Creates a root volume replacement task for an Amazon EC2 instance. The root volume can either be restored to its initial launch state, or it can be restored using a specific snapshot.
For more information, see Replace a root volume in the Amazon Elastic Compute Cloud User Guide.
" + "documentation":"Replaces the EBS-backed root volume for a running instance with a new volume that is restored to the original root volume's launch state, that is restored to a specific snapshot taken from the original root volume, or that is restored from an AMI that has the same key characteristics as that of the instance.
For more information, see Replace a root volume in the Amazon Elastic Compute Cloud User Guide.
" }, "CreateReservedInstancesListing":{ "name":"CreateReservedInstancesListing", @@ -12538,7 +12538,7 @@ }, "SnapshotId":{ "shape":"SnapshotId", - "documentation":"The ID of the snapshot from which to restore the replacement root volume. If you want to restore the volume to the initial launch state, omit this parameter.
" + "documentation":"The ID of the snapshot from which to restore the replacement root volume. The specified snapshot must be a snapshot that you previously created from the original root volume.
If you want to restore the replacement root volume to the initial launch state, or if you want to restore the replacement root volume from an AMI, omit this parameter.
" }, "ClientToken":{ "shape":"String", @@ -12553,6 +12553,14 @@ "shape":"TagSpecificationList", "documentation":"The tags to apply to the root volume replacement task.
", "locationName":"TagSpecification" + }, + "ImageId":{ + "shape":"ImageId", + "documentation":"The ID of the AMI to use to restore the root volume. The specified AMI must have the same product code, billing information, architecture type, and virtualization type as that of the instance.
If you want to restore the replacement volume from a specific snapshot, or if you want to restore it to its launch state, omit this parameter.
" + }, + "DeleteReplacedRootVolume":{ + "shape":"Boolean", + "documentation":"Indicates whether to automatically delete the original root volume after the root volume replacement task completes. To delete the original root volume, specify true. If you choose to keep the original root volume after the replacement task completes, you must manually delete it when you no longer need it.
The tags assigned to the task.
", "locationName":"tagSet" + }, + "ImageId":{ + "shape":"ImageId", + "documentation":"The ID of the AMI used to create the replacement root volume.
", + "locationName":"imageId" + }, + "SnapshotId":{ + "shape":"SnapshotId", + "documentation":"The ID of the snapshot used to create the replacement root volume.
", + "locationName":"snapshotId" + }, + "DeleteReplacedRootVolume":{ + "shape":"Boolean", + "documentation":"Indicates whether the original root volume is to be deleted after the root volume replacement task completes.
", + "locationName":"deleteReplacedRootVolume" } }, "documentation":"Information about a root volume replacement task.
" diff --git a/botocore/data/endpoints.json b/botocore/data/endpoints.json index cf3994c1ff..2ec5e756f3 100644 --- a/botocore/data/endpoints.json +++ b/botocore/data/endpoints.json @@ -2190,6 +2190,7 @@ "deprecated" : true, "hostname" : "cloudcontrolapi-fips.us-west-2.amazonaws.com" }, + "me-central-1" : { }, "me-south-1" : { }, "sa-east-1" : { }, "us-east-1" : { @@ -20372,7 +20373,8 @@ }, "ds" : { "endpoints" : { - "us-iso-east-1" : { } + "us-iso-east-1" : { }, + "us-iso-west-1" : { } } }, "dynamodb" : { diff --git a/botocore/data/fms/2018-01-01/service-2.json b/botocore/data/fms/2018-01-01/service-2.json index d28cf0fc18..e7aa84bfee 100644 --- a/botocore/data/fms/2018-01-01/service-2.json +++ b/botocore/data/fms/2018-01-01/service-2.json @@ -2000,6 +2000,10 @@ }, "documentation":"Violation detail for Network Firewall for an Availability Zone that's missing the expected Firewall Manager managed subnet.
" }, + "NetworkFirewallOverrideAction":{ + "type":"string", + "enum":["DROP_TO_ALERT"] + }, "NetworkFirewallPolicy":{ "type":"structure", "members":{ @@ -2068,6 +2072,16 @@ "min":1, "pattern":"^[a-zA-Z0-9-]+$" }, + "NetworkFirewallStatefulRuleGroupOverride":{ + "type":"structure", + "members":{ + "Action":{ + "shape":"NetworkFirewallOverrideAction", + "documentation":"The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
The setting that allows the policy owner to change the behavior of the rule group within a policy.
" + }, "NetworkFirewallUnexpectedFirewallRoutesViolation":{ "type":"structure", "members":{ @@ -2978,7 +2992,7 @@ }, "ManagedServiceData":{ "shape":"ManagedServiceData", - "documentation":"Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL - Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: THIRD_PARTY_FIREWALL
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.
Example: WAFV2
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
In the loggingConfiguration, you can specify one logDestinationConfigs, you can optionally provide up to 20 redactedFields, and the RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON - Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distrubute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL - Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: THIRD_PARTY_FIREWALL
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON - Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distrubute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.
Example: WAFV2
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
In the loggingConfiguration, you can specify one logDestinationConfigs, you can optionally provide up to 20 redactedFields, and the RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.
Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
An integer setting that indicates the order in which to run the stateful rule groups in a single Network Firewall firewall policy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.
Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. For information about
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
" + }, + "Override":{ + "shape":"NetworkFirewallStatefulRuleGroupOverride", + "documentation":"The action that allows the policy owner to override the behavior of the rule group within a policy.
" } }, "documentation":"Network Firewall stateful rule group, used in a NetworkFirewallPolicyDescription.
" diff --git a/botocore/data/glue/2017-03-31/service-2.json b/botocore/data/glue/2017-03-31/service-2.json index 74bc684c9b..9dc7e98f9b 100644 --- a/botocore/data/glue/2017-03-31/service-2.json +++ b/botocore/data/glue/2017-03-31/service-2.json @@ -5890,6 +5890,14 @@ "AllowSingleColumn":{ "shape":"NullableBoolean", "documentation":"Enables the processing of files that contain only one column.
" + }, + "CustomDatatypeConfigured":{ + "shape":"NullableBoolean", + "documentation":"Enables the configuration of custom datatypes.
" + }, + "CustomDatatypes":{ + "shape":"CustomDatatypes", + "documentation":"Creates a list of supported custom datatypes.
" } }, "documentation":"Specifies a custom CSV classifier for CreateClassifier to create.
Enables the processing of files that contain only one column.
" + }, + "CustomDatatypeConfigured":{ + "shape":"NullableBoolean", + "documentation":"Enables the custom datatype to be configured.
" + }, + "CustomDatatypes":{ + "shape":"CustomDatatypes", + "documentation":"A list of custom datatypes including \"BINARY\", \"BOOLEAN\", \"DATE\", \"DECIMAL\", \"DOUBLE\", \"FLOAT\", \"INT\", \"LONG\", \"SHORT\", \"STRING\", \"TIMESTAMP\".
" } }, "documentation":"A classifier for custom CSV content.
Specifies a transform that uses custom code you provide to perform the data transformation. The output is a collection of DynamicFrames.
" }, + "CustomDatatypes":{ + "type":"list", + "member":{"shape":"NameString"} + }, "CustomEntityType":{ "type":"structure", "required":[ @@ -17293,6 +17313,14 @@ "AllowSingleColumn":{ "shape":"NullableBoolean", "documentation":"Enables the processing of files that contain only one column.
" + }, + "CustomDatatypeConfigured":{ + "shape":"NullableBoolean", + "documentation":"Specifies the configuration of custom datatypes.
" + }, + "CustomDatatypes":{ + "shape":"CustomDatatypes", + "documentation":"Specifies a list of supported custom datatypes.
" } }, "documentation":"Specifies a custom CSV classifier to be updated.
" diff --git a/botocore/data/redshift/2012-12-01/service-2.json b/botocore/data/redshift/2012-12-01/service-2.json index 9c3fd37abc..59720248ce 100644 --- a/botocore/data/redshift/2012-12-01/service-2.json +++ b/botocore/data/redshift/2012-12-01/service-2.json @@ -3764,7 +3764,7 @@ }, "ElasticIp":{ "shape":"String", - "documentation":"The Elastic IP (EIP) address for the cluster.
Constraints: The cluster must be provisioned in EC2-VPC and publicly-accessible through an Internet gateway. For more information about provisioning clusters in EC2-VPC, go to Supported Platforms to Launch Your Cluster in the Amazon Redshift Cluster Management Guide.
" + "documentation":"The Elastic IP (EIP) address for the cluster.
Constraints: The cluster must be provisioned in EC2-VPC and publicly-accessible through an Internet gateway. Don't specify the Elastic IP address for a publicly accessible cluster with availability zone relocation turned on. For more information about provisioning clusters in EC2-VPC, go to Supported Platforms to Launch Your Cluster in the Amazon Redshift Cluster Management Guide.
" }, "Tags":{ "shape":"TagList", @@ -8611,7 +8611,7 @@ }, "ElasticIp":{ "shape":"String", - "documentation":"The elastic IP (EIP) address for the cluster.
" + "documentation":"The Elastic IP (EIP) address for the cluster. Don't specify the Elastic IP address for a publicly accessible cluster with availability zone relocation turned on.
" }, "ClusterParameterGroupName":{ "shape":"String", diff --git a/botocore/data/sagemaker/2017-07-24/service-2.json b/botocore/data/sagemaker/2017-07-24/service-2.json index 7986625539..6fe2f7a1f8 100644 --- a/botocore/data/sagemaker/2017-07-24/service-2.json +++ b/botocore/data/sagemaker/2017-07-24/service-2.json @@ -619,7 +619,7 @@ {"shape":"ResourceLimitExceeded"}, {"shape":"ResourceNotFound"} ], - "documentation":"Starts a model training job. After training completes, SageMaker saves the resulting model artifacts to an Amazon S3 location that you specify.
If you choose to host your model using SageMaker hosting services, you can use the resulting model artifacts as part of the model. You can also use the artifacts in a machine learning service other than SageMaker, provided that you know how to use them for inference.
In the request body, you provide the following:
AlgorithmSpecification - Identifies the training algorithm to use.
HyperParameters - Specify these algorithm-specific parameters to enable the estimation of model parameters during training. Hyperparameters can be tuned to optimize this learning process. For a list of hyperparameters for each training algorithm provided by SageMaker, see Algorithms.
