From bf77a245bbdd35a1f9e533053911233c1d7644f3 Mon Sep 17 00:00:00 2001
From: awstools <awstools@amazon.com>
Date: Wed, 30 Oct 2024 18:19:44 +0000
Subject: [PATCH] feat(client-network-firewall): AWS Network Firewall now
 supports configuring TCP idle timeout

---
 clients/client-network-firewall/README.md     |  6 ++---
 .../src/NetworkFirewall.ts                    |  4 +--
 .../src/NetworkFirewallClient.ts              |  4 +--
 .../commands/CreateFirewallPolicyCommand.ts   |  3 +++
 .../commands/DescribeFirewallPolicyCommand.ts |  3 +++
 .../commands/UpdateFirewallPolicyCommand.ts   |  3 +++
 clients/client-network-firewall/src/index.ts  |  4 +--
 .../src/models/models_0.ts                    | 26 +++++++++++++++++++
 .../src/protocols/Aws_json1_0.ts              |  5 ++++
 .../aws-models/network-firewall.json          | 25 +++++++++++++++++-
 10 files changed, 69 insertions(+), 14 deletions(-)

diff --git a/clients/client-network-firewall/README.md b/clients/client-network-firewall/README.md
index ad12d5228cb5..5873cedd7c43 100644
--- a/clients/client-network-firewall/README.md
+++ b/clients/client-network-firewall/README.md
@@ -32,9 +32,7 @@ Guide</a>.</p>
 prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
 perimeter of your VPC. This includes filtering traffic going to and coming from an internet
 gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
-with Suricata, a free, open source network analysis and threat detection engine.
-Network Firewall supports Suricata version 6.0.9. For information about Suricata,
-see the <a href="https://suricata.io/">Suricata website</a>.</p>
+with Suricata, a free, open source network analysis and threat detection engine. </p>
 <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
 The following are just a few examples: </p>
 <ul>
@@ -87,7 +85,7 @@ endpoints.</p>
 
 ## Installing
 
-To install the this package, simply type add or install @aws-sdk/client-network-firewall
+To install this package, simply type add or install @aws-sdk/client-network-firewall
 using your favorite package manager:
 
 - `npm install @aws-sdk/client-network-firewall`
diff --git a/clients/client-network-firewall/src/NetworkFirewall.ts b/clients/client-network-firewall/src/NetworkFirewall.ts
index d0916a711959..2bace2698cf7 100644
--- a/clients/client-network-firewall/src/NetworkFirewall.ts
+++ b/clients/client-network-firewall/src/NetworkFirewall.ts
@@ -841,9 +841,7 @@ export interface NetworkFirewall {
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>
diff --git a/clients/client-network-firewall/src/NetworkFirewallClient.ts b/clients/client-network-firewall/src/NetworkFirewallClient.ts
index 37a168543147..fd2b9a8e73f2 100644
--- a/clients/client-network-firewall/src/NetworkFirewallClient.ts
+++ b/clients/client-network-firewall/src/NetworkFirewallClient.ts
@@ -449,9 +449,7 @@ export interface NetworkFirewallClientResolvedConfig extends NetworkFirewallClie
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>
diff --git a/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts
index 92db4decfcc4..1ad1ba1e66dc 100644
--- a/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts
+++ b/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts
@@ -82,6 +82,9 @@ export interface CreateFirewallPolicyCommandOutput extends CreateFirewallPolicyR
  *     StatefulEngineOptions: { // StatefulEngineOptions
  *       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  *       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ *       FlowTimeouts: { // FlowTimeouts
+ *         TcpIdleTimeoutSeconds: Number("int"),
+ *       },
  *     },
  *     TLSInspectionConfigurationArn: "STRING_VALUE",
  *     PolicyVariables: { // PolicyVariables
diff --git a/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts
index afa91fdf2367..b0932f593488 100644
--- a/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts
+++ b/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts
@@ -106,6 +106,9 @@ export interface DescribeFirewallPolicyCommandOutput extends DescribeFirewallPol
  * //     StatefulEngineOptions: { // StatefulEngineOptions
  * //       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  * //       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ * //       FlowTimeouts: { // FlowTimeouts
+ * //         TcpIdleTimeoutSeconds: Number("int"),
+ * //       },
  * //     },
  * //     TLSInspectionConfigurationArn: "STRING_VALUE",
  * //     PolicyVariables: { // PolicyVariables
diff --git a/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts
index 5c9161ef45f4..e6773b33f446 100644
--- a/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts
+++ b/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts
@@ -81,6 +81,9 @@ export interface UpdateFirewallPolicyCommandOutput extends UpdateFirewallPolicyR
  *     StatefulEngineOptions: { // StatefulEngineOptions
  *       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  *       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ *       FlowTimeouts: { // FlowTimeouts
+ *         TcpIdleTimeoutSeconds: Number("int"),
+ *       },
  *     },
  *     TLSInspectionConfigurationArn: "STRING_VALUE",
  *     PolicyVariables: { // PolicyVariables
diff --git a/clients/client-network-firewall/src/index.ts b/clients/client-network-firewall/src/index.ts
index 1043c010d9c1..63677e373c2a 100644
--- a/clients/client-network-firewall/src/index.ts
+++ b/clients/client-network-firewall/src/index.ts
@@ -27,9 +27,7 @@
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>
diff --git a/clients/client-network-firewall/src/models/models_0.ts b/clients/client-network-firewall/src/models/models_0.ts
index 851f413d95ad..5308ed5253b2 100644
--- a/clients/client-network-firewall/src/models/models_0.ts
+++ b/clients/client-network-firewall/src/models/models_0.ts
@@ -1113,6 +1113,25 @@ export interface PolicyVariables {
   RuleVariables?: Record<string, IPSet>;
 }
 
