{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.NetworkFirewall.Types.RuleDefinition
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.NetworkFirewall.Types.RuleDefinition where

import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import Amazonka.NetworkFirewall.Types.MatchAttributes
import qualified Amazonka.Prelude as Prelude

-- | The inspection criteria and action for a single stateless rule. Network
-- Firewall inspects each packet for the specified matching criteria. When
-- a packet matches the criteria, Network Firewall performs the rule\'s
-- actions on the packet.
--
-- /See:/ 'newRuleDefinition' smart constructor.
data RuleDefinition = RuleDefinition'
  { -- | Criteria for Network Firewall to use to inspect an individual packet in
    -- stateless rule inspection. Each match attributes set can include one or
    -- more items such as IP address, CIDR range, port number, protocol, and
    -- TCP flags.
    RuleDefinition -> MatchAttributes
matchAttributes :: MatchAttributes,
    -- | The actions to take on a packet that matches one of the stateless rule
    -- definition\'s match attributes. You must specify a standard action and
    -- you can add custom actions.
    --
    -- Network Firewall only forwards a packet for stateful rule inspection if
    -- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
    -- if the packet doesn\'t match any stateless rule and you specify
    -- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
    -- FirewallPolicy.
    --
    -- For every rule, you must specify exactly one of the following standard
    -- actions.
    --
    -- -   __aws:pass__ - Discontinues all inspection of the packet and permits
    --     it to go to its intended destination.
    --
    -- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
    --     it from going to its intended destination.
    --
    -- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
    --     packet and forwards it to the stateful rule engine for inspection.
    --
    -- Additionally, you can specify a custom action. To do this, you define a
    -- custom action by name and type, then provide the name you\'ve assigned
    -- to the action in this @Actions@ setting. For information about the
    -- options, see CustomAction.
    --
    -- To provide more than one action in this setting, separate the settings
    -- with a comma. For example, if you have a custom @PublishMetrics@ action
    -- that you\'ve named @MyMetricsAction@, then you could specify the
    -- standard action @aws:pass@ and the custom action with
    -- @[“aws:pass”, “MyMetricsAction”]@.
    RuleDefinition -> [Text]
actions :: [Prelude.Text]
  }
  deriving (RuleDefinition -> RuleDefinition -> Bool
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: RuleDefinition -> RuleDefinition -> Bool
$c/= :: RuleDefinition -> RuleDefinition -> Bool
== :: RuleDefinition -> RuleDefinition -> Bool
$c== :: RuleDefinition -> RuleDefinition -> Bool
Prelude.Eq, ReadPrec [RuleDefinition]
ReadPrec RuleDefinition
Int -> ReadS RuleDefinition
ReadS [RuleDefinition]
forall a.
(Int -> ReadS a)
-> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a
readListPrec :: ReadPrec [RuleDefinition]
$creadListPrec :: ReadPrec [RuleDefinition]
readPrec :: ReadPrec RuleDefinition
$creadPrec :: ReadPrec RuleDefinition
readList :: ReadS [RuleDefinition]
$creadList :: ReadS [RuleDefinition]
readsPrec :: Int -> ReadS RuleDefinition
$creadsPrec :: Int -> ReadS RuleDefinition
Prelude.Read, Int -> RuleDefinition -> ShowS
[RuleDefinition] -> ShowS
RuleDefinition -> String
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [RuleDefinition] -> ShowS
$cshowList :: [RuleDefinition] -> ShowS
show :: RuleDefinition -> String
$cshow :: RuleDefinition -> String
showsPrec :: Int -> RuleDefinition -> ShowS
$cshowsPrec :: Int -> RuleDefinition -> ShowS
Prelude.Show, forall x. Rep RuleDefinition x -> RuleDefinition
forall x. RuleDefinition -> Rep RuleDefinition x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep RuleDefinition x -> RuleDefinition
$cfrom :: forall x. RuleDefinition -> Rep RuleDefinition x
Prelude.Generic)