Do not include any security-sensitive information including account access IDs, secrets or tokens in any hyperparameter field. If the use of security-sensitive credentials are detected, SageMaker will reject your training job request and return an exception error.
InputDataConfig - Describes the training dataset and the Amazon S3, EFS, or FSx location where it is stored.
OutputDataConfig - Identifies the Amazon S3 bucket where you want SageMaker to save the results of model training.
ResourceConfig - Identifies the resources, ML compute instances, and ML storage volumes to deploy for model training. In distributed training, you specify more than one instance.
EnableManagedSpotTraining - Optimize the cost of training machine learning models by up to 80% by using Amazon EC2 Spot instances. For more information, see Managed Spot Training.
RoleArn - The Amazon Resource Name (ARN) that SageMaker assumes to perform tasks on your behalf during model training. You must grant this role the necessary permissions so that SageMaker can successfully complete model training.
StoppingCondition - To help cap training costs, use MaxRuntimeInSeconds to set a time limit for training. Use MaxWaitTimeInSeconds to specify how long a managed spot training job has to complete.
Environment - The environment variables to set in the Docker container.
RetryStrategy - The number of times to retry the job when the job fails due to an InternalServerError.
For more information about SageMaker, see How It Works.
" + "documentation":"Starts a model training job. After training completes, SageMaker saves the resulting model artifacts to an Amazon S3 location that you specify.
If you choose to host your model using SageMaker hosting services, you can use the resulting model artifacts as part of the model. You can also use the artifacts in a machine learning service other than SageMaker, provided that you know how to use them for inference.
In the request body, you provide the following:
AlgorithmSpecification - Identifies the training algorithm to use.
HyperParameters - Specify these algorithm-specific parameters to enable the estimation of model parameters during training. Hyperparameters can be tuned to optimize this learning process. For a list of hyperparameters for each training algorithm provided by SageMaker, see Algorithms.
Do not include any security-sensitive information including account access IDs, secrets or tokens in any hyperparameter field. If the use of security-sensitive credentials are detected, SageMaker will reject your training job request and return an exception error.
InputDataConfig - Describes the input required by the training job and the Amazon S3, EFS, or FSx location where it is stored.
OutputDataConfig - Identifies the Amazon S3 bucket where you want SageMaker to save the results of model training.
ResourceConfig - Identifies the resources, ML compute instances, and ML storage volumes to deploy for model training. In distributed training, you specify more than one instance.
EnableManagedSpotTraining - Optimize the cost of training machine learning models by up to 80% by using Amazon EC2 Spot instances. For more information, see Managed Spot Training.
RoleArn - The Amazon Resource Name (ARN) that SageMaker assumes to perform tasks on your behalf during model training. You must grant this role the necessary permissions so that SageMaker can successfully complete model training.
StoppingCondition - To help cap training costs, use MaxRuntimeInSeconds to set a time limit for training. Use MaxWaitTimeInSeconds to specify how long a managed spot training job has to complete.
Environment - The environment variables to set in the Docker container.
RetryStrategy - The number of times to retry the job when the job fails due to an InternalServerError.
For more information about SageMaker, see How It Works.
" }, "CreateTransformJob":{ "name":"CreateTransformJob", @@ -3453,6 +3453,14 @@ "EnableSageMakerMetricsTimeSeries":{ "shape":"Boolean", "documentation":"To generate and save time-series metrics during training, set to true. The default is false and time-series metrics aren't generated except in the following cases:
You use one of the SageMaker built-in algorithms
You use one of the following Prebuilt SageMaker Docker Images:
Tensorflow (version >= 1.15)
MXNet (version >= 1.6)
PyTorch (version >= 1.3)
You specify at least one MetricDefinition
The entrypoint script for a Docker container used to run a training job. This script takes precedence over the default train processing instructions. See How Amazon SageMaker Runs Your Training Image for more information.
" + }, + "ContainerArguments":{ + "shape":"TrainingContainerArguments", + "documentation":"The arguments for a container used to run a training job. See How Amazon SageMaker Runs Your Training Image for additional information.
" } }, "documentation":"Specifies the training algorithm to use in a CreateTrainingJob request.
For more information about algorithms provided by SageMaker, see Algorithms. For information about using your own algorithms, see Using Your Own Algorithms with Amazon SageMaker.
" @@ -26758,6 +26766,28 @@ "type":"string", "enum":["PHASES"] }, + "TrainingContainerArgument":{ + "type":"string", + "max":256, + "pattern":".*" + }, + "TrainingContainerArguments":{ + "type":"list", + "member":{"shape":"TrainingContainerArgument"}, + "max":100, + "min":1 + }, + "TrainingContainerEntrypoint":{ + "type":"list", + "member":{"shape":"TrainingContainerEntrypointString"}, + "max":10, + "min":1 + }, + "TrainingContainerEntrypointString":{ + "type":"string", + "max":256, + "pattern":".*" + }, "TrainingEnvironmentKey":{ "type":"string", "max":512, diff --git a/botocore/data/wafv2/2019-07-29/service-2.json b/botocore/data/wafv2/2019-07-29/service-2.json index 28a16eb701..6b35e35bdc 100644 --- a/botocore/data/wafv2/2019-07-29/service-2.json +++ b/botocore/data/wafv2/2019-07-29/service-2.json @@ -135,7 +135,8 @@ {"shape":"WAFTagOperationInternalErrorException"}, {"shape":"WAFSubscriptionNotFoundException"}, {"shape":"WAFInvalidOperationException"}, - {"shape":"WAFConfigurationWarningException"} + {"shape":"WAFConfigurationWarningException"}, + {"shape":"WAFExpiredManagedRuleGroupVersionException"} ], "documentation":"Creates a WebACL per the specifications provided.