+/**
+ * <p>Describes the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle and Network Firewall removes the flow entry from its flow table.
+ *           Existing connections and flows are not impacted when you update this value. Only new connections after you update this value are impacted.
+ *      </p>
+ * @public
+ */
+export interface FlowTimeouts {
+  /**
+   * <p>The number of seconds that can pass without any TCP traffic sent through the firewall before the firewall determines that the connection is idle.
+   *         After the idle timeout passes, data packets are dropped, however, the next TCP SYN packet is considered a new flow and is processed by the firewall.
+   *         Clients or targets can use TCP keepalive packets to reset the idle timeout.
+   *          </p>
+   *          <p>You can define the <code>TcpIdleTimeoutSeconds</code> value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds.
+   *       </p>
+   * @public
+   */
+  TcpIdleTimeoutSeconds?: number;
+}
+
 /**
  * @public
  * @enum
@@ -1176,6 +1195,13 @@ export interface StatefulEngineOptions {
    * @public
    */
   StreamExceptionPolicy?: StreamExceptionPolicy;
+
+  /**
+   * <p>Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
+   *         </p>
+   * @public
+   */
+  FlowTimeouts?: FlowTimeouts;
 }
 
 /**
diff --git a/clients/client-network-firewall/src/protocols/Aws_json1_0.ts b/clients/client-network-firewall/src/protocols/Aws_json1_0.ts
index a7bf99ffbdd4..0916c1780fdb 100644
--- a/clients/client-network-firewall/src/protocols/Aws_json1_0.ts
+++ b/clients/client-network-firewall/src/protocols/Aws_json1_0.ts
@@ -163,6 +163,7 @@ import {
   EncryptionConfiguration,
   FirewallPolicy,
   FirewallPolicyResponse,
+  FlowTimeouts,
   Header,
   InsufficientCapacityException,
   InternalServerError,
@@ -1744,6 +1745,8 @@ const se_CreateRuleGroupRequest = (input: CreateRuleGroupRequest, context: __Ser
 
 // se_Flags omitted.
 
+// se_FlowTimeouts omitted.
+
 // se_Header omitted.
 
 // se_IPSet omitted.
@@ -2113,6 +2116,8 @@ const de_FirewallPolicyResponse = (output: any, context: __SerdeContext): Firewa
 
 // de_Flags omitted.
 
+// de_FlowTimeouts omitted.
+
 // de_Header omitted.
 
