{ "$ref": "#/definitions/INetworkConfig", "$schema": "http://json-schema.org/draft-07/schema#", "definitions": { "AlbListenerProtocolEnum": { "enum": [ "HTTP", "HTTPS" ], "type": "string" }, "AlbListenerTypeEnum": { "enum": [ "fixed-response", "forward", "redirect" ], "type": "string" }, "AlbRoutingHttpConfigMitigationModeEnum": { "enum": [ "monitor", "defensive", "strictest" ], "type": "string" }, "AlbSchemeEnum": { "enum": [ "internet-facing", "internal" ], "type": "string" }, "AllowDeny": { "description": "## Allow/Deny Type\n\nRepresents permission states for access control and policy configurations. Used throughout the Landing Zone Accelerator for defining access permissions.\n\n### Values\n- **allow**: Grant permission or enable access\n- **deny**: Deny permission or block access", "enum": [ "allow", "deny" ], "type": "string" }, "AlpnPolicyEnum": { "enum": [ "HTTP1Only", "HTTP2Only", "HTTP2Optional", "HTTP2Preferred", "None" ], "type": "string" }, "CertificateConfigType": { "enum": [ "import", "request" ], "type": "string" }, "CertificateValidationType": { "enum": [ "EMAIL", "DNS" ], "type": "string" }, "DnsFirewallBlockResponseType": { "enum": [ "NODATA", "NXDOMAIN", "OVERRIDE" ], "type": "string" }, "DnsFirewallManagedDomainListsType": { "enum": [ "AWSManagedDomainsAggregateThreatList", "AWSManagedDomainsBotnetCommandandControl", "AWSManagedDomainsMalwareDomainList" ], "type": "string" }, "DnsFirewallRuleActionType": { "enum": [ "ALLOW", "ALERT", "BLOCK" ], "type": "string" }, "DpdTimeoutActionType": { "enum": [ "clear", "none", "restart" ], "type": "string" }, "DxVirtualInterfaceType": { "enum": [ "private", "transit" ], "type": "string" }, "EnableDisable": { "description": "## Enable/Disable Type\n\nRepresents activation states for features and services throughout the Landing Zone Accelerator configuration.\n\n### Values\n- **enable**: Activate the feature or service\n- **disable**: Deactivate the feature or service", "enum": [ "enable", "disable" ], 
"type": "string" }, "EncryptionAlgorithmType": { "enum": [ "AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16" ], "type": "string" }, "GatewayEndpointType": { "enum": [ "s3", "dynamodb" ], "type": "string" }, "GatewayRouteTableType": { "enum": [ "internetGateway", "virtualPrivateGateway" ], "type": "string" }, "IAlbAttributesConfig": { "additionalProperties": false, "description": "Application Load Balancer attributes config.", "properties": { "deletionProtection": { "description": "Enable or disable deletion protection.", "type": "boolean" }, "http2Enabled": { "description": "Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.", "type": "boolean" }, "idleTimeout": { "description": "The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.", "type": "number" }, "routingHttpDesyncMitigationMode": { "$ref": "#/definitions/AlbRoutingHttpConfigMitigationModeEnum", "description": "Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive`." }, "routingHttpDropInvalidHeader": { "description": "Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( true ) or routed to targets ( false ). The default is false.", "type": "boolean" }, "routingHttpXAmznTlsCipherEnable": { "description": "Indicates whether the two headers ( x-amzn-tls-version and x-amzn-tls-cipher-suite ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. 
The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false . The default is false.", "type": "boolean" }, "routingHttpXffClientPort": { "description": "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false . The default is false.", "type": "boolean" }, "routingHttpXffHeaderProcessingMode": { "$ref": "#/definitions/RoutingHttpXffHeaderProcessingModeEnum", "description": "Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are append, preserve, and remove. The default is append." }, "wafFailOpen": { "description": "Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is false.", "type": "boolean" } }, "type": "object" }, "IAlbListenerConfig": { "additionalProperties": false, "description": "Application Load Balancer listener config. Currently only action type of `forward`, `redirect` and `fixed-response` is allowed.", "properties": { "certificate": { "$ref": "#/definitions/NonEmptyString", "description": "Applies to HTTPS listeners. The default certificate for the listener. You must provide exactly one certificate arn or a certificate name which was created by LZA" }, "fixedResponseConfig": { "$ref": "#/definitions/IAlbListenerFixedResponseConfig", "description": "Information for creating an action that returns a custom HTTP response. Specify only when type is `fixed-response`." 
}, "forwardConfig": { "$ref": "#/definitions/IAlbListenerForwardConfig", "description": "Information for creating an action that distributes requests to targetGroup. Stickiness for targetGroup can be set here." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the application load balancer listener" }, "order": { "description": "The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first", "type": "number" }, "port": { "description": "Port of the application load balancer listener", "type": "number" }, "protocol": { "$ref": "#/definitions/AlbListenerProtocolEnum", "description": "Protocol of the application load balancer listener. The supported protocols are HTTP and HTTPS" }, "redirectConfig": { "$ref": "#/definitions/IAlbListenerRedirectConfig", "description": "Information for creating a redirect action. Specify only when type is `redirect`." }, "sslPolicy": { "$ref": "#/definitions/SslPolicyAlbEnum", "description": "The security policy that defines which protocols and ciphers are supported." }, "targetGroup": { "$ref": "#/definitions/NonEmptyString", "description": "Target Group name to which traffic will be forwarded. This name should be same as {@link ApplicationLoadBalancerTargetGroupConfig targetGroup } name." }, "type": { "$ref": "#/definitions/AlbListenerTypeEnum", "description": "Type of the application load balancer listener" } }, "required": [ "name", "port", "protocol", "type", "targetGroup" ], "type": "object" }, "IAlbListenerFixedResponseConfig": { "additionalProperties": false, "description": "Application load balancer listener fixed response config\nIt returns a custom HTTP response.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `fixed-response`.", "properties": { "contentType": { "$ref": "#/definitions/NonEmptyString", "description": "The content type. Valid Values: text/plain | text/css | text/html | application/javascript | application/json" 
}, "messageBody": { "$ref": "#/definitions/NonEmptyString", "description": "The message to send back." }, "statusCode": { "$ref": "#/definitions/NonEmptyString", "description": "The HTTP response code (2XX, 4XX, or 5XX)." } }, "required": [ "statusCode" ], "type": "object" }, "IAlbListenerForwardConfig": { "additionalProperties": false, "description": "Application Load balancer listener forward config. Used to define forward action.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `forward`.", "properties": { "targetGroupStickinessConfig": { "$ref": "#/definitions/IAlbListenerTargetGroupStickinessConfig" } }, "type": "object" }, "IAlbListenerRedirectConfig": { "additionalProperties": false, "description": "Application Load balancer listener redirect config. Used to define redirect action.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `redirect`.", "properties": { "host": { "$ref": "#/definitions/NonEmptyString" }, "path": { "$ref": "#/definitions/NonEmptyString" }, "port": { "type": "number" }, "protocol": { "$ref": "#/definitions/NonEmptyString" }, "query": { "$ref": "#/definitions/NonEmptyString" }, "statusCode": { "$ref": "#/definitions/NonEmptyString" } }, "type": "object" }, "IAlbListenerTargetGroupStickinessConfig": { "additionalProperties": false, "description": "Application Load balancer listener forward config target group stickiness config\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `forward`.", "properties": { "durationSeconds": { "description": "The time period, in seconds, during which requests from a client should be routed to the same target group. 
The range is 1-604800 seconds (7 days).", "type": "number" }, "enabled": { "description": "Indicates whether target group stickiness is enabled.", "type": "boolean" } }, "type": "object" }, "IApplicationLoadBalancerConfig": { "additionalProperties": false, "description": "Used to define Application Load Balancer configurations for the accelerator.", "properties": { "attributes": { "$ref": "#/definitions/IAlbAttributesConfig", "description": "Attributes for Application Load Balancer." }, "listeners": { "description": "Listeners for Application Load Balancer.", "items": { "$ref": "#/definitions/IAlbListenerConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the application load balancer" }, "scheme": { "$ref": "#/definitions/AlbSchemeEnum", "description": "Internal or internet facing scheme for Application Load Balancer." }, "securityGroups": { "description": "Security Groups to attach to the Application Load Balancer.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "The location where the Application Load Balancer(s) will be deployed to.\n*" }, "subnets": { "description": "Subnets to launch the Application Load Balancer in.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "name", "subnets", "securityGroups" ], "type": "object" }, "ICentralNetworkServicesConfig": { "additionalProperties": false, "description": "Central network services configuration.\nUse this configuration to define centralized networking services for your environment.\nCentral network services enables you to easily designate a central account that owns your\ncore network infrastructure. 
These network resources can be shared with other\naccounts in your organization so that workload accounts can consume them.", "properties": { "delegatedAdminAccount": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the delegated administrator account for network services. Resources configured under `centralNetworkServices` will be created in this account." }, "gatewayLoadBalancers": { "description": "An array of Gateway Load Balancer configurations.", "items": { "$ref": "#/definitions/IGwlbConfig" }, "type": "array" }, "ipams": { "description": "An array of IPAM configurations.", "items": { "$ref": "#/definitions/IIpamConfig" }, "type": "array" }, "networkFirewall": { "$ref": "#/definitions/INfwConfig", "description": "A Network Firewall configuration." }, "route53Resolver": { "$ref": "#/definitions/IResolverConfig", "description": "A Route 53 resolver configuration." } }, "required": [ "delegatedAdminAccount" ], "type": "object" }, "ICertificateConfig": { "additionalProperties": false, "description": "Amazon Certificate Manager (ACM) Configuration\n\n{@link https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html Import certificate} or {@link https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html Request certificate} from ACM", "properties": { "cert": { "$ref": "#/definitions/NonEmptyString", "description": "Path to certificate in S3 assets bucket. The bucket value is in the outputs of Pipeline stack in home region. Path should be given relative to the bucket. The certificate to import. This value should be provided when type is set to import or else validation fails." }, "chain": { "$ref": "#/definitions/NonEmptyString", "description": "Path to the PEM encoded certificate chain in S3 assets bucket. The bucket value is in the outputs of Pipeline stack in home region. Path should be given relative to the bucket. This value is optional when type is set to import." 
}, "deploymentTargets": { "$ref": "#/definitions/IDeploymentTargets", "description": "ACM deployment target. This should be provided to deploy ACM into OUs or account." }, "domain": { "$ref": "#/definitions/NonEmptyString", "description": "Fully qualified domain name (FQDN), such as www.example.com, that you want to secure with an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, *.example.com protects www.example.com, site.example.com, and images.example.com. In compliance with RFC 5280, the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length. This value should be provided when type is set to request or else validation fails." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "Name of the certificate. This should be unique in the certificates array. Duplicate names will fail the validation." }, "privKey": { "$ref": "#/definitions/NonEmptyString", "description": "Path to the private key in S3 assets bucket. The bucket value is in the outputs of Pipeline stack in home region. Path should be given relative to the bucket. The private key that matches the public key in the certificate. This value should be provided when type is set to import or else validation fails." }, "san": { "description": "Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, add the name www.example.net to a certificate for which the DomainName field is www.example.com if users can reach your site by using either name.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "type": { "$ref": "#/definitions/CertificateConfigType", "description": "Type of ACM cert. 
Valid values are `import` or `request`" }, "validation": { "$ref": "#/definitions/CertificateValidationType", "description": "The method you want to use if you are requesting a public certificate to validate that you own or control domain. You can validate with DNS or validate with email. Valid values are 'DNS' or 'EMAIL'. This value should be provided when type is set to request or else validation fails." } }, "required": [ "name", "type" ], "type": "object" }, "ICustomerGatewayConfig": { "additionalProperties": false, "description": "Use this configuration to define Customer Gateways and site-to-site VPN connections.\nA customer gateway device is a physical or software appliance that you own or manage in\nyour on-premises network (on your side of a Site-to-Site VPN connection).\nA VPN connection refers to the connection between your VPC and your own on-premises network.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The logical name of the account to deploy the Customer Gateway to. This value should match the name of the account recorded in the accounts-config.yaml file." }, "asn": { "description": "Define the ASN used for the Customer Gateway", "type": "number" }, "ipAddress": { "$ref": "#/definitions/NonEmptyString", "description": "Defines the IP address of the Customer Gateway" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the CGW.\n\nThe value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value." 
}, "region": { "description": "The AWS region to provision the customer gateway in", "type": "string" }, "tags": { "description": "Define tags for the Customer Gateway", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "vpnConnections": { "description": "Define the optional VPN Connection configuration", "items": { "$ref": "#/definitions/IVpnConnectionConfig" }, "type": "array" } }, "required": [ "name", "account", "region", "ipAddress", "asn" ], "type": "object" }, "IDefaultVpcsConfig": { "additionalProperties": false, "description": "Use this configuration to delete default VPCs in your environment.", "properties": { "delete": { "description": "Enable to delete default VPCs.", "type": "boolean" }, "excludeAccounts": { "description": "(OPTIONAL) Include an array of friendly account names to exclude from default VPC deletion.", "items": { "type": "string" }, "type": "array" }, "excludeRegions": { "description": "(OPTIONAL) Include an array of AWS regions to exclude from default VPC deletion.", "items": { "type": "string" }, "type": "array" } }, "required": [ "delete" ], "type": "object" }, "IDeploymentTargets": { "additionalProperties": false, "description": "## Deployment Targets Interface\n\nDefines where AWS resources should be deployed within your AWS organization. 
This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.\n\n### Key Features\n\n- **Account-level targeting**: Deploy to specific AWS accounts\n- **OU-level targeting**: Deploy to all accounts within organizational units\n- **Regional exclusions**: Skip specific AWS regions for compliance or cost optimization\n- **Account exclusions**: Exclude specific accounts from broader deployments\n\n### Example\n\n```yaml\ndeploymentTargets:\n  organizationalUnits:\n    - Production\n    - Development\n  excludedAccounts:\n    - Management\n  excludedRegions:\n    - us-west-1\n```", "properties": { "accounts": { "description": "**Target Accounts** *(Optional)*\n\nList of specific account names where resources should be deployed. Use for precise account-level targeting.", "items": { "type": "string" }, "type": "array" }, "excludedAccounts": { "description": "**Excluded Accounts** *(Optional)*\n\nList of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.", "items": { "type": "string" }, "type": "array" }, "excludedRegions": { "description": "**Excluded Regions** *(Optional)*\n\nList of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.", "items": { "type": "string" }, "type": "array" }, "organizationalUnits": { "description": "**Organizational Units** *(Optional)*\n\nList of organizational unit names where resources should be deployed. 
When specified, resources will be created in all accounts within these OUs.", "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "IDhcpOptsConfig": { "additionalProperties": false, "description": "Use this configuration to define custom DHCP options sets for your VPCs.\nCustom DHCP option sets give you control over the DNS servers, domain names,\nor Network Time Protocol (NTP) servers used by the devices in your VPC.\n\nThe following example creates a DHCP option set named `accelerator-dhcp-opts`\nin the `Network` account in the `us-east-1` region. The options set assigns\na domain name of `example.com` to hosts in the VPC and configures the DNS\nserver to `1.1.1.1`.", "properties": { "accounts": { "description": "An array of friendly account names to deploy the options set.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "domainName": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A domain name to assign to hosts using the options set." }, "domainNameServers": { "description": "(OPTIONAL) An array of IP addresses for domain name servers.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the DHCP options set." }, "netbiosNameServers": { "description": "(OPTIONAL) An array of IP addresses for NetBIOS servers.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "netbiosNodeType": { "$ref": "#/definitions/NetbiosNodeType", "description": "(OPTIONAL) The NetBIOS node type number." 
}, "ntpServers": { "description": "(OPTIONAL) An array of IP addresses for NTP servers.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "regions": { "description": "An array of regions to deploy the options set.", "items": { "type": "string" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tags for the options set.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "accounts", "regions" ], "type": "object" }, "IDnsFirewallRuleGroupConfig": { "additionalProperties": false, "description": "Use this configuration to define a group of rules for your DNS firewall.\nRule groups contain one to many rules that can be associated with VPCs in your environment.\nThese rules allow you to define the behavior of your DNS firewall.\n\nThe following example creates a rule group that contains one rule entry.\nThe rule blocks a list of custom domains contained in a file in the accelerator\nconfiguration repository. The rule group is shared to the entire organization.", "properties": { "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the DNS firewall rule group." }, "regions": { "description": "The regions to deploy the rule group to.", "items": { "type": "string" }, "type": "array" }, "rules": { "description": "An array of DNS firewall rule configurations.", "items": { "$ref": "#/definitions/IDnsFirewallRulesConfig" }, "type": "array" }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." 
}, "tags": { "description": "An array of tags for the rule group.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "regions", "rules" ], "type": "object" }, "IDnsFirewallRulesConfig": { "additionalProperties": false, "description": "Use this configuration to define individual rules for your DNS firewall.\nThis allows you to define the DNS firewall behavior for your VPCs.", "properties": { "action": { "$ref": "#/definitions/DnsFirewallRuleActionType", "description": "An action for the DNS firewall rule to take on matching requests." }, "blockOverrideDomain": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Configure an override domain for BLOCK actions. This is a custom DNS record to send back in response to the query." }, "blockOverrideTtl": { "description": "(OPTIONAL) Configure a time-to-live (TTL) for the override domain. This is the recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.", "type": "number" }, "blockResponse": { "$ref": "#/definitions/DnsFirewallBlockResponseType", "description": "Configure a specific response type for BLOCK actions. Block response types are defined here: {@link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html }" }, "customDomainList": { "$ref": "#/definitions/NonEmptyString", "description": "A file containing a custom domain list in TXT format." }, "managedDomainList": { "$ref": "#/definitions/DnsFirewallManagedDomainListsType", "description": "Configure a rule that uses an AWS-managed domain list. AWS-managed domain lists are defined here: {@link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html } ." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the DNS firewall rule." 
