
Rule Order.
---
##### `variables`Optional
```typescript
public readonly variables: RuleVariablesProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty
- *Default:* undefined
Settings that are available for use in the rules.
---
### StatefulSuricataRuleGroupProps
Properties for defining a Stateful Suricata Rule Group.
#### Initializer
```typescript
import { StatefulSuricataRuleGroupProps } from '@durkinza/cdk-networkfirewall-l2'
const statefulSuricataRuleGroupProps: StatefulSuricataRuleGroupProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| capacity | number | The maximum operating resources that this rule group can use. |
| description | string | Description of the rule group. |
| ruleGroupName | string | The descriptive name of the stateful rule group. |
| ruleOrder | StatefulRuleOptions | Rule Order. |
| rules | string | The suricata rules. |
| variables | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty | Settings that are available for use in the rules. |
---
##### `capacity`Optional
```typescript
public readonly capacity: number;
```
- *Type:* number
- *Default:* 200
The maximum operating resources that this rule group can use.
Estimate a stateful rule group's capacity as the number of rules that you expect to have in it during its lifetime.
You can't change this setting after you create the rule group
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
Description of the rule group.
---
##### `ruleGroupName`Optional
```typescript
public readonly ruleGroupName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the stateful rule group.
---
##### `ruleOrder`Optional
```typescript
public readonly ruleOrder: StatefulRuleOptions;
```
- *Type:* StatefulRuleOptions
- *Default:* STRICT_ORDER
Rule Order.
---
##### `rules`Optional
```typescript
public readonly rules: string;
```
- *Type:* string
- *Default:* undefined
The suricata rules.
---
##### `variables`Optional
```typescript
public readonly variables: RuleVariablesProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty
- *Default:* undefined
Settings that are available for use in the rules.
---
### StatelessRuleGroupList
Maps a priority to a stateless rule group item.
#### Initializer
```typescript
import { StatelessRuleGroupList } from '@durkinza/cdk-networkfirewall-l2'
const statelessRuleGroupList: StatelessRuleGroupList = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| priority | number | The priority of the rule group in the policy. |
| ruleGroup | IStatelessRuleGroup | The stateless rule. |
---
##### `priority`Required
```typescript
public readonly priority: number;
```
- *Type:* number
The priority of the rule group in the policy.
---
##### `ruleGroup`Required
```typescript
public readonly ruleGroup: IStatelessRuleGroup;
```
- *Type:* IStatelessRuleGroup
The stateless rule.
---
### StatelessRuleGroupProps
The properties for defining a Stateless Rule Group.
#### Initializer
```typescript
import { StatelessRuleGroupProps } from '@durkinza/cdk-networkfirewall-l2'
const statelessRuleGroupProps: StatelessRuleGroupProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| capacity | number | The maximum operating resources that this rule group can use. |
| customActions | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.CustomActionProperty[] | An optional Non-standard action to use. |
| description | string | Description of the rule group. |
| ruleGroupName | string | The descriptive name of the stateless rule group. |
| rules | StatelessRuleList[] | The rule group rules. |
| variables | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty | Settings that are available for use in the rules. |
---
##### `capacity`Optional
```typescript
public readonly capacity: number;
```
- *Type:* number
- *Default:* Capacity is Calculated from rule requirements.
The maximum operating resources that this rule group can use.
---
##### `customActions`Optional
```typescript
public readonly customActions: CustomActionProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.CustomActionProperty[]
- *Default:* undefined
An optional Non-standard action to use.
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* undefined
Description of the rule group.
---
##### `ruleGroupName`Optional
```typescript
public readonly ruleGroupName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the stateless rule group.
---
##### `rules`Optional
```typescript
public readonly rules: StatelessRuleList[];
```
- *Type:* StatelessRuleList[]
- *Default:* undefined
The rule group rules.
---
##### `variables`Optional
```typescript
public readonly variables: RuleVariablesProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty
- *Default:* undefined
Settings that are available for use in the rules.
---
### StatelessRuleList
Maps a priority to a stateless rule.