-- |
-- Create a value of 'RuleDefinition' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'matchAttributes', 'ruleDefinition_matchAttributes' - Criteria for Network Firewall to use to inspect an individual packet in
-- stateless rule inspection. Each match attributes set can include one or
-- more items such as IP address, CIDR range, port number, protocol, and
-- TCP flags.
--
-- 'actions', 'ruleDefinition_actions' - The actions to take on a packet that matches one of the stateless rule
-- definition\'s match attributes. You must specify a standard action and
-- you can add custom actions.
--
-- Network Firewall only forwards a packet for stateful rule inspection if
-- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
-- if the packet doesn\'t match any stateless rule and you specify
-- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
-- FirewallPolicy.
--
-- For every rule, you must specify exactly one of the following standard
-- actions.
--
-- -   __aws:pass__ - Discontinues all inspection of the packet and permits
--     it to go to its intended destination.
--
-- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
--     it from going to its intended destination.
--
-- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
--     packet and forwards it to the stateful rule engine for inspection.
--
-- Additionally, you can specify a custom action. To do this, you define a
-- custom action by name and type, then provide the name you\'ve assigned
-- to the action in this @Actions@ setting. For information about the
-- options, see CustomAction.
--
-- To provide more than one action in this setting, separate the settings
-- with a comma. For example, if you have a custom @PublishMetrics@ action
-- that you\'ve named @MyMetricsAction@, then you could specify the
-- standard action @aws:pass@ and the custom action with
-- @[“aws:pass”, “MyMetricsAction”]@.
newRuleDefinition ::
  -- | 'matchAttributes'
  MatchAttributes ->
  RuleDefinition
newRuleDefinition :: MatchAttributes -> RuleDefinition
newRuleDefinition MatchAttributes
pMatchAttributes_ =
  RuleDefinition'
    { $sel:matchAttributes:RuleDefinition' :: MatchAttributes
matchAttributes =
        MatchAttributes
pMatchAttributes_,
      $sel:actions:RuleDefinition' :: [Text]
actions = forall a. Monoid a => a
Prelude.mempty
    }

-- | Criteria for Network Firewall to use to inspect an individual packet in
-- stateless rule inspection. Each match attributes set can include one or
-- more items such as IP address, CIDR range, port number, protocol, and
-- TCP flags.
ruleDefinition_matchAttributes :: Lens.Lens' RuleDefinition MatchAttributes
ruleDefinition_matchAttributes :: Lens' RuleDefinition MatchAttributes
ruleDefinition_matchAttributes = forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\RuleDefinition' {MatchAttributes
matchAttributes :: MatchAttributes
$sel:matchAttributes:RuleDefinition' :: RuleDefinition -> MatchAttributes
matchAttributes} -> MatchAttributes
matchAttributes) (\s :: RuleDefinition
s@RuleDefinition' {} MatchAttributes
a -> RuleDefinition
s {$sel:matchAttributes:RuleDefinition' :: MatchAttributes
matchAttributes = MatchAttributes
a} :: RuleDefinition)

-- | The actions to take on a packet that matches one of the stateless rule
-- definition\'s match attributes. You must specify a standard action and
-- you can add custom actions.
--
-- Network Firewall only forwards a packet for stateful rule inspection if
-- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
-- if the packet doesn\'t match any stateless rule and you specify
-- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
-- FirewallPolicy.
--
-- For every rule, you must specify exactly one of the following standard
-- actions.
--
-- -   __aws:pass__ - Discontinues all inspection of the packet and permits
--     it to go to its intended destination.
--
-- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
--     it from going to its intended destination.
--
-- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
--     packet and forwards it to the stateful rule engine for inspection.
--
-- Additionally, you can specify a custom action. To do this, you define a
-- custom action by name and type, then provide the name you\'ve assigned
-- to the action in this @Actions@ setting. For information about the
-- options, see CustomAction.
--
-- To provide more than one action in this setting, separate the settings
-- with a comma. For example, if you have a custom @PublishMetrics@ action
-- that you\'ve named @MyMetricsAction@, then you could specify the
-- standard action @aws:pass@ and the custom action with
-- @[“aws:pass”, “MyMetricsAction”]@.
ruleDefinition_actions :: Lens.Lens' RuleDefinition [Prelude.Text]
ruleDefinition_actions :: Lens' RuleDefinition [Text]
ruleDefinition_actions = forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\RuleDefinition' {[Text]
actions :: [Text]
$sel:actions:RuleDefinition' :: RuleDefinition -> [Text]
actions} -> [Text]
actions) (\s :: RuleDefinition
s@RuleDefinition' {} [Text]
a -> RuleDefinition
s {$sel:actions:RuleDefinition' :: [Text]
actions = [Text]
a} :: RuleDefinition) forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b
Lens.coerced

