diff --git a/LICENSE b/LICENSE
new file mode 100644
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,367 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,44 @@
+# Amazon Network Firewall SDK
+
+* [Version](#version)
+* [Description](#description)
+* [Contribute](#contribute)
+* [Licence](#licence)
+
+
+## Version
+ 
+`2.0` - Derived from API version @2020-11-12@ of the AWS service descriptions, licensed under Apache 2.0.
+
+## Description
+
+Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-network-firewall)
+and the [AWS API Reference](https://aws.amazon.com/documentation/).
+
+The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),
+which provides mechanisms for specifying AuthN/AuthZ information, sending requests,
+and receiving responses.
+
+Lenses are used for constructing and manipulating types,
+due to the depth of nesting of AWS types and transparency regarding
+de/serialisation into more palatable Haskell values.
+The provided lenses should be compatible with any of the major lens libraries
+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).
+
+See [Amazonka.NetworkFirewall](http://hackage.haskell.org/package/amazonka-network-firewall/docs/Amazonka-NetworkFirewall.html)
+or [the AWS documentation](https://aws.amazon.com/documentation/) to get started.
+
+
+## Contribute
+
+For any problems, comments, or feedback please create an issue [here on GitHub](https://github.com/brendanhay/amazonka/issues).
+
+> _Note:_ this library is an auto-generated Haskell package. Please see `amazonka-gen` for more information.
+
+
+## Licence
+
+`amazonka-network-firewall` is released under the [Mozilla Public License Version 2.0](http://www.mozilla.org/MPL/).
+
+Parts of the code are derived from AWS service descriptions, licensed under Apache 2.0.
+Source files subject to this contain an additional licensing clause in their header.
diff --git a/amazonka-network-firewall.cabal b/amazonka-network-firewall.cabal
new file mode 100644
--- /dev/null
+++ b/amazonka-network-firewall.cabal
@@ -0,0 +1,181 @@
+cabal-version:      2.2
+name:               amazonka-network-firewall
+version:            2.0
+synopsis:           Amazon Network Firewall SDK.
+homepage:           https://github.com/brendanhay/amazonka
+bug-reports:        https://github.com/brendanhay/amazonka/issues
+license:            MPL-2.0
+license-file:       LICENSE
+author:             Brendan Hay
+maintainer:
+  Brendan Hay <brendan.g.hay+amazonka@gmail.com>, Jack Kelly <jack@jackkelly.name>
+
+copyright:          Copyright (c) 2013-2023 Brendan Hay
+category:           AWS
+build-type:         Simple
+extra-source-files:
+  fixture/*.proto
+  fixture/*.yaml
+  README.md
+  src/.gitkeep
+
+description:
+  Derived from API version @2020-11-12@ of the AWS service descriptions, licensed under Apache 2.0.
+  .
+  The types from this library are intended to be used with <http://hackage.haskell.org/package/amazonka amazonka>,
+  which provides mechanisms for specifying AuthN/AuthZ information, sending requests, and receiving responses.
+  .
+  It is recommended to use generic lenses or optics from packages such as <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify optional fields and deconstruct responses.
+  .
+  Generated lenses can be found in "Amazonka.NetworkFirewall.Lens" and are
+  suitable for use with a lens package such as <http://hackage.haskell.org/package/lens lens> or <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
+  .
+  See "Amazonka.NetworkFirewall" and the <https://aws.amazon.com/documentation/ AWS documentation> to get started.
+
+source-repository head
+  type:     git
+  location: git://github.com/brendanhay/amazonka.git
+  subdir:   amazonka-network-firewall
+
+library
+  default-language: Haskell2010
+  hs-source-dirs:   src gen
+  ghc-options:
+    -Wall -fwarn-incomplete-uni-patterns
+    -fwarn-incomplete-record-updates -funbox-strict-fields
+
+  exposed-modules:
+    Amazonka.NetworkFirewall
+    Amazonka.NetworkFirewall.AssociateFirewallPolicy
+    Amazonka.NetworkFirewall.AssociateSubnets
+    Amazonka.NetworkFirewall.CreateFirewall
+    Amazonka.NetworkFirewall.CreateFirewallPolicy
+    Amazonka.NetworkFirewall.CreateRuleGroup
+    Amazonka.NetworkFirewall.DeleteFirewall
+    Amazonka.NetworkFirewall.DeleteFirewallPolicy
+    Amazonka.NetworkFirewall.DeleteResourcePolicy
+    Amazonka.NetworkFirewall.DeleteRuleGroup
+    Amazonka.NetworkFirewall.DescribeFirewall
+    Amazonka.NetworkFirewall.DescribeFirewallPolicy
+    Amazonka.NetworkFirewall.DescribeLoggingConfiguration
+    Amazonka.NetworkFirewall.DescribeResourcePolicy
+    Amazonka.NetworkFirewall.DescribeRuleGroup
+    Amazonka.NetworkFirewall.DescribeRuleGroupMetadata
+    Amazonka.NetworkFirewall.DisassociateSubnets
+    Amazonka.NetworkFirewall.Lens
+    Amazonka.NetworkFirewall.ListFirewallPolicies
+    Amazonka.NetworkFirewall.ListFirewalls
+    Amazonka.NetworkFirewall.ListRuleGroups
+    Amazonka.NetworkFirewall.ListTagsForResource
+    Amazonka.NetworkFirewall.PutResourcePolicy
+    Amazonka.NetworkFirewall.TagResource
+    Amazonka.NetworkFirewall.Types
+    Amazonka.NetworkFirewall.Types.ActionDefinition
+    Amazonka.NetworkFirewall.Types.Address
+    Amazonka.NetworkFirewall.Types.Attachment
+    Amazonka.NetworkFirewall.Types.AttachmentStatus
+    Amazonka.NetworkFirewall.Types.CapacityUsageSummary
+    Amazonka.NetworkFirewall.Types.CIDRSummary
+    Amazonka.NetworkFirewall.Types.ConfigurationSyncState
+    Amazonka.NetworkFirewall.Types.CustomAction
+    Amazonka.NetworkFirewall.Types.Dimension
+    Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+    Amazonka.NetworkFirewall.Types.EncryptionType
+    Amazonka.NetworkFirewall.Types.Firewall
+    Amazonka.NetworkFirewall.Types.FirewallMetadata
+    Amazonka.NetworkFirewall.Types.FirewallPolicy
+    Amazonka.NetworkFirewall.Types.FirewallPolicyMetadata
+    Amazonka.NetworkFirewall.Types.FirewallPolicyResponse
+    Amazonka.NetworkFirewall.Types.FirewallStatus
+    Amazonka.NetworkFirewall.Types.FirewallStatusValue
+    Amazonka.NetworkFirewall.Types.GeneratedRulesType
+    Amazonka.NetworkFirewall.Types.Header
+    Amazonka.NetworkFirewall.Types.IPSet
+    Amazonka.NetworkFirewall.Types.IPSetMetadata
+    Amazonka.NetworkFirewall.Types.IPSetReference
+    Amazonka.NetworkFirewall.Types.LogDestinationConfig
+    Amazonka.NetworkFirewall.Types.LogDestinationType
+    Amazonka.NetworkFirewall.Types.LoggingConfiguration
+    Amazonka.NetworkFirewall.Types.LogType
+    Amazonka.NetworkFirewall.Types.MatchAttributes
+    Amazonka.NetworkFirewall.Types.OverrideAction
+    Amazonka.NetworkFirewall.Types.PerObjectStatus
+    Amazonka.NetworkFirewall.Types.PerObjectSyncStatus
+    Amazonka.NetworkFirewall.Types.PortRange
+    Amazonka.NetworkFirewall.Types.PortSet
+    Amazonka.NetworkFirewall.Types.PublishMetricAction
+    Amazonka.NetworkFirewall.Types.ReferenceSets
+    Amazonka.NetworkFirewall.Types.ResourceManagedStatus
+    Amazonka.NetworkFirewall.Types.ResourceManagedType
+    Amazonka.NetworkFirewall.Types.ResourceStatus
+    Amazonka.NetworkFirewall.Types.RuleDefinition
+    Amazonka.NetworkFirewall.Types.RuleGroup
+    Amazonka.NetworkFirewall.Types.RuleGroupMetadata
+    Amazonka.NetworkFirewall.Types.RuleGroupResponse
+    Amazonka.NetworkFirewall.Types.RuleGroupType
+    Amazonka.NetworkFirewall.Types.RuleOption
+    Amazonka.NetworkFirewall.Types.RuleOrder
+    Amazonka.NetworkFirewall.Types.RulesSource
+    Amazonka.NetworkFirewall.Types.RulesSourceList
+    Amazonka.NetworkFirewall.Types.RuleVariables
+    Amazonka.NetworkFirewall.Types.SourceMetadata
+    Amazonka.NetworkFirewall.Types.StatefulAction
+    Amazonka.NetworkFirewall.Types.StatefulEngineOptions
+    Amazonka.NetworkFirewall.Types.StatefulRule
+    Amazonka.NetworkFirewall.Types.StatefulRuleDirection
+    Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride
+    Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference
+    Amazonka.NetworkFirewall.Types.StatefulRuleOptions
+    Amazonka.NetworkFirewall.Types.StatefulRuleProtocol
+    Amazonka.NetworkFirewall.Types.StatelessRule
+    Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference
+    Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions
+    Amazonka.NetworkFirewall.Types.StreamExceptionPolicy
+    Amazonka.NetworkFirewall.Types.SubnetMapping
+    Amazonka.NetworkFirewall.Types.SyncState
+    Amazonka.NetworkFirewall.Types.Tag
+    Amazonka.NetworkFirewall.Types.TargetType
+    Amazonka.NetworkFirewall.Types.TCPFlag
+    Amazonka.NetworkFirewall.Types.TCPFlagField
+    Amazonka.NetworkFirewall.UntagResource
+    Amazonka.NetworkFirewall.UpdateFirewallDeleteProtection
+    Amazonka.NetworkFirewall.UpdateFirewallDescription
+    Amazonka.NetworkFirewall.UpdateFirewallEncryptionConfiguration
+    Amazonka.NetworkFirewall.UpdateFirewallPolicy
+    Amazonka.NetworkFirewall.UpdateFirewallPolicyChangeProtection
+    Amazonka.NetworkFirewall.UpdateLoggingConfiguration
+    Amazonka.NetworkFirewall.UpdateRuleGroup
+    Amazonka.NetworkFirewall.UpdateSubnetChangeProtection
+    Amazonka.NetworkFirewall.Waiters
+
+  build-depends:
+    , amazonka-core  >=2.0  && <2.1
+    , base           >=4.12 && <5
+
+test-suite amazonka-network-firewall-test
+  type:             exitcode-stdio-1.0
+  default-language: Haskell2010
+  hs-source-dirs:   test
+  main-is:          Main.hs
+  ghc-options:      -Wall -threaded
+
+  -- This section is encoded by the template and any modules added by
+  -- hand outside these namespaces will not correctly be added to the
+  -- distribution package.
+  other-modules:
+    Test.Amazonka.Gen.NetworkFirewall
+    Test.Amazonka.NetworkFirewall
+    Test.Amazonka.NetworkFirewall.Internal
+
+  build-depends:
+    , amazonka-core              >=2.0 && <2.1
+    , amazonka-network-firewall
+    , amazonka-test              >=2.0 && <2.1
+    , base
+    , bytestring
+    , case-insensitive
+    , tasty
+    , tasty-hunit
+    , text
+    , time
+    , unordered-containers
diff --git a/fixture/AssociateFirewallPolicy.yaml b/fixture/AssociateFirewallPolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/AssociateFirewallPolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/AssociateFirewallPolicyResponse.proto b/fixture/AssociateFirewallPolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/AssociateFirewallPolicyResponse.proto
diff --git a/fixture/AssociateSubnets.yaml b/fixture/AssociateSubnets.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/AssociateSubnets.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/AssociateSubnetsResponse.proto b/fixture/AssociateSubnetsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/AssociateSubnetsResponse.proto
diff --git a/fixture/CreateFirewall.yaml b/fixture/CreateFirewall.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CreateFirewall.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CreateFirewallPolicy.yaml b/fixture/CreateFirewallPolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CreateFirewallPolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CreateFirewallPolicyResponse.proto b/fixture/CreateFirewallPolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CreateFirewallPolicyResponse.proto
diff --git a/fixture/CreateFirewallResponse.proto b/fixture/CreateFirewallResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CreateFirewallResponse.proto
diff --git a/fixture/CreateRuleGroup.yaml b/fixture/CreateRuleGroup.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CreateRuleGroup.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CreateRuleGroupResponse.proto b/fixture/CreateRuleGroupResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CreateRuleGroupResponse.proto
diff --git a/fixture/DeleteFirewall.yaml b/fixture/DeleteFirewall.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteFirewall.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DeleteFirewallPolicy.yaml b/fixture/DeleteFirewallPolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteFirewallPolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DeleteFirewallPolicyResponse.proto b/fixture/DeleteFirewallPolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteFirewallPolicyResponse.proto
diff --git a/fixture/DeleteFirewallResponse.proto b/fixture/DeleteFirewallResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteFirewallResponse.proto
diff --git a/fixture/DeleteResourcePolicy.yaml b/fixture/DeleteResourcePolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteResourcePolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DeleteResourcePolicyResponse.proto b/fixture/DeleteResourcePolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteResourcePolicyResponse.proto
diff --git a/fixture/DeleteRuleGroup.yaml b/fixture/DeleteRuleGroup.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteRuleGroup.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DeleteRuleGroupResponse.proto b/fixture/DeleteRuleGroupResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteRuleGroupResponse.proto
diff --git a/fixture/DescribeFirewall.yaml b/fixture/DescribeFirewall.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeFirewall.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeFirewallPolicy.yaml b/fixture/DescribeFirewallPolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeFirewallPolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeFirewallPolicyResponse.proto b/fixture/DescribeFirewallPolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeFirewallPolicyResponse.proto
diff --git a/fixture/DescribeFirewallResponse.proto b/fixture/DescribeFirewallResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeFirewallResponse.proto
diff --git a/fixture/DescribeLoggingConfiguration.yaml b/fixture/DescribeLoggingConfiguration.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeLoggingConfiguration.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeLoggingConfigurationResponse.proto b/fixture/DescribeLoggingConfigurationResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeLoggingConfigurationResponse.proto
diff --git a/fixture/DescribeResourcePolicy.yaml b/fixture/DescribeResourcePolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeResourcePolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeResourcePolicyResponse.proto b/fixture/DescribeResourcePolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeResourcePolicyResponse.proto
diff --git a/fixture/DescribeRuleGroup.yaml b/fixture/DescribeRuleGroup.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeRuleGroup.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeRuleGroupMetadata.yaml b/fixture/DescribeRuleGroupMetadata.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeRuleGroupMetadata.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeRuleGroupMetadataResponse.proto b/fixture/DescribeRuleGroupMetadataResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeRuleGroupMetadataResponse.proto
diff --git a/fixture/DescribeRuleGroupResponse.proto b/fixture/DescribeRuleGroupResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeRuleGroupResponse.proto
diff --git a/fixture/DisassociateSubnets.yaml b/fixture/DisassociateSubnets.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DisassociateSubnets.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DisassociateSubnetsResponse.proto b/fixture/DisassociateSubnetsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DisassociateSubnetsResponse.proto
diff --git a/fixture/ListFirewallPolicies.yaml b/fixture/ListFirewallPolicies.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListFirewallPolicies.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListFirewallPoliciesResponse.proto b/fixture/ListFirewallPoliciesResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListFirewallPoliciesResponse.proto
diff --git a/fixture/ListFirewalls.yaml b/fixture/ListFirewalls.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListFirewalls.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListFirewallsResponse.proto b/fixture/ListFirewallsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListFirewallsResponse.proto
diff --git a/fixture/ListRuleGroups.yaml b/fixture/ListRuleGroups.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListRuleGroups.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListRuleGroupsResponse.proto b/fixture/ListRuleGroupsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListRuleGroupsResponse.proto
diff --git a/fixture/ListTagsForResource.yaml b/fixture/ListTagsForResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListTagsForResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListTagsForResourceResponse.proto b/fixture/ListTagsForResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListTagsForResourceResponse.proto
diff --git a/fixture/PutResourcePolicy.yaml b/fixture/PutResourcePolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/PutResourcePolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/PutResourcePolicyResponse.proto b/fixture/PutResourcePolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/PutResourcePolicyResponse.proto
diff --git a/fixture/TagResource.yaml b/fixture/TagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/TagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/TagResourceResponse.proto b/fixture/TagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/TagResourceResponse.proto
diff --git a/fixture/UntagResource.yaml b/fixture/UntagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UntagResourceResponse.proto b/fixture/UntagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResourceResponse.proto
diff --git a/fixture/UpdateFirewallDeleteProtection.yaml b/fixture/UpdateFirewallDeleteProtection.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallDeleteProtection.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateFirewallDeleteProtectionResponse.proto b/fixture/UpdateFirewallDeleteProtectionResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallDeleteProtectionResponse.proto
diff --git a/fixture/UpdateFirewallDescription.yaml b/fixture/UpdateFirewallDescription.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallDescription.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateFirewallDescriptionResponse.proto b/fixture/UpdateFirewallDescriptionResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallDescriptionResponse.proto
diff --git a/fixture/UpdateFirewallEncryptionConfiguration.yaml b/fixture/UpdateFirewallEncryptionConfiguration.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallEncryptionConfiguration.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateFirewallEncryptionConfigurationResponse.proto b/fixture/UpdateFirewallEncryptionConfigurationResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallEncryptionConfigurationResponse.proto
diff --git a/fixture/UpdateFirewallPolicy.yaml b/fixture/UpdateFirewallPolicy.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallPolicy.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateFirewallPolicyChangeProtection.yaml b/fixture/UpdateFirewallPolicyChangeProtection.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallPolicyChangeProtection.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateFirewallPolicyChangeProtectionResponse.proto b/fixture/UpdateFirewallPolicyChangeProtectionResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallPolicyChangeProtectionResponse.proto
diff --git a/fixture/UpdateFirewallPolicyResponse.proto b/fixture/UpdateFirewallPolicyResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateFirewallPolicyResponse.proto
diff --git a/fixture/UpdateLoggingConfiguration.yaml b/fixture/UpdateLoggingConfiguration.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateLoggingConfiguration.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateLoggingConfigurationResponse.proto b/fixture/UpdateLoggingConfigurationResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateLoggingConfigurationResponse.proto
diff --git a/fixture/UpdateRuleGroup.yaml b/fixture/UpdateRuleGroup.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateRuleGroup.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateRuleGroupResponse.proto b/fixture/UpdateRuleGroupResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateRuleGroupResponse.proto
diff --git a/fixture/UpdateSubnetChangeProtection.yaml b/fixture/UpdateSubnetChangeProtection.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSubnetChangeProtection.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/network-firewall/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  network-firewall.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateSubnetChangeProtectionResponse.proto b/fixture/UpdateSubnetChangeProtectionResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSubnetChangeProtectionResponse.proto
diff --git a/gen/Amazonka/NetworkFirewall.hs b/gen/Amazonka/NetworkFirewall.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall.hs
@@ -0,0 +1,637 @@
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Amazonka.NetworkFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Derived from API version @2020-11-12@ of the AWS service descriptions, licensed under Apache 2.0.