#### Initializer
```typescript
import { StatelessRuleList } from '@durkinza/cdk-networkfirewall-l2'
const statelessRuleList: StatelessRuleList = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| priority | number | The priority of the rule in the rule group. |
| rule | StatelessRule | The stateless rule. |
---
##### `priority`Required
```typescript
public readonly priority: number;
```
- *Type:* number
The priority of the rule in the rule group.
---
##### `rule`Required
```typescript
public readonly rule: StatelessRule;
```
- *Type:* StatelessRule
The stateless rule.
---
### StatelessRuleProps
Properties for defining a stateless rule.
#### Initializer
```typescript
import { StatelessRuleProps } from '@durkinza/cdk-networkfirewall-l2'
const statelessRuleProps: StatelessRuleProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| actions | string[] | Rule Actions. |
| destinationPorts | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.PortRangeProperty[] | The destination port to inspect for. |
| destinations | string[] | Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. |
| protocols | number[] | The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA). |
| sourcePorts | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.PortRangeProperty[] | The source ports to inspect for. |
| sources | string[] | Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. |
| tcpFlags | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.TCPFlagFieldProperty[] | TCP flags and masks to inspect packets for. |
---
##### `actions`Required
```typescript
public readonly actions: string[];
```
- *Type:* string[]
Rule Actions.
The actions to take on a packet that matches one of the stateless rule definition's match attributes.
---
##### `destinationPorts`Optional
```typescript
public readonly destinationPorts: PortRangeProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.PortRangeProperty[]
- *Default:* ANY
The destination port to inspect for.
You can specify an individual port, for example 1994 and you can specify a port range, for example 1990:1994.
To match with any port, specify ANY.
---
##### `destinations`Optional
```typescript
public readonly destinations: string[];
```
- *Type:* string[]
- *Default:* ANY
Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
---
##### `protocols`Optional
```typescript
public readonly protocols: number[];
```
- *Type:* number[]
- *Default:* ANY
The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA).
---
##### `sourcePorts`Optional
```typescript
public readonly sourcePorts: PortRangeProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.PortRangeProperty[]
- *Default:* ANY
The source ports to inspect for.
---
##### `sources`Optional
```typescript
public readonly sources: string[];
```
- *Type:* string[]
- *Default:* ANY
Specify an array of IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
---
##### `tcpFlags`Optional
```typescript
public readonly tcpFlags: TCPFlagFieldProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.TCPFlagFieldProperty[]
- *Default:* undefined
TCP flags and masks to inspect packets for.
---
### TLSInspectionConfigurationProps
The Properties for defining a Firewall TLS Inspection Configuration.
#### Initializer
```typescript
import { TLSInspectionConfigurationProps } from '@durkinza/cdk-networkfirewall-l2'
const tLSInspectionConfigurationProps: TLSInspectionConfigurationProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| serverCertificateConfigurations | aws-cdk-lib.aws_networkfirewall.CfnTLSInspectionConfiguration.ServerCertificateConfigurationProperty[] | The TLS Server Certificate Configuration Property. |
| configurationName | string | The descriptive name of the TLS inspection configuration. |
| description | string | The Description of the TLS Inspection Configuration. |
| tags | aws-cdk-lib.Tag[] | Tags to be added to the configuration. |
---
##### `serverCertificateConfigurations`Required
```typescript
public readonly serverCertificateConfigurations: ServerCertificateConfigurationProperty[];
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnTLSInspectionConfiguration.ServerCertificateConfigurationProperty[]
The TLS Server Certificate Configuration Property.
---
##### `configurationName`Optional
```typescript
public readonly configurationName: string;
```
- *Type:* string
- *Default:* CloudFormation-generated name
The descriptive name of the TLS inspection configuration.
You can't change the name of a TLS inspection configuration after you create it.
---
##### `description`Optional
```typescript
public readonly description: string;
```
- *Type:* string
- *Default:* No Description
The Description of the TLS Inspection Configuration.