instance Data.FromJSON RuleDefinition where
  parseJSON :: Value -> Parser RuleDefinition
parseJSON =
    forall a. String -> (Object -> Parser a) -> Value -> Parser a
Data.withObject
      String
"RuleDefinition"
      ( \Object
x ->
          MatchAttributes -> [Text] -> RuleDefinition
RuleDefinition'
            forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> (Object
x forall a. FromJSON a => Object -> Key -> Parser a
Data..: Key
"MatchAttributes")
            forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x forall a. FromJSON a => Object -> Key -> Parser (Maybe a)
Data..:? Key
"Actions" forall a. Parser (Maybe a) -> a -> Parser a
Data..!= forall a. Monoid a => a
Prelude.mempty)
      )

instance Prelude.Hashable RuleDefinition where
  hashWithSalt :: Int -> RuleDefinition -> Int
hashWithSalt Int
_salt RuleDefinition' {[Text]
MatchAttributes
actions :: [Text]
matchAttributes :: MatchAttributes
$sel:actions:RuleDefinition' :: RuleDefinition -> [Text]
$sel:matchAttributes:RuleDefinition' :: RuleDefinition -> MatchAttributes
..} =
    Int
_salt
      forall a. Hashable a => Int -> a -> Int
`Prelude.hashWithSalt` MatchAttributes
matchAttributes
      forall a. Hashable a => Int -> a -> Int
`Prelude.hashWithSalt` [Text]
actions

instance Prelude.NFData RuleDefinition where
  rnf :: RuleDefinition -> ()
rnf RuleDefinition' {[Text]
MatchAttributes
actions :: [Text]
matchAttributes :: MatchAttributes
$sel:actions:RuleDefinition' :: RuleDefinition -> [Text]
$sel:matchAttributes:RuleDefinition' :: RuleDefinition -> MatchAttributes
..} =
    forall a. NFData a => a -> ()
Prelude.rnf MatchAttributes
matchAttributes
      seq :: forall a b. a -> b -> b
`Prelude.seq` forall a. NFData a => a -> ()
Prelude.rnf [Text]
actions

instance Data.ToJSON RuleDefinition where
  toJSON :: RuleDefinition -> Value
toJSON RuleDefinition' {[Text]
MatchAttributes
actions :: [Text]
matchAttributes :: MatchAttributes
$sel:actions:RuleDefinition' :: RuleDefinition -> [Text]
$sel:matchAttributes:RuleDefinition' :: RuleDefinition -> MatchAttributes
..} =
    [Pair] -> Value
Data.object
      ( forall a. [Maybe a] -> [a]
Prelude.catMaybes
          [ forall a. a -> Maybe a
Prelude.Just
              (Key
"MatchAttributes" forall kv v. (KeyValue kv, ToJSON v) => Key -> v -> kv
Data..= MatchAttributes
matchAttributes),
            forall a. a -> Maybe a
Prelude.Just (Key
"Actions" forall kv v. (KeyValue kv, ToJSON v) => Key -> v -> kv
Data..= [Text]
actions)
          ]
      )