+--
+-- This is the API Reference for Network Firewall. This guide is for
+-- developers who need detailed information about the Network Firewall API
+-- actions, data types, and errors.
+--
+-- -   The REST API requires you to handle connection details, such as
+--     calculating signatures, handling request retries, and error
+--     handling. For general information about using the Amazon Web
+--     Services REST APIs, see
+--     <https://docs.aws.amazon.com/general/latest/gr/aws-apis.html Amazon Web Services APIs>.
+--
+--     To access Network Firewall using the REST API endpoint:
+--     @https:\/\/network-firewall.\<region>.amazonaws.com @
+--
+-- -   Alternatively, you can use one of the Amazon Web Services SDKs to
+--     access an API that\'s tailored to the programming language or
+--     platform that you\'re using. For more information, see
+--     <http://aws.amazon.com/tools/#SDKs Amazon Web Services SDKs>.
+--
+-- -   For descriptions of Network Firewall features, including and
+--     step-by-step instructions on how to use them through the Network
+--     Firewall console, see the
+--     <https://docs.aws.amazon.com/network-firewall/latest/developerguide/ Network Firewall Developer Guide>.
+--
+-- Network Firewall is a stateful, managed, network firewall and intrusion
+-- detection and prevention service for Amazon Virtual Private Cloud
+-- (Amazon VPC). With Network Firewall, you can filter traffic at the
+-- perimeter of your VPC. This includes filtering traffic going to and
+-- coming from an internet gateway, NAT gateway, or over VPN or Direct
+-- Connect. Network Firewall uses rules that are compatible with Suricata,
+-- a free, open source network analysis and threat detection engine.
+-- Network Firewall supports Suricata version 5.0.2. For information about
+-- Suricata, see the <https://suricata.io/ Suricata website>.
+--
+-- You can use Network Firewall to monitor and protect your VPC traffic in
+-- a number of ways. The following are just a few examples:
+--
+-- -   Allow domains or IP addresses for known Amazon Web Services service
+--     endpoints, such as Amazon S3, and block all other forms of traffic.
+--
+-- -   Use custom lists of known bad domains to limit the types of domain
+--     names that your applications can access.
+--
+-- -   Perform deep packet inspection on traffic entering or leaving your
+--     VPC.
+--
+-- -   Use stateful protocol detection to filter protocols like HTTPS,
+--     regardless of the port used.
+--
+-- To enable Network Firewall for your VPCs, you perform steps in both
+-- Amazon VPC and in Network Firewall. For information about using Amazon
+-- VPC, see
+-- <https://docs.aws.amazon.com/vpc/latest/userguide/ Amazon VPC User Guide>.
+--
+-- To start using Network Firewall, do the following:
+--
+-- 1.  (Optional) If you don\'t already have a VPC that you want to
+--     protect, create it in Amazon VPC.
+--
+-- 2.  In Amazon VPC, in each Availability Zone where you want to have a
+--     firewall endpoint, create a subnet for the sole use of Network
+--     Firewall.
+--
+-- 3.  In Network Firewall, create stateless and stateful rule groups, to
+--     define the components of the network traffic filtering behavior that
+--     you want your firewall to have.
+--
+-- 4.  In Network Firewall, create a firewall policy that uses your rule
+--     groups and specifies additional default traffic filtering behavior.
+--
+-- 5.  In Network Firewall, create a firewall and specify your new firewall
+--     policy and VPC subnets. Network Firewall creates a firewall endpoint
+--     in each subnet that you specify, with the behavior that\'s defined
+--     in the firewall policy.
+--
+-- 6.  In Amazon VPC, use ingress routing enhancements to route traffic
+--     through the new firewall endpoints.
+module Amazonka.NetworkFirewall
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    -- $errors
+
+    -- ** InsufficientCapacityException
+    _InsufficientCapacityException,
+
+    -- ** InternalServerError
+    _InternalServerError,
+
+    -- ** InvalidOperationException
+    _InvalidOperationException,
+
+    -- ** InvalidRequestException
+    _InvalidRequestException,
+
+    -- ** InvalidResourcePolicyException
+    _InvalidResourcePolicyException,
+
+    -- ** InvalidTokenException
+    _InvalidTokenException,
+
+    -- ** LimitExceededException
+    _LimitExceededException,
+
+    -- ** LogDestinationPermissionException
+    _LogDestinationPermissionException,
+
+    -- ** ResourceNotFoundException
+    _ResourceNotFoundException,
+
+    -- ** ResourceOwnerCheckException
+    _ResourceOwnerCheckException,
+
+    -- ** ThrottlingException
+    _ThrottlingException,
+
+    -- ** UnsupportedOperationException
+    _UnsupportedOperationException,
+
+    -- * Waiters
+    -- $waiters
+
+    -- * Operations
+    -- $operations
+
+    -- ** AssociateFirewallPolicy
+    AssociateFirewallPolicy (AssociateFirewallPolicy'),
+    newAssociateFirewallPolicy,
+    AssociateFirewallPolicyResponse (AssociateFirewallPolicyResponse'),
+    newAssociateFirewallPolicyResponse,
+
+    -- ** AssociateSubnets
+    AssociateSubnets (AssociateSubnets'),
+    newAssociateSubnets,
+    AssociateSubnetsResponse (AssociateSubnetsResponse'),
+    newAssociateSubnetsResponse,
+
+    -- ** CreateFirewall
+    CreateFirewall (CreateFirewall'),
+    newCreateFirewall,
+    CreateFirewallResponse (CreateFirewallResponse'),
+    newCreateFirewallResponse,
+
+    -- ** CreateFirewallPolicy
+    CreateFirewallPolicy (CreateFirewallPolicy'),
+    newCreateFirewallPolicy,
+    CreateFirewallPolicyResponse (CreateFirewallPolicyResponse'),
+    newCreateFirewallPolicyResponse,
+
+    -- ** CreateRuleGroup
+    CreateRuleGroup (CreateRuleGroup'),
+    newCreateRuleGroup,
+    CreateRuleGroupResponse (CreateRuleGroupResponse'),
+    newCreateRuleGroupResponse,
+
+    -- ** DeleteFirewall
+    DeleteFirewall (DeleteFirewall'),
+    newDeleteFirewall,
+    DeleteFirewallResponse (DeleteFirewallResponse'),
+    newDeleteFirewallResponse,
+
+    -- ** DeleteFirewallPolicy
+    DeleteFirewallPolicy (DeleteFirewallPolicy'),
+    newDeleteFirewallPolicy,
+    DeleteFirewallPolicyResponse (DeleteFirewallPolicyResponse'),
+    newDeleteFirewallPolicyResponse,
+
+    -- ** DeleteResourcePolicy
+    DeleteResourcePolicy (DeleteResourcePolicy'),
+    newDeleteResourcePolicy,
+    DeleteResourcePolicyResponse (DeleteResourcePolicyResponse'),
+    newDeleteResourcePolicyResponse,
+
+    -- ** DeleteRuleGroup
+    DeleteRuleGroup (DeleteRuleGroup'),
+    newDeleteRuleGroup,
+    DeleteRuleGroupResponse (DeleteRuleGroupResponse'),
+    newDeleteRuleGroupResponse,
+
+    -- ** DescribeFirewall
+    DescribeFirewall (DescribeFirewall'),
+    newDescribeFirewall,
+    DescribeFirewallResponse (DescribeFirewallResponse'),
+    newDescribeFirewallResponse,
+
+    -- ** DescribeFirewallPolicy
+    DescribeFirewallPolicy (DescribeFirewallPolicy'),
+    newDescribeFirewallPolicy,
+    DescribeFirewallPolicyResponse (DescribeFirewallPolicyResponse'),
+    newDescribeFirewallPolicyResponse,
+
+    -- ** DescribeLoggingConfiguration
+    DescribeLoggingConfiguration (DescribeLoggingConfiguration'),
+    newDescribeLoggingConfiguration,
+    DescribeLoggingConfigurationResponse (DescribeLoggingConfigurationResponse'),
+    newDescribeLoggingConfigurationResponse,
+
+    -- ** DescribeResourcePolicy
+    DescribeResourcePolicy (DescribeResourcePolicy'),
+    newDescribeResourcePolicy,
+    DescribeResourcePolicyResponse (DescribeResourcePolicyResponse'),
+    newDescribeResourcePolicyResponse,
+
+    -- ** DescribeRuleGroup
+    DescribeRuleGroup (DescribeRuleGroup'),
+    newDescribeRuleGroup,
+    DescribeRuleGroupResponse (DescribeRuleGroupResponse'),
+    newDescribeRuleGroupResponse,
+
+    -- ** DescribeRuleGroupMetadata
+    DescribeRuleGroupMetadata (DescribeRuleGroupMetadata'),
+    newDescribeRuleGroupMetadata,
+    DescribeRuleGroupMetadataResponse (DescribeRuleGroupMetadataResponse'),
+    newDescribeRuleGroupMetadataResponse,
+
+    -- ** DisassociateSubnets
+    DisassociateSubnets (DisassociateSubnets'),
+    newDisassociateSubnets,
+    DisassociateSubnetsResponse (DisassociateSubnetsResponse'),
+    newDisassociateSubnetsResponse,
+
+    -- ** ListFirewallPolicies (Paginated)
+    ListFirewallPolicies (ListFirewallPolicies'),
+    newListFirewallPolicies,
+    ListFirewallPoliciesResponse (ListFirewallPoliciesResponse'),
+    newListFirewallPoliciesResponse,
+
+    -- ** ListFirewalls (Paginated)
+    ListFirewalls (ListFirewalls'),
+    newListFirewalls,
+    ListFirewallsResponse (ListFirewallsResponse'),
+    newListFirewallsResponse,
+
+    -- ** ListRuleGroups (Paginated)
+    ListRuleGroups (ListRuleGroups'),
+    newListRuleGroups,
+    ListRuleGroupsResponse (ListRuleGroupsResponse'),
+    newListRuleGroupsResponse,
+
+    -- ** ListTagsForResource (Paginated)
+    ListTagsForResource (ListTagsForResource'),
+    newListTagsForResource,
+    ListTagsForResourceResponse (ListTagsForResourceResponse'),
+    newListTagsForResourceResponse,
+
+    -- ** PutResourcePolicy
+    PutResourcePolicy (PutResourcePolicy'),
+    newPutResourcePolicy,
+    PutResourcePolicyResponse (PutResourcePolicyResponse'),
+    newPutResourcePolicyResponse,
+
+    -- ** TagResource
+    TagResource (TagResource'),
+    newTagResource,
+    TagResourceResponse (TagResourceResponse'),
+    newTagResourceResponse,
+
+    -- ** UntagResource
+    UntagResource (UntagResource'),
+    newUntagResource,
+    UntagResourceResponse (UntagResourceResponse'),
+    newUntagResourceResponse,
+
+    -- ** UpdateFirewallDeleteProtection
+    UpdateFirewallDeleteProtection (UpdateFirewallDeleteProtection'),
+    newUpdateFirewallDeleteProtection,
+    UpdateFirewallDeleteProtectionResponse (UpdateFirewallDeleteProtectionResponse'),
+    newUpdateFirewallDeleteProtectionResponse,
+
+    -- ** UpdateFirewallDescription
+    UpdateFirewallDescription (UpdateFirewallDescription'),
+    newUpdateFirewallDescription,
+    UpdateFirewallDescriptionResponse (UpdateFirewallDescriptionResponse'),
+    newUpdateFirewallDescriptionResponse,
+
+    -- ** UpdateFirewallEncryptionConfiguration
+    UpdateFirewallEncryptionConfiguration (UpdateFirewallEncryptionConfiguration'),
+    newUpdateFirewallEncryptionConfiguration,
+    UpdateFirewallEncryptionConfigurationResponse (UpdateFirewallEncryptionConfigurationResponse'),
+    newUpdateFirewallEncryptionConfigurationResponse,
+
+    -- ** UpdateFirewallPolicy
+    UpdateFirewallPolicy (UpdateFirewallPolicy'),
+    newUpdateFirewallPolicy,
+    UpdateFirewallPolicyResponse (UpdateFirewallPolicyResponse'),
+    newUpdateFirewallPolicyResponse,
+
+    -- ** UpdateFirewallPolicyChangeProtection
+    UpdateFirewallPolicyChangeProtection (UpdateFirewallPolicyChangeProtection'),
+    newUpdateFirewallPolicyChangeProtection,
+    UpdateFirewallPolicyChangeProtectionResponse (UpdateFirewallPolicyChangeProtectionResponse'),
+    newUpdateFirewallPolicyChangeProtectionResponse,
+
+    -- ** UpdateLoggingConfiguration
+    UpdateLoggingConfiguration (UpdateLoggingConfiguration'),
+    newUpdateLoggingConfiguration,
+    UpdateLoggingConfigurationResponse (UpdateLoggingConfigurationResponse'),
+    newUpdateLoggingConfigurationResponse,
+
+    -- ** UpdateRuleGroup
+    UpdateRuleGroup (UpdateRuleGroup'),
+    newUpdateRuleGroup,
+    UpdateRuleGroupResponse (UpdateRuleGroupResponse'),
+    newUpdateRuleGroupResponse,
+
+    -- ** UpdateSubnetChangeProtection
+    UpdateSubnetChangeProtection (UpdateSubnetChangeProtection'),
+    newUpdateSubnetChangeProtection,
+    UpdateSubnetChangeProtectionResponse (UpdateSubnetChangeProtectionResponse'),
+    newUpdateSubnetChangeProtectionResponse,
+
+    -- * Types
+
+    -- ** AttachmentStatus
+    AttachmentStatus (..),
+
+    -- ** ConfigurationSyncState
+    ConfigurationSyncState (..),
+
+    -- ** EncryptionType
+    EncryptionType (..),
+
+    -- ** FirewallStatusValue
+    FirewallStatusValue (..),
+
+    -- ** GeneratedRulesType
+    GeneratedRulesType (..),
+
+    -- ** LogDestinationType
+    LogDestinationType (..),
+
+    -- ** LogType
+    LogType (..),
+
+    -- ** OverrideAction
+    OverrideAction (..),
+
+    -- ** PerObjectSyncStatus
+    PerObjectSyncStatus (..),
+
+    -- ** ResourceManagedStatus
+    ResourceManagedStatus (..),
+
+    -- ** ResourceManagedType
+    ResourceManagedType (..),
+
+    -- ** ResourceStatus
+    ResourceStatus (..),
+
+    -- ** RuleGroupType
+    RuleGroupType (..),
+
+    -- ** RuleOrder
+    RuleOrder (..),
+
+    -- ** StatefulAction
+    StatefulAction (..),
+
+    -- ** StatefulRuleDirection
+    StatefulRuleDirection (..),
+
+    -- ** StatefulRuleProtocol
+    StatefulRuleProtocol (..),
+
+    -- ** StreamExceptionPolicy