}, "priority": { "description": "The priority of the DNS firewall rule.", "type": "number" } }, "required": [ "name", "action", "priority" ], "type": "object" }, "IDnsQueryLogsConfig": { "additionalProperties": false, "description": "Use this configuration to define a centralized query logging configuration that can\nbe associated with VPCs in your environment.\nYou can use this configuration to log queries that originate from your VPCs,\nqueries to your inbound and outbound resolver endpoints,\nand queries that use Route 53 Resolver DNS firewall to allow, block, or monitor\ndomain lists.\n\nThe following example creates a query logging configuration that logs to both\nS3 and a CloudWatch Logs log group. It is shared with the entire organization.", "properties": { "destinations": { "description": "An array of destination services used to store the logs.", "items": { "$ref": "#/definitions/LogDestinationType" }, "type": "array" }, "excludedRegions": { "items": { "type": "string" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the query logging config." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "Resource Access Manager (RAM) share targets." } }, "required": [ "name", "destinations" ], "type": "object" }, "IDxGatewayConfig": { "additionalProperties": false, "description": "A DXGW is a globally-available resource that can be used to connect your VPCs to your on-premises infrastructure.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account to deploy the DX Gateway." }, "asn": { "description": "A Border Gateway Protocol (BGP) Autonomous System Number (ASN).", "type": "number" }, "gatewayName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the Direct Connect Gateway. This name will show as the name of the resource in the AWS console and API." 
}, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the DX Gateway. This name is used as a logical reference for the resource in the accelerator." }, "transitGatewayAssociations": { "description": "(OPTIONAL) An array of transit gateway association configurations. Creates transit gateway attachments for this DX gateway.", "items": { "$ref": "#/definitions/IDxTransitGatewayAssociationConfig" }, "type": "array" }, "virtualInterfaces": { "description": "(OPTIONAL) An array of virtual interface configurations. Creates virtual interfaces on the DX gateway.", "items": { "$ref": "#/definitions/IDxVirtualInterfaceConfig" }, "type": "array" } }, "required": [ "name", "account", "asn", "gatewayName" ], "type": "object" }, "IDxTransitGatewayAssociationConfig": { "additionalProperties": false, "description": "Use this configuration to define transit gateway attachments for a DX gateway.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account the transit gateway is deployed to." }, "allowedPrefixes": { "description": "An array of CIDR prefixes that are allowed to advertise over this transit gateway association.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the transit gateway to associate." 
}, "routeTableAssociations": { "description": "(OPTIONAL) The friendly name of TGW route table(s) to associate with this attachment.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "routeTablePropagations": { "description": "(OPTIONAL) The friendly name of TGW route table(s) to propagate routes from this attachment.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "name", "account", "allowedPrefixes" ], "type": "object" }, "IDxVirtualInterfaceConfig": { "additionalProperties": false, "description": "Use this configuration to create a virtual interface to a DX Gateway. Virtual interfaces\nenable access to your AWS services from your on-premises environment.\n\nThe following example creates a transit VIF called Accelerator-VIF in the Network account\non a DX connection with resource ID dxcon-example:", "properties": { "addressFamily": { "$ref": "#/definitions/IpVersionType", "description": "(OPTIONAL) The address family to use for this virtual interface.\n\nDefault - ipv4" }, "amazonAddress": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The peer IP address to use for Amazon's side of the virtual interface.\n\nDefault - randomly-generated by Amazon" }, "authKey": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL): The Secrets Manager name that stores the BGP Authentication Key, that exists in the same account and region that the Direct Connect Virtual Interface will be created in." 
}, "connectionId": { "$ref": "#/definitions/NonEmptyString", "description": "The resource ID of the {@link https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html#overview-components DX connection } the virtual interface will be created on" }, "customerAddress": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The peer IP address to use for customer's side of the virtual interface.\n\nDefault - randomly-generated by Amazon" }, "customerAsn": { "description": "A Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the customer side of the connection.", "type": "number" }, "enableSiteLink": { "description": "(OPTIONAL) Enable SiteLink for this virtual interface.\n\nDefault - false", "type": "boolean" }, "interfaceName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the virtual interface. This name will show as the name of the resource in the AWS console and API." }, "jumboFrames": { "description": "(OPTIONAL) Enable jumbo frames for the virtual interface.\n\nDefault - standard 1500 MTU frame size", "type": "boolean" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the virtual interface. This name is used as a logical reference for the resource in the accelerator." }, "ownerAccount": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the owning account of the DX connection." 
}, "region": { "description": "The region of the virtual interface.", "type": "string" }, "tags": { "description": "(OPTIONAL) An array of tags to apply to the virtual interface.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "type": { "$ref": "#/definitions/DxVirtualInterfaceType", "description": "The type of the virtual interface" }, "vlan": { "description": "The virtual local area network (VLAN) tag to use for this virtual interface.", "type": "number" } }, "required": [ "name", "connectionId", "customerAsn", "interfaceName", "ownerAccount", "region", "type", "vlan" ], "type": "object" }, "IElbAccountIdsConfig": { "additionalProperties": false, "description": "An optional ELB root account ID", "properties": { "accountId": { "$ref": "#/definitions/NonEmptyString" }, "region": { "$ref": "#/definitions/NonEmptyString" } }, "required": [ "region", "accountId" ], "type": "object" }, "IEndpointPolicyConfig": { "additionalProperties": false, "description": "Use this configuration to define VPC endpoint policies for your VPC gateway and interface endpoints.\nThe endpoint policy is a JSON policy document that controls which AWS principals can use the VPC\nendpoint to access the endpoint service.\n\nThe following example defines an endpoint policy named `Default` and references a path\nwhere a JSON policy document is stored:", "properties": { "document": { "$ref": "#/definitions/NonEmptyString", "description": "A file path for a JSON-formatted policy document." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the endpoint policy." } }, "required": [ "name", "document" ], "type": "object" }, "IFirewallManagerNotificationChannelConfig": { "additionalProperties": false, "description": "An optional Firewall Manager Service Config", "properties": { "region": { "$ref": "#/definitions/NonEmptyString", "description": "Enables the FMS notification channel. Defaults to enabled." 
}, "snsTopic": { "$ref": "#/definitions/NonEmptyString", "description": "The SNS Topic Name to publish to." } }, "required": [ "snsTopic", "region" ], "type": "object" }, "IFirewallManagerServiceConfig": { "additionalProperties": false, "description": "An optional Firewall Manager Service Config", "properties": { "delegatedAdminAccount": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account that acts as the Firewall Manager delegated administrator; the FMS configuration is deployed to this account." }, "notificationChannels": { "description": "The FMS Notification Channel Configuration", "items": { "$ref": "#/definitions/IFirewallManagerNotificationChannelConfig" }, "type": "array" } }, "required": [ "delegatedAdminAccount" ], "type": "object" }, "IGatewayEndpointConfig": { "additionalProperties": false, "description": "Use this configuration to define gateway endpoints for your VPC.\nA gateway endpoint targets specific IP routes in an Amazon VPC route table,\nin the form of a prefix-list, used for traffic destined to Amazon DynamoDB\nor Amazon Simple Storage Service (Amazon S3).", "properties": { "defaultPolicy": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the default policy for the gateway endpoints." }, "endpoints": { "description": "An array of endpoints to create.", "items": { "$ref": "#/definitions/IGatewayEndpointServiceConfig" }, "type": "array" } }, "required": [ "defaultPolicy", "endpoints" ], "type": "object" }, "IGatewayEndpointServiceConfig": { "additionalProperties": false, "description": "Use this configuration to define the service and endpoint policy for gateway endpoints.", "properties": { "applyPolicy": { "description": "(OPTIONAL) Specify whether or not a policy is applied to the endpoint. By default, if no policy is specified in the `policy` property, a default policy is applied. Specifying this option as `false` will ensure the accelerator attaches no policy to the endpoint. Be aware that an endpoint with no attached policy permits full access to the service (for example, any S3 bucket in any account) for traffic routed through it, so disable the policy only deliberately and compensate with bucket or IAM policies. 
This property defaults to `true` if not specified.", "type": "boolean" }, "policy": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of a policy for the gateway endpoint. If left undefined, the default policy will be used." }, "service": { "$ref": "#/definitions/GatewayEndpointType", "description": "The name of the service to create the endpoint for" }, "serviceName": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The full name of the service to create the endpoint for." } }, "required": [ "service" ], "type": "object" }, "IGwlbConfig": { "additionalProperties": false, "description": "Use to define Gateway Load Balancer configurations for the accelerator.\nGateway Load Balancers enable you to deploy, scale, and manage virtual appliances,\nsuch as firewalls, intrusion detection and prevention systems, and deep packet inspection\nsystems. It combines a transparent network gateway (that is, a single entry and exit point\nfor all traffic) and distributes traffic while scaling your virtual appliances with the demand.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Set an override for the account the Gateway Load Balancer is deployed to." }, "crossZoneLoadBalancing": { "description": "(OPTIONAL) Whether to enable cross-zone load balancing.", "type": "boolean" }, "deletionProtection": { "description": "(OPTIONAL) Whether to enable deletion protection.", "type": "boolean" }, "endpoints": { "description": "An array of Gateway Load Balancer endpoint configurations.", "items": { "$ref": "#/definitions/IGwlbEndpointConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the Gateway Load Balancer." 
}, "subnets": { "description": "An array of friendly names of subnets to deploy the Gateway Load Balancer to.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of CloudFormation tag objects.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "targetGroup": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of a target group to forward traffic to" }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC to deploy the Gateway Load Balancer to." } }, "required": [ "name", "endpoints", "subnets", "vpc" ], "type": "object" }, "IGwlbEndpointConfig": { "additionalProperties": false, "description": "Use this configuration to define endpoints for your Gateway Load Balancer.\nGateway Load Balancers use Gateway Load Balancer endpoints to securely exchange\ntraffic across VPC boundaries. A Gateway Load Balancer endpoint is a VPC endpoint\nthat provides private connectivity between virtual appliances in the service provider\nVPC and application servers in the service consumer VPC.\n\nThe following example creates two Gateway Load Balancer endpoints,\n`Endpoint-A` and `Endpoint-B`. The endpoints are created in subnets named\n`Network-Inspection-A` and `Network-Inspection-B`, respectively, in the VPC named\n`Network-Inspection`.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account to deploy the endpoint to." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the Gateway Load Balancer endpoint." }, "subnet": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the subnet to deploy the Gateway Load Balancer endpoint to." }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC to deploy the Gateway Load Balancer endpoint to." 
} }, "required": [ "name", "account", "subnet", "vpc" ], "type": "object" }, "IIcmpRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define ICMP rules for your network ACLs.\n\nThe following example allows inbound ICMP traffic for Mobile Host Redirect", "properties": { "code": { "description": "The ICMP code number. A value of -1 indicates all codes.", "type": "number" }, "type": { "description": "The ICMP type number. A value of -1 indicates all types.", "type": "number" } }, "required": [ "type", "code" ], "type": "object" }, "IInterfaceEndpointConfig": { "additionalProperties": false, "description": "Use this configuration to define interface endpoints for your VPC.\nInterface endpoints are powered by AWS PrivateLink and connect your VPC to AWS services as if they were in your VPC, without the use of an internet gateway.", "properties": { "allowedCidrs": { "description": "(OPTIONAL) An array of source CIDRs allowed to communicate with the endpoints.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "central": { "description": "(OPTIONAL) Enable to define interface endpoints as centralized endpoints.", "type": "boolean" }, "defaultPolicy": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the default policy for the interface endpoints." 
}, "endpoints": { "description": "An array of VPC interface endpoint services to be deployed.", "items": { "$ref": "#/definitions/IInterfaceEndpointServiceConfig" }, "type": "array" }, "subnets": { "description": "An array of the friendly names of VPC subnets for the endpoints to be deployed.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the private hosted zones associated with the VPC Interface endpoints.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "defaultPolicy", "endpoints", "subnets" ], "type": "object" }, "IInterfaceEndpointServiceConfig": { "additionalProperties": false, "description": "Use this configuration to define the service and endpoint policy for interface endpoints.", "properties": { "applyPolicy": { "description": "(OPTIONAL) Specify whether or not a policy is applied to the endpoint. By default, if no policy is specified in the `policy` property, a default policy is applied. Specifying this option as `false` will ensure the accelerator attaches no policy to the endpoint. Be aware that an interface endpoint with no attached policy permits full access to the service for any principal whose traffic reaches it, so disable the policy only deliberately. This property defaults to `true` if not specified.", "type": "boolean" }, "policy": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of a policy for the interface endpoint. If left undefined, the default policy will be used." }, "securityGroup": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Apply the provided security group for this interface endpoint." }, "service": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the service to create the endpoint for." }, "serviceName": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The full name of the service to create the endpoint for." 
} }, "required": [ "service" ], "type": "object" }, "IIpamAllocationConfig": { "additionalProperties": false, "description": "Use this configuration to dynamically assign a VPC or subnet CIDR from an IPAM pool.", "properties": { "ipamPoolName": { "$ref": "#/definitions/NonEmptyString", "description": "The IPAM pool name to request the allocation from." }, "netmaskLength": { "description": "The subnet mask length to request.", "type": "number" } }, "required": [ "ipamPoolName", "netmaskLength" ], "type": "object" }, "IIpamConfig": { "additionalProperties": false, "description": "Use this configuration to define an AWS-managed VPC IPAM.\nIPAM is a feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.\n\nThe following example defines an IPAM that is capable of operating in the us-east-1 and us-west-2 regions:", "properties": { "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the IPAM." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the IPAM." 
}, "operatingRegions": { "description": "(OPTIONAL) An array of regions that the IPAM will manage.", "items": { "type": "string" }, "type": "array" }, "pools": { "description": "An optional array of IPAM pool configurations to create under the IPAM.", "items": { "$ref": "#/definitions/IIpamPoolConfig" }, "type": "array" }, "region": { "description": "The region to deploy the IPAM.", "type": "string" }, "scopes": { "description": "(OPTIONAL) An array of IPAM scope configurations to create under the IPAM.", "items": { "$ref": "#/definitions/IIpamScopeConfig" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the IPAM.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "region" ], "type": "object" }, "IIpamPoolConfig": { "additionalProperties": false, "description": "Use this configuration to define custom IPAM pools for your VPCs. A pool is a collection of contiguous\nIP address ranges. IPAM pools enable you to organize your IP addresses according to your routing and security needs.", "properties": { "addressFamily": { "$ref": "#/definitions/IpVersionType", "description": "The address family for the IPAM pool." 
}, "allocationDefaultNetmaskLength": { "description": "(OPTIONAL) The default netmask length of IPAM allocations for this pool.", "type": "number" }, "allocationMaxNetmaskLength": { "description": "(OPTIONAL) The maximum netmask length of IPAM allocations for this pool.", "type": "number" }, "allocationMinNetmaskLength": { "description": "(OPTIONAL) The minimum netmask length of IPAM allocations for this pool.", "type": "number" }, "allocationResourceTags": { "description": "(OPTIONAL) An array of tags that are required for resources that use CIDRs from this IPAM pool.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "autoImport": { "description": "(OPTIONAL) If set to `true`, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM.", "type": "boolean" }, "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the IPAM pool." }, "locale": { "description": "(OPTIONAL) The AWS Region where you want to make an IPAM pool available for allocations.", "type": "string" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the IPAM pool." }, "provisionedCidrs": { "description": "An array of CIDR ranges to provision for the IPAM pool.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "publiclyAdvertisable": { "description": "(OPTIONAL) Determines if a pool is publicly advertisable.", "type": "boolean" }, "scope": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of the IPAM scope to assign the IPAM pool to." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "sourceIpamPool": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of the source IPAM pool to create this IPAM pool from." 
}, "tags": { "description": "(OPTIONAL) An array of tag objects for the IPAM pool.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name" ], "type": "object" }, "IIpamScopeConfig": { "additionalProperties": false, "description": "Use this configuration to define custom private IPAM scopes for your VPCs.\nAn IPAM scope is the highest-level container for an IPAM. Within scopes, pools can be created.\nCustom IPAM scopes can be used to create pools and manage resources that use the same IP space.", "properties": { "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Description for the IPAM scope." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the IPAM scope." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the IPAM scope.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name" ], "type": "object" }, "ILifecycleRule": { "additionalProperties": false, "description": "## S3 Bucket Lifecycle Rule Configuration\n\nDefines lifecycle management rules for S3 buckets to automatically transition objects between storage classes and manage object expiration. 
Lifecycle rules help optimize storage costs and manage data retention policies.\n\n### Key Features\n\n- **Cost Optimization**: Automatically transition objects to cheaper storage classes\n- **Data Management**: Set expiration policies for automatic cleanup\n- **Version Control**: Manage current and non-current object versions separately\n- **Prefix Filtering**: Apply rules to specific object prefixes or entire buckets\n\n### Usage Example\n\n```yaml lifecycleRules: - enabled: true id: LogsLifecycle abortIncompleteMultipartUpload: 7 expiration: 2555 # ~7 years expiredObjectDeleteMarker: false noncurrentVersionExpiration: 365 transitions: - storageClass: STANDARD_IA transitionAfter: 30 - storageClass: GLACIER transitionAfter: 365 prefix: logs/\n\n - enabled: true id: ArchiveLifecycle expiredObjectDeleteMarker: true noncurrentVersionExpiration: 90 transitions: - storageClass: DEEP_ARCHIVE transitionAfter: 180 ```", "properties": { "abortIncompleteMultipartUpload": { "description": "**Abort Incomplete Multipart Uploads** *(Optional)*\n\nNumber of days after which incomplete multipart uploads are automatically aborted and cleaned up. This helps prevent storage costs from abandoned multipart uploads.\n\n### Benefits\n\n- **Cost Control**: Prevents charges for incomplete upload parts\n- **Storage Cleanup**: Automatically removes orphaned multipart data\n- **Operational Hygiene**: Maintains clean bucket state\n\n### Considerations\n\n- Set based on your typical upload patterns and file sizes\n- Consider network reliability and upload duration requirements\n- Balance between cost control and operational flexibility", "type": "number" }, "enabled": { "default": true, "description": "**Rule Enabled** *(Optional)*\n\nControls whether this lifecycle rule is active and enforced. 
