Resource: aws_fms_policy

Provides a resource to create an AWS Firewall Manager policy. Firewall Manager requires AWS Organizations, and the account that applies this resource must be the Firewall Manager administrator account for the organization; member accounts cannot create organization-wide policies.

Example Usage

resource "aws_fms_policy" "example" {
  name                  = "FMS-Policy-Example"
  exclude_resource_tags = false
  # Report-only: Firewall Manager flags non-compliant load balancers but
  # does not create or associate a web ACL until this is set to true.
  remediation_enabled   = false
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  security_service_policy_data {
    type = "WAF"

    # WAF Classic (regional) policy definition, passed as a JSON string.
    managed_service_data = jsonencode({
      type = "WAF",
      ruleGroups = [{
        id = aws_wafregional_rule_group.example.id
        overrideAction = {
          # COUNT overrides the rule group's own actions, so its rules only
          # count matches; the web ACL default action decides each request.
          type = "COUNT"
        }
      }]
      defaultAction = {
        # Applied to every request no rule allows or blocks. With COUNT
        # above no rule can allow a request, so enabling remediation on
        # this policy as written would block all traffic to the ALBs.
        type = "BLOCK"
      }
      # Leave any web ACL a member account already associated in place
      # instead of replacing it with the Firewall Manager one.
      overrideCustomerWebACLAssociation = false
    })
  }

  tags = {
    Name = "example-fms-policy"
  }
}

# Empty WAF Classic rule group referenced by the policy above; rules are
# attached to it with separate aws_wafregional_* resources.
resource "aws_wafregional_rule_group" "example" {
  metric_name = "WAFRuleGroupExample"
  name        = "WAF-Rule-Group-Example"
}

Argument Reference

This resource supports the following arguments:

exclude_map Configuration Block

You can specify inclusions or exclusions, but not both. If you specify an include_map, AWS Firewall Manager applies the policy to all accounts specified by the include_map, and does not evaluate any exclude_map specifications. If you do not specify an include_map, then Firewall Manager applies the policy to all accounts except for those specified by the exclude_map.

include_map Configuration Block

You can specify inclusions or exclusions, but not both. If you specify an include_map, AWS Firewall Manager applies the policy to all accounts specified by the include_map, and does not evaluate any exclude_map specifications. If you do not specify an include_map, then Firewall Manager applies the policy to all accounts except for those specified by the exclude_map.
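The following is an added example (not from this page or the provider's own documentation) showing a policy scoped with include_map and set to enforce rather than only report. Compared with the example above it turns remediation on, lets the rule group's actions take effect (override NONE instead of COUNT) and uses a default action of ALLOW so that a rule group without allow rules does not block every request. The include_map argument names (orgunit, and the account alternative) are taken from the provider schema and are not listed on this page; confirm them with terraform providers schema -json before relying on them. The OU ID is a placeholder, and the rule group reference is the aws_wafregional_rule_group.example resource from the example above.

```hcl
# Added example: enforcing WAF policy limited to one organizational unit.
# include_map argument names are assumed from the provider schema (not on
# this page); the OU ID below is a placeholder.
resource "aws_fms_policy" "enforced" {
  name                  = "FMS-Policy-Enforced"
  exclude_resource_tags = false
  # Firewall Manager creates the web ACL and associates it with every
  # in-scope load balancer, and re-associates it if someone removes it.
  remediation_enabled   = true
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  # Only accounts under this OU are in scope; because include_map is set,
  # any exclude_map would be ignored.
  include_map {
    orgunit = ["ou-abcd-12345678"] # placeholder OU ID
  }

  security_service_policy_data {
    type = "WAF"

    managed_service_data = jsonencode({
      type = "WAF"
      ruleGroups = [{
        id = aws_wafregional_rule_group.example.id
        overrideAction = {
          # NONE: the rule group's own ALLOW/BLOCK/COUNT actions apply.
          type = "NONE"
        }
      }]
      defaultAction = {
        # Requests that no rule blocks are allowed through.
        type = "ALLOW"
      }
      # Still do not replace web ACLs that member accounts associated
      # themselves; set to true only after reviewing what they contain.
      overrideCustomerWebACLAssociation = false
    })
  }

  tags = {
    Name = "enforced-fms-policy"
  }
}
```

After apply, compliance per member account can be checked with the Firewall Manager console or the GetComplianceDetail API; a policy with remediation_enabled = false will report violations there without changing any resource.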

security_service_policy_data Configuration Block

policy_option Configuration Block

network_firewall_policy Configuration Block

thirdparty_firewall_policy Configuration Block

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Firewall Manager policies using the policy ID. For example:

import {
  to = aws_fms_policy.example
  id = "5be49585-a7e3-4c49-dde1-a179fe4a619a"
}

Using terraform import, import Firewall Manager policies using the policy ID. For example:

% terraform import aws_fms_policy.example 5be49585-a7e3-4c49-dde1-a179fe4a619a