+    StreamExceptionPolicy (..),
+
+    -- ** TCPFlag
+    TCPFlag (..),
+
+    -- ** TargetType
+    TargetType (..),
+
+    -- ** ActionDefinition
+    ActionDefinition (ActionDefinition'),
+    newActionDefinition,
+
+    -- ** Address
+    Address (Address'),
+    newAddress,
+
+    -- ** Attachment
+    Attachment (Attachment'),
+    newAttachment,
+
+    -- ** CIDRSummary
+    CIDRSummary (CIDRSummary'),
+    newCIDRSummary,
+
+    -- ** CapacityUsageSummary
+    CapacityUsageSummary (CapacityUsageSummary'),
+    newCapacityUsageSummary,
+
+    -- ** CustomAction
+    CustomAction (CustomAction'),
+    newCustomAction,
+
+    -- ** Dimension
+    Dimension (Dimension'),
+    newDimension,
+
+    -- ** EncryptionConfiguration
+    EncryptionConfiguration (EncryptionConfiguration'),
+    newEncryptionConfiguration,
+
+    -- ** Firewall
+    Firewall (Firewall'),
+    newFirewall,
+
+    -- ** FirewallMetadata
+    FirewallMetadata (FirewallMetadata'),
+    newFirewallMetadata,
+
+    -- ** FirewallPolicy
+    FirewallPolicy (FirewallPolicy'),
+    newFirewallPolicy,
+
+    -- ** FirewallPolicyMetadata
+    FirewallPolicyMetadata (FirewallPolicyMetadata'),
+    newFirewallPolicyMetadata,
+
+    -- ** FirewallPolicyResponse
+    FirewallPolicyResponse (FirewallPolicyResponse'),
+    newFirewallPolicyResponse,
+
+    -- ** FirewallStatus
+    FirewallStatus (FirewallStatus'),
+    newFirewallStatus,
+
+    -- ** Header
+    Header (Header'),
+    newHeader,
+
+    -- ** IPSet
+    IPSet (IPSet'),
+    newIPSet,
+
+    -- ** IPSetMetadata
+    IPSetMetadata (IPSetMetadata'),
+    newIPSetMetadata,
+
+    -- ** IPSetReference
+    IPSetReference (IPSetReference'),
+    newIPSetReference,
+
+    -- ** LogDestinationConfig
+    LogDestinationConfig (LogDestinationConfig'),
+    newLogDestinationConfig,
+
+    -- ** LoggingConfiguration
+    LoggingConfiguration (LoggingConfiguration'),
+    newLoggingConfiguration,
+
+    -- ** MatchAttributes
+    MatchAttributes (MatchAttributes'),
+    newMatchAttributes,
+
+    -- ** PerObjectStatus
+    PerObjectStatus (PerObjectStatus'),
+    newPerObjectStatus,
+
+    -- ** PortRange
+    PortRange (PortRange'),
+    newPortRange,
+
+    -- ** PortSet
+    PortSet (PortSet'),
+    newPortSet,
+
+    -- ** PublishMetricAction
+    PublishMetricAction (PublishMetricAction'),
+    newPublishMetricAction,
+
+    -- ** ReferenceSets
+    ReferenceSets (ReferenceSets'),
+    newReferenceSets,
+
+    -- ** RuleDefinition
+    RuleDefinition (RuleDefinition'),
+    newRuleDefinition,
+
+    -- ** RuleGroup
+    RuleGroup (RuleGroup'),
+    newRuleGroup,
+
+    -- ** RuleGroupMetadata
+    RuleGroupMetadata (RuleGroupMetadata'),
+    newRuleGroupMetadata,
+
+    -- ** RuleGroupResponse
+    RuleGroupResponse (RuleGroupResponse'),
+    newRuleGroupResponse,
+
+    -- ** RuleOption
+    RuleOption (RuleOption'),
+    newRuleOption,
+
+    -- ** RuleVariables
+    RuleVariables (RuleVariables'),
+    newRuleVariables,
+
+    -- ** RulesSource
+    RulesSource (RulesSource'),
+    newRulesSource,
+
+    -- ** RulesSourceList
+    RulesSourceList (RulesSourceList'),
+    newRulesSourceList,
+
+    -- ** SourceMetadata
+    SourceMetadata (SourceMetadata'),
+    newSourceMetadata,
+
+    -- ** StatefulEngineOptions
+    StatefulEngineOptions (StatefulEngineOptions'),
+    newStatefulEngineOptions,
+
+    -- ** StatefulRule
+    StatefulRule (StatefulRule'),
+    newStatefulRule,
+
+    -- ** StatefulRuleGroupOverride
+    StatefulRuleGroupOverride (StatefulRuleGroupOverride'),
+    newStatefulRuleGroupOverride,
+
+    -- ** StatefulRuleGroupReference
+    StatefulRuleGroupReference (StatefulRuleGroupReference'),
+    newStatefulRuleGroupReference,
+
+    -- ** StatefulRuleOptions
+    StatefulRuleOptions (StatefulRuleOptions'),
+    newStatefulRuleOptions,
+
+    -- ** StatelessRule
+    StatelessRule (StatelessRule'),
+    newStatelessRule,
+
+    -- ** StatelessRuleGroupReference
+    StatelessRuleGroupReference (StatelessRuleGroupReference'),
+    newStatelessRuleGroupReference,
+
+    -- ** StatelessRulesAndCustomActions
+    StatelessRulesAndCustomActions (StatelessRulesAndCustomActions'),
+    newStatelessRulesAndCustomActions,
+
+    -- ** SubnetMapping
+    SubnetMapping (SubnetMapping'),
+    newSubnetMapping,
+
+    -- ** SyncState
+    SyncState (SyncState'),
+    newSyncState,
+
+    -- ** TCPFlagField
+    TCPFlagField (TCPFlagField'),
+    newTCPFlagField,
+
+    -- ** Tag
+    Tag (Tag'),
+    newTag,
+  )
+where
+
+import Amazonka.NetworkFirewall.AssociateFirewallPolicy
+import Amazonka.NetworkFirewall.AssociateSubnets
+import Amazonka.NetworkFirewall.CreateFirewall
+import Amazonka.NetworkFirewall.CreateFirewallPolicy
+import Amazonka.NetworkFirewall.CreateRuleGroup
+import Amazonka.NetworkFirewall.DeleteFirewall
+import Amazonka.NetworkFirewall.DeleteFirewallPolicy
+import Amazonka.NetworkFirewall.DeleteResourcePolicy
+import Amazonka.NetworkFirewall.DeleteRuleGroup
+import Amazonka.NetworkFirewall.DescribeFirewall
+import Amazonka.NetworkFirewall.DescribeFirewallPolicy
+import Amazonka.NetworkFirewall.DescribeLoggingConfiguration
+import Amazonka.NetworkFirewall.DescribeResourcePolicy
+import Amazonka.NetworkFirewall.DescribeRuleGroup
+import Amazonka.NetworkFirewall.DescribeRuleGroupMetadata
+import Amazonka.NetworkFirewall.DisassociateSubnets
+import Amazonka.NetworkFirewall.Lens
+import Amazonka.NetworkFirewall.ListFirewallPolicies
+import Amazonka.NetworkFirewall.ListFirewalls
+import Amazonka.NetworkFirewall.ListRuleGroups
+import Amazonka.NetworkFirewall.ListTagsForResource
+import Amazonka.NetworkFirewall.PutResourcePolicy
+import Amazonka.NetworkFirewall.TagResource
+import Amazonka.NetworkFirewall.Types
+import Amazonka.NetworkFirewall.UntagResource
+import Amazonka.NetworkFirewall.UpdateFirewallDeleteProtection
+import Amazonka.NetworkFirewall.UpdateFirewallDescription
+import Amazonka.NetworkFirewall.UpdateFirewallEncryptionConfiguration
+import Amazonka.NetworkFirewall.UpdateFirewallPolicy
+import Amazonka.NetworkFirewall.UpdateFirewallPolicyChangeProtection
+import Amazonka.NetworkFirewall.UpdateLoggingConfiguration
+import Amazonka.NetworkFirewall.UpdateRuleGroup
+import Amazonka.NetworkFirewall.UpdateSubnetChangeProtection
+import Amazonka.NetworkFirewall.Waiters
+
+-- $errors
+-- Error matchers are designed for use with the functions provided by
+-- <http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
+-- This allows catching (and rethrowing) service specific errors returned
+-- by 'NetworkFirewall'.
+
+-- $operations
+-- Some AWS operations return results that are incomplete and require subsequent
+-- requests in order to obtain the entire result set. The process of sending
+-- subsequent requests to continue where a previous request left off is called
+-- pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
+-- 1000 objects at a time, and you must send subsequent requests with the
+-- appropriate Marker in order to retrieve the next page of results.
+--
+-- Operations that have an 'AWSPager' instance can transparently perform subsequent
+-- requests, correctly setting Markers and other request facets to iterate through
+-- the entire result set of a truncated API operation. Operations which support
+-- this have an additional note in the documentation.
+--
+-- Many operations have the ability to filter results on the server side. See the
+-- individual operation parameters for details.
+
+-- $waiters
+-- Waiters poll by repeatedly sending a request until some remote success condition
+-- configured by the 'Wait' specification is fulfilled. The 'Wait' specification
+-- determines how many attempts should be made, in addition to delay and retry strategies.
diff --git a/gen/Amazonka/NetworkFirewall/AssociateFirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/AssociateFirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/AssociateFirewallPolicy.hs
@@ -0,0 +1,372 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.AssociateFirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Associates a FirewallPolicy to a Firewall.
+--
+-- A firewall policy defines how to monitor and manage your VPC network
+-- traffic, using a collection of inspection rule groups and other
+-- settings. Each firewall requires one firewall policy association, and
+-- you can use the same firewall policy for multiple firewalls.
+module Amazonka.NetworkFirewall.AssociateFirewallPolicy
+  ( -- * Creating a Request
+    AssociateFirewallPolicy (..),
+    newAssociateFirewallPolicy,
+
+    -- * Request Lenses
+    associateFirewallPolicy_firewallArn,
+    associateFirewallPolicy_firewallName,
+    associateFirewallPolicy_updateToken,
+    associateFirewallPolicy_firewallPolicyArn,
+
+    -- * Destructuring the Response
+    AssociateFirewallPolicyResponse (..),
+    newAssociateFirewallPolicyResponse,
+
+    -- * Response Lenses
+    associateFirewallPolicyResponse_firewallArn,
+    associateFirewallPolicyResponse_firewallName,
+    associateFirewallPolicyResponse_firewallPolicyArn,
+    associateFirewallPolicyResponse_updateToken,
+    associateFirewallPolicyResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newAssociateFirewallPolicy' smart constructor.
+data AssociateFirewallPolicy = AssociateFirewallPolicy'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the firewall policy.
+    firewallPolicyArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssociateFirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'associateFirewallPolicy_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'associateFirewallPolicy_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'associateFirewallPolicy_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'firewallPolicyArn', 'associateFirewallPolicy_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+newAssociateFirewallPolicy ::
+  -- | 'firewallPolicyArn'
+  Prelude.Text ->
+  AssociateFirewallPolicy
+newAssociateFirewallPolicy pFirewallPolicyArn_ =
+  AssociateFirewallPolicy'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      firewallPolicyArn = pFirewallPolicyArn_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+associateFirewallPolicy_firewallArn :: Lens.Lens' AssociateFirewallPolicy (Prelude.Maybe Prelude.Text)
+associateFirewallPolicy_firewallArn = Lens.lens (\AssociateFirewallPolicy' {firewallArn} -> firewallArn) (\s@AssociateFirewallPolicy' {} a -> s {firewallArn = a} :: AssociateFirewallPolicy)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+associateFirewallPolicy_firewallName :: Lens.Lens' AssociateFirewallPolicy (Prelude.Maybe Prelude.Text)
+associateFirewallPolicy_firewallName = Lens.lens (\AssociateFirewallPolicy' {firewallName} -> firewallName) (\s@AssociateFirewallPolicy' {} a -> s {firewallName = a} :: AssociateFirewallPolicy)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+associateFirewallPolicy_updateToken :: Lens.Lens' AssociateFirewallPolicy (Prelude.Maybe Prelude.Text)
+associateFirewallPolicy_updateToken = Lens.lens (\AssociateFirewallPolicy' {updateToken} -> updateToken) (\s@AssociateFirewallPolicy' {} a -> s {updateToken = a} :: AssociateFirewallPolicy)
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+associateFirewallPolicy_firewallPolicyArn :: Lens.Lens' AssociateFirewallPolicy Prelude.Text
+associateFirewallPolicy_firewallPolicyArn = Lens.lens (\AssociateFirewallPolicy' {firewallPolicyArn} -> firewallPolicyArn) (\s@AssociateFirewallPolicy' {} a -> s {firewallPolicyArn = a} :: AssociateFirewallPolicy)
+
+instance Core.AWSRequest AssociateFirewallPolicy where
+  type
+    AWSResponse AssociateFirewallPolicy =
+      AssociateFirewallPolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          AssociateFirewallPolicyResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "FirewallPolicyArn")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable AssociateFirewallPolicy where
+  hashWithSalt _salt AssociateFirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` updateToken
+      `Prelude.hashWithSalt` firewallPolicyArn
+
+instance Prelude.NFData AssociateFirewallPolicy where
+  rnf AssociateFirewallPolicy' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+
+instance Data.ToHeaders AssociateFirewallPolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.AssociateFirewallPolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON AssociateFirewallPolicy where
+  toJSON AssociateFirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just
+              ("FirewallPolicyArn" Data..= firewallPolicyArn)
+          ]
+      )
+
+instance Data.ToPath AssociateFirewallPolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery AssociateFirewallPolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newAssociateFirewallPolicyResponse' smart constructor.