Allows you to temporarily disable rules without removing them from the configuration.", "type": "boolean" }, "expiration": { "description": "**Object Expiration** *(Optional)*\n\nNumber of days after object creation when objects expire. In an unversioned bucket the object is permanently deleted; in a versioning-enabled bucket a delete marker is added and the previous version is retained as a non-current version. This implements automatic data retention policies and helps manage storage costs for time-sensitive data.\n\n### Use Cases\n\n- **Log Retention**: Automatically delete old log files\n- **Compliance**: Enforce data retention policies\n- **Cost Management**: Remove data that's no longer needed\n- **Regulatory Requirements**: Meet data disposal requirements\n\n### Important Considerations\n\n- **Irreversible**: In an unversioned bucket, expired objects are permanently deleted. In a versioned bucket, the data is only truly removed once `noncurrentVersionExpiration` deletes the non-current version\n- **Compliance**: Ensure retention periods meet regulatory requirements\n- **Business Needs**: Consider future data access requirements\n- **Backup Strategy**: Ensure critical data is backed up before expiration", "type": "number" }, "expiredObjectDeleteMarker": { "default": false, "description": "**Expired Object Delete Marker Cleanup** *(Optional)*\n\nControls whether S3 automatically removes delete markers that have no non-current versions. This helps clean up versioned buckets and reduce storage costs from orphaned delete markers.\n\n### Benefits When Enabled\n\n- **Cost Reduction**: Eliminates charges for orphaned delete markers\n- **Storage Optimization**: Keeps bucket metadata clean\n- **Operational Efficiency**: Reduces clutter in versioned buckets", "type": "boolean" }, "id": { "description": "**Rule Identifier** *(Optional)*\n\nUnique, human-readable name for the lifecycle rule within the bucket. Used for rule identification, management, and troubleshooting.", "type": "string" }, "noncurrentVersionExpiration": { "description": "**Non-Current Version Expiration** *(Optional)*\n\nNumber of days after an object version becomes non-current when it should be permanently deleted. 
This manages storage costs for versioned buckets by cleaning up old object versions.\n\n### Considerations\n\n- **Recovery Needs**: Balance cost vs. ability to recover old versions\n- **Compliance**: Some regulations require version retention\n- **Storage Costs**: Non-current versions incur full storage charges\n- **Access Patterns**: Consider how often old versions are accessed", "type": "number" }, "noncurrentVersionTransitions": { "description": "**Non-Current Version Transitions** *(Optional)*\n\nArray of transition rules that specify when non-current object versions should move to different storage classes. This optimizes costs for versioned buckets by moving old versions to cheaper storage.\n\n### Storage Class Optimization\n\nNon-current versions are typically accessed less frequently than current versions, making them ideal candidates for cheaper storage classes.", "items": { "$ref": "#/definitions/ITransition" }, "type": "array" }, "prefix": { "$ref": "#/definitions/NonEmptyString", "default": "undefined (applies to all objects in the bucket)", "description": "**Object Key Prefix Filter** *(Optional)*\n\nObject key prefix that identifies which objects this lifecycle rule applies to. When specified, the rule only affects objects whose keys start with this prefix. When omitted, the rule applies to all objects in the bucket.\n\n\n### Best Practices\n\n- Use consistent prefix naming conventions\n- Design prefixes to support different lifecycle needs\n- Consider future organizational changes\n- Document prefix meanings and purposes" }, "transitions": { "description": "**Current Version Transitions** *(Optional)*\n\nArray of transition rules that specify when current objects should move to different storage classes. 
This implements cost optimization strategies based on data access patterns and age.\n\n### Cost Optimization Strategy\n\nDesign transitions based on your data access patterns:\n- **Frequently Accessed**: Keep in Standard storage\n- **Infrequently Accessed**: Transition to Standard-IA\n- **Archive Data**: Move to Glacier or Deep Archive\n- **Long-term Retention**: Use Deep Archive for lowest cost", "items": { "$ref": "#/definitions/ITransition" }, "type": "array" } }, "type": "object" }, "ILoadBalancersConfig": { "additionalProperties": false, "description": "Use this configuration to define Application Load Balancers (ALBs) or\nNetwork Load Balancers (NLBs) to be deployed in the specified VPC subnets.", "properties": { "applicationLoadBalancers": { "description": "(OPTIONAL) An array of Application Load Balancer (ALB) configurations. Use this property to define ALBs to be deployed in the specified VPC subnets.", "items": { "$ref": "#/definitions/IApplicationLoadBalancerConfig" }, "type": "array" }, "networkLoadBalancers": { "description": "(OPTIONAL) An array of Network Load Balancer (NLB) configurations. 
Use this property to define NLBs to be deployed in the specified VPC subnets.", "items": { "$ref": "#/definitions/INetworkLoadBalancerConfig" }, "type": "array" } }, "type": "object" }, "ILocalGatewayConfig": { "additionalProperties": false, "description": "Use this configuration to reference existing local gateways for your Outposts.\nThe local gateway for your Outpost rack enables connectivity from your Outpost subnets to\nall AWS services that are available in the parent Region, in the same way that you access them from an Availability Zone subnet.", "properties": { "id": { "$ref": "#/definitions/NonEmptyString", "description": "The id for the Local Gateway" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Local Gateway" }, "routeTables": { "description": "The route tables for the Local Gateway", "items": { "$ref": "#/definitions/ILocalGatewayRouteTableConfig" }, "type": "array" } }, "required": [ "name", "id", "routeTables" ], "type": "object" }, "ILocalGatewayRouteTableConfig": { "additionalProperties": false, "description": "Use this configuration to reference route tables for your Outposts local gateway.\nOutpost subnet route tables on a rack can include a route to your on-premises network.\nThe local gateway routes this traffic for low latency routing to the on-premises network.", "properties": { "id": { "$ref": "#/definitions/NonEmptyString", "description": "The id for the Route Table" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Route Table" } }, "required": [ "name", "id" ], "type": "object" }, "INatGatewayConfig": { "additionalProperties": false, "description": "Use this configuration to define AWS-managed NAT Gateways for your VPC.\nYou can use a NAT gateway so that instances in a private subnet can connect to services outside your VPCs.", "properties": { "allocationId": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The allocation ID of 
the Elastic IP address that's associated with the NAT gateway. This allocation ID must exist in the target account the NAT gateway is deployed to." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the NAT Gateway." }, "private": { "description": "(OPTIONAL) Set `true` to define a NAT gateway with private connectivity type", "type": "boolean" }, "subnet": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the subnet for the NAT Gateway to be deployed." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the NAT Gateway.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "subnet" ], "type": "object" }, "INetworkAclConfig": { "additionalProperties": false, "description": "Use this configuration to define custom network ACLs for your VPC.\nA network ACL allows or denies specific inbound or outbound traffic at the subnet level.\nNetwork ACLs are stateless, which means that responses to allowed inbound traffic are subject\nto the rules for outbound traffic (and vice versa).\n\nThe following example shows an inbound and outbound rule that would allow\ninbound SSH traffic from the CIDR range 10.0.0.0/16.", "properties": { "inboundRules": { "description": "(OPTIONAL) A list of inbound rules to define for the Network ACL", "items": { "$ref": "#/definitions/INetworkAclInboundRuleConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the Network ACL." 
}, "outboundRules": { "description": "(OPTIONAL) A list of outbound rules to define for the Network ACL", "items": { "$ref": "#/definitions/INetworkAclOutboundRuleConfig" }, "type": "array" }, "subnetAssociations": { "description": "A list of subnets to associate with the Network ACL", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) A list of tags to attach to the Network ACL", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "subnetAssociations" ], "type": "object" }, "INetworkAclInboundRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define inbound rules for your network ACLs.\nAn inbound rule allows or denies specific inbound traffic at the subnet level.\n\nThe following example allows inbound SSH traffic from source CIDR 10.0.0.0/16:", "properties": { "action": { "$ref": "#/definitions/AllowDeny", "description": "The action for the network ACL rule." }, "fromPort": { "description": "The port to start from in the network ACL rule.", "type": "number" }, "icmp": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/IIcmpRuleConfig" } ], "description": "(OPTIONAL) The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter." }, "protocol": { "description": "The {@link https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml IANA protocol number } for the network ACL rule. You may also specify -1 for all protocols.", "type": "number" }, "rule": { "description": "The rule number for the rule. Network ACL rules are evaluated in ascending rule-number order and the first matching rule is applied, so give specific `deny` rules a lower number than any broader `allow` rule they must take precedence over.", "type": "number" }, "source": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/INetworkAclSubnetSelection" } ], "description": "The source of the network ACL rule." 
}, "toPort": { "description": "The port to end with in the network ACL rule.", "type": "number" } }, "required": [ "rule", "protocol", "action", "source" ], "type": "object" }, "INetworkAclOutboundRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define outbound rules for your network ACLs.\nAn outbound rule allows or denies specific outbound traffic at the subnet level.\n\nThe following example allows outbound TCP traffic in the ephemeral port ranges to destination CIDR 10.0.0.0/16:", "properties": { "action": { "$ref": "#/definitions/AllowDeny", "description": "The action for the network ACL rule." }, "destination": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/INetworkAclSubnetSelection" } ], "description": "The destination of the network ACL rule." }, "fromPort": { "description": "The port to start from in the network ACL rule.", "type": "number" }, "icmp": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/IIcmpRuleConfig" } ], "description": "(OPTIONAL) The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter." }, "protocol": { "description": "The {@link https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml IANA protocol number } for the network ACL rule. 
You may also specify -1 for all protocols.", "type": "number" }, "rule": { "description": "The rule number for the rule. Network ACL rules are evaluated in ascending rule-number order and the first matching rule is applied, so give specific `deny` rules a lower number than any broader `allow` rule they must take precedence over.", "type": "number" }, "toPort": { "description": "The port to end with in the network ACL rule.", "type": "number" } }, "required": [ "rule", "protocol", "action", "destination" ], "type": "object" }, "INetworkAclSubnetSelection": { "additionalProperties": false, "description": "Network ACL subnet selection configuration.\nUse this configuration to dynamically reference a subnet as a source/destination for a network ACL.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account of the subnet." }, "ipv6": { "description": "(OPTIONAL) Indicates whether to target the IPv6 CIDR associated with a subnet.", "type": "boolean" }, "region": { "description": "(OPTIONAL) The region that the subnet is located in.", "type": "string" }, "subnet": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the subnet." }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC of the subnet." } }, "required": [ "vpc", "subnet" ], "type": "object" }, "INetworkConfig": { "additionalProperties": false, "description": "Network Configuration. Used to define a network configuration for the accelerator.", "properties": { "accountVpcEndpointIds": { "additionalProperties": { "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "description": "A map between account Id and all the VPC Endpoint IDs in the account.\n\nCurrently, the dynamic values will only be loaded in FinalizeStack for SCP finalization. 
Only the account VPC endpoints referenced by ACCEL_LOOKUP in SCPs will be loaded.", "type": "object" }, "accountVpcIds": { "additionalProperties": { "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "description": "A map between account Id and all the VPC IDs in the account.\n\nCurrently, the dynamic values will only be loaded in FinalizeStack for SCP finalization. Only the account VPCs referenced by ACCEL_LOOKUP in SCPs will be loaded.", "type": "object" }, "centralNetworkServices": { "$ref": "#/definitions/ICentralNetworkServicesConfig", "description": "An optional Central Network services configuration." }, "certificates": { "description": "Certificate manager configuration", "items": { "$ref": "#/definitions/ICertificateConfig" }, "type": "array" }, "customerGateways": { "description": "An array of Customer Gateway configurations.", "items": { "$ref": "#/definitions/ICustomerGatewayConfig" }, "type": "array" }, "defaultVpc": { "$ref": "#/definitions/IDefaultVpcsConfig", "description": "A default VPC configuration." }, "dhcpOptions": { "description": "An optional list of DHCP options set configurations.", "items": { "$ref": "#/definitions/IDhcpOptsConfig" }, "type": "array" }, "directConnectGateways": { "description": "An optional array of Direct Connect Gateway configurations.", "items": { "$ref": "#/definitions/IDxGatewayConfig" }, "type": "array" }, "elbAccountIds": { "description": "An optional list of ELB account ID configurations, each pairing an account ID with a region.", "items": { "$ref": "#/definitions/IElbAccountIdsConfig" }, "type": "array" }, "endpointPolicies": { "description": "
An array of VPC endpoint policies.", "items": { "$ref": "#/definitions/IEndpointPolicyConfig" }, "type": "array" }, "firewallManagerService": { "$ref": "#/definitions/IFirewallManagerServiceConfig", "description": "Firewall manager service configuration" }, "homeRegion": { "description": "Accelerator home region name.", "type": "string" }, "prefixLists": { "description": "An optional list of prefix list set configurations.", "items": { "$ref": "#/definitions/IPrefixListConfig" }, "type": "array" }, "transitGatewayConnects": { "description": "An array of Transit Gateway Connect configurations.", "items": { "$ref": "#/definitions/ITransitGatewayConnectConfig" }, "type": "array" }, "transitGatewayPeering": { "description": "Transit Gateway peering configuration.", "items": { "$ref": "#/definitions/ITransitGatewayPeeringConfig" }, "type": "array" }, "transitGateways": { "description": "An array of Transit Gateway configurations.", "items": { "$ref": "#/definitions/ITransitGatewayConfig" }, "type": "array" }, "vpcFlowLogs": { "$ref": "#/definitions/IVpcFlowLogsConfig", "description": "A VPC flow logs configuration." 
}, "vpcPeering": { "description": "An optional list of VPC peering configurations", "items": { "$ref": "#/definitions/IVpcPeeringConfig" }, "type": "array" }, "vpcTemplates": { "description": "An optional list of VPC template configurations", "items": { "$ref": "#/definitions/IVpcTemplatesConfig" }, "type": "array" }, "vpcs": { "description": "An array of VPC configurations.", "items": { "$ref": "#/definitions/IVpcConfig" }, "type": "array" } }, "required": [ "defaultVpc", "endpointPolicies", "transitGateways", "vpcs" ], "type": "object", "patternProperties": { "^\\.": { "description": "YAML anchor" } } }, "INetworkLoadBalancerConfig": { "additionalProperties": false, "description": "Network Load Balancer configuration.", "properties": { "crossZoneLoadBalancing": { "description": "Cross Zone load balancing for Network Load Balancer.", "type": "boolean" }, "deletionProtection": { "description": "Deletion protection for Network Load Balancer.", "type": "boolean" }, "listeners": { "description": "Listeners for Network Load Balancer.", "items": { "$ref": "#/definitions/INlbListenerConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "Name for Network Load Balancer." }, "scheme": { "$ref": "#/definitions/LoadBalancerSchemeEnum", "description": "Load Balancer scheme. If undefined, the default of {@link https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_CreateLoadBalancer.html ELBv2 CreateLoadBalancer API } is used." 
}, "subnets": { "description": "Subnets to launch the Network Load Balancer in.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "subnets", "name" ], "type": "object" }, "INfwConfig": { "additionalProperties": false, "description": "Use this configuration to define Network Firewalls in your environment.\nAWS Network Firewall is a stateful, managed, network firewall and intrusion\ndetection and prevention service for your virtual private cloud (VPC) that\nyou create in Amazon Virtual Private Cloud (Amazon VPC).\nWith Network Firewall, you can filter traffic at the perimeter of your VPC.\nThis includes filtering traffic going to and coming from an internet gateway,\nNAT gateway, or over VPN or AWS Direct Connect.\n\nThe following example creates a simple Network Firewall rule group, policy,\nand firewall. The policy and rule group are shared with the entire organization.\nThe firewall endpoints are created in subnets named `Subnet-A` and `Subnet-B`\nin the VPC named `Network-Inspection`.", "properties": { "firewalls": { "description": "An array of Network Firewall firewall configurations.", "items": { "$ref": "#/definitions/INfwFirewallConfig" }, "type": "array" }, "policies": { "description": "An array of Network Firewall policy configurations.", "items": { "$ref": "#/definitions/INfwFirewallPolicyConfig" }, "type": "array" }, "rules": { "description": "An array of Network Firewall rule group configurations.", "items": { "$ref": "#/definitions/INfwRuleGroupConfig" }, "type": "array" } }, "required": [ "firewalls", "policies", "rules" ], "type": "object" }, "INfwFirewallConfig": { "additionalProperties": false, "description": "Use this configuration to define a Network Firewall firewall.\nAn AWS Network Firewall firewall connects a firewall policy,\nwhich defines network traffic monitoring and filtering behavior,\nto the VPC that you want to protect. 
The firewall configuration\nincludes specifications for the Availability Zones and subnets\nwhere the firewall endpoints are placed. It also defines high-level\nsettings like the firewall logging configuration and tagging on the AWS firewall resource.", "properties": { "deleteProtection": { "description": "(OPTIONAL) Enable for deletion protection on the firewall.", "type": "boolean" }, "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the firewall." }, "firewallPolicy": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the Network Firewall policy or ARN for an existing network firewall policy." }, "firewallPolicyChangeProtection": { "description": "(OPTIONAL) Enable to disallow firewall policy changes.", "type": "boolean" }, "loggingConfiguration": { "description": "(OPTIONAL) An array of Network Firewall logging configurations.", "items": { "$ref": "#/definitions/INfwLoggingConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the firewall." }, "subnetChangeProtection": { "description": "(OPTIONAL) Enable to disallow firewall subnet changes.", "type": "boolean" }, "subnets": { "description": "An array of the friendly names of subnets to deploy Network Firewall to.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tags for the firewall.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC to deploy Network Firewall to." } }, "required": [ "name", "firewallPolicy", "subnets", "vpc" ], "type": "object" }, "INfwFirewallPolicyConfig": { "additionalProperties": false, "description": "Use this configuration to define a Network Firewall policy.\nAn AWS Network Firewall firewall policy defines the monitoring and protection behavior\nfor a firewall. 
The details of the behavior are defined in the rule groups that you add\nto your policy, and in some policy default settings.", "properties": { "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the policy." }, "firewallPolicy": { "$ref": "#/definitions/INfwFirewallPolicyPolicyConfig", "description": "Use this property to define specific behaviors and rule groups to associate with the policy." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the policy." }, "regions": { "description": "The regions to deploy the policy to.", "items": { "type": "string" }, "type": "array" }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "tags": { "description": "(OPTIONAL) An array of tags for the policy.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "firewallPolicy", "regions" ], "type": "object" }, "INfwFirewallPolicyPolicyConfig": { "additionalProperties": false, "description": "Use this configuration to define how the Network Firewall policy will behave.\nAn AWS Network Firewall firewall policy defines the monitoring and protection behavior\nfor a firewall. The details of the behavior are defined in the rule groups that you add\nto your policy, and in some policy default settings.", "properties": { "statefulDefaultActions": { "description": "(OPTIONAL) An array of default actions to take on packets evaluated by the stateful engine.", "items": { "$ref": "#/definitions/NfwStatefulDefaultActionType" }, "type": "array" }, "statefulEngineOptions": { "$ref": "#/definitions/NfwStatefulRuleOptionsType", "description": "(OPTIONAL) Define how the stateful engine will evaluate packets." 