 // de_InsufficientCapacityException omitted.
diff --git a/codegen/sdk-codegen/aws-models/network-firewall.json b/codegen/sdk-codegen/aws-models/network-firewall.json
index 2343b42bc6de..4cd80f9bcb07 100644
--- a/codegen/sdk-codegen/aws-models/network-firewall.json
+++ b/codegen/sdk-codegen/aws-models/network-firewall.json
@@ -2371,6 +2371,20 @@
         "target": "com.amazonaws.networkfirewall#TCPFlag"
       }
     },
+    "com.amazonaws.networkfirewall#FlowTimeouts": {
+      "type": "structure",
+      "members": {
+        "TcpIdleTimeoutSeconds": {
+          "target": "com.amazonaws.networkfirewall#TcpIdleTimeoutRangeBound",
+          "traits": {
+            "smithy.api#documentation": "<p>The number of seconds that can pass without any TCP traffic sent through the firewall before the firewall determines that the connection is idle.\n        After the idle timeout passes, data packets are dropped, however, the next TCP SYN packet is considered a new flow and is processed by the firewall. \n        Clients or targets can use TCP keepalive packets to reset the idle timeout.\n         </p>\n         <p>You can define the <code>TcpIdleTimeoutSeconds</code> value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds.\n      </p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Describes the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle and Network Firewall removes the flow entry from its flow table. \n          Existing connections and flows are not impacted when you update this value. Only new connections after you update this value are impacted.\n     </p>"
+      }
+    },
     "com.amazonaws.networkfirewall#GeneratedRulesType": {
       "type": "enum",
       "members": {
@@ -3360,7 +3374,7 @@
           "name": "network-firewall"
         },
         "aws.protocols#awsJson1_0": {},
-        "smithy.api#documentation": "<p>This is the API Reference for Network Firewall. This guide is for developers who need\n         detailed information about the Network Firewall API actions, data types, and errors. </p>\n         <ul>\n            <li>\n               <p>The REST API requires you to handle connection details, such as calculating\n               signatures, handling request retries, and error handling. For general information\n               about using the Amazon Web Services REST APIs, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/aws-apis.html\">Amazon Web Services APIs</a>. </p>\n               <p>To access Network Firewall using the REST API endpoint:\n                  <code>https://network-firewall.<region>.amazonaws.com </code>\n               </p>\n            </li>\n            <li>\n               <p>Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to\n               the programming language or platform that you're using. For more information, see\n               <a href=\"http://aws.amazon.com/tools/#SDKs\">Amazon Web Services SDKs</a>.</p>\n            </li>\n            <li>\n               <p>For descriptions of Network Firewall features, including and step-by-step\n               instructions on how to use them through the Network Firewall console, see the <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/\">Network Firewall Developer\n                  Guide</a>.</p>\n            </li>\n         </ul>\n         <p>Network Firewall is a stateful, managed, network firewall and intrusion detection and\n         prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the\n         perimeter of your VPC. This includes filtering traffic going to and coming from an internet\n         gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible\n      with Suricata, a free, open source network analysis and threat detection engine.\n      Network Firewall supports Suricata version 6.0.9. For information about Suricata,\n          see the <a href=\"https://suricata.io/\">Suricata website</a>.</p>\n         <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.\n         The following are just a few examples: </p>\n         <ul>\n            <li>\n               <p>Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and\n               block all other forms of traffic.</p>\n            </li>\n            <li>\n               <p>Use custom lists of known bad domains to limit the types of domain names that your\n               applications can access.</p>\n            </li>\n            <li>\n               <p>Perform deep packet inspection on traffic entering or leaving your VPC.</p>\n            </li>\n            <li>\n               <p>Use stateful protocol detection to filter protocols like HTTPS, regardless of the\n               port used.</p>\n            </li>\n         </ul>\n         <p>To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in\n         Network Firewall. For information about using Amazon VPC, see <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/\">Amazon VPC User Guide</a>.</p>\n         <p>To start using Network Firewall, do the following: </p>\n         <ol>\n            <li>\n               <p>(Optional) If you don't already have a VPC that you want to protect, create it in\n               Amazon VPC. </p>\n            </li>\n            <li>\n               <p>In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a\n               subnet for the sole use of Network Firewall. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create stateless and stateful rule groups,\n                 to define the components of the network traffic filtering behavior that you want your firewall to have. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create a firewall policy that uses your rule groups and\n                 specifies additional default traffic filtering behavior. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create a firewall and specify your new firewall policy and\n                 VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you\n               specify, with the behavior that's defined in the firewall policy.</p>\n            </li>\n            <li>\n               <p>In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall\n               endpoints.</p>\n            </li>\n         </ol>",