+data AssociateFirewallPolicyResponse = AssociateFirewallPolicyResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the firewall policy.
+    firewallPolicyArn :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssociateFirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'associateFirewallPolicyResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'associateFirewallPolicyResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'firewallPolicyArn', 'associateFirewallPolicyResponse_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- 'updateToken', 'associateFirewallPolicyResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'associateFirewallPolicyResponse_httpStatus' - The response's http status code.
+newAssociateFirewallPolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  AssociateFirewallPolicyResponse
+newAssociateFirewallPolicyResponse pHttpStatus_ =
+  AssociateFirewallPolicyResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      firewallPolicyArn = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+associateFirewallPolicyResponse_firewallArn :: Lens.Lens' AssociateFirewallPolicyResponse (Prelude.Maybe Prelude.Text)
+associateFirewallPolicyResponse_firewallArn = Lens.lens (\AssociateFirewallPolicyResponse' {firewallArn} -> firewallArn) (\s@AssociateFirewallPolicyResponse' {} a -> s {firewallArn = a} :: AssociateFirewallPolicyResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+associateFirewallPolicyResponse_firewallName :: Lens.Lens' AssociateFirewallPolicyResponse (Prelude.Maybe Prelude.Text)
+associateFirewallPolicyResponse_firewallName = Lens.lens (\AssociateFirewallPolicyResponse' {firewallName} -> firewallName) (\s@AssociateFirewallPolicyResponse' {} a -> s {firewallName = a} :: AssociateFirewallPolicyResponse)
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+associateFirewallPolicyResponse_firewallPolicyArn :: Lens.Lens' AssociateFirewallPolicyResponse (Prelude.Maybe Prelude.Text)
+associateFirewallPolicyResponse_firewallPolicyArn = Lens.lens (\AssociateFirewallPolicyResponse' {firewallPolicyArn} -> firewallPolicyArn) (\s@AssociateFirewallPolicyResponse' {} a -> s {firewallPolicyArn = a} :: AssociateFirewallPolicyResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+associateFirewallPolicyResponse_updateToken :: Lens.Lens' AssociateFirewallPolicyResponse (Prelude.Maybe Prelude.Text)
+associateFirewallPolicyResponse_updateToken = Lens.lens (\AssociateFirewallPolicyResponse' {updateToken} -> updateToken) (\s@AssociateFirewallPolicyResponse' {} a -> s {updateToken = a} :: AssociateFirewallPolicyResponse)
+
+-- | The response's http status code.
+associateFirewallPolicyResponse_httpStatus :: Lens.Lens' AssociateFirewallPolicyResponse Prelude.Int
+associateFirewallPolicyResponse_httpStatus = Lens.lens (\AssociateFirewallPolicyResponse' {httpStatus} -> httpStatus) (\s@AssociateFirewallPolicyResponse' {} a -> s {httpStatus = a} :: AssociateFirewallPolicyResponse)
+
+instance
+  Prelude.NFData
+    AssociateFirewallPolicyResponse
+  where
+  rnf AssociateFirewallPolicyResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/AssociateSubnets.hs b/gen/Amazonka/NetworkFirewall/AssociateSubnets.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/AssociateSubnets.hs
@@ -0,0 +1,369 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.AssociateSubnets
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Associates the specified subnets in the Amazon VPC to the firewall. You
+-- can specify one subnet for each of the Availability Zones that the VPC
+-- spans.
+--
+-- This request creates an Network Firewall firewall endpoint in each of
+-- the subnets. To enable the firewall\'s protections, you must also modify
+-- the VPC\'s route tables for each subnet\'s Availability Zone, to
+-- redirect the traffic that\'s coming into and going out of the zone
+-- through the firewall endpoint.
+module Amazonka.NetworkFirewall.AssociateSubnets
+  ( -- * Creating a Request
+    AssociateSubnets (..),
+    newAssociateSubnets,
+
+    -- * Request Lenses
+    associateSubnets_firewallArn,
+    associateSubnets_firewallName,
+    associateSubnets_updateToken,
+    associateSubnets_subnetMappings,
+
+    -- * Destructuring the Response
+    AssociateSubnetsResponse (..),
+    newAssociateSubnetsResponse,
+
+    -- * Response Lenses
+    associateSubnetsResponse_firewallArn,
+    associateSubnetsResponse_firewallName,
+    associateSubnetsResponse_subnetMappings,
+    associateSubnetsResponse_updateToken,
+    associateSubnetsResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newAssociateSubnets' smart constructor.
+data AssociateSubnets = AssociateSubnets'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The IDs of the subnets that you want to associate with the firewall.
+    subnetMappings :: [SubnetMapping]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssociateSubnets' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'associateSubnets_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'associateSubnets_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'associateSubnets_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'subnetMappings', 'associateSubnets_subnetMappings' - The IDs of the subnets that you want to associate with the firewall.
+newAssociateSubnets ::
+  AssociateSubnets
+newAssociateSubnets =
+  AssociateSubnets'
+    { firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      subnetMappings = Prelude.mempty
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+associateSubnets_firewallArn :: Lens.Lens' AssociateSubnets (Prelude.Maybe Prelude.Text)
+associateSubnets_firewallArn = Lens.lens (\AssociateSubnets' {firewallArn} -> firewallArn) (\s@AssociateSubnets' {} a -> s {firewallArn = a} :: AssociateSubnets)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+associateSubnets_firewallName :: Lens.Lens' AssociateSubnets (Prelude.Maybe Prelude.Text)
+associateSubnets_firewallName = Lens.lens (\AssociateSubnets' {firewallName} -> firewallName) (\s@AssociateSubnets' {} a -> s {firewallName = a} :: AssociateSubnets)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+associateSubnets_updateToken :: Lens.Lens' AssociateSubnets (Prelude.Maybe Prelude.Text)
+associateSubnets_updateToken = Lens.lens (\AssociateSubnets' {updateToken} -> updateToken) (\s@AssociateSubnets' {} a -> s {updateToken = a} :: AssociateSubnets)
+
+-- | The IDs of the subnets that you want to associate with the firewall.
+associateSubnets_subnetMappings :: Lens.Lens' AssociateSubnets [SubnetMapping]
+associateSubnets_subnetMappings = Lens.lens (\AssociateSubnets' {subnetMappings} -> subnetMappings) (\s@AssociateSubnets' {} a -> s {subnetMappings = a} :: AssociateSubnets) Prelude.. Lens.coerced
+
+instance Core.AWSRequest AssociateSubnets where
+  type
+    AWSResponse AssociateSubnets =
+      AssociateSubnetsResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          AssociateSubnetsResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "SubnetMappings" Core..!@ Prelude.mempty)
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable AssociateSubnets where
+  hashWithSalt _salt AssociateSubnets' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` updateToken
+      `Prelude.hashWithSalt` subnetMappings
+
+instance Prelude.NFData AssociateSubnets where
+  rnf AssociateSubnets' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf subnetMappings
+
+instance Data.ToHeaders AssociateSubnets where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.AssociateSubnets" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON AssociateSubnets where
+  toJSON AssociateSubnets' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just
+              ("SubnetMappings" Data..= subnetMappings)
+          ]
+      )
+
+instance Data.ToPath AssociateSubnets where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery AssociateSubnets where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newAssociateSubnetsResponse' smart constructor.
+data AssociateSubnetsResponse = AssociateSubnetsResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | The IDs of the subnets that are associated with the firewall.
+    subnetMappings :: Prelude.Maybe [SubnetMapping],
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssociateSubnetsResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'associateSubnetsResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'associateSubnetsResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'subnetMappings', 'associateSubnetsResponse_subnetMappings' - The IDs of the subnets that are associated with the firewall.
+--
+-- 'updateToken', 'associateSubnetsResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'associateSubnetsResponse_httpStatus' - The response's http status code.
+newAssociateSubnetsResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  AssociateSubnetsResponse
+newAssociateSubnetsResponse pHttpStatus_ =
+  AssociateSubnetsResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      subnetMappings = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+associateSubnetsResponse_firewallArn :: Lens.Lens' AssociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+associateSubnetsResponse_firewallArn = Lens.lens (\AssociateSubnetsResponse' {firewallArn} -> firewallArn) (\s@AssociateSubnetsResponse' {} a -> s {firewallArn = a} :: AssociateSubnetsResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+associateSubnetsResponse_firewallName :: Lens.Lens' AssociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+associateSubnetsResponse_firewallName = Lens.lens (\AssociateSubnetsResponse' {firewallName} -> firewallName) (\s@AssociateSubnetsResponse' {} a -> s {firewallName = a} :: AssociateSubnetsResponse)
+
+-- | The IDs of the subnets that are associated with the firewall.
+associateSubnetsResponse_subnetMappings :: Lens.Lens' AssociateSubnetsResponse (Prelude.Maybe [SubnetMapping])
+associateSubnetsResponse_subnetMappings = Lens.lens (\AssociateSubnetsResponse' {subnetMappings} -> subnetMappings) (\s@AssociateSubnetsResponse' {} a -> s {subnetMappings = a} :: AssociateSubnetsResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+associateSubnetsResponse_updateToken :: Lens.Lens' AssociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+associateSubnetsResponse_updateToken = Lens.lens (\AssociateSubnetsResponse' {updateToken} -> updateToken) (\s@AssociateSubnetsResponse' {} a -> s {updateToken = a} :: AssociateSubnetsResponse)
+
+-- | The response's http status code.
+associateSubnetsResponse_httpStatus :: Lens.Lens' AssociateSubnetsResponse Prelude.Int
+associateSubnetsResponse_httpStatus = Lens.lens (\AssociateSubnetsResponse' {httpStatus} -> httpStatus) (\s@AssociateSubnetsResponse' {} a -> s {httpStatus = a} :: AssociateSubnetsResponse)
+
+instance Prelude.NFData AssociateSubnetsResponse where
+  rnf AssociateSubnetsResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf subnetMappings
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/CreateFirewall.hs b/gen/Amazonka/NetworkFirewall/CreateFirewall.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/CreateFirewall.hs
@@ -0,0 +1,407 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.CreateFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates an Network Firewall Firewall and accompanying FirewallStatus for
+-- a VPC.
+--
+-- The firewall defines the configuration settings for an Network Firewall
+-- firewall. The settings that you can define at creation include the
+-- firewall policy, the subnets in your VPC to use for the firewall
+-- endpoints, and any tags that are attached to the firewall Amazon Web
+-- Services resource.
+--
+-- After you create a firewall, you can provide additional settings, like
+-- the logging configuration.
+--
+-- To update the settings for a firewall, you use the operations that apply
+-- to the settings themselves, for example UpdateLoggingConfiguration,
+-- AssociateSubnets, and UpdateFirewallDeleteProtection.
+--
+-- To manage a firewall\'s tags, use the standard Amazon Web Services
+-- resource tagging operations, ListTagsForResource, TagResource, and
+-- UntagResource.
+--
+-- To retrieve information about firewalls, use ListFirewalls and
+-- DescribeFirewall.
+module Amazonka.NetworkFirewall.CreateFirewall
+  ( -- * Creating a Request
+    CreateFirewall (..),
+    newCreateFirewall,
+
+    -- * Request Lenses
+    createFirewall_deleteProtection,
+    createFirewall_description,
+    createFirewall_encryptionConfiguration,
+    createFirewall_firewallPolicyChangeProtection,
+    createFirewall_subnetChangeProtection,
+    createFirewall_tags,
+    createFirewall_firewallName,
+    createFirewall_firewallPolicyArn,
+    createFirewall_vpcId,
+    createFirewall_subnetMappings,
+
+    -- * Destructuring the Response
+    CreateFirewallResponse (..),
+    newCreateFirewallResponse,
+
+    -- * Response Lenses
+    createFirewallResponse_firewall,
+    createFirewallResponse_firewallStatus,
+    createFirewallResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newCreateFirewall' smart constructor.
+data CreateFirewall = CreateFirewall'
+  { -- | A flag indicating whether it is possible to delete the firewall. A
+    -- setting of @TRUE@ indicates that the firewall is protected against
+    -- deletion. Use this setting to protect against accidentally deleting a
+    -- firewall that is in use. When you create a firewall, the operation
+    -- initializes this flag to @TRUE@.
+    deleteProtection :: Prelude.Maybe Prelude.Bool,
+    -- | A description of the firewall.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains settings for encryption of your firewall
+    -- resources.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | A setting indicating whether the firewall is protected against a change
+    -- to the firewall policy association. Use this setting to protect against
+    -- accidentally modifying the firewall policy for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    firewallPolicyChangeProtection :: Prelude.Maybe Prelude.Bool,
+    -- | A setting indicating whether the firewall is protected against changes
+    -- to the subnet associations. Use this setting to protect against
+    -- accidentally modifying the subnet associations for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    subnetChangeProtection :: Prelude.Maybe Prelude.Bool,
+    -- | The key:value pairs to associate with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the FirewallPolicy that you want to
+    -- use for the firewall.
+    firewallPolicyArn :: Prelude.Text,
+    -- | The unique identifier of the VPC where Network Firewall should create
+    -- the firewall.
+    --
+    -- You can\'t change this setting after you create the firewall.
+    vpcId :: Prelude.Text,
+    -- | The public subnets to use for your Network Firewall firewalls. Each
+    -- subnet must belong to a different Availability Zone in the VPC. Network
+    -- Firewall creates a firewall endpoint in each subnet.
+    subnetMappings :: [SubnetMapping]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateFirewall' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'deleteProtection', 'createFirewall_deleteProtection' - A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+--
+-- 'description', 'createFirewall_description' - A description of the firewall.
+--
+-- 'encryptionConfiguration', 'createFirewall_encryptionConfiguration' - A complex type that contains settings for encryption of your firewall
+-- resources.
+--
+-- 'firewallPolicyChangeProtection', 'createFirewall_firewallPolicyChangeProtection' - A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'subnetChangeProtection', 'createFirewall_subnetChangeProtection' - A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'tags', 'createFirewall_tags' - The key:value pairs to associate with the resource.
+--
+-- 'firewallName', 'createFirewall_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'firewallPolicyArn', 'createFirewall_firewallPolicyArn' - The Amazon Resource Name (ARN) of the FirewallPolicy that you want to
+-- use for the firewall.
+--
+-- 'vpcId', 'createFirewall_vpcId' - The unique identifier of the VPC where Network Firewall should create
+-- the firewall.
+--
+-- You can\'t change this setting after you create the firewall.
+--
+-- 'subnetMappings', 'createFirewall_subnetMappings' - The public subnets to use for your Network Firewall firewalls. Each
+-- subnet must belong to a different Availability Zone in the VPC. Network
+-- Firewall creates a firewall endpoint in each subnet.