A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, or an Amazon Cognito user pool.
" }, @@ -316,7 +317,7 @@ {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"Generates a presigned download URL for the specified release of the mobile SDK.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" + "documentation":"Generates a presigned download URL for the specified release of the mobile SDK.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage WAF tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" }, "GetIPSet":{ "name":"GetIPSet", @@ -380,7 +381,7 @@ {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"Retrieves information for the specified mobile SDK release, including release notes and tags.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" + "documentation":"Retrieves information for the specified mobile SDK release, including release notes and tags.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage WAF tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" }, "GetPermissionPolicy":{ "name":"GetPermissionPolicy", @@ -582,7 +583,7 @@ {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"Retrieves a list of the available releases for the mobile SDK and the specified device platform.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" + "documentation":"Retrieves a list of the available releases for the mobile SDK and the specified device platform.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage WAF tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" }, "ListRegexPatternSets":{ "name":"ListRegexPatternSets", @@ -856,6 +857,17 @@ } }, "shapes":{ + "AWSManagedRulesBotControlRuleSet":{ + "type":"structure", + "required":["InspectionLevel"], + "members":{ + "InspectionLevel":{ + "shape":"InspectionLevel", + "documentation":"The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see WAF Bot Control rule group.
" + } + }, + "documentation":"Details for your use of the Bot Control managed rule group, used in ManagedRuleGroupConfig.
The action setting that a log record must contain in order to meet the condition.
" + "documentation":"The action setting that a log record must contain in order to meet the condition. This is the action that WAF applied to the web request.
For rule groups, this is either the configured rule action setting, or if you've applied a rule action override to the rule, it's the override action. The value EXCLUDED_AS_COUNT matches on excluded rules and also on rules that have a rule action override of Count.
A single action condition for a Condition in a logging filter.
" @@ -875,6 +887,7 @@ "BLOCK", "COUNT", "CAPTCHA", + "CHALLENGE", "EXCLUDED_AS_COUNT" ] }, @@ -999,17 +1012,17 @@ "members":{ "CustomRequestHandling":{ "shape":"CustomRequestHandling", - "documentation":"Defines custom handling for the web request.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.
" + "documentation":"Defines custom handling for the web request, used when the CAPTCHA inspection determines that the request's token is valid and unexpired.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.
" } }, - "documentation":"Specifies that WAF should run a CAPTCHA check against the request:
If the request includes a valid, unexpired CAPTCHA token, WAF allows the web request inspection to proceed to the next rule, similar to a CountAction.
If the request doesn't include a valid, unexpired CAPTCHA token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination.
WAF generates a response that it sends back to the client, which includes the following:
The header x-amzn-waf-action with a value of captcha.
The HTTP status code 405 Method Not Allowed.
If the request contains an Accept header with a value of text/html, the response includes a CAPTCHA challenge.
You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting.
This action option is available for rules. It isn't available for web ACL default actions.
" + "documentation":"Specifies that WAF should run a CAPTCHA check against the request:
If the request includes a valid, unexpired CAPTCHA token, WAF applies any custom request handling and labels that you've configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction.
If the request doesn't include a valid, unexpired token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination.
WAF generates a response that it sends back to the client, which includes the following:
The header x-amzn-waf-action with a value of captcha.
The HTTP status code 405 Method Not Allowed.
If the request contains an Accept header with a value of text/html, the response includes a CAPTCHA JavaScript page interstitial.
You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting.
This action option is available for rules. It isn't available for web ACL default actions.
" }, "CaptchaConfig":{ "type":"structure", "members":{ "ImmunityTimeProperty":{ "shape":"ImmunityTimeProperty", - "documentation":"Determines how long a CAPTCHA token remains valid after the client successfully solves a CAPTCHA puzzle.
Determines how long a CAPTCHA timestamp in the token remains valid after the client successfully solves a CAPTCHA puzzle.
Specifies how WAF should handle CAPTCHA evaluations. This is available at the web ACL level and in each rule.
The time that the CAPTCHA puzzle was solved for the supplied token.
The time that the CAPTCHA was last solved for the supplied token.
The result from the inspection of the web request for a valid CAPTCHA token.
Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.
" + } + }, + "documentation":"Specifies that WAF should run a Challenge check against the request to verify that the request is coming from a legitimate client session:
If the request includes a valid, unexpired challenge token, WAF applies any custom request handling and labels that you've configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction.
If the request doesn't include a valid, unexpired challenge token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination.
WAF then generates a challenge response that it sends back to the client, which includes the following:
The header x-amzn-waf-action with a value of challenge.
The HTTP status code 202 Request Accepted.
If the request contains an Accept header with a value of text/html, the response includes a JavaScript page interstitial with a challenge script.
Challenges run silent browser interrogations in the background, and don't generally affect the end user experience.