---
##### `tags`Optional
```typescript
public readonly tags: Tag[];
```
- *Type:* aws-cdk-lib.Tag[]
- *Default:* No tags applied
Tags to be added to the configuration.
---
## Classes
### CloudWatchLogLocation
Defines a Cloud Watch Log Group Logging Configuration.
#### Initializers
```typescript
import { CloudWatchLogLocation } from '@durkinza/cdk-networkfirewall-l2'
new CloudWatchLogLocation(props: CloudWatchLogLocationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | CloudWatchLogLocationProps | *No description.* |
---
##### `props`Required
- *Type:* CloudWatchLogLocationProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestination | {[ key: string ]: string} | The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type. |
| logDestinationType | string | The type of storage destination to send these logs to. |
| logType | string | The type of log to send. |
---
##### `logDestination`Required
```typescript
public readonly logDestination: {[ key: string ]: string};
```
- *Type:* {[ key: string ]: string}
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
---
##### `logDestinationType`Required
```typescript
public readonly logDestinationType: string;
```
- *Type:* string
The type of storage destination to send these logs to.
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### KinesisDataFirehoseLogLocation
Defines a Kinesis Delivery Stream Logging Configuration.
#### Initializers
```typescript
import { KinesisDataFirehoseLogLocation } from '@durkinza/cdk-networkfirewall-l2'
new KinesisDataFirehoseLogLocation(props: KinesisDataFirehoseLogLocationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | KinesisDataFirehoseLogLocationProps | *No description.* |
---
##### `props`Required
- *Type:* KinesisDataFirehoseLogLocationProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestination | {[ key: string ]: string} | The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type. |
| logDestinationType | string | The type of storage destination to send these logs to. |
| logType | string | The type of log to send. |
---
##### `logDestination`Required
```typescript
public readonly logDestination: {[ key: string ]: string};
```
- *Type:* {[ key: string ]: string}
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
---
##### `logDestinationType`Required
```typescript
public readonly logDestinationType: string;
```
- *Type:* string
The type of storage destination to send these logs to.
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### LogLocationBase
- *Implements:* ILogLocation
Base Log Location class.
#### Initializers
```typescript
import { LogLocationBase } from '@durkinza/cdk-networkfirewall-l2'
new LogLocationBase(logDestinationType: LogDestinationType, props: LogLocationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestinationType | LogDestinationType | The type of storage destination to send these logs to. |
| props | LogLocationProps | *No description.* |
---
##### `logDestinationType`Required
- *Type:* LogDestinationType
The type of storage destination to send these logs to.
---
##### `props`Required
- *Type:* LogLocationProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestination | {[ key: string ]: string} | The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type. |
| logDestinationType | string | The type of storage destination to send these logs to. |
| logType | string | The type of log to send. |
---
##### `logDestination`Required
```typescript
public readonly logDestination: {[ key: string ]: string};
```
- *Type:* {[ key: string ]: string}
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
---
##### `logDestinationType`Required
```typescript
public readonly logDestinationType: string;
```
- *Type:* string
The type of storage destination to send these logs to.
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### S3LogLocation
Defines a S3 Bucket Logging configuration.
#### Initializers
```typescript
import { S3LogLocation } from '@durkinza/cdk-networkfirewall-l2'
new S3LogLocation(props: S3LogLocationProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | S3LogLocationProps | *No description.* |
---
##### `props`Required
- *Type:* S3LogLocationProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestination | {[ key: string ]: string} | The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type. |
| logDestinationType | string | The type of storage destination to send these logs to. |
| logType | string | The type of log to send. |
---
##### `logDestination`Required
```typescript
public readonly logDestination: {[ key: string ]: string};
```
- *Type:* {[ key: string ]: string}
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
---
##### `logDestinationType`Required
```typescript
public readonly logDestinationType: string;
```
- *Type:* string
The type of storage destination to send these logs to.
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### Stateful5TupleRule
Generates a Stateful Rule from a 5 Tuple.