}, "statefulRuleGroups": { "description": "(OPTIONAL) An array of Network Firewall stateful rule group reference configurations.", "items": { "$ref": "#/definitions/INfwStatefulRuleGroupReferenceConfig" }, "type": "array" }, "statelessCustomActions": { "description": "(OPTIONAL) An array of Network Firewall custom action configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceCustomActionConfig" }, "type": "array" }, "statelessDefaultActions": { "description": "An array of default actions to take on packets evaluated by the stateless engine.", "items": { "anyOf": [ { "$ref": "#/definitions/NfwStatelessRuleActionType" }, { "$ref": "#/definitions/NonEmptyString" } ] }, "type": "array" }, "statelessFragmentDefaultActions": { "description": "An array of default actions to take on fragmented packets.", "items": { "anyOf": [ { "$ref": "#/definitions/NfwStatelessRuleActionType" }, { "$ref": "#/definitions/NonEmptyString" } ] }, "type": "array" }, "statelessRuleGroups": { "description": "(OPTIONAL) An array of Network Firewall stateless rule group reference configurations.", "items": { "$ref": "#/definitions/INfwStatelessRuleGroupReferenceConfig" }, "type": "array" } }, "required": [ "statelessDefaultActions", "statelessFragmentDefaultActions" ], "type": "object" }, "INfwLoggingConfig": { "additionalProperties": false, "description": "Use this configuration to define logging destinations for Network Firewall.\nYou can configure AWS Network Firewall logging for your firewall's stateful engine.\nLogging gives you detailed information about network traffic, including the time that\nthe stateful engine received a packet, detailed information about the packet, and any\nstateful rule action taken against the packet. The logs are published to the log destination\nthat you've configured, where you can retrieve and view them.", "properties": { "destination": { "$ref": "#/definitions/LogDestinationType", "description": "The destination service to log to." 
}, "type": { "$ref": "#/definitions/NfwLogType", "description": "The type of actions to log." } }, "required": [ "destination", "type" ], "type": "object" }, "INfwRuleGroupConfig": { "additionalProperties": false, "description": "Use this configuration to define stateful and stateless rule groups for Network Firewall.\nAn AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic.\nYou add one or more rule groups to a firewall policy as part of policy configuration.", "properties": { "capacity": { "description": "The capacity of the rule group.", "type": "number" }, "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the rule group." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the rule group." }, "regions": { "description": "The regions to deploy the rule group to.", "items": { "type": "string" }, "type": "array" }, "ruleGroup": { "$ref": "#/definitions/INfwRuleGroupRuleConfig", "description": "(OPTIONAL) A Network Firewall rule configuration." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "tags": { "description": "(OPTIONAL) An array of tags for the rule group.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "type": { "$ref": "#/definitions/NfwRuleType", "description": "The type of rules in the rule group." } }, "required": [ "name", "regions", "capacity", "type" ], "type": "object" }, "INfwRuleGroupRuleConfig": { "additionalProperties": false, "description": "Network Firewall rule group rule configuration.\nUsed to define rules for a Network Firewall rule group.", "properties": { "ruleVariables": { "$ref": "#/definitions/INfwRuleVariableConfig", "description": "A Network Firewall rule variable configuration." 
}, "rulesSource": { "$ref": "#/definitions/INfwRuleSourceConfig", "description": "A Network Firewall rule source configuration." }, "statefulRuleOptions": { "$ref": "#/definitions/NfwStatefulRuleOptionsType", "description": "A stateful rule option for the rule group." } }, "required": [ "rulesSource" ], "type": "object" }, "INfwRuleSourceConfig": { "additionalProperties": false, "description": "Network Firewall rule source configuration.\nUse this configuration to define stateful and/or stateless rules for your Network Firewall.\nThe following rules sources are supported:\n- File with list of Suricata-compatible rules\n- Domain list\n- Single Suricata-compatible rule\n- Stateful rule in IP header format\n- Stateless rules and custom actions", "properties": { "rulesFile": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Suricata rules file. Use this property to define a Suricata-compatible rules file for Network Firewall." }, "rulesSourceList": { "$ref": "#/definitions/INfwRuleSourceListConfig", "description": "(OPTIONAL) A Network Firewall rule source list configuration. Use this property to define a domain list for Network Firewall." }, "rulesString": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A Suricata-compatible stateful rule string. Use this property to define a single Suricata-compatible rule for Network Firewall." }, "statefulRules": { "description": "(OPTIONAL) An array of Network Firewall stateful rule IP header configurations. Use this property to define a stateful rule in IP header format for Network Firewall.", "items": { "$ref": "#/definitions/INfwRuleSourceStatefulRuleConfig" }, "type": "array" }, "statelessRulesAndCustomActions": { "$ref": "#/definitions/INfwStatelessRulesAndCustomActionsConfig", "description": "(OPTIONAL) A Network Firewall stateless rules and custom action configuration. Use this property to define stateless rules and custom actions for Network Firewall." 
} }, "type": "object" }, "INfwRuleSourceCustomActionConfig": { "additionalProperties": false, "description": "Use this configuration to define custom actions for Network Firewall.\nYou can optionally specify a named custom action to apply.\nFor this action, Network Firewall assigns a dimension to Amazon CloudWatch metrics\nwith the name set to CustomAction and a value that you specify.", "properties": { "actionDefinition": { "$ref": "#/definitions/INfwRuleSourceCustomActionDefinitionConfig", "description": "A Network Firewall custom action definition configuration." }, "actionName": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the custom action." } }, "required": [ "actionDefinition", "actionName" ], "type": "object" }, "INfwRuleSourceCustomActionDefinitionConfig": { "additionalProperties": false, "description": "Use this configuration to define custom CloudWatch metrics for Network Firewall.\nYou can optionally specify a named custom action to apply.\nFor this action, Network Firewall assigns a dimension to Amazon CloudWatch metrics\nwith the name set to CustomAction and a value that you specify.", "properties": { "publishMetricAction": { "$ref": "#/definitions/INfwRuleSourceCustomActionDimensionConfig", "description": "A Network Firewall custom action dimensions configuration." 
} }, "required": [ "publishMetricAction" ], "type": "object" }, "INfwRuleSourceCustomActionDimensionConfig": { "additionalProperties": false, "description": "Use this configuration to define custom action dimensions to log in CloudWatch metrics.\nYou can optionally specify a named custom action to apply.\nFor this action, Network Firewall assigns a dimension to Amazon CloudWatch metrics\nwith the name set to CustomAction and a value that you specify.", "properties": { "dimensions": { "description": "An array of values of the custom metric dimensions to log.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "dimensions" ], "type": "object" }, "INfwRuleSourceListConfig": { "additionalProperties": false, "description": "Use this configuration to define DNS domain allow and deny lists for Network Firewall.\nDomain lists allow you to configure domain name filtering for your Network Firewall.", "properties": { "generatedRulesType": { "$ref": "#/definitions/NfwGeneratedRulesType", "description": "The type of rules to generate from the source list." }, "targetTypes": { "description": "An array of protocol types to inspect.", "items": { "$ref": "#/definitions/NfwTargetType" }, "type": "array" }, "targets": { "description": "An array of target domain names.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "generatedRulesType", "targets", "targetTypes" ], "type": "object" }, "INfwRuleSourceStatefulRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define stateful rules for Network Firewall in an IP packet header format.\nThis header format can be used instead of Suricata-compatible rules to define your stateful firewall\nfiltering behavior.", "properties": { "action": { "$ref": "#/definitions/NfwStatefulRuleActionType", "description": "The action type for the stateful rule." 
}, "header": { "$ref": "#/definitions/INfwRuleSourceStatefulRuleHeaderConfig", "description": "A Network Firewall stateful rule header configuration." }, "ruleOptions": { "description": "An array of Network Firewall stateful rule options configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceStatefulRuleOptionsConfig" }, "type": "array" } }, "required": [ "action", "header", "ruleOptions" ], "type": "object" }, "INfwRuleSourceStatefulRuleHeaderConfig": { "additionalProperties": false, "description": "Use this configuration to define stateful rules for Network Firewall in an IP packet header format.\nThis header format can be used instead of Suricata-compatible rules to define your stateful firewall\nfiltering behavior.", "properties": { "destination": { "$ref": "#/definitions/NonEmptyString", "description": "The destination CIDR range to inspect for." }, "destinationPort": { "$ref": "#/definitions/NonEmptyString", "description": "The destination port or port range to inspect." }, "direction": { "$ref": "#/definitions/NfwStatefulRuleDirectionType", "description": "The direction of the traffic flow to inspect." }, "protocol": { "$ref": "#/definitions/NfwStatefulRuleProtocolType", "description": "The protocol to inspect." }, "source": { "$ref": "#/definitions/NonEmptyString", "description": "The source CIDR range to inspect for." }, "sourcePort": { "$ref": "#/definitions/NonEmptyString", "description": "The source port or port range to inspect." } }, "required": [ "destination", "destinationPort", "direction", "protocol", "source", "sourcePort" ], "type": "object" }, "INfwRuleSourceStatefulRuleOptionsConfig": { "additionalProperties": false, "description": "Network Firewall stateful rule options configuration.\nUse this configuration to specify keywords and setting metadata for stateful rules.", "properties": { "keyword": { "$ref": "#/definitions/NonEmptyString", "description": "A Suricata-compatible keyword." 
}, "settings": { "description": "An array of values for the keyword.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "keyword" ], "type": "object" }, "INfwRuleSourceStatelessMatchAttributesConfig": { "additionalProperties": false, "description": "Use this configuration to define stateless rule match attributes for Network Firewall.\nTo be a match, a packet must satisfy all of the match settings in the rule.", "properties": { "destinationPorts": { "description": "(OPTIONAL) An array of Network Firewall stateless port range configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceStatelessPortRangeConfig" }, "type": "array" }, "destinations": { "description": "(OPTIONAL) An array of destination CIDR ranges to inspect for.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "protocols": { "description": "(OPTIONAL) An array of IP protocol numbers to inspect for.", "items": { "type": "number" }, "type": "array" }, "sourcePorts": { "description": "(OPTIONAL) An array of Network Firewall stateless port range configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceStatelessPortRangeConfig" }, "type": "array" }, "sources": { "description": "(OPTIONAL) An array of source CIDR ranges to inspect for.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tcpFlags": { "description": "(OPTIONAL) An array of Network Firewall stateless TCP flag configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceStatelessTcpFlagsConfig" }, "type": "array" } }, "type": "object" }, "INfwRuleSourceStatelessPortRangeConfig": { "additionalProperties": false, "description": "Use this configuration to define a port range in stateless rules.", "properties": { "fromPort": { "description": "The port to start from in the range.", "type": "number" }, "toPort": { "description": "The port to end with in the range.", "type": "number" } }, "required": [ "fromPort", "toPort" ], "type": "object" }, 
"INfwRuleSourceStatelessRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define stateless rule for your Network Firewall.\nNetwork Firewall supports the standard stateless 5-tuple rule specification\nfor network traffic inspection. When Network Firewall finds a match between\n a rule's inspection criteria and a packet, we say that the packet matches\nthe rule and its rule group, and Network Firewall applies the rule's specified action to the packet.", "properties": { "priority": { "description": "The priority number for the rule.", "type": "number" }, "ruleDefinition": { "$ref": "#/definitions/INfwRuleSourceStatelessRuleDefinitionConfig", "description": "A Network Firewall stateless rule definition configuration." } }, "required": [ "priority", "ruleDefinition" ], "type": "object" }, "INfwRuleSourceStatelessRuleDefinitionConfig": { "additionalProperties": false, "description": "Use this configuration to define a stateless rule definition for your Network Firewall.", "properties": { "actions": { "description": "An array of actions to take using the stateless rule engine.", "items": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/NfwStatelessRuleActionType" } ] }, "type": "array" }, "matchAttributes": { "$ref": "#/definitions/INfwRuleSourceStatelessMatchAttributesConfig", "description": "A Network Firewall stateless rule match attributes configuration." 
} }, "required": [ "actions", "matchAttributes" ], "type": "object" }, "INfwRuleSourceStatelessTcpFlagsConfig": { "additionalProperties": false, "description": "Use this configuration to define TCP flags to inspect in stateless rules.\nOptional, standard TCP flag settings, which indicate which flags to inspect and the values to inspect for.", "properties": { "flags": { "description": "An array of TCP flags.", "items": { "$ref": "#/definitions/NfwStatelessRuleTcpFlagType" }, "type": "array" }, "masks": { "description": "The set of flags to consider in the inspection.", "items": { "$ref": "#/definitions/NfwStatelessRuleTcpFlagType" }, "type": "array" } }, "required": [ "flags", "masks" ], "type": "object" }, "INfwRuleVariableConfig": { "additionalProperties": false, "description": "Use this configuration to define rule variable definitions for Network Firewall.\nRule variables can be used in Suricata-compatible and domain list rule definitions.\nThey are not supported in stateful rule IP header definitions.", "properties": { "ipSets": { "anyOf": [ { "$ref": "#/definitions/INfwRuleVariableDefinitionConfig" }, { "items": { "$ref": "#/definitions/INfwRuleVariableDefinitionConfig" }, "type": "array" } ], "description": "A Network Firewall rule variable definition configuration." }, "portSets": { "anyOf": [ { "$ref": "#/definitions/INfwRuleVariableDefinitionConfig" }, { "items": { "$ref": "#/definitions/INfwRuleVariableDefinitionConfig" }, "type": "array" } ], "description": "A Network Firewall rule variable definition configuration." 
} }, "required": [ "ipSets", "portSets" ], "type": "object" }, "INfwRuleVariableDefinitionConfig": { "additionalProperties": false, "description": "Use this configuration to define rule variable definitions for Network Firewall.\nRule variables can be used in Suricata-compatible and domain list rule definitions.\nThey are not supported in stateful rule IP header definitions.", "properties": { "definition": { "description": "An array of values for the rule variable.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A name for the rule variable." } }, "required": [ "name", "definition" ], "type": "object" }, "INfwStatefulRuleGroupReferenceConfig": { "additionalProperties": false, "description": "Network Firewall stateful rule group reference configuration.\nUse this configuration to reference a stateful rule group in a Network Firewall policy.", "properties": { "managedStatefulRuleGroupName": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Specifies the name of an AWS Managed Rule Group. AWS Managed Rule Groups are predefined, ready-to-use collections of rules that are written and maintained by AWS.\n\nNote: For each entry, you must specify either this property or the `name` property, which references a custom rule group defined in network-config.yaml." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the rule group." 
}, "priority": { "description": "(OPTIONAL) If using strict ordering, a priority number for the rule.", "type": "number" } }, "type": "object" }, "INfwStatelessRuleGroupReferenceConfig": { "additionalProperties": false, "description": "Network Firewall stateless rule group reference configuration.\nUse this configuration to reference a stateless rule group in a Network Firewall policy.", "properties": { "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the rule group." }, "priority": { "description": "A priority number for the rule.", "type": "number" } }, "required": [ "name", "priority" ], "type": "object" }, "INfwStatelessRulesAndCustomActionsConfig": { "additionalProperties": false, "description": "Use this configuration to define stateless rules and custom actions for Network Firewall.", "properties": { "customActions": { "description": "An array of Network Firewall custom action configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceCustomActionConfig" }, "type": "array" }, "statelessRules": { "description": "An array of Network Firewall stateless rule configurations.", "items": { "$ref": "#/definitions/INfwRuleSourceStatelessRuleConfig" }, "type": "array" } }, "required": [ "statelessRules" ], "type": "object" }, "INlbListenerConfig": { "additionalProperties": false, "description": "Application Load Balancer listener config. Currently only action type of `forward`, `redirect` and `fixed-response` is allowed.", "properties": { "alpnPolicy": { "$ref": "#/definitions/AlpnPolicyEnum", "description": "Application-Layer Protocol Negotiation (ALPN) policy for TLS encrypted traffic" }, "certificate": { "$ref": "#/definitions/NonEmptyString", "description": "ACM ARN of the certificate to be associated with the listener." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "Name for Listener." 
}, "port": { "description": "Port where the traffic is directed to.", "type": "number" }, "protocol": { "$ref": "#/definitions/NlbProtocolEnum", "description": "Protocol used for the traffic. The supported protocols are TCP, TLS, UDP, or TCP_UDP." }, "sslPolicy": { "$ref": "#/definitions/SslPolicyNlbEnum", "description": "SSL policy for TLS encrypted traffic" }, "targetGroup": { "$ref": "#/definitions/NonEmptyString", "description": "Target Group to direct the traffic to." } }, "required": [ "name", "targetGroup" ], "type": "object" }, "INlbTargetType": { "additionalProperties": false, "description": "The codes to use when checking for a successful response from a target. If the protocol version is gRPC, these are gRPC codes. Otherwise, these are HTTP codes.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "Friendly Account Name where the NLB is deployed" }, "nlbName": { "$ref": "#/definitions/NonEmptyString", "description": "Friendly name of the NLB" }, "region": { "$ref": "#/definitions/NonEmptyString", "description": "Region where the NLB is deployed" } }, "required": [ "account", "region", "nlbName" ], "type": "object" }, "IOutpostsConfig": { "additionalProperties": false, "description": "Use this configuration to reference Outposts that exist in your environment.\nAWS Outposts enables customers to build and run applications on premises using the same\nprogramming interfaces as in AWS Regions, while using local compute and storage resources\nfor lower latency and local data processing needs.", "properties": { "arn": { "$ref": "#/definitions/NonEmptyString", "description": "The ARN for the Outpost" }, "availabilityZone": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "type": "number" } ], "description": "The availability zone where the Outpost resides" }, "localGateway": { "$ref": "#/definitions/ILocalGatewayConfig", "description": "The Local Gateway configuration for the Outpost" }, "name": { "$ref": 
"#/definitions/NonEmptyString", "description": "A friendly name for the Outpost" } }, "required": [ "name", "arn", "availabilityZone" ], "type": "object" }, "IPhase1Config": { "additionalProperties": false, "description": "Internet Key Exchange (IKE) Phase 1 tunnel options configuration.\nUse this configuration to restrict the permitted Diffie-Hellman group numbers, encryption algorithms, and integrity algorithms for IKE Phase 1 negotiations.\nYou may also modify the Phase 1 lifetime for the VPN tunnel.", "properties": { "dhGroups": { "description": "(OPTIONAL) An array of permitted Diffie-Hellman group numbers used in the IKE Phase 1 for initial authentication.\n\nDefault - `[2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]`", "items": { "$ref": "#/definitions/Phase1DhGroupType" }, "type": "array" }, "encryptionAlgorithms": { "description": "(OPTIONAL) An array of encryption algorithms permitted for IKE Phase 1 negotiations.\n\nDefault - `[AES128, AES256, AES128-GCM-16, AES256-GCM-16]`", "items": { "$ref": "#/definitions/EncryptionAlgorithmType" }, "type": "array" }, "integrityAlgorithms": { "description": "(OPTIONAL) An array of integrity algorithms permitted for IKE Phase 1 negotiations.\n\nDefault - `[SHA1, SHA2-256, SHA2-384, SHA2-512]`", "items": { "$ref": "#/definitions/IntegrityAlgorithmType" }, "type": "array" }, "lifetimeSeconds": { "description": "(OPTIONAL) The IKE Phase 1 lifetime (in seconds) for the VPN tunnel.\n\nDefault: `28800` (8 hours)", "type": "number" } }, "type": "object" }, "IPhase2Config": { "additionalProperties": false, "description": "Internet Key Exchange (IKE) Phase 2 tunnel options configuration.\nUse this configuration to restrict the permitted Diffie-Hellman group numbers, encryption algorithms, and integrity algorithms for IKE Phase 2 negotiations.\nYou may also modify the Phase 2 lifetime for the VPN tunnel.", "properties": { "dhGroups": { "description": "(OPTIONAL) An array of permitted Diffie-Hellman group numbers used in the IKE 
Phase 2 negotiations.\n\nDefault - `[2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]`", "items": { "$ref": "#/definitions/Phase2DhGroupType" }, "type": "array" }, "encryptionAlgorithms": { "description": "(OPTIONAL) An array of encryption algorithms permitted for IKE Phase 2 negotiations.\n\nDefault - `[AES128, AES256, AES128-GCM-16, AES256-GCM-16]`", "items": { "$ref": "#/definitions/EncryptionAlgorithmType" }, "type": "array" }, "integrityAlgorithms": { "description": "(OPTIONAL) An array of integrity algorithms permitted for IKE Phase 2 negotiations.\n\nDefault - `[SHA1, SHA2-256, SHA2-384, SHA2-512]`", "items": { "$ref": "#/definitions/IntegrityAlgorithmType" }, "type": "array" }, "lifetimeSeconds": { "description": "(OPTIONAL) The IKE Phase 2 lifetime (in seconds) for the VPN tunnel.\n\nDefault: `3600` (1 hour)", "type": "number" } }, "type": "object" }, "IPrefixListConfig": { "additionalProperties": false, "description": "Use this configuration to define custom prefix lists for your environment.\nA managed prefix list is a set of one or more CIDR blocks.\nYou can use prefix lists to make it easier to configure and maintain your security groups and route tables.\n\nThe following example creates a prefix list named `accelerator-pl` that may contain up to 10 entries.\nThe prefix list is deployed to all accounts in the organization.", "properties": { "accounts": { "description": "(DEPRECATED) An array of friendly names for the accounts the prefix list is deployed.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "addressFamily": { "$ref": "#/definitions/IpAddressFamilyType", "description": "The IP address family of the prefix list." 