A challenge enforces token acquisition using an interstitial JavaScript challenge that inspects the client session for legitimate behavior. The challenge blocks bots or at least increases the cost of operating sophisticated bots.
After the client session successfully responds to the challenge, it receives a new token from WAF, which the challenge script uses to resubmit the original request.
You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting.
This action option is available for rules. It isn't available for web ACL default actions.
" + }, + "ChallengeConfig":{ + "type":"structure", + "members":{ + "ImmunityTimeProperty":{ + "shape":"ImmunityTimeProperty", + "documentation":"Determines how long a challenge timestamp in the token remains valid after the client successfully responds to a challenge.
" + } + }, + "documentation":"Specifies how WAF should handle Challenge evaluations. This is available at the web ACL level and in each rule.
The HTTP response code indicating the status of the challenge token in the web request. If the token is missing, invalid, or expired, this code is 202 Request Accepted.
The time that the challenge was last solved for the supplied token.
" + }, + "FailureReason":{ + "shape":"FailureReason", + "documentation":"The reason for failure, populated when the evaluation of the token fails.
" + } + }, + "documentation":"The result from the inspection of the web request for a valid challenge token.
" + }, "CheckCapacityRequest":{ "type":"structure", "required":[ @@ -1589,6 +1640,14 @@ "CaptchaConfig":{ "shape":"CaptchaConfig", "documentation":"Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings. If you don't specify this, WAF uses its default settings for CaptchaConfig.
Specifies how WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings. If you don't specify this, WAF uses its default settings for ChallengeConfig.
Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
Example JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }
The HTTP headers to insert into the request. Duplicate header names are not allowed.
For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.
" } }, - "documentation":"Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for the rule actions allow and count.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.
" + "documentation":"Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn't block the request. For example, CaptchaAction for requests with valid t okens, and AllowAction.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.
" }, "CustomResponse":{ "type":"structure", @@ -1992,7 +2051,7 @@ "documentation":"The name of the rule whose action you want to override to Count.
Specifies a single rule in a rule group whose action you want to override to Count. When you exclude a rule, WAF evaluates it exactly as it would if the rule action setting were Count. This is a useful option for testing the rules in a rule group without modifying how they handle your web traffic.
Specifies a single rule in a rule group whose action you want to override to Count.
Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count.
The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead exclude those rules in your rule group reference statement settings.
The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings.
The amount of time, in seconds, that a CAPTCHA token is valid. The default setting is 300.
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by WAF. The default setting is 300.
For the Challenge action, the minimum setting is 300.
" } }, - "documentation":"Determines how long a CAPTCHA token remains valid after the client successfully solves a CAPTCHA puzzle.
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response.
Details about your login page password field.
" + }, + "AWSManagedRulesBotControlRuleSet":{ + "shape":"AWSManagedRulesBotControlRuleSet", + "documentation":"Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see WAF Bot Control rule group and WAF Bot Control in the WAF Developer Guide.
" } }, - "documentation":"Additional information that's used by a managed rule group. Most managed rule groups don't require this.
Use this for the account takeover prevention managed rule group AWSManagedRulesATPRuleSet, to provide information about the sign-in page of your application.
You can provide multiple individual ManagedRuleGroupConfig objects for any rule group configuration, for example UsernameField and PasswordField. The configuration that you provide depends on the needs of the managed rule group. For the ATP managed rule group, you provide the following individual configuration objects: LoginPath, PasswordField, PayloadType and UsernameField.
For example specifications, see the examples section of CreateWebACL.
" + "documentation":"Additional information that's used by a managed rule group. Many managed rule groups don't require this.
Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.
For example specifications, see the examples section of CreateWebACL.
" }, "ManagedRuleGroupConfigs":{ "type":"list", @@ -3431,7 +3503,7 @@ }, "ExcludedRules":{ "shape":"ExcludedRules", - "documentation":"The rules in the referenced rule group whose actions are set to Count. When you exclude a rule, WAF evaluates it exactly as it would if the rule action setting were Count. This is a useful option for testing the rules in a rule group without modifying how they handle your web traffic.
Rules in the referenced rule group whose actions are set to Count.
Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count.
Additional information that's used by a managed rule group. Most managed rule groups don't require this.
Use this for the account takeover prevention managed rule group AWSManagedRulesATPRuleSet, to provide information about the sign-in page of your application.
You can provide multiple individual ManagedRuleGroupConfig objects for any rule group configuration, for example UsernameField and PasswordField. The configuration that you provide depends on the needs of the managed rule group. For the ATP managed rule group, you provide the following individual configuration objects: LoginPath, PasswordField, PayloadType and UsernameField.
Additional information that's used by a managed rule group. Many managed rule groups don't require this.
Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.
Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.
You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.
You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.
You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet or the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet. For more information, see WAF Pricing.
Tags that are associated with the release.
" } }, - "documentation":"Information for a release of the mobile SDK, including release notes and tags.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" + "documentation":"Information for a release of the mobile SDK, including release notes and tags.
The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage WAF tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.
" }, "NextMarker":{ "type":"string", @@ -3673,14 +3749,14 @@ "members":{ "Count":{ "shape":"CountAction", - "documentation":"Override the rule group evaluation result to count only.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead exclude those rules in your rule group reference statement settings.
Override the rule group evaluation result to count only.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings.