#### Initializers
```typescript
import { Stateful5TupleRule } from '@durkinza/cdk-networkfirewall-l2'
new Stateful5TupleRule(props: Stateful5TupleRuleProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | Stateful5TupleRuleProps | *No description.* |
---
##### `props`Required
- *Type:* Stateful5TupleRuleProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| resource | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.StatefulRuleProperty | The L1 Stateful Rule Property. |
---
##### `resource`Required
```typescript
public readonly resource: StatefulRuleProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.StatefulRuleProperty
The L1 Stateful Rule Property.
---
### StatefulDomainListRule
Generates a Stateful Rule from a Domain List.
#### Initializers
```typescript
import { StatefulDomainListRule } from '@durkinza/cdk-networkfirewall-l2'
new StatefulDomainListRule(props: StatefulDomainListRuleProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | StatefulDomainListRuleProps | *No description.* |
---
##### `props`Required
- *Type:* StatefulDomainListRuleProps
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| resource | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RulesSourceListProperty | The L1 Stateful Rule Property. |
---
##### `resource`Required
```typescript
public readonly resource: RulesSourceListProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RulesSourceListProperty
The L1 Stateful Rule Property.
---
### StatefulRuleBase
- *Implements:* IStatefulRule
The shared base class of stateful rules.
#### Initializers
```typescript
import { StatefulRuleBase } from '@durkinza/cdk-networkfirewall-l2'
new StatefulRuleBase()
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
---
### StatelessRule
- *Implements:* IStatelessRule
Defines a Network Firewall Stateless Rule.
#### Initializers
```typescript
import { StatelessRule } from '@durkinza/cdk-networkfirewall-l2'
new StatelessRule(props: StatelessRuleProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| props | StatelessRuleProps | *No description.* |
---
##### `props`Required
- *Type:* StatelessRuleProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| calculateCapacity | Calculate Rule Capacity Requirements. |
---
##### `calculateCapacity`
```typescript
public calculateCapacity(): number
```
Calculate Rule Capacity Requirements.
https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-group-managing.html#nwfw-rule-group-capacity
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| resource | aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleDefinitionProperty | The L1 Stateless Rule Property. |
---
##### `resource`Required
```typescript
public readonly resource: RuleDefinitionProperty;
```
- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleDefinitionProperty
The L1 Stateless Rule Property.
---
## Protocols
### IFirewall
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* Firewall, IFirewall
Defines a Network Firewall in the stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| firewallArn | string | The Arn of the Firewall. |
| firewallId | string | The physical name of the Firewall. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `firewallArn`Required
```typescript
public readonly firewallArn: string;
```
- *Type:* string
The Arn of the Firewall.
---
##### `firewallId`Required
```typescript
public readonly firewallId: string;
```
- *Type:* string
The physical name of the Firewall.
---
### IFirewallPolicy
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* FirewallPolicy, IFirewallPolicy
Defines a Network Firewall Policy in the stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| firewallPolicyArn | string | The Arn of the policy. |
| firewallPolicyId | string | The physical name of the firewall policy. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `firewallPolicyArn`Required
```typescript
public readonly firewallPolicyArn: string;
```
- *Type:* string
The Arn of the policy.
---
##### `firewallPolicyId`Required
```typescript
public readonly firewallPolicyId: string;
```
- *Type:* string
The physical name of the firewall policy.
---
### ILoggingConfiguration
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* LoggingConfiguration, ILoggingConfiguration
Defines a Network Firewall Logging Configuration in the stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| firewallRef | string | The Amazon Resource Name (ARN) of the Firewall that the logging configuration is associated with. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `firewallRef`Required
```typescript
public readonly firewallRef: string;
```
- *Type:* string
The Amazon Resource Name (ARN) of the Firewall that the logging configuration is associated with.
You can't change the firewall specification after you create the logging configuration.