}, "deploymentTargets": { "$ref": "#/definitions/IDeploymentTargets", "description": "Prefix List deployment targets" }, "entries": { "description": "An array of CIDR entries for the prefix list.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "maxEntries": { "description": "The maximum allowed entries in the prefix list.", "type": "number" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the prefix list." }, "regions": { "description": "(DEPRECATED) An array of region names for the prefix list to be deployed.", "items": { "type": "string" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the prefix list.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "addressFamily", "maxEntries", "entries" ], "type": "object" }, "IPrefixListSourceConfig": { "additionalProperties": false, "description": "Prefix list security group source configuration.\nUse this configuration to define a custom prefix list as a source in a security group rule.", "properties": { "prefixLists": { "description": "An array of the friendly names of prefix lists to reference.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "prefixLists" ], "type": "object" }, "IResolverConfig": { "additionalProperties": false, "description": "Use this configuration to define several features of Route 53 resolver, including resolver endpoints,\nDNS firewall rule groups, and DNS query logs.\nAmazon Route 53 Resolver responds recursively to DNS queries from AWS resources for public records,\nAmazon VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in all VPCs.", "properties": { "endpoints": { "description": "(OPTIONAL) An array of Route 53 resolver endpoint configurations.", "items": { "$ref": "#/definitions/IResolverEndpointConfig" }, "type": "array" }, "firewallRuleGroups": { "description": 
"(OPTIONAL) An array of Route 53 DNS firewall rule group configurations.", "items": { "$ref": "#/definitions/IDnsFirewallRuleGroupConfig" }, "type": "array" }, "queryLogs": { "$ref": "#/definitions/IDnsQueryLogsConfig", "description": "(OPTIONAL) A Route 53 resolver DNS query logging configuration." }, "rules": { "description": "(OPTIONAL) An array of Route 53 resolver rules.", "items": { "$ref": "#/definitions/IResolverRuleConfig" }, "type": "array" } }, "type": "object" }, "IResolverEndpointConfig": { "additionalProperties": false, "description": "Use this configuration to define inbound and outbound resolver endpoints.\nRoute 53 Resolver contains endpoints that you configure to answer DNS queries to\nand from your on-premises environment.", "properties": { "allowedCidrs": { "description": "(OPTIONAL) The allowed ingress/egress CIDRs for the resolver endpoint security group.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the resolver endpoint." 
}, "protocols": { "description": "(OPTIONAL) An array of DNS Queries over HTTPS (DoH) Protocols to apply to the Route 53 Resolver Endpoints.", "items": { "$ref": "#/definitions/ResolverProtocol" }, "type": "array" }, "rules": { "description": "(OPTIONAL) An array of resolver rule configurations for the endpoint.", "items": { "$ref": "#/definitions/IResolverRuleConfig" }, "type": "array" }, "subnets": { "description": "An array of friendly names for subnets to deploy the resolver endpoint to.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tags for the resolver endpoint.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "type": { "$ref": "#/definitions/ResolverEndpointType", "description": "The type of resolver endpoint to deploy.\n\nINBOUND: allows DNS queries to your VPC from your network\n\nOUTBOUND: allows DNS queries from your VPC to your network" }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC to deploy the resolver endpoint to." } }, "required": [ "name", "type", "vpc", "subnets" ], "type": "object" }, "IResolverRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define resolver SYSTEM and FORWARD rules for your resolver.\nIf you want Resolver to forward queries for specified domain names to your network,\nyou create one forwarding rule for each domain name and specify the name of the\ndomain for which you want to forward queries.", "properties": { "domainName": { "$ref": "#/definitions/NonEmptyString", "description": "The domain name for the resolver rule." }, "excludedRegions": { "description": "(OPTIONAL) Regions to exclude from SYSTEM rule deployment.", "items": { "type": "string" }, "type": "array" }, "inboundEndpointTarget": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of an inbound endpoint to target." 
}, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the resolver rule." }, "ruleType": { "$ref": "#/definitions/RuleType", "description": "(OPTIONAL) The type of rule to create." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "tags": { "description": "(OPTIONAL) An array of tags for the resolver rule.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "targetIps": { "description": "(OPTIONAL) An array of target IP configurations for the resolver rule.", "items": { "$ref": "#/definitions/IRuleTargetIps" }, "type": "array" } }, "required": [ "name", "domainName" ], "type": "object" }, "IRouteTableConfig": { "additionalProperties": false, "description": "Use this configuration to define custom route tables for your VPC.\nRoute tables contain a set of rules, called routes, to determine where network traffic from a subnet or gateway is directed.", "properties": { "gatewayAssociation": { "$ref": "#/definitions/GatewayRouteTableType", "description": "Designate a gateway to associate this route table with." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the VPC route table." 
}, "routes": { "description": "An array of VPC route table entry configuration objects.", "items": { "$ref": "#/definitions/IRouteTableEntryConfig" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the VPC route table.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name" ], "type": "object" }, "IRouteTableEntryConfig": { "additionalProperties": false, "description": "Use this configuration to define static route entries in a VPC subnet or gateway route table.\nStatic routes are used to determine traffic flow from your subnet to a defined destination address and target.", "properties": { "destination": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The destination IPv4 CIDR block or dynamic subnet reference for the route table entry." }, "destinationPrefixList": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of the destination prefix list for the route table entry." }, "ipv6Destination": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The destination IPv6 CIDR block or dynamic subnet reference for the route table entry." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the route table entry." }, "target": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the destination target." }, "targetAvailabilityZone": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "type": "number" } ], "description": "The Availability Zone (AZ) the target resides in." }, "type": { "$ref": "#/definitions/RouteTableEntryType", "description": "The destination type of route table entry." 
} }, "required": [ "name" ], "type": "object" }, "IRuleTargetIps": { "additionalProperties": false, "properties": { "ip": { "$ref": "#/definitions/NonEmptyString" }, "port": { "$ref": "#/definitions/NonEmptyString" } }, "required": [ "ip" ], "type": "object" }, "ISecurityGroupConfig": { "additionalProperties": false, "description": "Use this configuration to define security groups in your VPC.\nA security group acts as a firewall that controls the traffic\nallowed to and from the resources in your VPC.\nYou can choose the ports and protocols to allow for inbound and outbound traffic.\n\nThe following example creates a security group that allows inbound RDP and SSH traffic from source CIDR 10.0.0.0/16.\nIt also allows all outbound traffic.", "properties": { "description": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) A description for the security group." }, "inboundRules": { "description": "An array of security group rule configurations for ingress rules.", "items": { "$ref": "#/definitions/ISecurityGroupRuleConfig" }, "type": "array" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the security group." }, "outboundRules": { "description": "An array of security group rule configurations for egress rules.", "items": { "$ref": "#/definitions/ISecurityGroupRuleConfig" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the security group.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "inboundRules", "outboundRules" ], "type": "object" }, "ISecurityGroupRuleConfig": { "additionalProperties": false, "description": "Use this configuration to define ingress and egress rules for your security groups.\nThe rules of a security group control the inbound traffic that's allowed to reach the resources\nthat are associated with the security group. 
The rules also control the outbound traffic that's\nallowed to leave them.", "properties": { "description": { "$ref": "#/definitions/NonEmptyString", "description": "A description for the security group rule." }, "fromPort": { "description": "(OPTIONAL) The port to start from in the security group rule.", "type": "number" }, "ipProtocols": { "description": "(OPTIONAL) An array of custom IP protocols for the security group rule.", "items": { "type": "string" }, "type": "array" }, "sources": { "description": "An array of sources for the security group rule. A plain string source is a CIDR block; use the subnet, security group or prefix list source objects to reference other resources. Avoid `0.0.0.0/0` or `::/0` in inbound rules unless exposure to the internet is intended.", "items": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/ISubnetSourceConfig" }, { "$ref": "#/definitions/ISecurityGroupSourceConfig" }, { "$ref": "#/definitions/IPrefixListSourceConfig" } ] }, "type": "array" }, "tcpPorts": { "description": "(OPTIONAL) An array of TCP ports to include in the security group rule.", "items": { "type": "number" }, "type": "array" }, "toPort": { "description": "(OPTIONAL) The port to end with in the security group rule.", "type": "number" }, "types": { "description": "(OPTIONAL) An array of port/protocol types to include in the security group rule.", "items": { "$ref": "#/definitions/SecurityGroupRuleType" }, "type": "array" }, "udpPorts": { "description": "(OPTIONAL) An array of UDP ports to include in the security group rule.", "items": { "type": "number" }, "type": "array" } }, "required": [ "description", "sources" ], "type": "object" }, "ISecurityGroupSourceConfig": { "additionalProperties": false, "description": "Security group source configuration.\nUse this configuration to define a security group as a source of a security group rule.", "properties": { "securityGroups": { "description": "An array of the friendly names of security groups to reference.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "securityGroups" ], "type": "object" }, "IShareTargets": { "additionalProperties": false, 
"description": "## Resource Access Manager (RAM) Share Targets Interface\n\nInterface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.\n\n### Key Features\n\n- **Cross-Account Sharing**: Share resources across multiple AWS accounts\n- **OU-Level Sharing**: Share with entire organizational units at once\n- **Centralized Management**: Manage shared resources from a central account\n- **Cost Optimization**: Avoid resource duplication across accounts\n- **Security**: Maintain resource ownership while enabling controlled access\n\n### Example\n\n```yaml shareTargets: organizationalUnits: - Root ```\n\nLearn more about [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).", "properties": { "accounts": { "description": "**Target Accounts** *(Optional)*\n\nList of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.", "items": { "type": "string" }, "type": "array" }, "organizationalUnits": { "description": "**Organizational Units** *(Optional)*\n\nList of organizational unit names that should receive access to the shared resource. 
When specified, all accounts within these OUs will be able to consume the shared resource.", "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "ISubnetConfig": { "additionalProperties": false, "description": "Use this configuration to define subnets for your VPC.\nA subnet is a range of IP addresses in your VPC that can be used to create AWS resources, such as EC2 instances.", "properties": { "assignIpv6OnCreation": { "description": "(OPTIONAL) Indicates whether a network interface created in this subnet receives an IPv6 address on creation.", "type": "boolean" }, "availabilityZone": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "type": "number" } ], "description": "The Availability Zone (AZ) the subnet resides in." }, "enableDns64": { "description": "(OPTIONAL) Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.\n\nFor more information, see {@link https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64 DNS64 and NAT64 } in the Amazon Virtual Private Cloud User Guide.", "type": "boolean" }, "ipamAllocation": { "$ref": "#/definitions/IIpamAllocationConfig", "description": "The IPAM pool configuration for the subnet." }, "ipv4CidrBlock": { "$ref": "#/definitions/NonEmptyString", "description": "The IPv4 CIDR block to associate with the subnet." }, "ipv6CidrBlock": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The IPv6 CIDR block to associate with the subnet." }, "localZone": { "$ref": "#/definitions/NonEmptyString", "description": "The Zone ID of the local zone." }, "mapPublicIpOnLaunch": { "description": "(OPTIONAL) Configure automatic mapping of public IPs. When set to true, instances launched into this subnet receive a public IPv4 address on launch; leave this disabled for private subnets so that workloads are not unintentionally exposed to the internet.", "type": "boolean" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the VPC subnet." 
}, "outpost": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name for the outpost to attach to the subnet" }, "privateDnsOptions": { "$ref": "#/definitions/ISubnetPrivateDnsConfig", "description": "(OPTIONAL) Private DNS name options for the subnet." }, "routeTable": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the route table to associate with the subnet." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the VPC subnet.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name" ], "type": "object" }, "ISubnetPrivateDnsConfig": { "additionalProperties": false, "description": "Use this configuration to define custom DNS name settings for your VPC subnets.", "properties": { "enableDnsAAAARecord": { "default": false, "description": "(OPTIONAL) Indicates whether to respond to DNS queries for instance hostname with DNS AAAA records.", "type": "boolean" }, "enableDnsARecord": { "default": false, "description": "(OPTIONAL) Indicates whether to respond to DNS queries for instance hostnames with DNS A records.", "type": "boolean" }, "hostnameType": { "description": "The type of hostname for EC2 instances.", "enum": [ "ip-name", "resource-name" ], "type": "string" } }, "type": "object" }, "ISubnetSourceConfig": { "additionalProperties": false, "description": "VPC subnet security group source configuration.\nUse this configuration to dynamically reference subnet CIDRs in a security group rule.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account in which the VPC subnet resides." 
}, "ipv6": { "description": "(OPTIONAL) Indicates whether to target the IPv6 CIDR associated with a subnet.", "type": "boolean" }, "subnets": { "description": "An array of the friendly names of subnets to reference.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC in which the subnet resides." } }, "required": [ "account", "vpc", "subnets" ], "type": "object" }, "ITag": { "additionalProperties": false, "description": "## AWS Resource Tag Configuration\n\nDefines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.\n\n### Key Features\n\n- **Resource Organization**: Group and categorize resources logically\n- **Cost Allocation**: Track costs by project, department, or environment\n- **Access Control**: Use tags in IAM policies for conditional access\n- **Automation**: Trigger automated actions based on tag values\n- **Compliance**: Meet organizational and regulatory tagging requirements\n\n### Example\n\n```yaml tags: - key: Environment value: Production - key: Project value: WebApplication - key: Owner value: Platform-Team - key: CostCenter value: Engineering - key: Backup value: Daily ```", "properties": { "key": { "description": "**Tag Key** *(Required)*\n\nThe tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.", "type": "string" }, "value": { "description": "**Tag Value** *(Required)*\n\nThe tag value that provides the actual metadata content for the tag key. 
Values should be meaningful and follow organizational standards.", "type": "string" } }, "required": [ "key", "value" ], "type": "object" }, "ITargetGroupAttributeTypes": { "additionalProperties": false, "description": "Set attributes for target group.", "properties": { "algorithm": { "$ref": "#/definitions/TargetGroupAttributeAlgorithm", "description": "The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin. The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address." }, "appCookieDuration": { "description": "The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.", "type": "number" }, "appCookieName": { "$ref": "#/definitions/NonEmptyString", "description": "Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: AWSALB, AWSALBAPP, and AWSALBTG; they're reserved for use by the load balancer. The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address." }, "connectionTermination": { "description": "Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is true or false. The default is false. 
The following attribute is supported only by Network Load Balancers.", "type": "boolean" }, "deregistrationDelay": { "description": "The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.", "type": "number" }, "lbCookieDuration": { "description": "The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.", "type": "number" }, "preserveClientIp": { "description": "Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. The following attribute is supported only by Network Load Balancers.", "type": "boolean" }, "proxyProtocolV2": { "description": "Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.", "type": "boolean" }, "slowStart": { "description": "The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). 
The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.", "type": "number" }, "stickiness": { "description": "Indicates whether target stickiness is enabled. The value is true or false. The default is false.", "type": "boolean" }, "stickinessType": { "$ref": "#/definitions/TargetGroupAttributeStickinessType", "description": "Indicates the type of stickiness. The possible values are: - lb_cookie and app_cookie for Application Load Balancers. - source_ip for Network Load Balancers. - source_ip_dest_ip and source_ip_dest_ip_proto for Gateway Load Balancers" }, "targetFailover": { "$ref": "#/definitions/TargetGroupTargetFailoverType", "description": "Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered or becomes unhealthy. The possible values are rebalance and no_rebalance. The default is no_rebalance" } }, "type": "object" }, "ITargetGroupHealthCheckType": { "additionalProperties": false, "description": "Configure health check for target group.", "properties": { "interval": { "description": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds.", "type": "number" }, "path": { "$ref": "#/definitions/NonEmptyString", "description": "[HTTP/HTTPS health checks] The destination for health checks on the targets. [HTTP1 or HTTP2 protocol version] The ping path. The default is /. [GRPC protocol version] The path of a custom health check method with the format /package.service/method. The default is /AWS.ALB/healthcheck." }, "port": { "description": "The port the load balancer uses when performing health checks on targets. 