Don't override the rule group evaluation result. This is the most common setting.
" } }, - "documentation":"The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead exclude those rules in your rule group reference statement settings.
The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings.
The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead exclude those rules in your rule group reference statement settings.
The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings.
Specifies how WAF should handle CAPTCHA evaluations. If you don't specify this, WAF uses the CAPTCHA configuration that's defined for the web ACL.
Specifies how WAF should handle Challenge evaluations. If you don't specify this, WAF uses the challenge configuration that's defined for the web ACL.
A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to allow, block, or count. Each rule includes one top-level Statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.
" @@ -4204,10 +4286,38 @@ "Captcha":{ "shape":"CaptchaAction", "documentation":"Instructs WAF to run a CAPTCHA check against the web request.
Instructs WAF to run a Challenge check against the web request.
The action that WAF should take on a web request when it matches a rule's statement. Settings at the web ACL level can override the rule action setting.
" }, + "RuleActionOverride":{ + "type":"structure", + "required":[ + "Name", + "ActionToUse" + ], + "members":{ + "Name":{ + "shape":"EntityName", + "documentation":"The name of the rule to override.
" + }, + "ActionToUse":{ + "shape":"RuleAction", + "documentation":"The override action to use, in place of the configured action of the rule in the rule group.
" + } + }, + "documentation":"Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.
You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
The rules in the referenced rule group whose actions are set to Count. When you exclude a rule, WAF evaluates it exactly as it would if the rule action setting were Count. This is a useful option for testing the rules in a rule group without modifying how they handle your web traffic.
Rules in the referenced rule group whose actions are set to Count.
Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count.
Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.
You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.
You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You can only use a rule group reference statement at the top level inside a web ACL.
The action for the Rule that the request matched: Allow, Block, or Count.
The action that WAF applied to the request.
" }, "RuleNameWithinRuleGroup":{ "shape":"EntityName", @@ -4382,6 +4496,14 @@ "CaptchaResponse":{ "shape":"CaptchaResponse", "documentation":"The CAPTCHA response for the request.
The Challenge response for the request.
Used only for rule group rules that have a rule action override in place in the web ACL. This is the action that the rule group rule is configured for, and not the action that was applied to the request. The action that WAF applied is the Action value.
Represents a single sampled web request. The response from GetSampledRequests includes a SampledHTTPRequests complex type that appears as SampledRequests in the response syntax. SampledHTTPRequests contains an array of SampledHTTPRequest objects.
Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings. If you don't specify this, WAF uses its default settings for CaptchaConfig.
Specifies how WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings. If you don't specify this, WAF uses its default settings for ChallengeConfig.
Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
Example JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }
Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings. If you don't specify this, WAF uses its default settings for CaptchaConfig.
Specifies how WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings. If you don't specify this, WAF uses its default settings for ChallengeConfig.
Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
" } }, "documentation":"A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, or an Amazon Cognito user pool.
" diff --git a/docs/source/conf.py b/docs/source/conf.py index 34cd1ac641..d60a4d29fa 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -54,7 +54,7 @@ # The short X.Y version. version = '1.28' # The full version, including alpha/beta/rc tags. -release = '1.28.2' +release = '1.28.3' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/tests/functional/test_context_params.py b/tests/functional/test_context_params.py new file mode 100644 index 0000000000..f83327d24b --- /dev/null +++ b/tests/functional/test_context_params.py @@ -0,0 +1,502 @@ +# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. + +import pytest + +from botocore.config import Config +from tests import ClientHTTPStubber, mock + + +# Some tests in this file require ruleset based endpoint resolution to be +# enabled for all services (including the mock service "otherservice"). This +# temporary fixutre should be removed once ruleset based endpoint resolution +# is no longer limited to a subset of services. +@pytest.fixture(autouse=True) +def enable_endpoint_resolution_v2_for_all_services(): + with mock.patch('botocore.client.FORCE_ENDPOINT_RESOLUTION_V2', True): + yield + + +# fake rulesets compatible with all fake service models below + +FAKE_RULESET_TEMPLATE = { + "version": "1.0", + "parameters": {}, + "rules": [ + { + "conditions": [], + "type": "endpoint", + "endpoint": { + "url": "https://foo.bar", + "properties": {}, + "headers": {}, + }, + } + ], +} + +# The region param is unrelated to context parameters and used as control in +# all test cases to ascertain that ANY EndpointProvider paramaters get +# populated. +REGION_PARAM = { + "builtIn": "AWS::Region", + "required": False, + "documentation": "", + "type": "String", +} + +FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS = { + **FAKE_RULESET_TEMPLATE, + "parameters": { + "Region": REGION_PARAM, + }, +} + +FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM = { + **FAKE_RULESET_TEMPLATE, + "parameters": { + "Region": REGION_PARAM, + "FooClientContextParamName": { + "required": False, + "documentation": "", + "type": "String", + }, + }, +} + +FAKE_RULESET_WITH_STATIC_CONTEXT_PARAM = { + **FAKE_RULESET_TEMPLATE, + "parameters": { + "Region": REGION_PARAM, + "FooStaticContextParamName": { + "required": False, + "documentation": "", + "type": "String", + }, + }, +} + +FAKE_RULESET_WITH_DYNAMIC_CONTEXT_PARAM = { + **FAKE_RULESET_TEMPLATE, + "parameters": { + "Region": REGION_PARAM, + "FooDynamicContextParamName": { + "required": False, + "documentation": "", + "type": "String", + }, + }, +} + +# fake models for "otherservice" + +FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS = { + "version": "2.0", + "documentation": "", + "metadata": { + "apiVersion": "2020-02-02", + "endpointPrefix": "otherservice", + "protocol": "rest-xml", + "serviceFullName": "Other Service", + "serviceId": "Other Service", + "signatureVersion": "v4", + "signingName": "otherservice", + "uid": "otherservice-2020-02-02", + }, + "operations": { + "MockOperation": { + "name": "MockOperation", + "http": {"method": "GET", "requestUri": "/"}, + "input": {"shape": "MockOperationRequest"}, + "documentation": "", + }, + }, + "shapes": { + "MockOpParam": { + "type": "string", + }, + "MockOperationRequest": { + "type": "structure", + "required": ["MockOpParam"], + "members": { + "MockOpParam": { + "shape": "MockOpParam", + "documentation": "", + "location": "uri", + "locationName": "param", + }, + }, + }, + }, +} + +FAKE_MODEL_WITH_CLIENT_CONTEXT_PARAM = { + **FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + "clientContextParams": { + "FooClientContextParamName": { + "documentation": "My mock client context parameter", + "type": "string", + } + }, +} + +FAKE_MODEL_WITH_STATIC_CONTEXT_PARAM = { + **FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + "operations": { + "MockOperation": { + "name": "MockOperation", + "http": {"method": "GET", "requestUri": "/"}, + "input": {"shape": "MockOperationRequest"}, + "documentation": "", + "staticContextParams": { + "FooStaticContextParamName": { + "value": "foo-static-context-param-value" + } + }, + }, + }, +} + +FAKE_MODEL_WITH_DYNAMIC_CONTEXT_PARAM = { + **FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + "shapes": { + "MockOpParam": { + "type": "string", + }, + "MockOperationRequest": { + "type": "structure", + "required": ["MockOpParam"], + "members": { + "MockOpParam": { + "shape": "MockOpParam", + "documentation": "", + "location": "uri", + "locationName": "param", + "contextParam": {"name": "FooDynamicContextParamName"}, + }, + }, + }, + }, + # +} + +# fake models for s3 and s3control, the only services botocore currently +# supports client context parameters for + +S3_METADATA = { + "apiVersion": "2006-03-01", + "checksumFormat": "md5", + "endpointPrefix": "s3", + "globalEndpoint": "s3.amazonaws.com", + "protocol": "rest-xml", + "serviceAbbreviation": "Amazon S3", + "serviceFullName": "Amazon Simple Storage Service", + "serviceId": "S3", + "signatureVersion": "s3", + "uid": "s3-2006-03-01", +} + +FAKE_S3_MODEL_WITHOUT_ANY_CONTEXT_PARAMS = { + **FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + "metadata": S3_METADATA, +} + +FAKE_S3_MODEL_WITH_CLIENT_CONTEXT_PARAM = { + **FAKE_MODEL_WITH_CLIENT_CONTEXT_PARAM, + "metadata": S3_METADATA, +} + +S3CONTROL_METADATA = { + "apiVersion": "2018-08-20", + "endpointPrefix": "s3-control", + "protocol": "rest-xml", + "serviceFullName": "AWS S3 Control", + "serviceId": "S3 Control", + "signatureVersion": "s3v4", + "signingName": "s3", + "uid": "s3control-2018-08-20", +} + +FAKE_S3CONTROL_MODEL_WITHOUT_ANY_CONTEXT_PARAMS = { + **FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + "metadata": S3CONTROL_METADATA, +} + +FAKE_S3CONTROL_MODEL_WITH_CLIENT_CONTEXT_PARAM = { + **FAKE_MODEL_WITH_CLIENT_CONTEXT_PARAM, + "metadata": S3CONTROL_METADATA, +} + + +def patch_load_service_model( + session, monkeypatch, service_model_json, ruleset_json +): + def mock_load_service_model(service_name, type_name, api_version=None): + if type_name == 'service-2': + return service_model_json + if type_name == 'endpoint-rule-set-1': + return ruleset_json + + loader = session.get_component('data_loader') + monkeypatch.setattr(loader, 'load_service_model', mock_load_service_model) + + +@pytest.mark.parametrize( + 'service_name,service_model,ruleset,call_should_include_ctx_param', + [ + # s3 + ( + 's3', + FAKE_S3_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + True, + ), + ( + 's3', + FAKE_S3_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + ( + 's3', + FAKE_S3_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + False, + ), + ( + 's3', + FAKE_S3_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + # s3control + ( + 's3control', + FAKE_S3CONTROL_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + True, + ), + ( + 's3control', + FAKE_S3CONTROL_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + ( + 