---
### ILogLocation
- *Implemented By:* CloudWatchLogLocation, KinesisDataFirehoseLogLocation, LogLocationBase, S3LogLocation, ILogLocation
Defines a Log Location in the Stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| logDestination | {[ key: string ]: string} | The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type. |
| logDestinationType | string | The type of storage destination to send these logs to. |
| logType | string | The type of log to send. |
---
##### `logDestination`Required
```typescript
public readonly logDestination: {[ key: string ]: string};
```
- *Type:* {[ key: string ]: string}
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
---
##### `logDestinationType`Required
```typescript
public readonly logDestinationType: string;
```
- *Type:* string
The type of storage destination to send these logs to.
---
##### `logType`Required
```typescript
public readonly logType: string;
```
- *Type:* string
The type of log to send.
---
### IStatefulRule
- *Implemented By:* Stateful5TupleRule, StatefulDomainListRule, StatefulRuleBase, IStatefulRule
The interface that represents the shared values of the StatefulRules.
### IStatefulRuleGroup
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* Stateful5TupleRuleGroup, StatefulDomainListRuleGroup, StatefulSuricataRuleGroup, IStatefulRuleGroup
The Interface that represents a Stateful Rule Group.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### IStatelessRule
- *Implemented By:* StatelessRule, IStatelessRule
The interface that represents the values of a StatelessRule.
### IStatelessRuleGroup
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* StatelessRuleGroup, IStatelessRuleGroup
Defines a Stateless rule Group in the stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| ruleGroupArn | string | The Arn of the rule group. |
| ruleGroupId | string | the physical name of the rule group. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `ruleGroupArn`Required
```typescript
public readonly ruleGroupArn: string;
```
- *Type:* string
The Arn of the rule group.
---
##### `ruleGroupId`Required
```typescript
public readonly ruleGroupId: string;
```
- *Type:* string
the physical name of the rule group.
---
### ITLSInspectionConfiguration
- *Extends:* aws-cdk-lib.IResource
- *Implemented By:* TLSInspectionConfiguration, ITLSInspectionConfiguration
Defines a TLS Inspection Configuration Resource in the stack.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. |
| stack | aws-cdk-lib.Stack | The stack in which this resource is defined. |
| tlsInspectionConfigurationArn | string | The Arn of the TLS Inspection Configuration. |
| tlsInspectionConfigurationId | string | The name of the TLS Inspection Configuration. |
---
##### `node`Required
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `env`Required
```typescript
public readonly env: ResourceEnvironment;
```
- *Type:* aws-cdk-lib.ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK
(generally, those created by creating new class instances like Role, Bucket, etc.),
this is always the same as the environment of the stack they belong to;
however, for imported resources
(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
that might be different than the stack they were imported into.
---
##### `stack`Required
```typescript
public readonly stack: Stack;
```
- *Type:* aws-cdk-lib.Stack
The stack in which this resource is defined.
---
##### `tlsInspectionConfigurationArn`Required
```typescript
public readonly tlsInspectionConfigurationArn: string;
```
- *Type:* string
The Arn of the TLS Inspection Configuration.
---
##### `tlsInspectionConfigurationId`Required
```typescript
public readonly tlsInspectionConfigurationId: string;
```
- *Type:* string
The name of the TLS Inspection Configuration.
---
## Enums
### LogDestinationType
The type of storage destination to send these logs to.
#### Members
| **Name** | **Description** |
| --- | --- |
| CLOUDWATCH | Store logs to CloudWatch log group. |
| KINESISDATAFIREHOSE | Store logs to a Kinesis Data Firehose delivery stream. |
| S3 | Store logs to an S3 bucket. |
---
##### `CLOUDWATCH`
Store logs to CloudWatch log group.
---
##### `KINESISDATAFIREHOSE`
Store logs to a Kinesis Data Firehose delivery stream.
---
##### `S3`
Store logs to an S3 bucket.
---
### LogType
The type of log to send.
#### Members
| **Name** | **Description** |
| --- | --- |
| ALERT | Alert logs report traffic that matches a stateful rule with an action setting that sends an alert log message. |
| FLOW | Flow logs are standard network traffic flow logs. |
---
##### `ALERT`
Alert logs report traffic that matches a stateful rule with an action setting that sends an alert log message.
---
##### `FLOW`
Flow logs are standard network traffic flow logs.