+newCreateFirewall ::
+  -- | 'firewallName'
+  Prelude.Text ->
+  -- | 'firewallPolicyArn'
+  Prelude.Text ->
+  -- | 'vpcId'
+  Prelude.Text ->
+  CreateFirewall
+newCreateFirewall
+  pFirewallName_
+  pFirewallPolicyArn_
+  pVpcId_ =
+    CreateFirewall'
+      { deleteProtection = Prelude.Nothing,
+        description = Prelude.Nothing,
+        encryptionConfiguration = Prelude.Nothing,
+        firewallPolicyChangeProtection = Prelude.Nothing,
+        subnetChangeProtection = Prelude.Nothing,
+        tags = Prelude.Nothing,
+        firewallName = pFirewallName_,
+        firewallPolicyArn = pFirewallPolicyArn_,
+        vpcId = pVpcId_,
+        subnetMappings = Prelude.mempty
+      }
+
+-- | A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+createFirewall_deleteProtection :: Lens.Lens' CreateFirewall (Prelude.Maybe Prelude.Bool)
+createFirewall_deleteProtection = Lens.lens (\CreateFirewall' {deleteProtection} -> deleteProtection) (\s@CreateFirewall' {} a -> s {deleteProtection = a} :: CreateFirewall)
+
+-- | A description of the firewall.
+createFirewall_description :: Lens.Lens' CreateFirewall (Prelude.Maybe Prelude.Text)
+createFirewall_description = Lens.lens (\CreateFirewall' {description} -> description) (\s@CreateFirewall' {} a -> s {description = a} :: CreateFirewall)
+
+-- | A complex type that contains settings for encryption of your firewall
+-- resources.
+createFirewall_encryptionConfiguration :: Lens.Lens' CreateFirewall (Prelude.Maybe EncryptionConfiguration)
+createFirewall_encryptionConfiguration = Lens.lens (\CreateFirewall' {encryptionConfiguration} -> encryptionConfiguration) (\s@CreateFirewall' {} a -> s {encryptionConfiguration = a} :: CreateFirewall)
+
+-- | A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+createFirewall_firewallPolicyChangeProtection :: Lens.Lens' CreateFirewall (Prelude.Maybe Prelude.Bool)
+createFirewall_firewallPolicyChangeProtection = Lens.lens (\CreateFirewall' {firewallPolicyChangeProtection} -> firewallPolicyChangeProtection) (\s@CreateFirewall' {} a -> s {firewallPolicyChangeProtection = a} :: CreateFirewall)
+
+-- | A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+createFirewall_subnetChangeProtection :: Lens.Lens' CreateFirewall (Prelude.Maybe Prelude.Bool)
+createFirewall_subnetChangeProtection = Lens.lens (\CreateFirewall' {subnetChangeProtection} -> subnetChangeProtection) (\s@CreateFirewall' {} a -> s {subnetChangeProtection = a} :: CreateFirewall)
+
+-- | The key:value pairs to associate with the resource.
+createFirewall_tags :: Lens.Lens' CreateFirewall (Prelude.Maybe (Prelude.NonEmpty Tag))
+createFirewall_tags = Lens.lens (\CreateFirewall' {tags} -> tags) (\s@CreateFirewall' {} a -> s {tags = a} :: CreateFirewall) Prelude.. Lens.mapping Lens.coerced
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+createFirewall_firewallName :: Lens.Lens' CreateFirewall Prelude.Text
+createFirewall_firewallName = Lens.lens (\CreateFirewall' {firewallName} -> firewallName) (\s@CreateFirewall' {} a -> s {firewallName = a} :: CreateFirewall)
+
+-- | The Amazon Resource Name (ARN) of the FirewallPolicy that you want to
+-- use for the firewall.
+createFirewall_firewallPolicyArn :: Lens.Lens' CreateFirewall Prelude.Text
+createFirewall_firewallPolicyArn = Lens.lens (\CreateFirewall' {firewallPolicyArn} -> firewallPolicyArn) (\s@CreateFirewall' {} a -> s {firewallPolicyArn = a} :: CreateFirewall)
+
+-- | The unique identifier of the VPC where Network Firewall should create
+-- the firewall.
+--
+-- You can\'t change this setting after you create the firewall.
+createFirewall_vpcId :: Lens.Lens' CreateFirewall Prelude.Text
+createFirewall_vpcId = Lens.lens (\CreateFirewall' {vpcId} -> vpcId) (\s@CreateFirewall' {} a -> s {vpcId = a} :: CreateFirewall)
+
+-- | The public subnets to use for your Network Firewall firewalls. Each
+-- subnet must belong to a different Availability Zone in the VPC. Network
+-- Firewall creates a firewall endpoint in each subnet.
+createFirewall_subnetMappings :: Lens.Lens' CreateFirewall [SubnetMapping]
+createFirewall_subnetMappings = Lens.lens (\CreateFirewall' {subnetMappings} -> subnetMappings) (\s@CreateFirewall' {} a -> s {subnetMappings = a} :: CreateFirewall) Prelude.. Lens.coerced
+
+instance Core.AWSRequest CreateFirewall where
+  type
+    AWSResponse CreateFirewall =
+      CreateFirewallResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          CreateFirewallResponse'
+            Prelude.<$> (x Data..?> "Firewall")
+            Prelude.<*> (x Data..?> "FirewallStatus")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable CreateFirewall where
+  hashWithSalt _salt CreateFirewall' {..} =
+    _salt
+      `Prelude.hashWithSalt` deleteProtection
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` firewallPolicyChangeProtection
+      `Prelude.hashWithSalt` subnetChangeProtection
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` vpcId
+      `Prelude.hashWithSalt` subnetMappings
+
+instance Prelude.NFData CreateFirewall where
+  rnf CreateFirewall' {..} =
+    Prelude.rnf deleteProtection
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf firewallPolicyChangeProtection
+      `Prelude.seq` Prelude.rnf subnetChangeProtection
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf vpcId
+      `Prelude.seq` Prelude.rnf subnetMappings
+
+instance Data.ToHeaders CreateFirewall where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.CreateFirewall" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON CreateFirewall where
+  toJSON CreateFirewall' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("DeleteProtection" Data..=)
+              Prelude.<$> deleteProtection,
+            ("Description" Data..=) Prelude.<$> description,
+            ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("FirewallPolicyChangeProtection" Data..=)
+              Prelude.<$> firewallPolicyChangeProtection,
+            ("SubnetChangeProtection" Data..=)
+              Prelude.<$> subnetChangeProtection,
+            ("Tags" Data..=) Prelude.<$> tags,
+            Prelude.Just ("FirewallName" Data..= firewallName),
+            Prelude.Just
+              ("FirewallPolicyArn" Data..= firewallPolicyArn),
+            Prelude.Just ("VpcId" Data..= vpcId),
+            Prelude.Just
+              ("SubnetMappings" Data..= subnetMappings)
+          ]
+      )
+
+instance Data.ToPath CreateFirewall where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery CreateFirewall where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newCreateFirewallResponse' smart constructor.
+data CreateFirewallResponse = CreateFirewallResponse'
+  { -- | The configuration settings for the firewall. These settings include the
+    -- firewall policy and the subnets in your VPC to use for the firewall
+    -- endpoints.
+    firewall :: Prelude.Maybe Firewall,
+    -- | Detailed information about the current status of a Firewall. You can
+    -- retrieve this for a firewall by calling DescribeFirewall and providing
+    -- the firewall name and ARN.
+    firewallStatus :: Prelude.Maybe FirewallStatus,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateFirewallResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewall', 'createFirewallResponse_firewall' - The configuration settings for the firewall. These settings include the
+-- firewall policy and the subnets in your VPC to use for the firewall
+-- endpoints.
+--
+-- 'firewallStatus', 'createFirewallResponse_firewallStatus' - Detailed information about the current status of a Firewall. You can
+-- retrieve this for a firewall by calling DescribeFirewall and providing
+-- the firewall name and ARN.
+--
+-- 'httpStatus', 'createFirewallResponse_httpStatus' - The response's http status code.
+newCreateFirewallResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  CreateFirewallResponse
+newCreateFirewallResponse pHttpStatus_ =
+  CreateFirewallResponse'
+    { firewall = Prelude.Nothing,
+      firewallStatus = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The configuration settings for the firewall. These settings include the
+-- firewall policy and the subnets in your VPC to use for the firewall
+-- endpoints.
+createFirewallResponse_firewall :: Lens.Lens' CreateFirewallResponse (Prelude.Maybe Firewall)
+createFirewallResponse_firewall = Lens.lens (\CreateFirewallResponse' {firewall} -> firewall) (\s@CreateFirewallResponse' {} a -> s {firewall = a} :: CreateFirewallResponse)
+
+-- | Detailed information about the current status of a Firewall. You can
+-- retrieve this for a firewall by calling DescribeFirewall and providing
+-- the firewall name and ARN.
+createFirewallResponse_firewallStatus :: Lens.Lens' CreateFirewallResponse (Prelude.Maybe FirewallStatus)
+createFirewallResponse_firewallStatus = Lens.lens (\CreateFirewallResponse' {firewallStatus} -> firewallStatus) (\s@CreateFirewallResponse' {} a -> s {firewallStatus = a} :: CreateFirewallResponse)
+
+-- | The response's http status code.
+createFirewallResponse_httpStatus :: Lens.Lens' CreateFirewallResponse Prelude.Int
+createFirewallResponse_httpStatus = Lens.lens (\CreateFirewallResponse' {httpStatus} -> httpStatus) (\s@CreateFirewallResponse' {} a -> s {httpStatus = a} :: CreateFirewallResponse)
+
+instance Prelude.NFData CreateFirewallResponse where
+  rnf CreateFirewallResponse' {..} =
+    Prelude.rnf firewall
+      `Prelude.seq` Prelude.rnf firewallStatus
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/CreateFirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/CreateFirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/CreateFirewallPolicy.hs
@@ -0,0 +1,349 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.CreateFirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates the firewall policy for the firewall according to the
+-- specifications.
+--
+-- An Network Firewall firewall policy defines the behavior of a firewall,
+-- in a collection of stateless and stateful rule groups and other
+-- settings. You can use one firewall policy for multiple firewalls.
+module Amazonka.NetworkFirewall.CreateFirewallPolicy
+  ( -- * Creating a Request
+    CreateFirewallPolicy (..),
+    newCreateFirewallPolicy,
+
+    -- * Request Lenses
+    createFirewallPolicy_description,
+    createFirewallPolicy_dryRun,
+    createFirewallPolicy_encryptionConfiguration,
+    createFirewallPolicy_tags,
+    createFirewallPolicy_firewallPolicyName,
+    createFirewallPolicy_firewallPolicy,
+
+    -- * Destructuring the Response
+    CreateFirewallPolicyResponse (..),
+    newCreateFirewallPolicyResponse,
+
+    -- * Response Lenses
+    createFirewallPolicyResponse_httpStatus,
+    createFirewallPolicyResponse_updateToken,
+    createFirewallPolicyResponse_firewallPolicyResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newCreateFirewallPolicy' smart constructor.
+data CreateFirewallPolicy = CreateFirewallPolicy'
+  { -- | A description of the firewall policy.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether you want Network Firewall to just check the validity
+    -- of the request, rather than run the request.
+    --
+    -- If set to @TRUE@, Network Firewall checks whether the request can run
+    -- successfully, but doesn\'t actually make the requested changes. The call
+    -- returns the value that the request would return if you ran it with dry
+    -- run set to @FALSE@, but doesn\'t make additions or changes to your
+    -- resources. This option allows you to make sure that you have the
+    -- required permissions to run the request and that your request parameters
+    -- are valid.
+    --
+    -- If set to @FALSE@, Network Firewall makes the requested changes to your
+    -- resources.
+    dryRun :: Prelude.Maybe Prelude.Bool,
+    -- | A complex type that contains settings for encryption of your firewall
+    -- policy resources.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The key:value pairs to associate with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    firewallPolicyName :: Prelude.Text,
+    -- | The rule groups and policy actions to use in the firewall policy.
+    firewallPolicy :: FirewallPolicy
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateFirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'createFirewallPolicy_description' - A description of the firewall policy.
+--
+-- 'dryRun', 'createFirewallPolicy_dryRun' - Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+--
+-- 'encryptionConfiguration', 'createFirewallPolicy_encryptionConfiguration' - A complex type that contains settings for encryption of your firewall
+-- policy resources.
+--
+-- 'tags', 'createFirewallPolicy_tags' - The key:value pairs to associate with the resource.
+--
+-- 'firewallPolicyName', 'createFirewallPolicy_firewallPolicyName' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- 'firewallPolicy', 'createFirewallPolicy_firewallPolicy' - The rule groups and policy actions to use in the firewall policy.
+newCreateFirewallPolicy ::
+  -- | 'firewallPolicyName'
+  Prelude.Text ->
+  -- | 'firewallPolicy'
+  FirewallPolicy ->
+  CreateFirewallPolicy
+newCreateFirewallPolicy
+  pFirewallPolicyName_
+  pFirewallPolicy_ =
+    CreateFirewallPolicy'
+      { description =
+          Prelude.Nothing,
+        dryRun = Prelude.Nothing,
+        encryptionConfiguration = Prelude.Nothing,
+        tags = Prelude.Nothing,
+        firewallPolicyName = pFirewallPolicyName_,
+        firewallPolicy = pFirewallPolicy_
+      }
+
+-- | A description of the firewall policy.
+createFirewallPolicy_description :: Lens.Lens' CreateFirewallPolicy (Prelude.Maybe Prelude.Text)
+createFirewallPolicy_description = Lens.lens (\CreateFirewallPolicy' {description} -> description) (\s@CreateFirewallPolicy' {} a -> s {description = a} :: CreateFirewallPolicy)
+
+-- | Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+createFirewallPolicy_dryRun :: Lens.Lens' CreateFirewallPolicy (Prelude.Maybe Prelude.Bool)
+createFirewallPolicy_dryRun = Lens.lens (\CreateFirewallPolicy' {dryRun} -> dryRun) (\s@CreateFirewallPolicy' {} a -> s {dryRun = a} :: CreateFirewallPolicy)
+
+-- | A complex type that contains settings for encryption of your firewall
+-- policy resources.
+createFirewallPolicy_encryptionConfiguration :: Lens.Lens' CreateFirewallPolicy (Prelude.Maybe EncryptionConfiguration)
+createFirewallPolicy_encryptionConfiguration = Lens.lens (\CreateFirewallPolicy' {encryptionConfiguration} -> encryptionConfiguration) (\s@CreateFirewallPolicy' {} a -> s {encryptionConfiguration = a} :: CreateFirewallPolicy)
+
+-- | The key:value pairs to associate with the resource.
+createFirewallPolicy_tags :: Lens.Lens' CreateFirewallPolicy (Prelude.Maybe (Prelude.NonEmpty Tag))
+createFirewallPolicy_tags = Lens.lens (\CreateFirewallPolicy' {tags} -> tags) (\s@CreateFirewallPolicy' {} a -> s {tags = a} :: CreateFirewallPolicy) Prelude.. Lens.mapping Lens.coerced
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+createFirewallPolicy_firewallPolicyName :: Lens.Lens' CreateFirewallPolicy Prelude.Text
+createFirewallPolicy_firewallPolicyName = Lens.lens (\CreateFirewallPolicy' {firewallPolicyName} -> firewallPolicyName) (\s@CreateFirewallPolicy' {} a -> s {firewallPolicyName = a} :: CreateFirewallPolicy)
+
+-- | The rule groups and policy actions to use in the firewall policy.