+        "smithy.api#documentation": "<p>This is the API Reference for Network Firewall. This guide is for developers who need\n         detailed information about the Network Firewall API actions, data types, and errors. </p>\n         <ul>\n            <li>\n               <p>The REST API requires you to handle connection details, such as calculating\n               signatures, handling request retries, and error handling. For general information\n               about using the Amazon Web Services REST APIs, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/aws-apis.html\">Amazon Web Services APIs</a>. </p>\n               <p>To access Network Firewall using the REST API endpoint:\n                  <code>https://network-firewall.<region>.amazonaws.com </code>\n               </p>\n            </li>\n            <li>\n               <p>Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to\n               the programming language or platform that you're using. For more information, see\n               <a href=\"http://aws.amazon.com/tools/#SDKs\">Amazon Web Services SDKs</a>.</p>\n            </li>\n            <li>\n               <p>For descriptions of Network Firewall features, including and step-by-step\n               instructions on how to use them through the Network Firewall console, see the <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/\">Network Firewall Developer\n                  Guide</a>.</p>\n            </li>\n         </ul>\n         <p>Network Firewall is a stateful, managed, network firewall and intrusion detection and\n         prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the\n         perimeter of your VPC. This includes filtering traffic going to and coming from an internet\n         gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible\n      with Suricata, a free, open source network analysis and threat detection engine. </p>\n         <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.\n         The following are just a few examples: </p>\n         <ul>\n            <li>\n               <p>Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and\n               block all other forms of traffic.</p>\n            </li>\n            <li>\n               <p>Use custom lists of known bad domains to limit the types of domain names that your\n               applications can access.</p>\n            </li>\n            <li>\n               <p>Perform deep packet inspection on traffic entering or leaving your VPC.</p>\n            </li>\n            <li>\n               <p>Use stateful protocol detection to filter protocols like HTTPS, regardless of the\n               port used.</p>\n            </li>\n         </ul>\n         <p>To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in\n         Network Firewall. For information about using Amazon VPC, see <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/\">Amazon VPC User Guide</a>.</p>\n         <p>To start using Network Firewall, do the following: </p>\n         <ol>\n            <li>\n               <p>(Optional) If you don't already have a VPC that you want to protect, create it in\n               Amazon VPC. </p>\n            </li>\n            <li>\n               <p>In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a\n               subnet for the sole use of Network Firewall. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create stateless and stateful rule groups,\n                 to define the components of the network traffic filtering behavior that you want your firewall to have. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create a firewall policy that uses your rule groups and\n                 specifies additional default traffic filtering behavior. </p>\n            </li>\n            <li>\n               <p>In Network Firewall, create a firewall and specify your new firewall policy and\n                 VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you\n               specify, with the behavior that's defined in the firewall policy.</p>\n            </li>\n            <li>\n               <p>In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall\n               endpoints.</p>\n            </li>\n         </ol>",
         "smithy.api#title": "AWS Network Firewall",
         "smithy.rules#endpointRuleSet": {
           "version": "1.0",
@@ -5304,6 +5318,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>DROP</code> - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CONTINUE</code> - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to <code>drop http</code> traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a <code>flow:stateless</code> rule would still match, as would the <code>aws:drop_strict</code> default action.</p>\n            </li>\n            <li>\n               <p>\n                  <code>REJECT</code> - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.</p>\n            </li>\n         </ul>"
           }
+        },
+        "FlowTimeouts": {
+          "target": "com.amazonaws.networkfirewall#FlowTimeouts",
+          "traits": {
+            "smithy.api#documentation": "<p>Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.\n        </p>"
+          }
         }
       },
       "traits": {
@@ -6073,6 +6093,9 @@
         "target": "com.amazonaws.networkfirewall#TargetType"
       }
     },
+    "com.amazonaws.networkfirewall#TcpIdleTimeoutRangeBound": {
+      "type": "integer"
+    },
     "com.amazonaws.networkfirewall#ThrottlingException": {
       "type": "structure",
       "members": {