If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is `traffic-port`, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80.", "type": "number" }, "protocol": { "$ref": "#/definitions/TargetGroupHealthCheckProtocolType", "description": "The protocol the load balancer uses when performing health checks on targets. For Application Load Balancers, the default is HTTP. For Network Load Balancers and Gateway Load Balancers, the default is TCP. The TCP protocol is not supported for health checks if the protocol of the target group is HTTP or HTTPS. GENEVE, TLS, UDP, and TCP_UDP protocols are not supported for health checks." }, "timeout": { "description": "The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2–120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds.", "type": "number" } }, "type": "object" }, "ITargetGroupItem": { "additionalProperties": false, "description": "Target Group Configuration", "properties": { "attributes": { "$ref": "#/definitions/ITargetGroupAttributeTypes", "description": "Target Group Attributes." }, "healthCheck": { "$ref": "#/definitions/ITargetGroupHealthCheckType", "description": "Target Group HealthCheck." }, "matcher": { "$ref": "#/definitions/ITargetGroupMatcherType", "description": "The HTTP or gRPC codes to use when checking for a successful response from a target. For target groups with a protocol of TCP, TCP_UDP, UDP or TLS the range is 200-599. For target groups with a protocol of HTTP or HTTPS, the range is 200-499." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the target group. 
This value is used in {@link ApplicationLoadBalancerListenerConfig Application Load Balancer listeners } , {@link NetworkLoadBalancerListenerConfig Network Load Balancer listeners } , and {@link AutoScalingConfig Autoscaling config } ." }, "port": { "description": "The port on which the targets receive traffic.", "type": "number" }, "protocol": { "$ref": "#/definitions/TargetGroupProtocolType", "description": "Target group protocol. Should be one of HTTP, HTTPS, GENEVE, TCP, UDP, TCP_UDP or TLS. This is the protocol used for routing traffic to the targets. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, or TCP_UDP. A TCP_UDP listener must be associated with a TCP_UDP target group. For Gateway Load Balancers, the supported protocol is GENEVE." }, "protocolVersion": { "$ref": "#/definitions/TargetGroupProtocolVersionType", "description": "The protocol version. Should be one of 'GRPC', 'HTTP1', 'HTTP2'. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "The accounts/OUs where the Target Group will be deployed." }, "targets": { "description": "Target group targets. These targets should be the friendly names assigned to firewall instances.", "items": { "anyOf": [ { "$ref": "#/definitions/NonEmptyString" }, { "$ref": "#/definitions/INlbTargetType" } ] }, "type": "array" }, "threshold": { "$ref": "#/definitions/ITargetGroupThresholdType", "description": "Target Group Threshold." }, "type": { "$ref": "#/definitions/TargetGroupType", "description": "The type of target that you must specify when registering targets with this target group. You can't specify targets for a target group using more than one target type.\n- `instance` - Register targets by instance ID. 
This is the default value.\n- `ip` - Register targets by IP address. You can specify IP addresses from the subnets of the virtual private cloud (VPC) for the target group, the RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), and the RFC 6598 range (100.64.0.0/10). You can't specify publicly routable IP addresses.\n- `alb` - Register a single Application Load Balancer as a target." } }, "required": [ "name", "port", "protocol", "type" ], "type": "object" }, "ITargetGroupMatcherType": { "additionalProperties": false, "description": "Configure the HTTP or gRPC response codes that the health check treats as a successful response from a target.", "properties": { "grpcCode": { "$ref": "#/definitions/NonEmptyString", "description": "You can specify values between 0 and 99. You can specify multiple values (for example, \"0,1\") or a range of values (for example, \"0-5\"). The default value is 12." }, "httpCode": { "$ref": "#/definitions/NonEmptyString", "description": "For Application Load Balancers, you can specify values between 200 and 499, with the default value being 200. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). For Network Load Balancers, you can specify values between 200 and 599, with the default value being 200-399. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). Note that when using shorthand syntax, some values such as commas need to be escaped." } }, "type": "object" }, "ITargetGroupThresholdType": { "additionalProperties": false, "description": "Configure health check threshold for target group.", "properties": { "healthy": { "description": "The number of consecutive health check successes required before considering a target healthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 5. 
For target groups with a protocol of GENEVE, the default is 3.", "type": "number" }, "unhealthy": { "description": "The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 3.", "type": "number" } }, "type": "object" }, "ITransitGatewayAttachmentConfig": { "additionalProperties": false, "description": "Use this configuration to define a Transit Gateway attachment to your VPC.\nTransit Gateway attachments allow you to interconnect your virtual private clouds (VPCs) and on-premises networks.\nDefining a VPC attachment deploys an elastic network interface within VPC subnets,\nwhich is then used by the transit gateway to route traffic to and from the chosen subnets.", "properties": { "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Transit Gateway attachment." }, "options": { "$ref": "#/definitions/ITransitGatewayAttachmentOptionsConfig", "description": "(OPTIONAL) A Transit Gateway attachment options configuration." 
}, "routeTableAssociations": { "description": "The friendly name of a Transit Gateway route table to associate the attachment to.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "routeTablePropagations": { "description": "An array of friendly names of Transit Gateway route tables to propagate the attachment.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "subnets": { "description": "An array of the friendly names of VPC subnets for the attachment to be deployed.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the Transit Gateway attachment.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "transitGateway": { "$ref": "#/definitions/ITransitGatewayAttachmentTargetConfig", "description": "A Transit Gateway attachment target configuration object." } }, "required": [ "name", "transitGateway", "subnets" ], "type": "object" }, "ITransitGatewayAttachmentOptionsConfig": { "additionalProperties": false, "description": "Used to specify advanced options for the VPC attachment.", "properties": { "applianceModeSupport": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable to configure appliance mode for the attachment. This option is disabled by default." }, "dnsSupport": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable to configure DNS support for the attachment. This option is enabled by default." }, "ipv6Support": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable to configure IPv6 support for the attachment. This option is disabled by default." }, "securityGroupReferencingSupport": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable security group referencing support for the attachment. This option is disabled by default." 
} }, "type": "object" }, "ITransitGatewayAttachmentTargetConfig": { "additionalProperties": false, "description": "Use this configuration to target a Transit Gateway when defining an attachment for your VPC.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account for the attachment target Transit Gateway." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the attachment target Transit Gateway." } }, "required": [ "name", "account" ], "type": "object" }, "ITransitGatewayConfig": { "additionalProperties": false, "description": "Use this configuration to define Transit Gateways for your environment.\nA transit gateway acts as a virtual router for traffic flowing between your virtual private clouds (VPCs) and on-premises networks.\n\nThe following example creates a TGW called Network-Main in the Network account in the us-east-1 region.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account to deploy the Transit Gateway." }, "asn": { "description": "A Border Gateway Protocol (BGP) Autonomous System Number (ASN).", "type": "number" }, "autoAcceptSharingAttachments": { "$ref": "#/definitions/EnableDisable", "description": "Enable this option to automatically accept cross-account attachments. When enabled, attachment requests from accounts that the Transit Gateway is shared with are accepted without manual approval; keep it disabled if attachments should be reviewed before they can route traffic through the Transit Gateway." }, "defaultRouteTableAssociation": { "$ref": "#/definitions/EnableDisable", "description": "Configure default route table association." }, "defaultRouteTablePropagation": { "$ref": "#/definitions/EnableDisable", "description": "Configure default route table propagation." }, "dnsSupport": { "$ref": "#/definitions/EnableDisable", "description": "Configure DNS support between VPCs." }, "multicastSupport": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable this option to turn on multicast on the Transit Gateway." 
}, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Transit Gateway." }, "region": { "description": "The region name to deploy the Transit Gateway.", "type": "string" }, "routeTables": { "description": "An array of Transit Gateway route table configuration objects.", "items": { "$ref": "#/definitions/ITransitGatewayRouteTableConfig" }, "type": "array" }, "securityGroupReferencingSupport": { "$ref": "#/definitions/EnableDisable", "description": "(OPTIONAL) Enable security group referencing support for the Transit Gateway." }, "shareTargets": { "$ref": "#/definitions/IShareTargets", "description": "(OPTIONAL) Resource Access Manager (RAM) share targets." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the Transit Gateway.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "transitGatewayCidrBlocks": { "description": "(OPTIONAL) A list of transit gateway IPv4 CIDR blocks.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "transitGatewayFlowLogs": { "$ref": "#/definitions/ITransitGatewayFlowLogsConfig", "description": "(OPTIONAL) Transit Gateway flow logs configuration." }, "transitGatewayIpv6CidrBlocks": { "description": "(OPTIONAL) A list of transit gateway IPv6 CIDR blocks.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "vpnEcmpSupport": { "$ref": "#/definitions/EnableDisable", "description": "Equal Cost Multipath (ECMP) routing support between VPN tunnels." 
} }, "required": [ "name", "account", "region", "asn", "dnsSupport", "vpnEcmpSupport", "defaultRouteTableAssociation", "defaultRouteTablePropagation", "autoAcceptSharingAttachments", "routeTables" ], "type": "object" }, "ITransitGatewayConnectConfig": { "additionalProperties": false, "description": "Use this configuration to define a Transit Gateway Connect attachment to your Direct Connect Gateway.", "properties": { "directConnect": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The Direct Connect Gateway Attachment that belongs to the Transit Gateway that a Transit Gateway Connect Attachment is being made for." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Transit Gateway Connect attachment." }, "options": { "$ref": "#/definitions/ITransitGatewayConnectOptionsConfig", "description": "(OPTIONAL) Options around the Transit Gateway Connect" }, "region": { "$ref": "#/definitions/NonEmptyString", "description": "The AWS Region for the attachment." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the Transit Gateway attachment.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "transitGateway": { "$ref": "#/definitions/ITransitGatewayAttachmentTargetConfig", "description": "The Transit Gateway configuration object to set the Transit Gateway Connect." }, "vpc": { "$ref": "#/definitions/ITransitGatewayConnectVpcConfig", "description": "The VPC Attachment that belongs to the Transit Gateway that a Transit Gateway Connect Attachment is being made for." 
} }, "required": [ "name", "region", "transitGateway" ], "type": "object" }, "ITransitGatewayConnectOptionsConfig": { "additionalProperties": false, "properties": { "protocol": { "$ref": "#/definitions/TransitGatewayConnectProtocol", "description": "The tunnel protocol for the Transit Gateway Connect attachment." } }, "required": [ "protocol" ], "type": "object" }, "ITransitGatewayConnectVpcConfig": { "additionalProperties": false, "properties": { "vpcAttachment": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the VPC attachment" }, "vpcName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the VPC" } }, "required": [ "vpcName", "vpcAttachment" ], "type": "object" }, "ITransitGatewayFlowLogsConfig": { "additionalProperties": false, "description": "## Transit Gateway Flow Logs Configuration Interface\n\nInterface for AWS Transit Gateway Flow Logs configuration, which captures information about IP traffic flowing to and from Transit Gateways. Flow logs provide visibility into network traffic patterns, security analysis, and troubleshooting capabilities.\n\n### Key Features\n\n- **Traffic Visibility**: Monitor all Transit Gateway network traffic\n- **Security Analysis**: Detect suspicious traffic patterns and potential threats\n- **Compliance**: Meet regulatory requirements for network monitoring\n- **Troubleshooting**: Diagnose connectivity and performance issues\n- **Cost Optimization**: Analyze traffic patterns to optimize network costs\n\n### Supported Destinations\n\n- **Amazon S3**: Cost-effective long-term storage and analysis\n- **CloudWatch Logs**: Real-time monitoring and alerting capabilities\n- **Dual Destination**: Send logs to both S3 and CloudWatch simultaneously\n\nLearn more about [Transit Gateway Flow Logs](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html).", "properties": { "customFields": { "description": "**Custom Fields** *(Required when defaultFormat is false)*\n\nArray of specific fields to include 
in flow log records when using custom format. This allows you to capture exactly the network information needed for your use cases.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "defaultFormat": { "description": "**Use Default Format** *(Required)*\n\nControls whether to use the AWS default flow log format or a custom format with specific fields. When false, allows customization of logged fields.", "type": "boolean" }, "destinations": { "description": "**Log Destinations** *(Required)*\n\nArray of destination services where Transit Gateway flow logs should be delivered. You can send logs to one or both supported destinations simultaneously.", "items": { "$ref": "#/definitions/LogDestinationType" }, "type": "array" }, "destinationsConfig": { "$ref": "#/definitions/IVpcFlowLogsDestinationConfig", "description": "**Destination Configuration** *(Optional)*\n\nAdvanced configuration options for the Transit Gateway flow log destinations, including S3 lifecycle policies and CloudWatch Logs retention and KMS encryption settings." }, "maxAggregationInterval": { "description": "**Maximum Aggregation Interval** *(Required)*\n\nThe maximum interval in seconds for aggregating flow log records before they are captured and delivered to the destination. This value must be 60 for Transit Gateway Flow Logs.", "type": "number" } }, "required": [ "maxAggregationInterval", "destinations", "defaultFormat", "customFields" ], "type": "object" }, "ITransitGatewayPeeringAccepterConfig": { "additionalProperties": false, "description": "Transit Gateway (TGW) peering accepter configuration.\nUse this configuration to define the accepter side of the peering attachment.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account of the accepter transit gateway" }, "applyTags": { "description": "(OPTIONAL) Peering request apply tags flag. 
Note: When this flag is set to `true`, the requester attachment tags are replicated to the accepter attachment.", "type": "boolean" }, "autoAccept": { "description": "(OPTIONAL) Peering request auto accept flag. Note: When this flag is set to `true`, the peering request will be automatically accepted by the accelerator.", "type": "boolean" }, "region": { "description": "The name of the region the accepter transit gateway resides in", "type": "string" }, "routeTableAssociations": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of TGW route table to associate with this peering attachment." }, "transitGatewayName": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the accepter transit gateway" } }, "required": [ "transitGatewayName", "account", "region", "routeTableAssociations" ], "type": "object" }, "ITransitGatewayPeeringConfig": { "additionalProperties": false, "description": "Use this configuration to define a peering attachment between two TGWs.", "properties": { "accepter": { "$ref": "#/definitions/ITransitGatewayPeeringAccepterConfig", "description": "Peering attachment accepter configuration" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of TGW peering." }, "requester": { "$ref": "#/definitions/ITransitGatewayPeeringRequesterConfig", "description": "Peering attachment requester configuration." 
} }, "required": [ "name", "requester", "accepter" ], "type": "object" }, "ITransitGatewayPeeringRequesterConfig": { "additionalProperties": false, "description": "Transit Gateway (TGW) peering requester configuration.\nUse this configuration to define the requester side of the peering attachment.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account of the requester transit gateway" }, "region": { "description": "The name of the region the requester transit gateway resides in", "type": "string" }, "routeTableAssociations": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of TGW route table to associate with this peering attachment." }, "tags": { "description": "(OPTIONAL) An array of tag objects for the Transit Gateway Peering.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "transitGatewayName": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the requester transit gateway" } }, "required": [ "transitGatewayName", "account", "region", "routeTableAssociations" ], "type": "object" }, "ITransitGatewayRouteEntryConfig": { "additionalProperties": false, "description": "Use this configuration to define static route entries in a Transit Gateway route table.", "properties": { "attachment": { "anyOf": [ { "$ref": "#/definitions/ITransitGatewayRouteTableVpcEntryConfig" }, { "$ref": "#/definitions/ITransitGatewayRouteTableDxGatewayEntryConfig" }, { "$ref": "#/definitions/ITransitGatewayRouteTableVpnEntryConfig" }, { "$ref": "#/definitions/ITransitGatewayRouteTableTgwPeeringEntryConfig" } ], "description": "The target {@link https://docs.aws.amazon.com/vpc/latest/tgw/working-with-transit-gateways.html Transit Gateway attachment } for the route table entry. 
Supported attachment types include:\n\n- VPC\n- Direct Connect Gateway\n- VPN\n- Transit Gateway Peering" }, "blackhole": { "description": "(OPTIONAL) Enable to create a blackhole route that drops traffic destined for the destination CIDR. Leave undefined when specifying an attachment target.", "type": "boolean" }, "destinationCidrBlock": { "$ref": "#/definitions/NonEmptyString", "description": "The destination IPv4/v6 CIDR block for the route table entry." }, "destinationPrefixList": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of a prefix list for the route table entry." } }, "type": "object" }, "ITransitGatewayRouteTableConfig": { "additionalProperties": false, "description": "Use this configuration to define route tables for your Transit Gateway. Route tables are used to configure\nrouting behaviors for your Transit Gateway.\n\nThe following example creates a TGW route table called Network-Main-Shared with no static route entries:", "properties": { "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the Transit Gateway route table." 
}, "routes": { "description": "An array of Transit Gateway route entry configuration objects.", "items": { "$ref": "#/definitions/ITransitGatewayRouteEntryConfig" }, "type": "array" }, "tags": { "description": "(OPTIONAL) An array of tag objects for the Transit Gateway route table.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "routes" ], "type": "object" }, "ITransitGatewayRouteTableDxGatewayEntryConfig": { "additionalProperties": false, "description": "Transit Gateway Direct Connect Gateway static route entry configuration.\nUse this configuration to define a Direct Connect Gateway attachment as a target for Transit\nGateway static routes.", "properties": { "directConnectGatewayName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the Direct Connect Gateway" } }, "required": [ "directConnectGatewayName" ], "type": "object" }, "ITransitGatewayRouteTableTgwPeeringEntryConfig": { "additionalProperties": false, "description": "Transit Gateway peering static route entry configuration.\nUsed to define a peering attachment as a target for Transit\nGateway static routes.", "properties": { "transitGatewayPeeringName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the Transit Gateway peering connection" } }, "required": [ "transitGatewayPeeringName" ], "type": "object" }, "ITransitGatewayRouteTableVpcEntryConfig": { "additionalProperties": false, "description": "Transit Gateway VPC static route entry configuration.\nUse this configuration to define an account and VPC name as a target for Transit Gateway static route entries.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the account where the VPC resides." }, "vpcName": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC." 