---
### Stateful5TupleDirection
The direction of traffic flow to inspect.
#### Members
| **Name** | **Description** |
| --- | --- |
| ANY | Inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. |
| FORWARD | Inspection only matches traffic going from the source to the destination. |
---
##### `ANY`
Inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source.
---
##### `FORWARD`
Inspection only matches traffic going from the source to the destination.
---
### StatefulDomainListTargetType
The types of targets to inspect for.
You can inspect HTTP or HTTPS protocols, or both.
#### Members
| **Name** | **Description** |
| --- | --- |
| TLS_SNI | Target HTTPS traffic For HTTPS traffic, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname, or domain name, that the client is trying to connect to. |
| HTTP_HOST | Target HTTP traffic. |
---
##### `TLS_SNI`
Target HTTPS traffic For HTTPS traffic, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname, or domain name, that the client is trying to connect to.
---
##### `HTTP_HOST`
Target HTTP traffic.
---
### StatefulDomainListType
The type of domain list to generate.
#### Members
| **Name** | **Description** |
| --- | --- |
| DENYLIST | Deny domain(s) through. |
| ALLOWLIST | Allow domain(s) through. |
---
##### `DENYLIST`
Deny domain(s) through.
---
##### `ALLOWLIST`
Allow domain(s) through.
---
### StatefulRuleOptions
Indicates how to manage the order of the rule evaluation for the rule group.
#### Members
| **Name** | **Description** |
| --- | --- |
| ACTION_ORDER | Rules with a pass action are processed first, followed by drop, reject, and alert actions. |
| STRICT_ORDER | With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order in which they're defined. |
---
##### `ACTION_ORDER`
Rules with a pass action are processed first, followed by drop, reject, and alert actions.
This option was previously named Default Acton Order.
---
##### `STRICT_ORDER`
With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order in which they're defined.
Recommended Order
---
### StatefulStandardAction
Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria.
#### Members
| **Name** | **Description** |
| --- | --- |
| PASS | Permits the packets to go to the intended destination. |
| DROP | Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the firewall. |
| ALERT | Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the firewall. |
---
##### `PASS`
Permits the packets to go to the intended destination.
---
##### `DROP`
Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the firewall.
---
##### `ALERT`
Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the firewall.
---
### StatefulStrictAction
The default actions to take on a packet that doesn't match any stateful rules.
#### Members
| **Name** | **Description** |
| --- | --- |
| DROP_STRICT | Drops all packets. |
| DROP_ESTABLISHED | Drops only the packets that are in established connections. |
| ALERT_STRICT | Logs an ALERT message on all packets. |
| ALERT_ESTABLISHED | Logs an ALERT message on only the packets that are in established connections. |
---
##### `DROP_STRICT`
Drops all packets.
---
##### `DROP_ESTABLISHED`
Drops only the packets that are in established connections.
This allows the layer 3 and 4 connection establishment packets that are needed for the upper-layer connections to be established, while dropping the packets for connections that are already established.
This allows application-layer pass rules to be written in a default-deny setup without the need to write additional rules to allow the lower-layer handshaking parts of the underlying protocols.
---
##### `ALERT_STRICT`
Logs an ALERT message on all packets.
This does not drop packets, but alerts you to what would be dropped if you were to choose Drop all.
---
##### `ALERT_ESTABLISHED`
Logs an ALERT message on only the packets that are in established connections.
This does not drop packets, but alerts you to what would be dropped if you were to choose Drop established.
---
### StatelessStandardAction
The actions to take on a packet that matches one of the stateless rule definition's match attributes.
#### Members
| **Name** | **Description** |
| --- | --- |
| FORWARD | Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection. |
| PASS | Discontinues all inspection of the packet and permits it to go to its intended destination. |
| DROP | Discontinues all inspection of the packet and blocks it from going to its intended destination. |
---
##### `FORWARD`
Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
---
##### `PASS`
Discontinues all inspection of the packet and permits it to go to its intended destination.
---
##### `DROP`
Discontinues all inspection of the packet and blocks it from going to its intended destination.
---