+createFirewallPolicy_firewallPolicy :: Lens.Lens' CreateFirewallPolicy FirewallPolicy
+createFirewallPolicy_firewallPolicy = Lens.lens (\CreateFirewallPolicy' {firewallPolicy} -> firewallPolicy) (\s@CreateFirewallPolicy' {} a -> s {firewallPolicy = a} :: CreateFirewallPolicy)
+
+instance Core.AWSRequest CreateFirewallPolicy where
+  type
+    AWSResponse CreateFirewallPolicy =
+      CreateFirewallPolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          CreateFirewallPolicyResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "FirewallPolicyResponse")
+      )
+
+instance Prelude.Hashable CreateFirewallPolicy where
+  hashWithSalt _salt CreateFirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` dryRun
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` firewallPolicyName
+      `Prelude.hashWithSalt` firewallPolicy
+
+instance Prelude.NFData CreateFirewallPolicy where
+  rnf CreateFirewallPolicy' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf dryRun
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf firewallPolicyName
+      `Prelude.seq` Prelude.rnf firewallPolicy
+
+instance Data.ToHeaders CreateFirewallPolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.CreateFirewallPolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON CreateFirewallPolicy where
+  toJSON CreateFirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Description" Data..=) Prelude.<$> description,
+            ("DryRun" Data..=) Prelude.<$> dryRun,
+            ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("Tags" Data..=) Prelude.<$> tags,
+            Prelude.Just
+              ("FirewallPolicyName" Data..= firewallPolicyName),
+            Prelude.Just
+              ("FirewallPolicy" Data..= firewallPolicy)
+          ]
+      )
+
+instance Data.ToPath CreateFirewallPolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery CreateFirewallPolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newCreateFirewallPolicyResponse' smart constructor.
+data CreateFirewallPolicyResponse = CreateFirewallPolicyResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the firewall policy. The token marks the state
+    -- of the policy resource at the time of the request.
+    --
+    -- To make changes to the policy, you provide the token in your request.
+    -- Network Firewall uses the token to ensure that the policy hasn\'t
+    -- changed since you last retrieved it. If it has changed, the operation
+    -- fails with an @InvalidTokenException@. If this happens, retrieve the
+    -- firewall policy again to get a current copy of it with current token.
+    -- Reapply your changes as needed, then try the operation again using the
+    -- new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a firewall policy. This, along with the
+    -- FirewallPolicy, define the policy. You can retrieve all objects for a
+    -- firewall policy by calling DescribeFirewallPolicy.
+    firewallPolicyResponse :: FirewallPolicyResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateFirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'createFirewallPolicyResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'createFirewallPolicyResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+--
+-- 'firewallPolicyResponse', 'createFirewallPolicyResponse_firewallPolicyResponse' - The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+newCreateFirewallPolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'firewallPolicyResponse'
+  FirewallPolicyResponse ->
+  CreateFirewallPolicyResponse
+newCreateFirewallPolicyResponse
+  pHttpStatus_
+  pUpdateToken_
+  pFirewallPolicyResponse_ =
+    CreateFirewallPolicyResponse'
+      { httpStatus =
+          pHttpStatus_,
+        updateToken = pUpdateToken_,
+        firewallPolicyResponse =
+          pFirewallPolicyResponse_
+      }
+
+-- | The response's http status code.
+createFirewallPolicyResponse_httpStatus :: Lens.Lens' CreateFirewallPolicyResponse Prelude.Int
+createFirewallPolicyResponse_httpStatus = Lens.lens (\CreateFirewallPolicyResponse' {httpStatus} -> httpStatus) (\s@CreateFirewallPolicyResponse' {} a -> s {httpStatus = a} :: CreateFirewallPolicyResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+createFirewallPolicyResponse_updateToken :: Lens.Lens' CreateFirewallPolicyResponse Prelude.Text
+createFirewallPolicyResponse_updateToken = Lens.lens (\CreateFirewallPolicyResponse' {updateToken} -> updateToken) (\s@CreateFirewallPolicyResponse' {} a -> s {updateToken = a} :: CreateFirewallPolicyResponse)
+
+-- | The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+createFirewallPolicyResponse_firewallPolicyResponse :: Lens.Lens' CreateFirewallPolicyResponse FirewallPolicyResponse
+createFirewallPolicyResponse_firewallPolicyResponse = Lens.lens (\CreateFirewallPolicyResponse' {firewallPolicyResponse} -> firewallPolicyResponse) (\s@CreateFirewallPolicyResponse' {} a -> s {firewallPolicyResponse = a} :: CreateFirewallPolicyResponse)
+
+instance Prelude.NFData CreateFirewallPolicyResponse where
+  rnf CreateFirewallPolicyResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicyResponse
diff --git a/gen/Amazonka/NetworkFirewall/CreateRuleGroup.hs b/gen/Amazonka/NetworkFirewall/CreateRuleGroup.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/CreateRuleGroup.hs
@@ -0,0 +1,576 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.CreateRuleGroup
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates the specified stateless or stateful rule group, which includes
+-- the rules for network traffic inspection, a capacity setting, and tags.
+--
+-- You provide your rule group specification in your request using either
+-- @RuleGroup@ or @Rules@.
+module Amazonka.NetworkFirewall.CreateRuleGroup
+  ( -- * Creating a Request
+    CreateRuleGroup (..),
+    newCreateRuleGroup,
+
+    -- * Request Lenses
+    createRuleGroup_description,
+    createRuleGroup_dryRun,
+    createRuleGroup_encryptionConfiguration,
+    createRuleGroup_ruleGroup,
+    createRuleGroup_rules,
+    createRuleGroup_sourceMetadata,
+    createRuleGroup_tags,
+    createRuleGroup_ruleGroupName,
+    createRuleGroup_type,
+    createRuleGroup_capacity,
+
+    -- * Destructuring the Response
+    CreateRuleGroupResponse (..),
+    newCreateRuleGroupResponse,
+
+    -- * Response Lenses
+    createRuleGroupResponse_httpStatus,
+    createRuleGroupResponse_updateToken,
+    createRuleGroupResponse_ruleGroupResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newCreateRuleGroup' smart constructor.
+data CreateRuleGroup = CreateRuleGroup'
+  { -- | A description of the rule group.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether you want Network Firewall to just check the validity
+    -- of the request, rather than run the request.
+    --
+    -- If set to @TRUE@, Network Firewall checks whether the request can run
+    -- successfully, but doesn\'t actually make the requested changes. The call
+    -- returns the value that the request would return if you ran it with dry
+    -- run set to @FALSE@, but doesn\'t make additions or changes to your
+    -- resources. This option allows you to make sure that you have the
+    -- required permissions to run the request and that your request parameters
+    -- are valid.
+    --
+    -- If set to @FALSE@, Network Firewall makes the requested changes to your
+    -- resources.
+    dryRun :: Prelude.Maybe Prelude.Bool,
+    -- | A complex type that contains settings for encryption of your rule group
+    -- resources.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | An object that defines the rule group rules.
+    --
+    -- You must provide either this rule group setting or a @Rules@ setting,
+    -- but not both.
+    ruleGroup :: Prelude.Maybe RuleGroup,
+    -- | A string containing stateful rule group rules specifications in Suricata
+    -- flat format, with one rule per line. Use this to import your existing
+    -- Suricata compatible rule groups.
+    --
+    -- You must provide either this rules setting or a populated @RuleGroup@
+    -- setting, but not both.
+    --
+    -- You can provide your rule group specification in Suricata flat format
+    -- through this setting when you create or update your rule group. The call
+    -- response returns a RuleGroup object that Network Firewall has populated
+    -- from your string.
+    rules :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains metadata about the rule group that your own
+    -- rule group is copied from. You can use the metadata to keep track of
+    -- updates made to the originating rule group.
+    sourceMetadata :: Prelude.Maybe SourceMetadata,
+    -- | The key:value pairs to associate with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    ruleGroupName :: Prelude.Text,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    type' :: RuleGroupType,
+    -- | The maximum operating resources that this rule group can use. Rule group
+    -- capacity is fixed at creation. When you update a rule group, you are
+    -- limited to this capacity. When you reference a rule group from a
+    -- firewall policy, Network Firewall reserves this capacity for the rule
+    -- group.
+    --
+    -- You can retrieve the capacity that would be required for a rule group
+    -- before you create the rule group by calling CreateRuleGroup with
+    -- @DryRun@ set to @TRUE@.
+    --
+    -- You can\'t change or exceed this capacity when you update the rule
+    -- group, so leave room for your rule group to grow.
+    --
+    -- __Capacity for a stateless rule group__
+    --
+    -- For a stateless rule group, the capacity required is the sum of the
+    -- capacity requirements of the individual rules that you expect to have in
+    -- the rule group.
+    --
+    -- To calculate the capacity requirement of a single rule, multiply the
+    -- capacity requirement values of each of the rule\'s match settings:
+    --
+    -- -   A match setting with no criteria specified has a value of 1.
+    --
+    -- -   A match setting with @Any@ specified has a value of 1.
+    --
+    -- -   All other match settings have a value equal to the number of
+    --     elements provided in the setting. For example, a protocol setting
+    --     [\"UDP\"] and a source setting [\"10.0.0.0\/24\"] each have a value
+    --     of 1. A protocol setting [\"UDP\",\"TCP\"] has a value of 2. A
+    --     source setting [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"]
+    --     has a value of 3.
+    --
+    -- A rule with no criteria specified in any of its match settings has a
+    -- capacity requirement of 1. A rule with protocol setting
+    -- [\"UDP\",\"TCP\"], source setting
+    -- [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"], and a single
+    -- specification or no specification for each of the other match settings
+    -- has a capacity requirement of 6.
+    --
+    -- __Capacity for a stateful rule group__
+    --
+    -- For a stateful rule group, the minimum capacity required is the number
+    -- of individual rules that you expect to have in the rule group.
+    capacity :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateRuleGroup' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'createRuleGroup_description' - A description of the rule group.
+--
+-- 'dryRun', 'createRuleGroup_dryRun' - Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+--
+-- 'encryptionConfiguration', 'createRuleGroup_encryptionConfiguration' - A complex type that contains settings for encryption of your rule group
+-- resources.
+--
+-- 'ruleGroup', 'createRuleGroup_ruleGroup' - An object that defines the rule group rules.
+--
+-- You must provide either this rule group setting or a @Rules@ setting,
+-- but not both.
+--
+-- 'rules', 'createRuleGroup_rules' - A string containing stateful rule group rules specifications in Suricata
+-- flat format, with one rule per line. Use this to import your existing
+-- Suricata compatible rule groups.
+--
+-- You must provide either this rules setting or a populated @RuleGroup@
+-- setting, but not both.
+--
+-- You can provide your rule group specification in Suricata flat format
+-- through this setting when you create or update your rule group. The call
+-- response returns a RuleGroup object that Network Firewall has populated
+-- from your string.
+--
+-- 'sourceMetadata', 'createRuleGroup_sourceMetadata' - A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to keep track of
+-- updates made to the originating rule group.
+--
+-- 'tags', 'createRuleGroup_tags' - The key:value pairs to associate with the resource.
+--
+-- 'ruleGroupName', 'createRuleGroup_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- 'type'', 'createRuleGroup_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- 'capacity', 'createRuleGroup_capacity' - The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+--
+-- You can\'t change or exceed this capacity when you update the rule
+-- group, so leave room for your rule group to grow.
+--
+-- __Capacity for a stateless rule group__
+--
+-- For a stateless rule group, the capacity required is the sum of the
+-- capacity requirements of the individual rules that you expect to have in
+-- the rule group.
+--
+-- To calculate the capacity requirement of a single rule, multiply the
+-- capacity requirement values of each of the rule\'s match settings:
+--
+-- -   A match setting with no criteria specified has a value of 1.
+--
+-- -   A match setting with @Any@ specified has a value of 1.
+--
+-- -   All other match settings have a value equal to the number of
+--     elements provided in the setting. For example, a protocol setting
+--     [\"UDP\"] and a source setting [\"10.0.0.0\/24\"] each have a value
+--     of 1. A protocol setting [\"UDP\",\"TCP\"] has a value of 2. A
+--     source setting [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"]
+--     has a value of 3.
+--
+-- A rule with no criteria specified in any of its match settings has a
+-- capacity requirement of 1. A rule with protocol setting
+-- [\"UDP\",\"TCP\"], source setting
+-- [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"], and a single
+-- specification or no specification for each of the other match settings
+-- has a capacity requirement of 6.
+--
+-- __Capacity for a stateful rule group__
+--
+-- For a stateful rule group, the minimum capacity required is the number
+-- of individual rules that you expect to have in the rule group.
+newCreateRuleGroup ::
+  -- | 'ruleGroupName'
+  Prelude.Text ->
+  -- | 'type''
+  RuleGroupType ->
+  -- | 'capacity'
+  Prelude.Int ->
+  CreateRuleGroup
+newCreateRuleGroup pRuleGroupName_ pType_ pCapacity_ =
+  CreateRuleGroup'
+    { description = Prelude.Nothing,
+      dryRun = Prelude.Nothing,
+      encryptionConfiguration = Prelude.Nothing,
+      ruleGroup = Prelude.Nothing,
+      rules = Prelude.Nothing,
+      sourceMetadata = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      ruleGroupName = pRuleGroupName_,
+      type' = pType_,
+      capacity = pCapacity_
+    }
+
+-- | A description of the rule group.
+createRuleGroup_description :: Lens.Lens' CreateRuleGroup (Prelude.Maybe Prelude.Text)
+createRuleGroup_description = Lens.lens (\CreateRuleGroup' {description} -> description) (\s@CreateRuleGroup' {} a -> s {description = a} :: CreateRuleGroup)
+
+-- | Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+createRuleGroup_dryRun :: Lens.Lens' CreateRuleGroup (Prelude.Maybe Prelude.Bool)
+createRuleGroup_dryRun = Lens.lens (\CreateRuleGroup' {dryRun} -> dryRun) (\s@CreateRuleGroup' {} a -> s {dryRun = a} :: CreateRuleGroup)
+
+-- | A complex type that contains settings for encryption of your rule group
+-- resources.
+createRuleGroup_encryptionConfiguration :: Lens.Lens' CreateRuleGroup (Prelude.Maybe EncryptionConfiguration)
+createRuleGroup_encryptionConfiguration = Lens.lens (\CreateRuleGroup' {encryptionConfiguration} -> encryptionConfiguration) (\s@CreateRuleGroup' {} a -> s {encryptionConfiguration = a} :: CreateRuleGroup)
+
+-- | An object that defines the rule group rules.
+--
+-- You must provide either this rule group setting or a @Rules@ setting,
+-- but not both.
+createRuleGroup_ruleGroup :: Lens.Lens' CreateRuleGroup (Prelude.Maybe RuleGroup)
+createRuleGroup_ruleGroup = Lens.lens (\CreateRuleGroup' {ruleGroup} -> ruleGroup) (\s@CreateRuleGroup' {} a -> s {ruleGroup = a} :: CreateRuleGroup)
+
+-- | A string containing stateful rule group rules specifications in Suricata
+-- flat format, with one rule per line. Use this to import your existing
+-- Suricata compatible rule groups.
+--
+-- You must provide either this rules setting or a populated @RuleGroup@
+-- setting, but not both.
+--
+-- You can provide your rule group specification in Suricata flat format
+-- through this setting when you create or update your rule group. The call
+-- response returns a RuleGroup object that Network Firewall has populated
+-- from your string.
+createRuleGroup_rules :: Lens.Lens' CreateRuleGroup (Prelude.Maybe Prelude.Text)
+createRuleGroup_rules = Lens.lens (\CreateRuleGroup' {rules} -> rules) (\s@CreateRuleGroup' {} a -> s {rules = a} :: CreateRuleGroup)
+
+-- | A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to keep track of
+-- updates made to the originating rule group.