's3control', + FAKE_S3CONTROL_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + False, + ), + ( + 's3control', + FAKE_S3CONTROL_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + # botocore does not currently support client context params for + # services other than s3 and s3-control. + ( + 'otherservice', + FAKE_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + False, # would be True for s3 and s3control + ), + ( + 'otherservice', + FAKE_MODEL_WITH_CLIENT_CONTEXT_PARAM, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, # same as for s3 and s3control + ), + ( + 'otherservice', + FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITH_CLIENT_CONTEXT_PARAM, + False, # same as for s3 and s3control + ), + ( + 'otherservice', + FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, # same as for s3 and s3control + ), + ], +) +def test_client_context_param_sent_to_endpoint_resolver( + monkeypatch, + patched_session, + service_name, + service_model, + ruleset, + call_should_include_ctx_param, +): + # patch loader to return fake service model and fake endpoint ruleset + patch_load_service_model( + patched_session, monkeypatch, service_model, ruleset + ) + + # construct client using patched loader and a config object with an s3 + # section that sets the foo_context_param to a value + client = patched_session.create_client( + service_name, + region_name='us-east-1', + config=Config( + s3={'foo_client_context_param_name': 'foo_context_param_value'} + ), + ) + + # Stub client to prevent a request from getting sent and asceertain that + # only a single request would get sent. Wrap the EndpointProvider's + # resolve_endpoint method for inspecting the arguments it gets called with. + with ClientHTTPStubber(client, strict=True) as http_stubber: + http_stubber.add_response(status=200) + with mock.patch.object( + client._ruleset_resolver._provider, + 'resolve_endpoint', + wraps=client._ruleset_resolver._provider.resolve_endpoint, + ) as mock_resolve_endpoint: + client.mock_operation(MockOpParam='mock-op-param-value') + + if call_should_include_ctx_param: + mock_resolve_endpoint.assert_called_once_with( + Region='us-east-1', + FooClientContextParamName='foo_context_param_value', + ) + else: + mock_resolve_endpoint.assert_called_once_with(Region='us-east-1') + + +@pytest.mark.parametrize( + 'service_name,service_model,ruleset,call_should_include_ctx_param', + [ + ( + 'otherservice', + FAKE_MODEL_WITH_STATIC_CONTEXT_PARAM, + FAKE_RULESET_WITH_STATIC_CONTEXT_PARAM, + True, + ), + ( + 'otherservice', + FAKE_MODEL_WITH_STATIC_CONTEXT_PARAM, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + ( + 'otherservice', + FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITH_STATIC_CONTEXT_PARAM, + False, + ), + ( + 'otherservice', + FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + ], +) +def test_static_context_param_sent_to_endpoint_resolver( + monkeypatch, + patched_session, + service_name, + service_model, + ruleset, + call_should_include_ctx_param, +): + # patch loader to return fake service model and fake endpoint ruleset + patch_load_service_model( + patched_session, monkeypatch, service_model, ruleset + ) + + # construct client using patched loader, but no special config is required + # for static context param to take effect + client = patched_session.create_client( + service_name, region_name='us-east-1' + ) + + with ClientHTTPStubber(client, strict=True) as http_stubber: + http_stubber.add_response(status=200) + with mock.patch.object( + client._ruleset_resolver._provider, + 'resolve_endpoint', + wraps=client._ruleset_resolver._provider.resolve_endpoint, + ) as mock_resolve_endpoint: + client.mock_operation(MockOpParam='mock-op-param-value') + + if call_should_include_ctx_param: + mock_resolve_endpoint.assert_called_once_with( + Region='us-east-1', + FooStaticContextParamName='foo-static-context-param-value', + ) + else: + mock_resolve_endpoint.assert_called_once_with(Region='us-east-1') + + +@pytest.mark.parametrize( + 'service_name,service_model,ruleset,call_should_include_ctx_param', + [ + ( + 'otherservice', + FAKE_MODEL_WITH_DYNAMIC_CONTEXT_PARAM, + FAKE_RULESET_WITH_DYNAMIC_CONTEXT_PARAM, + True, + ), + ( + 'otherservice', + FAKE_MODEL_WITH_DYNAMIC_CONTEXT_PARAM, + FAKE_RULESET_WITHOUT_ANY_CONTEXT_PARAMS, + False, + ), + ( + 'otherservice', + FAKE_MODEL_WITHOUT_ANY_CONTEXT_PARAMS, + FAKE_RULESET_WITH_DYNAMIC_CONTEXT_PARAM, + False, + ), + ], +) +def test_dynamic_context_param_sent_to_endpoint_resolver( + monkeypatch, + patched_session, + service_name, + service_model, + ruleset, + call_should_include_ctx_param, +): + # patch loader to return fake service model and fake endpoint ruleset + patch_load_service_model( + patched_session, monkeypatch, service_model, ruleset + ) + + # construct client using patched loader, but no special config is required + # for static context param to take effect + client = patched_session.create_client( + service_name, region_name='us-east-1' + ) + + with ClientHTTPStubber(client, strict=True) as http_stubber: + http_stubber.add_response(status=200) + with mock.patch.object( + client._ruleset_resolver._provider, + 'resolve_endpoint', + wraps=client._ruleset_resolver._provider.resolve_endpoint, + ) as mock_resolve_endpoint: + client.mock_operation(MockOpParam='mock-op-param-value') + + if call_should_include_ctx_param: + mock_resolve_endpoint.assert_called_once_with( + Region='us-east-1', + FooDynamicContextParamName='mock-op-param-value', + ) + else: + mock_resolve_endpoint.assert_called_once_with(Region='us-east-1')