} }, "required": [ "account", "vpcName" ], "type": "object" }, "ITransitGatewayRouteTableVpnEntryConfig": { "additionalProperties": false, "description": "Transit Gateway VPN static route entry configuration.\nUse this configuration to define a VPN attachment as a target for Transit\nGateway static routes.", "properties": { "vpnConnectionName": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the VPN connection" } }, "required": [ "vpnConnectionName" ], "type": "object" }, "ITransition": { "additionalProperties": false, "description": "## S3 Storage Class Transition Configuration\n\nDefines when and how objects should transition from their current storage class to a different storage class. Used in S3 lifecycle rules to optimize storage costs based on data access patterns and retention requirements.\n\n### Key Components\n\n- **Storage Class**: Target storage class for the transition\n- **Transition Timing**: Number of days after object creation or version change\n\n### Example\n\n```yaml transitions: - storageClass: STANDARD_IA transitionAfter: 30 - storageClass: GLACIER transitionAfter: 365 - storageClass: DEEP_ARCHIVE transitionAfter: 2555 ```", "properties": { "storageClass": { "$ref": "#/definitions/StorageClass", "description": "**Target Storage Class** *(Required)*\n\nThe S3 storage class that objects should transition to after the specified time period." 
}, "transitionAfter": { "description": "**Transition After (Days)** *(Required)*\n\nNumber of days after object creation (for current versions) or after becoming non-current (for non-current versions) when the transition should occur.", "type": "number" } }, "required": [ "storageClass", "transitionAfter" ], "type": "object" }, "IVirtualPrivateGatewayConfig": { "additionalProperties": false, "description": "Used to define Virtual Private Gateways that are attached to a VPC.\nYou can create an IPsec VPN connection between your VPC and your remote network.\nOn the AWS side of the Site-to-Site VPN connection, a virtual private gateway or transit\ngateway provides two VPN endpoints (tunnels) for automatic failover.", "properties": { "asn": { "description": "Define the ASN (Amazon Side) used for the Virtual Private Gateway", "type": "number" } }, "required": [ "asn" ], "type": "object" }, "IVpcConfig": { "additionalProperties": false, "description": "Use this configuration to define a VPC that is deployed to a single account and region.\nWith Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically\nisolated virtual network that you've defined. This virtual network closely resembles a traditional\nnetwork that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.", "properties": { "account": { "$ref": "#/definitions/NonEmptyString", "description": "The logical name of the account to deploy the VPC to" }, "cidrs": { "description": "(OPTIONAL) A list of IPv4 CIDRs to associate with the VPC.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "defaultSecurityGroupRulesDeletion": { "description": "(OPTIONAL) When true, the allow-all ingress and egress rules are removed from the VPC's default security group, leaving it with no rules so that the default security group cannot be used to permit traffic unintentionally.", "type": "boolean" }, "dhcpOptions": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of a custom DHCP options set." 
}, "dnsFirewallRuleGroups": { "description": "(OPTIONAL) An array of DNS firewall VPC association configurations. Use this property to associate Route 53 resolver DNS firewall rule groups with the VPC.", "items": { "$ref": "#/definitions/IVpcDnsFirewallAssociationConfig" }, "type": "array" }, "egressOnlyIgw": { "description": "(OPTIONAL) Create an {@link https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html Egress-only internet gateway (EIGW) } for the VPC", "type": "boolean" }, "enableDnsHostnames": { "description": "Enable DNS hostname support for the VPC.", "type": "boolean" }, "enableDnsSupport": { "description": "Enable DNS support for the VPC.", "type": "boolean" }, "gatewayEndpoints": { "$ref": "#/definitions/IGatewayEndpointConfig", "description": "(OPTIONAL) An array of gateway endpoints for the VPC. Use this property to define S3 or DynamoDB gateway endpoints for the VPC." }, "instanceTenancy": { "$ref": "#/definitions/InstanceTenancyType", "description": "(OPTIONAL) Define instance tenancy for the VPC. The default value is `default`." }, "interfaceEndpoints": { "$ref": "#/definitions/IInterfaceEndpointConfig", "description": "(OPTIONAL) A list of VPC interface endpoints. Use this property to define VPC interface endpoints for the VPC." }, "internetGateway": { "description": "Defines if an {@link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html internet gateway } should be added to the VPC", "type": "boolean" }, "ipamAllocations": { "description": "(OPTIONAL) An array of IPAM allocation configurations.", "items": { "$ref": "#/definitions/IIpamAllocationConfig" }, "type": "array" }, "ipv6Cidrs": { "description": "(OPTIONAL) An array of IPv6 CIDR block configurations.", "items": { "$ref": "#/definitions/IVpcIpv6Config" }, "type": "array" }, "loadBalancers": { "$ref": "#/definitions/ILoadBalancersConfig", "description": "Elastic Load Balancing configuration. 
Use this property to define Elastic Load Balancers for this VPC." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC.\n\nThe value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value." }, "natGateways": { "description": "(OPTIONAL) An array of NAT gateway configurations for the VPC. Use this property to configure the NAT gateways for the VPC.", "items": { "$ref": "#/definitions/INatGatewayConfig" }, "type": "array" }, "networkAcls": { "default": "undefined", "description": "(OPTIONAL) A list of Network Access Control Lists (ACLs) to deploy for this VPC", "items": { "$ref": "#/definitions/INetworkAclConfig" }, "type": "array" }, "outposts": { "description": "(OPTIONAL) An array of Local Gateway Route table configurations. Use this configuration to associate Outposts Local Gateway Route tables with the VPC.", "items": { "$ref": "#/definitions/IOutpostsConfig" }, "type": "array" }, "queryLogs": { "description": "(OPTIONAL) A list of DNS query log configuration names.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "region": { "description": "The AWS region to deploy the VPC to", "type": "string" }, "resolverRules": { "description": "(OPTIONAL) A list of Route 53 resolver rule names.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "routeTables": { "description": "(OPTIONAL) An array of route table configurations for the VPC. Use this property to configure the route tables for the VPC.", "items": { "$ref": "#/definitions/IRouteTableConfig" }, "type": "array" }, "securityGroups": { "default": "undefined", "description": "(OPTIONAL) A list of Security Groups to deploy for this VPC", "items": { "$ref": "#/definitions/ISecurityGroupConfig" }, "type": "array" }, "subnets": { "description": "(OPTIONAL) An array of subnet configurations for the VPC. 
Use this property to configure the subnets for the VPC.", "items": { "$ref": "#/definitions/ISubnetConfig" }, "type": "array" }, "tags": { "default": "undefined", "description": "(OPTIONAL) A list of tags to apply to this VPC", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "targetGroups": { "description": "Target group configuration. Use this property to define target groups for this VPC.", "items": { "$ref": "#/definitions/ITargetGroupItem" }, "type": "array" }, "transitGatewayAttachments": { "description": "(OPTIONAL) An array of Transit Gateway attachment configurations. Use this property to configure the Transit Gateway attachments for the VPC.", "items": { "$ref": "#/definitions/ITransitGatewayAttachmentConfig" }, "type": "array" }, "useCentralEndpoints": { "default": false, "description": "(OPTIONAL) When set to true, this VPC will be configured to utilize centralized endpoints. This includes having the Route 53 Private Hosted Zone associated with this VPC. Centralized endpoints are configured per region, and can span to spoke accounts.\n\nNOTE: The AWS partition and regions must support the creation of Route 53 private hosted zones and DNS alias records for AWS VPC Endpoint resource types or the pipeline will fail. Ensure your partition and regions will support useCentralEndpoints before enabling it.", "type": "boolean" }, "virtualPrivateGateway": { "$ref": "#/definitions/IVirtualPrivateGatewayConfig", "default": "undefined", "description": "(OPTIONAL) Virtual Private Gateway configuration. Use this property to configure a Virtual Private Gateway for the VPC." }, "vpcFlowLogs": { "$ref": "#/definitions/IVpcFlowLogsConfig", "description": "VPC flow log configuration. Use this property to define a VPC-specific VPC flow logs configuration." }, "vpcRoute53Resolver": { "$ref": "#/definitions/IVpcResolverConfig", "description": "A Route 53 resolver configuration local to the VPC." 
} }, "required": [ "name", "account", "region" ], "type": "object" }, "IVpcDnsFirewallAssociationConfig": { "additionalProperties": false, "properties": { "mutationProtection": { "$ref": "#/definitions/MutationProtectionType" }, "name": { "$ref": "#/definitions/NonEmptyString" }, "priority": { "type": "number" }, "tags": { "items": { "$ref": "#/definitions/ITag" }, "type": "array" } }, "required": [ "name", "priority" ], "type": "object" }, "IVpcFlowLogsCloudWatchLogsConfig": { "additionalProperties": false, "description": "## VPC Flow Logs CloudWatch Logs Configuration Interface\n\nConfiguration interface for CloudWatch Logs destination settings when VPC Flow Logs are sent to Amazon CloudWatch Logs. Provides control over log retention and encryption for real-time monitoring capabilities.\n\n### Key Features\n\n- **Retention Management**: Control how long logs are kept in CloudWatch\n- **Encryption**: Secure logs with customer-managed KMS keys\n- **Real-time Analysis**: Enable immediate log analysis and alerting\n- **Cost Control**: Manage CloudWatch Logs storage costs through retention", "properties": { "kms": { "$ref": "#/definitions/NonEmptyString", "description": "**KMS Key** *(Optional)*\n\nName of the KMS key to use for encrypting flow logs in CloudWatch Logs. Provides additional security for sensitive network traffic data." }, "retentionInDays": { "default": 365, "description": "**Retention in Days** *(Optional)*\n\nNumber of days to retain flow logs in CloudWatch Logs. After this period, logs are automatically deleted to control costs.", "type": "number" } }, "type": "object" }, "IVpcFlowLogsConfig": { "additionalProperties": false, "description": "## VPC Flow Logs Configuration Interface\n\nInterface for AWS VPC Flow Logs configuration, which captures information about IP traffic flowing to and from network interfaces in your VPCs. 
Flow logs provide visibility into network traffic patterns, security analysis, and troubleshooting capabilities.\n\n### Key Features\n\n- **Traffic Visibility**: Monitor all network traffic in your VPCs\n- **Security Analysis**: Detect suspicious traffic patterns and potential threats\n- **Compliance**: Meet regulatory requirements for network monitoring\n- **Troubleshooting**: Diagnose connectivity and performance issues\n- **Cost Optimization**: Analyze traffic patterns to optimize network costs\n\n### Supported Destinations\n\n- **Amazon S3**: Cost-effective long-term storage and analysis\n- **CloudWatch Logs**: Real-time monitoring and alerting capabilities\n- **Dual Destination**: Send logs to both S3 and CloudWatch simultaneously\n\nLearn more about [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).", "properties": { "customFields": { "description": "**Custom Fields** *(Required when defaultFormat is false)*\n\nArray of specific fields to include in flow log records when using custom format. This allows you to capture exactly the network information needed for your use cases.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "defaultFormat": { "description": "**Use Default Format** *(Required)*\n\nControls whether to use the AWS default flow log format or a custom format with specific fields. When false, allows customization of logged fields.", "type": "boolean" }, "destinations": { "description": "**Log Destinations** *(Required)*\n\nArray of destination services where VPC flow logs should be delivered. 
You can send logs to one or both supported destinations simultaneously.", "items": { "$ref": "#/definitions/LogDestinationType" }, "type": "array" }, "destinationsConfig": { "$ref": "#/definitions/IVpcFlowLogsDestinationConfig", "description": "**Destination Configuration** *(Optional)*\n\nAdvanced configuration options for flow log destinations, including S3 lifecycle policies and CloudWatch Logs retention settings." }, "maxAggregationInterval": { "description": "**Maximum Aggregation Interval** *(Required)*\n\nThe maximum interval in seconds for aggregating flow log records before they are captured and delivered to the destination.", "type": "number" }, "trafficType": { "$ref": "#/definitions/TrafficType", "description": "**Traffic Type** *(Required)*\n\nSpecifies the type of network traffic to capture in VPC flow logs. This determines which traffic flows will be recorded and available for analysis." } }, "required": [ "trafficType", "maxAggregationInterval", "destinations", "defaultFormat", "customFields" ], "type": "object" }, "IVpcFlowLogsDestinationConfig": { "additionalProperties": false, "description": "## VPC Flow Logs Destination Configuration Interface\n\nConfiguration interface for VPC Flow Logs destination settings, supporting both S3 and CloudWatch Logs destinations. 
Allows fine-grained control over how flow logs are stored, retained, and processed.\n\n### Supported Destinations\n\n- **S3**: Cost-effective long-term storage with lifecycle management\n- **CloudWatch Logs**: Real-time monitoring with immediate alerting capabilities\n- **Dual Destination**: Send to both S3 and CloudWatch simultaneously\n\n### Example\n\n```yaml destinationsConfig: s3: lifecycleRules: - enabled: true expiration: 2555 transitions: - storageClass: GLACIER transitionAfter: 365 cloudWatchLogs: retentionInDays: 365 kms: flow-logs-key ```", "properties": { "cloudWatchLogs": { "$ref": "#/definitions/IVpcFlowLogsCloudWatchLogsConfig", "description": "**CloudWatch Logs Configuration** *(Optional)*\n\nConfiguration for CloudWatch Logs destination including retention and encryption. Used when flow logs are sent to CloudWatch Logs for real-time monitoring." }, "s3": { "$ref": "#/definitions/IVpcFlowLogsS3BucketConfig", "description": "**S3 Configuration** *(Optional)*\n\nConfiguration for S3 destination including lifecycle rules and custom paths. Used when flow logs are sent to Amazon S3 for long-term storage and analysis." } }, "type": "object" }, "IVpcFlowLogsS3BucketConfig": { "additionalProperties": false, "description": "## VPC Flow Logs S3 Bucket Configuration Interface\n\nConfiguration interface for S3 destination settings when VPC Flow Logs are sent to Amazon S3. Provides control over lifecycle management and custom log path configurations for cost optimization and organization.\n\n### Key Features\n\n- **Lifecycle Management**: Automatic transition and expiration of log files\n- **Custom Paths**: Override default S3 log path structure\n- **Cost Optimization**: Reduce storage costs through intelligent tiering\n- **Retention Control**: Manage log retention periods automatically", "properties": { "lifecycleRules": { "description": "**Lifecycle Rules** *(Optional)*\n\nS3 lifecycle rules to manage flow log files automatically. 
Controls when logs transition to cheaper storage classes and when they expire.", "items": { "$ref": "#/definitions/ILifecycleRule" }, "type": "array" }, "overrideS3LogPath": { "$ref": "#/definitions/NonEmptyString", "description": "**Override S3 Log Path** *(Optional)*\n\nCustom S3 key prefix for organizing flow log files. Overrides the default LZA path structure for flow logs." } }, "type": "object" }, "IVpcIpv6Config": { "additionalProperties": false, "description": "VPC IPv6 static CIDR configuration. Use this to associate a static IPv6 CIDR block to your VPC.", "properties": { "amazonProvided": { "description": "(OPTIONAL) Indicates whether Amazon automatically provisions a /56 IPv6 CIDR block for the VPC.", "type": "boolean" }, "byoipPoolId": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Used to define the Bring-Your-Own-IP (BYOIP) address pool ID to use for the IPv6 CIDR block." }, "cidrBlock": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) Associate an IPv6 CIDR block with your VPC." } }, "type": "object" }, "IVpcPeeringConfig": { "additionalProperties": false, "description": "VPC peering configuration.\nUsed to define VPC peering connections.\n\nVPC can be from vpc or vpcTemplates configuration.", "properties": { "name": { "$ref": "#/definitions/NonEmptyString", "description": "A friendly name for the peering connection." 
}, "tags": { "description": "An array of tags for the peering connection.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "vpcs": { "description": "The VPCs to peer.\n\nVPC can be from vpc or vpcTemplates configuration.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" } }, "required": [ "name", "vpcs" ], "type": "object" }, "IVpcResolverConfig": { "additionalProperties": false, "description": "Use this configuration to define local resolver endpoints and Route 53 query logging to the VPC.", "properties": { "endpoints": { "description": "(OPTIONAL) An array of Route 53 resolver endpoint configurations.", "items": { "$ref": "#/definitions/IResolverEndpointConfig" }, "type": "array" }, "queryLogs": { "$ref": "#/definitions/IDnsQueryLogsConfig", "description": "(OPTIONAL) A Route 53 resolver DNS query logging configuration." } }, "type": "object" }, "IVpcTemplatesConfig": { "additionalProperties": false, "description": "Use this configuration to define a VPC using a standard configuration that is deployed to multiple account(s)/OU(s) defined using a `deploymentTargets` property.\nWith Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically\nisolated virtual network that you've defined. 
This virtual network closely resembles a traditional\nnetwork that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.\n\nStatic CIDR:\n```\nvpcTemplates:\n - name: Accelerator-Template\n deploymentTargets:\n organizationalUnits:\n - Infrastructure\n region: us-east-1\n cidrs:\n - 10.0.0.0/24\n enableDnsHostnames: true\n enableDnsSupport: true\n instanceTenancy: default\n routeTables: []\n subnets: []\n natGateways: []\n transitGatewayAttachments: []\n tags: []\n```\nIPAM allocation:\n```\nvpcTemplates:\n - name: Accelerator-Template\n deploymentTargets:\n organizationalUnits:\n - Infrastructure\n region: us-east-1\n ipamAllocations:\n - ipamPoolName: accelerator-regional-pool\n netmaskLength: 24\n enableDnsHostnames: true\n enableDnsSupport: true\n instanceTenancy: default\n routeTables: []\n subnets: []\n natGateways: []\n transitGatewayAttachments: []\n tags: []\n```\nStatic IPv6 CIDR:\n```\nvpcTemplates:\n - name: Accelerator-Template\n deploymentTargets:\n organizationalUnits:\n - Infrastructure\n region: us-east-1\n cidrs:\n - 10.0.0.0/24\n ipv6Cidrs:\n - amazonProvided: true\n enableDnsHostnames: true\n enableDnsSupport: true\n instanceTenancy: default\n routeTables: []\n subnets: []\n natGateways: []\n transitGatewayAttachments: []\n tags: []\n```", "properties": { "cidrs": { "description": "(OPTIONAL) A list of IPv4 CIDRs to associate with the VPC.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "defaultSecurityGroupRulesDeletion": { "description": "(OPTIONAL) Determine if the all traffic ingress and egress rules are deleted in the default security group of a VPC.", "type": "boolean" }, "deploymentTargets": { "$ref": "#/definitions/IDeploymentTargets", "description": "VPC deployment targets." }, "dhcpOptions": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The friendly name of a custom DHCP options set." 
}, "dnsFirewallRuleGroups": { "description": "(OPTIONAL) An array of DNS firewall VPC association configurations. Use this property to associate Route 53 resolver DNS firewall rule groups with the VPC.", "items": { "$ref": "#/definitions/IVpcDnsFirewallAssociationConfig" }, "type": "array" }, "egressOnlyIgw": { "description": "(OPTIONAL) Create an {@link https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html Egress-only internet gateway (EIGW) } for the VPC", "type": "boolean" }, "enableDnsHostnames": { "description": "Enable DNS hostname support for the VPC.", "type": "boolean" }, "enableDnsSupport": { "description": "Enable DNS support for the VPC.", "type": "boolean" }, "gatewayEndpoints": { "$ref": "#/definitions/IGatewayEndpointConfig", "description": "(OPTIONAL) An array of gateway endpoints for the VPC. Use this property to define S3 or DynamoDB gateway endpoints for the VPC." }, "instanceTenancy": { "$ref": "#/definitions/InstanceTenancyType", "description": "(OPTIONAL) Define instance tenancy for the VPC. The default value is `default`." }, "interfaceEndpoints": { "$ref": "#/definitions/IInterfaceEndpointConfig", "description": "(OPTIONAL) A list of VPC interface endpoints. Use this property to define VPC interface endpoints for the VPC." }, "internetGateway": { "description": "Defines if an {@link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html internet gateway } should be added to the VPC", "type": "boolean" }, "ipamAllocations": { "description": "(OPTIONAL) An array of IPAM allocation configurations.", "items": { "$ref": "#/definitions/IIpamAllocationConfig" }, "type": "array" }, "ipv6Cidrs": { "description": "(OPTIONAL) An array of IPv6 CIDR block configurations.", "items": { "$ref": "#/definitions/IVpcIpv6Config" }, "type": "array" }, "loadBalancers": { "$ref": "#/definitions/ILoadBalancersConfig", "description": "Elastic Load Balancing configuration. 
Use this property to define Elastic Load Balancers for this VPC." }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The friendly name of the VPC.\n\nThe value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value." }, "natGateways": { "description": "(OPTIONAL) An array of NAT gateway configurations for the VPC. Use this property to configure the NAT gateways for the VPC.", "items": { "$ref": "#/definitions/INatGatewayConfig" }, "type": "array" }, "networkAcls": { "default": "undefined", "description": "(OPTIONAL) A list of Network Access Control Lists (ACLs) to deploy for this VPC", "items": { "$ref": "#/definitions/INetworkAclConfig" }, "type": "array" }, "queryLogs": { "description": "(OPTIONAL) A list of DNS query log configuration names.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "region": { "description": "The AWS region to deploy the VPCs to", "type": "string" }, "resolverRules": { "description": "(OPTIONAL) A list of Route 53 resolver rule names.", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "routeTables": { "description": "(OPTIONAL) An array of route table configurations for the VPC. Use this property to configure the route tables for the VPC.", "items": { "$ref": "#/definitions/IRouteTableConfig" }, "type": "array" }, "securityGroups": { "default": "undefined", "description": "(OPTIONAL) A list of Security Groups to deploy for this VPC", "items": { "$ref": "#/definitions/ISecurityGroupConfig" }, "type": "array" }, "subnets": { "description": "(OPTIONAL) An array of subnet configurations for the VPC. 
Use this property to configure the subnets for the VPC.", "items": { "$ref": "#/definitions/ISubnetConfig" }, "type": "array" }, "tags": { "default": "undefined", "description": "(OPTIONAL) A list of tags to apply to this VPC", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "targetGroups": { "description": "Target group configuration. Use this property to define target groups for this VPC.", "items": { "$ref": "#/definitions/ITargetGroupItem" }, "type": "array" }, "transitGatewayAttachments": { "description": "(OPTIONAL) An array of Transit Gateway attachment configurations. Use this property to configure the Transit Gateway attachments for the VPC.", "items": { "$ref": "#/definitions/ITransitGatewayAttachmentConfig" }, "type": "array" }, "useCentralEndpoints": { "default": false, "description": "(OPTIONAL) When set to true, this VPC will be configured to utilize centralized endpoints. This includes having the Route 53 Private Hosted Zone associated with this VPC. Centralized endpoints are configured per region, and can span to spoke accounts", "type": "boolean" }, "virtualPrivateGateway": { "$ref": "#/definitions/IVirtualPrivateGatewayConfig", "default": "undefined", "description": "(OPTIONAL) Virtual Private Gateway configuration. Use this property to configure a Virtual Private Gateway for the VPC." }, "vpcFlowLogs": { "$ref": "#/definitions/IVpcFlowLogsConfig", "description": "VPC flow log configuration. Use this property to define a VPC-specific VPC flow logs configuration." 
} }, "required": [ "name", "region", "deploymentTargets" ], "type": "object" }, "IVpnConnectionConfig": { "additionalProperties": false, "description": "Use this configuration to define the VPN connections that\nterminate either on a Transit Gateway or virtual private gateway.\nA VPN connection refers to the connection between your VPC and your own on-premises network.\nYou can enable access to your remote network from your VPC by creating an\nAWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing\nto pass traffic through the connection.\n\n**IMPORTANT**: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can make property changes in one of {@link VpnConnectionConfig } or {@link VpnTunnelOptionsSpecificationsConfig }, but not both.\nYou may make multiple property changes in one of those configurations if necessary. Trying to modify properties in both configurations will result in a pipeline failure. This is due to the fact that\nonly a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.\n\nNote: you may manually roll back the resulting CloudFormation stack should you encounter this failure. More details on how to skip failed resources in the following reference:\nhttps://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html", "properties": { "amazonIpv4NetworkCidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The Amazon-side IPv4 CIDR range that is allowed through the site-to-site VPN tunnel. Configuring this option restricts the Amazon-side CIDR range that can communicate with your local network.\n\nDefault - `0.0.0.0/0`" }, "amazonIpv6NetworkCidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The Amazon-side IPv6 CIDR range that is allowed through the site-to-site VPN tunnel. 
Configuring this option restricts the Amazon-side CIDR range that can communicate with your local network.\n\nDefault - `::/0`" }, "customerIpv4NetworkCidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The customer-side IPv4 CIDR range that is allowed through the site-to-site VPN tunnel. Configuring this option restricts the local CIDR range that can communicate with your AWS environment.\n\nDefault - `0.0.0.0/0`" }, "customerIpv6NetworkCidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The customer-side IPv6 CIDR range that is allowed through the site-to-site VPN tunnel. Configuring this option restricts the local CIDR range that can communicate with your AWS environment.\n\nDefault - `::/0`" }, "enableVpnAcceleration": { "description": "(OPTIONAL) Enable Site-to-Site VPN Acceleration. For more information, see {@link https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html Accelerated Site-to-Site VPN connections } .", "type": "boolean" }, "name": { "$ref": "#/definitions/NonEmptyString", "description": "The name of the VPN Connection.\n\nThe value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value." }, "outsideIpAddressType": { "$ref": "#/definitions/OutsideIpAddressType", "description": "(OPTIONAL) The type of IP address assigned to the outside interface of the customer gateway device. Valid values include `PublicIpv4` or `Ipv6`." 
}, "routeTableAssociations": { "description": "(OPTIONAL) An array of Transit Gateway route table names to associate the VPN attachment to", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "routeTablePropagations": { "description": "(OPTIONAL) An array of Transit Gateway route table names to propagate the VPN attachment to", "items": { "$ref": "#/definitions/NonEmptyString" }, "type": "array" }, "staticRoutesOnly": { "description": "(OPTIONAL) If creating a VPN connection for a device that doesn't support Border Gateway Protocol (BGP) declare true as a value, otherwise, use false.", "type": "boolean" }, "tags": { "description": "(OPTIONAL) An array of tags for the VPN Connection.", "items": { "$ref": "#/definitions/ITag" }, "type": "array" }, "transitGateway": { "$ref": "#/definitions/NonEmptyString", "description": "The logical name of the Transit Gateway that the customer Gateway is attached to so that a VPN connection is established." }, "tunnelSpecifications": { "description": "(OPTIONAL) Define the optional VPN Tunnel configuration", "items": { "$ref": "#/definitions/IVpnTunnelOptionsSpecificationsConfig" }, "type": "array" }, "vpc": { "$ref": "#/definitions/NonEmptyString", "description": "The logical name of the Virtual Private Cloud that a Virtual Private Gateway is attached to." 
} }, "required": [ "name" ], "type": "object" }, "IVpnLoggingConfig": { "additionalProperties": false, "description": "Use this configuration to define CloudWatch log groups for your Site-to-Site VPN connections.\nAWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments.\nWith this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment,\nInternet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages.", "properties": { "enable": { "description": "(OPTIONAL) Enable site-to-site VPN tunnel logging to CloudWatch Logs.", "type": "boolean" }, "logGroupName": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The name of the CloudWatch Logs log group that you would like tunnel logs to be sent to.\n\nDefault - Randomly generated name based on CDK stack and VPN resource name." }, "outputFormat": { "$ref": "#/definitions/VpnLoggingOutputFormatType", "description": "(OPTIONAL) The output format of the VPN tunnel logs.\n\nDefault - `json`" } }, "type": "object" }, "IVpnTunnelOptionsSpecificationsConfig": { "additionalProperties": false, "description": "Use this configuration to define optional tunnel configurations for a site-to-site VPN connection.\n\n**IMPORTANT**: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can only make property changes to one VPN tunnel per core pipeline run.\nYou may make multiple property changes in that one VPN tunnel if necessary. Trying to modify properties in both tunnels will result in a pipeline failure. This is due to the fact that\nonly a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.\n\nNote: you may manually roll back the resulting CloudFormation stack should you encounter this failure. 
More details on how to skip failed resources in the following reference:\nhttps://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html", "properties": { "dpdTimeoutAction": { "$ref": "#/definitions/DpdTimeoutActionType", "description": "(OPTIONAL) Dead Peer Detection (DPD) timeout action. You can specify the action to take after DPD timeout occurs.\n\nDefault - `clear`" }, "dpdTimeoutSeconds": { "description": "(OPTIONAL) The duration, in seconds, after which Dead Peer Detection (DPD) timeout occurs.\n\nDefault - `30`", "type": "number" }, "ikeVersions": { "description": "(OPTIONAL) The Internet Key Exchange (IKE) versions that are permitted on the tunnel.\n\nDefault - `ikev1`,`ikev2`", "items": { "$ref": "#/definitions/IkeVersionType" }, "type": "array" }, "logging": { "$ref": "#/definitions/IVpnLoggingConfig", "description": "(OPTIONAL) Site-to-Site VPN CloudWatch logging configuration." }, "phase1": { "$ref": "#/definitions/IPhase1Config", "description": "(OPTIONAL) Internet Key Exchange (IKE) phase 1 configuration." }, "phase2": { "$ref": "#/definitions/IPhase2Config", "description": "(OPTIONAL) Internet Key Exchange (IKE) phase 2 configuration." }, "preSharedKey": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The name of the Secrets Manager secret that stores the pre-shared key (PSK). The secret must exist in the same account and region in which the VPN connection will be created." 
}, "rekeyFuzzPercentage": { "description": "(OPTIONAL) The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.\n\nDefault - `100`", "type": "number" }, "rekeyMarginTimeSeconds": { "description": "(OPTIONAL) The margin time in seconds before the phase 1 and phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.\n\nDefault - `270` (4.5 minutes)", "type": "number" }, "replayWindowSize": { "description": "(OPTIONAL) The number of packets in an IKE replay window.\n\nDefault - `1024`", "type": "number" }, "startupAction": { "$ref": "#/definitions/StartupActionType", "description": "(OPTIONAL) The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify `start` for Amazon Web Services to initiate the IKE negotiation.\n\nDefault - `add`" }, "tunnelInsideCidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway." }, "tunnelInsideIpv6Cidr": { "$ref": "#/definitions/NonEmptyString", "description": "(OPTIONAL) The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway." }, "tunnelLifecycleControl": { "description": "(OPTIONAL) Enable tunnel endpoint lifecycle control. This feature provides control over the schedule of endpoint replacements. 
For more information, see {@link https://docs.aws.amazon.com/vpn/latest/s2svpn/tunnel-endpoint-lifecycle.html Tunnel Endpoint Lifecycle Control } .", "type": "boolean" } }, "type": "object" }, "IkeVersionType": { "enum": [ 1, 2 ], "type": "number" }, "InstanceTenancyType": { "enum": [ "default", "dedicated" ], "type": "string" }, "IntegrityAlgorithmType": { "enum": [ "SHA1", "SHA2-256", "SHA2-384", "SHA2-512" ], "type": "string" }, "IpAddressFamilyType": { "enum": [ "IPv4", "IPv6" ], "type": "string" }, "IpVersionType": { "enum": [ "ipv4", "ipv6" ], "type": "string" }, "LoadBalancerSchemeEnum": { "enum": [ "internet-facing", "internal" ], "type": "string" }, "LogDestinationType": { "description": "## Log Destination Type\n\nDefines the supported destinations for storing and processing log data from various AWS services like VPC Flow Logs, CloudTrail, and other logging services.\n\n### Values\n- **s3**: Amazon S3 for cost-effective long-term storage and batch analysis\n- **cloud-watch-logs**: CloudWatch Logs for real-time monitoring and alerting", "enum": [ "s3", "cloud-watch-logs" ], "type": "string" }, "MutationProtectionType": { "enum": [ "ENABLED", "DISABLED" ], "type": "string" }, "NetbiosNodeType": { "enum": [ 1, 2, 4, 8 ], "type": "number" }, "NfwGeneratedRulesType": { "enum": [ "ALLOWLIST", "DENYLIST" ], "type": "string" }, "NfwLogType": { "enum": [ "ALERT", "FLOW" ], "type": "string" }, "NfwRuleType": { "enum": [ "STATEFUL", "STATELESS" ], "type": "string" }, "NfwStatefulDefaultActionType": { "enum": [ "aws:drop_strict", "aws:drop_established", "aws:alert_strict", "aws:alert_established" ], "type": "string" }, "NfwStatefulRuleActionType": { "enum": [ "ALERT", "DROP", "PASS" ], "type": "string" }, "NfwStatefulRuleDirectionType": { "enum": [ "ANY", "FORWARD" ], "type": "string" }, "NfwStatefulRuleOptionsType": { "enum": [ "DEFAULT_ACTION_ORDER", "STRICT_ORDER" ], "type": "string" }, "NfwStatefulRuleProtocolType": { "enum": [ "DCERPC", "DHCP", "DNS", "FTP", 
"HTTP", "ICMP", "IKEV2", "IMAP", "IP", "KRB5", "MSN", "NTP", "SMB", "SMTP", "SSH", "TCP", "TFTP", "TLS", "UDP" ], "type": "string" }, "NfwStatelessRuleActionType": { "enum": [ "aws:pass", "aws:drop", "aws:forward_to_sfe" ], "type": "string" }, "NfwStatelessRuleTcpFlagType": { "enum": [ "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR" ], "type": "string" }, "NfwTargetType": { "enum": [ "TLS_SNI", "HTTP_HOST" ], "type": "string" }, "NlbProtocolEnum": { "enum": [ "TCP", "UDP", "TLS", "TCP_UDP" ], "type": "string" }, "NonEmptyString": { "description": "## Non-Empty String Type\n\nRepresents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.", "minLength": 1, "type": "string" }, "OutsideIpAddressType": { "enum": [ "PublicIpv4", "Ipv6" ], "type": "string" }, "Phase1DhGroupType": { "enum": [ 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 ], "type": "number" }, "Phase2DhGroupType": { "enum": [ 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 ], "type": "number" }, "ResolverEndpointType": { "enum": [ "INBOUND", "OUTBOUND" ], "type": "string" }, "ResolverProtocol": { "enum": [ "DoH-FIPS", "DoH", "Do53" ], "type": "string" }, "RouteTableEntryType": { "enum": [ "transitGateway", "natGateway", "internetGateway", "egressOnlyIgw", "local", "localGateway", "gatewayEndpoint", "gatewayLoadBalancerEndpoint", "networkFirewall", "networkInterface", "virtualPrivateGateway", "vpcPeering" ], "type": "string" }, "RoutingHttpXffHeaderProcessingModeEnum": { "enum": [ "append", "preserve", "remove" ], "type": "string" }, "RuleType": { "enum": [ "FORWARD", "RECURSIVE", "SYSTEM" ], "type": "string" }, "SecurityGroupRuleType": { "enum": [ "RDP", "SSH", "HTTP", "HTTPS", "MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS", "TCP", "UDP", "ICMP", "ALL" ], "type": "string" }, "SslPolicyAlbEnum": { "enum": [ "ELBSecurityPolicy-TLS13-1-2-2021-06", 
"ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06", "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-2016-08" ], "type": "string" }, "SslPolicyNlbEnum": { "enum": [ "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06", "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04", "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", 
"ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-2016-08" ], "type": "string" }, "StartupActionType": { "enum": [ "add", "start" ], "type": "string" }, "StorageClass": { "description": "## S3 Storage Class Type\n\nDefines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.", "enum": [ "DEEP_ARCHIVE", "GLACIER", "GLACIER_IR", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA" ], "type": "string" }, "TargetGroupAttributeAlgorithm": { "enum": [ "round_robin", "least_outstanding_requests" ], "type": "string" }, "TargetGroupAttributeStickinessType": { "enum": [ "lb_cookie", "app_cookie", "source_ip", "source_ip_dest_ip", "source_ip_dest_ip_proto" ], "type": "string" }, "TargetGroupHealthCheckProtocolType": { "enum": [ "HTTP", "HTTPS", "TCP" ], "type": "string" }, "TargetGroupProtocolType": { "enum": [ "TCP", "TLS", "UDP", "TCP_UDP", "HTTP", "HTTPS", "GENEVE" ], "type": "string" }, "TargetGroupProtocolVersionType": { "enum": [ "GRPC", "HTTP1", "HTTP2" ], "type": "string" }, "TargetGroupTargetFailoverType": { "enum": [ "no_rebalance", "rebalance" ], "type": "string" }, "TargetGroupType": { "enum": [ "instance", "ip", "alb", "lambda" ], "type": "string" }, "TrafficType": { "description": "## VPC Flow Logs Traffic Type\n\nDefines which types of network traffic should be captured in VPC Flow Logs. 
This determines the scope of network visibility and the volume of log data generated.\n\n### Values\n- **ALL**: Capture all network traffic (both accepted and rejected)\n- **ACCEPT**: Capture only traffic that was allowed by security groups/NACLs\n- **REJECT**: Capture only traffic that was blocked by security groups/NACLs", "enum": [ "ALL", "ACCEPT", "REJECT" ], "type": "string" }, "TransitGatewayConnectProtocol": { "const": "gre", "type": "string" }, "VpnLoggingOutputFormatType": { "enum": [ "json", "text" ], "type": "string" } } }