+createRuleGroup_sourceMetadata :: Lens.Lens' CreateRuleGroup (Prelude.Maybe SourceMetadata)
+createRuleGroup_sourceMetadata = Lens.lens (\CreateRuleGroup' {sourceMetadata} -> sourceMetadata) (\s@CreateRuleGroup' {} a -> s {sourceMetadata = a} :: CreateRuleGroup)
+
+-- | The key:value pairs to associate with the resource.
+createRuleGroup_tags :: Lens.Lens' CreateRuleGroup (Prelude.Maybe (Prelude.NonEmpty Tag))
+createRuleGroup_tags = Lens.lens (\CreateRuleGroup' {tags} -> tags) (\s@CreateRuleGroup' {} a -> s {tags = a} :: CreateRuleGroup) Prelude.. Lens.mapping Lens.coerced
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+createRuleGroup_ruleGroupName :: Lens.Lens' CreateRuleGroup Prelude.Text
+createRuleGroup_ruleGroupName = Lens.lens (\CreateRuleGroup' {ruleGroupName} -> ruleGroupName) (\s@CreateRuleGroup' {} a -> s {ruleGroupName = a} :: CreateRuleGroup)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+createRuleGroup_type :: Lens.Lens' CreateRuleGroup RuleGroupType
+createRuleGroup_type = Lens.lens (\CreateRuleGroup' {type'} -> type') (\s@CreateRuleGroup' {} a -> s {type' = a} :: CreateRuleGroup)
+
+-- | The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+--
+-- You can\'t change or exceed this capacity when you update the rule
+-- group, so leave room for your rule group to grow.
+--
+-- __Capacity for a stateless rule group__
+--
+-- For a stateless rule group, the capacity required is the sum of the
+-- capacity requirements of the individual rules that you expect to have in
+-- the rule group.
+--
+-- To calculate the capacity requirement of a single rule, multiply the
+-- capacity requirement values of each of the rule\'s match settings:
+--
+-- -   A match setting with no criteria specified has a value of 1.
+--
+-- -   A match setting with @Any@ specified has a value of 1.
+--
+-- -   All other match settings have a value equal to the number of
+--     elements provided in the setting. For example, a protocol setting
+--     [\"UDP\"] and a source setting [\"10.0.0.0\/24\"] each have a value
+--     of 1. A protocol setting [\"UDP\",\"TCP\"] has a value of 2. A
+--     source setting [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"]
+--     has a value of 3.
+--
+-- A rule with no criteria specified in any of its match settings has a
+-- capacity requirement of 1. A rule with protocol setting
+-- [\"UDP\",\"TCP\"], source setting
+-- [\"10.0.0.0\/24\",\"10.0.0.1\/24\",\"10.0.0.2\/24\"], and a single
+-- specification or no specification for each of the other match settings
+-- has a capacity requirement of 6.
+--
+-- __Capacity for a stateful rule group__
+--
+-- For a stateful rule group, the minimum capacity required is the number
+-- of individual rules that you expect to have in the rule group.
+createRuleGroup_capacity :: Lens.Lens' CreateRuleGroup Prelude.Int
+createRuleGroup_capacity = Lens.lens (\CreateRuleGroup' {capacity} -> capacity) (\s@CreateRuleGroup' {} a -> s {capacity = a} :: CreateRuleGroup)
+
+instance Core.AWSRequest CreateRuleGroup where
+  type
+    AWSResponse CreateRuleGroup =
+      CreateRuleGroupResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          CreateRuleGroupResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "RuleGroupResponse")
+      )
+
+instance Prelude.Hashable CreateRuleGroup where
+  hashWithSalt _salt CreateRuleGroup' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` dryRun
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` ruleGroup
+      `Prelude.hashWithSalt` rules
+      `Prelude.hashWithSalt` sourceMetadata
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` type'
+      `Prelude.hashWithSalt` capacity
+
+instance Prelude.NFData CreateRuleGroup where
+  rnf CreateRuleGroup' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf dryRun
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf ruleGroup
+      `Prelude.seq` Prelude.rnf rules
+      `Prelude.seq` Prelude.rnf sourceMetadata
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf type'
+      `Prelude.seq` Prelude.rnf capacity
+
+instance Data.ToHeaders CreateRuleGroup where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.CreateRuleGroup" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON CreateRuleGroup where
+  toJSON CreateRuleGroup' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Description" Data..=) Prelude.<$> description,
+            ("DryRun" Data..=) Prelude.<$> dryRun,
+            ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("RuleGroup" Data..=) Prelude.<$> ruleGroup,
+            ("Rules" Data..=) Prelude.<$> rules,
+            ("SourceMetadata" Data..=)
+              Prelude.<$> sourceMetadata,
+            ("Tags" Data..=) Prelude.<$> tags,
+            Prelude.Just ("RuleGroupName" Data..= ruleGroupName),
+            Prelude.Just ("Type" Data..= type'),
+            Prelude.Just ("Capacity" Data..= capacity)
+          ]
+      )
+
+instance Data.ToPath CreateRuleGroup where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery CreateRuleGroup where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newCreateRuleGroupResponse' smart constructor.
+data CreateRuleGroupResponse = CreateRuleGroupResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the rule group. The token marks the state of
+    -- the rule group resource at the time of the request.
+    --
+    -- To make changes to the rule group, you provide the token in your
+    -- request. Network Firewall uses the token to ensure that the rule group
+    -- hasn\'t changed since you last retrieved it. If it has changed, the
+    -- operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the rule group again to get a current copy of it with a current
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a rule group. This, along with the
+    -- RuleGroup, define the rule group. You can retrieve all objects for a
+    -- rule group by calling DescribeRuleGroup.
+    ruleGroupResponse :: RuleGroupResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CreateRuleGroupResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'createRuleGroupResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'createRuleGroupResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'ruleGroupResponse', 'createRuleGroupResponse_ruleGroupResponse' - The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+newCreateRuleGroupResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'ruleGroupResponse'
+  RuleGroupResponse ->
+  CreateRuleGroupResponse
+newCreateRuleGroupResponse
+  pHttpStatus_
+  pUpdateToken_
+  pRuleGroupResponse_ =
+    CreateRuleGroupResponse'
+      { httpStatus = pHttpStatus_,
+        updateToken = pUpdateToken_,
+        ruleGroupResponse = pRuleGroupResponse_
+      }
+
+-- | The response's http status code.
+createRuleGroupResponse_httpStatus :: Lens.Lens' CreateRuleGroupResponse Prelude.Int
+createRuleGroupResponse_httpStatus = Lens.lens (\CreateRuleGroupResponse' {httpStatus} -> httpStatus) (\s@CreateRuleGroupResponse' {} a -> s {httpStatus = a} :: CreateRuleGroupResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+createRuleGroupResponse_updateToken :: Lens.Lens' CreateRuleGroupResponse Prelude.Text
+createRuleGroupResponse_updateToken = Lens.lens (\CreateRuleGroupResponse' {updateToken} -> updateToken) (\s@CreateRuleGroupResponse' {} a -> s {updateToken = a} :: CreateRuleGroupResponse)
+
+-- | The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+createRuleGroupResponse_ruleGroupResponse :: Lens.Lens' CreateRuleGroupResponse RuleGroupResponse
+createRuleGroupResponse_ruleGroupResponse = Lens.lens (\CreateRuleGroupResponse' {ruleGroupResponse} -> ruleGroupResponse) (\s@CreateRuleGroupResponse' {} a -> s {ruleGroupResponse = a} :: CreateRuleGroupResponse)
+
+instance Prelude.NFData CreateRuleGroupResponse where
+  rnf CreateRuleGroupResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf ruleGroupResponse
diff --git a/gen/Amazonka/NetworkFirewall/DeleteFirewall.hs b/gen/Amazonka/NetworkFirewall/DeleteFirewall.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DeleteFirewall.hs
@@ -0,0 +1,222 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DeleteFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Deletes the specified Firewall and its FirewallStatus. This operation
+-- requires the firewall\'s @DeleteProtection@ flag to be @FALSE@. You
+-- can\'t revert this operation.
+--
+-- You can check whether a firewall is in use by reviewing the route tables
+-- for the Availability Zones where you have firewall subnet mappings.
+-- Retrieve the subnet mappings by calling DescribeFirewall. You define and
+-- update the route tables through Amazon VPC. As needed, update the route
+-- tables for the zones to remove the firewall endpoints. When the route
+-- tables no longer use the firewall endpoints, you can remove the firewall
+-- safely.
+--
+-- To delete a firewall, remove the delete protection if you need to using
+-- UpdateFirewallDeleteProtection, then delete the firewall by calling
+-- DeleteFirewall.
+module Amazonka.NetworkFirewall.DeleteFirewall
+  ( -- * Creating a Request
+    DeleteFirewall (..),
+    newDeleteFirewall,
+
+    -- * Request Lenses
+    deleteFirewall_firewallArn,
+    deleteFirewall_firewallName,
+
+    -- * Destructuring the Response
+    DeleteFirewallResponse (..),
+    newDeleteFirewallResponse,
+
+    -- * Response Lenses
+    deleteFirewallResponse_firewall,
+    deleteFirewallResponse_firewallStatus,
+    deleteFirewallResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDeleteFirewall' smart constructor.
+data DeleteFirewall = DeleteFirewall'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteFirewall' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'deleteFirewall_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'deleteFirewall_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDeleteFirewall ::
+  DeleteFirewall
+newDeleteFirewall =
+  DeleteFirewall'
+    { firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteFirewall_firewallArn :: Lens.Lens' DeleteFirewall (Prelude.Maybe Prelude.Text)
+deleteFirewall_firewallArn = Lens.lens (\DeleteFirewall' {firewallArn} -> firewallArn) (\s@DeleteFirewall' {} a -> s {firewallArn = a} :: DeleteFirewall)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteFirewall_firewallName :: Lens.Lens' DeleteFirewall (Prelude.Maybe Prelude.Text)
+deleteFirewall_firewallName = Lens.lens (\DeleteFirewall' {firewallName} -> firewallName) (\s@DeleteFirewall' {} a -> s {firewallName = a} :: DeleteFirewall)
+
+instance Core.AWSRequest DeleteFirewall where
+  type
+    AWSResponse DeleteFirewall =
+      DeleteFirewallResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DeleteFirewallResponse'
+            Prelude.<$> (x Data..?> "Firewall")
+            Prelude.<*> (x Data..?> "FirewallStatus")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DeleteFirewall where
+  hashWithSalt _salt DeleteFirewall' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+
+instance Prelude.NFData DeleteFirewall where
+  rnf DeleteFirewall' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+
+instance Data.ToHeaders DeleteFirewall where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DeleteFirewall" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DeleteFirewall where
+  toJSON DeleteFirewall' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName
+          ]
+      )
+
+instance Data.ToPath DeleteFirewall where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DeleteFirewall where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDeleteFirewallResponse' smart constructor.
+data DeleteFirewallResponse = DeleteFirewallResponse'
+  { firewall :: Prelude.Maybe Firewall,
+    firewallStatus :: Prelude.Maybe FirewallStatus,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteFirewallResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewall', 'deleteFirewallResponse_firewall' - Undocumented member.
+--
+-- 'firewallStatus', 'deleteFirewallResponse_firewallStatus' - Undocumented member.
+--
+-- 'httpStatus', 'deleteFirewallResponse_httpStatus' - The response's http status code.
+newDeleteFirewallResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DeleteFirewallResponse
+newDeleteFirewallResponse pHttpStatus_ =
+  DeleteFirewallResponse'
+    { firewall = Prelude.Nothing,
+      firewallStatus = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | Undocumented member.
+deleteFirewallResponse_firewall :: Lens.Lens' DeleteFirewallResponse (Prelude.Maybe Firewall)
+deleteFirewallResponse_firewall = Lens.lens (\DeleteFirewallResponse' {firewall} -> firewall) (\s@DeleteFirewallResponse' {} a -> s {firewall = a} :: DeleteFirewallResponse)
+
+-- | Undocumented member.
+deleteFirewallResponse_firewallStatus :: Lens.Lens' DeleteFirewallResponse (Prelude.Maybe FirewallStatus)
+deleteFirewallResponse_firewallStatus = Lens.lens (\DeleteFirewallResponse' {firewallStatus} -> firewallStatus) (\s@DeleteFirewallResponse' {} a -> s {firewallStatus = a} :: DeleteFirewallResponse)
+
+-- | The response's http status code.
+deleteFirewallResponse_httpStatus :: Lens.Lens' DeleteFirewallResponse Prelude.Int
+deleteFirewallResponse_httpStatus = Lens.lens (\DeleteFirewallResponse' {httpStatus} -> httpStatus) (\s@DeleteFirewallResponse' {} a -> s {httpStatus = a} :: DeleteFirewallResponse)
+
+instance Prelude.NFData DeleteFirewallResponse where
+  rnf DeleteFirewallResponse' {..} =
+    Prelude.rnf firewall
+      `Prelude.seq` Prelude.rnf firewallStatus
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/DeleteFirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/DeleteFirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DeleteFirewallPolicy.hs
@@ -0,0 +1,210 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DeleteFirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Deletes the specified FirewallPolicy.
+module Amazonka.NetworkFirewall.DeleteFirewallPolicy
+  ( -- * Creating a Request
+    DeleteFirewallPolicy (..),
+    newDeleteFirewallPolicy,
+
+    -- * Request Lenses
+    deleteFirewallPolicy_firewallPolicyArn,
+    deleteFirewallPolicy_firewallPolicyName,
+
+    -- * Destructuring the Response
+    DeleteFirewallPolicyResponse (..),
+    newDeleteFirewallPolicyResponse,
+
+    -- * Response Lenses
+    deleteFirewallPolicyResponse_httpStatus,
+    deleteFirewallPolicyResponse_firewallPolicyResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDeleteFirewallPolicy' smart constructor.
+data DeleteFirewallPolicy = DeleteFirewallPolicy'
+  { -- | The Amazon Resource Name (ARN) of the firewall policy.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteFirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallPolicyArn', 'deleteFirewallPolicy_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallPolicyName', 'deleteFirewallPolicy_firewallPolicyName' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDeleteFirewallPolicy ::
+  DeleteFirewallPolicy
+newDeleteFirewallPolicy =
+  DeleteFirewallPolicy'
+    { firewallPolicyArn =
+        Prelude.Nothing,
+      firewallPolicyName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteFirewallPolicy_firewallPolicyArn :: Lens.Lens' DeleteFirewallPolicy (Prelude.Maybe Prelude.Text)
+deleteFirewallPolicy_firewallPolicyArn = Lens.lens (\DeleteFirewallPolicy' {firewallPolicyArn} -> firewallPolicyArn) (\s@DeleteFirewallPolicy' {} a -> s {firewallPolicyArn = a} :: DeleteFirewallPolicy)
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteFirewallPolicy_firewallPolicyName :: Lens.Lens' DeleteFirewallPolicy (Prelude.Maybe Prelude.Text)
+deleteFirewallPolicy_firewallPolicyName = Lens.lens (\DeleteFirewallPolicy' {firewallPolicyName} -> firewallPolicyName) (\s@DeleteFirewallPolicy' {} a -> s {firewallPolicyName = a} :: DeleteFirewallPolicy)
+
+instance Core.AWSRequest DeleteFirewallPolicy where
+  type
+    AWSResponse DeleteFirewallPolicy =
+      DeleteFirewallPolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DeleteFirewallPolicyResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "FirewallPolicyResponse")
+      )
+
+instance Prelude.Hashable DeleteFirewallPolicy where
+  hashWithSalt _salt DeleteFirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` firewallPolicyName
+
+instance Prelude.NFData DeleteFirewallPolicy where
+  rnf DeleteFirewallPolicy' {..} =
+    Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf firewallPolicyName
+
+instance Data.ToHeaders DeleteFirewallPolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DeleteFirewallPolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DeleteFirewallPolicy where
+  toJSON DeleteFirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallPolicyArn" Data..=)
+              Prelude.<$> firewallPolicyArn,
+            ("FirewallPolicyName" Data..=)
+              Prelude.<$> firewallPolicyName
+          ]
+      )
+
+instance Data.ToPath DeleteFirewallPolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DeleteFirewallPolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDeleteFirewallPolicyResponse' smart constructor.
+data DeleteFirewallPolicyResponse = DeleteFirewallPolicyResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | The object containing the definition of the FirewallPolicyResponse that
+    -- you asked to delete.
+    firewallPolicyResponse :: FirewallPolicyResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteFirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'deleteFirewallPolicyResponse_httpStatus' - The response's http status code.
+--
+-- 'firewallPolicyResponse', 'deleteFirewallPolicyResponse_firewallPolicyResponse' - The object containing the definition of the FirewallPolicyResponse that
+-- you asked to delete.
+newDeleteFirewallPolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'firewallPolicyResponse'
+  FirewallPolicyResponse ->
+  DeleteFirewallPolicyResponse
+newDeleteFirewallPolicyResponse
+  pHttpStatus_
+  pFirewallPolicyResponse_ =
+    DeleteFirewallPolicyResponse'
+      { httpStatus =
+          pHttpStatus_,
+        firewallPolicyResponse =
+          pFirewallPolicyResponse_
+      }
+
+-- | The response's http status code.
+deleteFirewallPolicyResponse_httpStatus :: Lens.Lens' DeleteFirewallPolicyResponse Prelude.Int
+deleteFirewallPolicyResponse_httpStatus = Lens.lens (\DeleteFirewallPolicyResponse' {httpStatus} -> httpStatus) (\s@DeleteFirewallPolicyResponse' {} a -> s {httpStatus = a} :: DeleteFirewallPolicyResponse)
+
+-- | The object containing the definition of the FirewallPolicyResponse that
+-- you asked to delete.
+deleteFirewallPolicyResponse_firewallPolicyResponse :: Lens.Lens' DeleteFirewallPolicyResponse FirewallPolicyResponse
+deleteFirewallPolicyResponse_firewallPolicyResponse = Lens.lens (\DeleteFirewallPolicyResponse' {firewallPolicyResponse} -> firewallPolicyResponse) (\s@DeleteFirewallPolicyResponse' {} a -> s {firewallPolicyResponse = a} :: DeleteFirewallPolicyResponse)
+
+instance Prelude.NFData DeleteFirewallPolicyResponse where
+  rnf DeleteFirewallPolicyResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf firewallPolicyResponse
diff --git a/gen/Amazonka/NetworkFirewall/DeleteResourcePolicy.hs b/gen/Amazonka/NetworkFirewall/DeleteResourcePolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DeleteResourcePolicy.hs
@@ -0,0 +1,161 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DeleteResourcePolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Deletes a resource policy that you created in a PutResourcePolicy
+-- request.
+module Amazonka.NetworkFirewall.DeleteResourcePolicy
+  ( -- * Creating a Request
+    DeleteResourcePolicy (..),
+    newDeleteResourcePolicy,
+
+    -- * Request Lenses
+    deleteResourcePolicy_resourceArn,
+
+    -- * Destructuring the Response
+    DeleteResourcePolicyResponse (..),
+    newDeleteResourcePolicyResponse,
+
+    -- * Response Lenses
+    deleteResourcePolicyResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDeleteResourcePolicy' smart constructor.
+data DeleteResourcePolicy = DeleteResourcePolicy'
+  { -- | The Amazon Resource Name (ARN) of the rule group or firewall policy
+    -- whose resource policy you want to delete.
+    resourceArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteResourcePolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'deleteResourcePolicy_resourceArn' - The Amazon Resource Name (ARN) of the rule group or firewall policy
+-- whose resource policy you want to delete.
+newDeleteResourcePolicy ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  DeleteResourcePolicy
+newDeleteResourcePolicy pResourceArn_ =
+  DeleteResourcePolicy' {resourceArn = pResourceArn_}
+
+-- | The Amazon Resource Name (ARN) of the rule group or firewall policy
+-- whose resource policy you want to delete.
+deleteResourcePolicy_resourceArn :: Lens.Lens' DeleteResourcePolicy Prelude.Text
+deleteResourcePolicy_resourceArn = Lens.lens (\DeleteResourcePolicy' {resourceArn} -> resourceArn) (\s@DeleteResourcePolicy' {} a -> s {resourceArn = a} :: DeleteResourcePolicy)
+
+instance Core.AWSRequest DeleteResourcePolicy where
+  type
+    AWSResponse DeleteResourcePolicy =
+      DeleteResourcePolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          DeleteResourcePolicyResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DeleteResourcePolicy where
+  hashWithSalt _salt DeleteResourcePolicy' {..} =
+    _salt `Prelude.hashWithSalt` resourceArn
+
+instance Prelude.NFData DeleteResourcePolicy where
+  rnf DeleteResourcePolicy' {..} =
+    Prelude.rnf resourceArn
+
+instance Data.ToHeaders DeleteResourcePolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DeleteResourcePolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DeleteResourcePolicy where
+  toJSON DeleteResourcePolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("ResourceArn" Data..= resourceArn)]
+      )
+
+instance Data.ToPath DeleteResourcePolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DeleteResourcePolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDeleteResourcePolicyResponse' smart constructor.
+data DeleteResourcePolicyResponse = DeleteResourcePolicyResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteResourcePolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'deleteResourcePolicyResponse_httpStatus' - The response's http status code.
+newDeleteResourcePolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DeleteResourcePolicyResponse
+newDeleteResourcePolicyResponse pHttpStatus_ =
+  DeleteResourcePolicyResponse'
+    { httpStatus =
+        pHttpStatus_
+    }
+
+-- | The response's http status code.
+deleteResourcePolicyResponse_httpStatus :: Lens.Lens' DeleteResourcePolicyResponse Prelude.Int
+deleteResourcePolicyResponse_httpStatus = Lens.lens (\DeleteResourcePolicyResponse' {httpStatus} -> httpStatus) (\s@DeleteResourcePolicyResponse' {} a -> s {httpStatus = a} :: DeleteResourcePolicyResponse)
+
+instance Prelude.NFData DeleteResourcePolicyResponse where
+  rnf DeleteResourcePolicyResponse' {..} =
+    Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/DeleteRuleGroup.hs b/gen/Amazonka/NetworkFirewall/DeleteRuleGroup.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DeleteRuleGroup.hs
@@ -0,0 +1,236 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DeleteRuleGroup
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Deletes the specified RuleGroup.
+module Amazonka.NetworkFirewall.DeleteRuleGroup
+  ( -- * Creating a Request
+    DeleteRuleGroup (..),
+    newDeleteRuleGroup,
+
+    -- * Request Lenses
+    deleteRuleGroup_ruleGroupArn,
+    deleteRuleGroup_ruleGroupName,
+    deleteRuleGroup_type,
+
+    -- * Destructuring the Response
+    DeleteRuleGroupResponse (..),
+    newDeleteRuleGroupResponse,
+
+    -- * Response Lenses
+    deleteRuleGroupResponse_httpStatus,
+    deleteRuleGroupResponse_ruleGroupResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDeleteRuleGroup' smart constructor.
+data DeleteRuleGroup = DeleteRuleGroup'
+  { -- | The Amazon Resource Name (ARN) of the rule group.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupName :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    --
+    -- This setting is required for requests that do not include the
+    -- @RuleGroupARN@.
+    type' :: Prelude.Maybe RuleGroupType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteRuleGroup' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleGroupArn', 'deleteRuleGroup_ruleGroupArn' - The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'ruleGroupName', 'deleteRuleGroup_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'type'', 'deleteRuleGroup_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+newDeleteRuleGroup ::
+  DeleteRuleGroup
+newDeleteRuleGroup =
+  DeleteRuleGroup'
+    { ruleGroupArn = Prelude.Nothing,
+      ruleGroupName = Prelude.Nothing,
+      type' = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteRuleGroup_ruleGroupArn :: Lens.Lens' DeleteRuleGroup (Prelude.Maybe Prelude.Text)
+deleteRuleGroup_ruleGroupArn = Lens.lens (\DeleteRuleGroup' {ruleGroupArn} -> ruleGroupArn) (\s@DeleteRuleGroup' {} a -> s {ruleGroupArn = a} :: DeleteRuleGroup)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+deleteRuleGroup_ruleGroupName :: Lens.Lens' DeleteRuleGroup (Prelude.Maybe Prelude.Text)
+deleteRuleGroup_ruleGroupName = Lens.lens (\DeleteRuleGroup' {ruleGroupName} -> ruleGroupName) (\s@DeleteRuleGroup' {} a -> s {ruleGroupName = a} :: DeleteRuleGroup)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+deleteRuleGroup_type :: Lens.Lens' DeleteRuleGroup (Prelude.Maybe RuleGroupType)
+deleteRuleGroup_type = Lens.lens (\DeleteRuleGroup' {type'} -> type') (\s@DeleteRuleGroup' {} a -> s {type' = a} :: DeleteRuleGroup)
+
+instance Core.AWSRequest DeleteRuleGroup where
+  type
+    AWSResponse DeleteRuleGroup =
+      DeleteRuleGroupResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DeleteRuleGroupResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "RuleGroupResponse")
+      )
+
+instance Prelude.Hashable DeleteRuleGroup where
+  hashWithSalt _salt DeleteRuleGroup' {..} =
+    _salt
+      `Prelude.hashWithSalt` ruleGroupArn
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` type'
+
+instance Prelude.NFData DeleteRuleGroup where
+  rnf DeleteRuleGroup' {..} =
+    Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf type'
+
+instance Data.ToHeaders DeleteRuleGroup where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DeleteRuleGroup" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DeleteRuleGroup where
+  toJSON DeleteRuleGroup' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("RuleGroupArn" Data..=) Prelude.<$> ruleGroupArn,
+            ("RuleGroupName" Data..=) Prelude.<$> ruleGroupName,
+            ("Type" Data..=) Prelude.<$> type'
+          ]
+      )
+
+instance Data.ToPath DeleteRuleGroup where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DeleteRuleGroup where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDeleteRuleGroupResponse' smart constructor.
+data DeleteRuleGroupResponse = DeleteRuleGroupResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | The high-level properties of a rule group. This, along with the
+    -- RuleGroup, define the rule group. You can retrieve all objects for a
+    -- rule group by calling DescribeRuleGroup.
+    ruleGroupResponse :: RuleGroupResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DeleteRuleGroupResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'deleteRuleGroupResponse_httpStatus' - The response's http status code.
+--
+-- 'ruleGroupResponse', 'deleteRuleGroupResponse_ruleGroupResponse' - The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+newDeleteRuleGroupResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'ruleGroupResponse'
+  RuleGroupResponse ->
+  DeleteRuleGroupResponse
+newDeleteRuleGroupResponse
+  pHttpStatus_
+  pRuleGroupResponse_ =
+    DeleteRuleGroupResponse'
+      { httpStatus = pHttpStatus_,
+        ruleGroupResponse = pRuleGroupResponse_
+      }
+
+-- | The response's http status code.
+deleteRuleGroupResponse_httpStatus :: Lens.Lens' DeleteRuleGroupResponse Prelude.Int
+deleteRuleGroupResponse_httpStatus = Lens.lens (\DeleteRuleGroupResponse' {httpStatus} -> httpStatus) (\s@DeleteRuleGroupResponse' {} a -> s {httpStatus = a} :: DeleteRuleGroupResponse)
+
+-- | The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+deleteRuleGroupResponse_ruleGroupResponse :: Lens.Lens' DeleteRuleGroupResponse RuleGroupResponse
+deleteRuleGroupResponse_ruleGroupResponse = Lens.lens (\DeleteRuleGroupResponse' {ruleGroupResponse} -> ruleGroupResponse) (\s@DeleteRuleGroupResponse' {} a -> s {ruleGroupResponse = a} :: DeleteRuleGroupResponse)
+
+instance Prelude.NFData DeleteRuleGroupResponse where
+  rnf DeleteRuleGroupResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf ruleGroupResponse
diff --git a/gen/Amazonka/NetworkFirewall/DescribeFirewall.hs b/gen/Amazonka/NetworkFirewall/DescribeFirewall.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeFirewall.hs
@@ -0,0 +1,283 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns the data objects for the specified firewall.
+module Amazonka.NetworkFirewall.DescribeFirewall
+  ( -- * Creating a Request
+    DescribeFirewall (..),
+    newDescribeFirewall,
+
+    -- * Request Lenses
+    describeFirewall_firewallArn,
+    describeFirewall_firewallName,
+
+    -- * Destructuring the Response
+    DescribeFirewallResponse (..),
+    newDescribeFirewallResponse,
+
+    -- * Response Lenses
+    describeFirewallResponse_firewall,
+    describeFirewallResponse_firewallStatus,
+    describeFirewallResponse_updateToken,
+    describeFirewallResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeFirewall' smart constructor.
+data DescribeFirewall = DescribeFirewall'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeFirewall' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'describeFirewall_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'describeFirewall_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDescribeFirewall ::
+  DescribeFirewall
+newDescribeFirewall =
+  DescribeFirewall'
+    { firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeFirewall_firewallArn :: Lens.Lens' DescribeFirewall (Prelude.Maybe Prelude.Text)
+describeFirewall_firewallArn = Lens.lens (\DescribeFirewall' {firewallArn} -> firewallArn) (\s@DescribeFirewall' {} a -> s {firewallArn = a} :: DescribeFirewall)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeFirewall_firewallName :: Lens.Lens' DescribeFirewall (Prelude.Maybe Prelude.Text)
+describeFirewall_firewallName = Lens.lens (\DescribeFirewall' {firewallName} -> firewallName) (\s@DescribeFirewall' {} a -> s {firewallName = a} :: DescribeFirewall)
+
+instance Core.AWSRequest DescribeFirewall where
+  type
+    AWSResponse DescribeFirewall =
+      DescribeFirewallResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeFirewallResponse'
+            Prelude.<$> (x Data..?> "Firewall")
+            Prelude.<*> (x Data..?> "FirewallStatus")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DescribeFirewall where
+  hashWithSalt _salt DescribeFirewall' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+
+instance Prelude.NFData DescribeFirewall where
+  rnf DescribeFirewall' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+
+instance Data.ToHeaders DescribeFirewall where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeFirewall" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeFirewall where
+  toJSON DescribeFirewall' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName
+          ]
+      )
+
+instance Data.ToPath DescribeFirewall where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeFirewall where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeFirewallResponse' smart constructor.
+data DescribeFirewallResponse = DescribeFirewallResponse'
+  { -- | The configuration settings for the firewall. These settings include the
+    -- firewall policy and the subnets in your VPC to use for the firewall
+    -- endpoints.
+    firewall :: Prelude.Maybe Firewall,
+    -- | Detailed information about the current status of a Firewall. You can
+    -- retrieve this for a firewall by calling DescribeFirewall and providing
+    -- the firewall name and ARN.
+    firewallStatus :: Prelude.Maybe FirewallStatus,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeFirewallResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewall', 'describeFirewallResponse_firewall' - The configuration settings for the firewall. These settings include the
+-- firewall policy and the subnets in your VPC to use for the firewall
+-- endpoints.
+--
+-- 'firewallStatus', 'describeFirewallResponse_firewallStatus' - Detailed information about the current status of a Firewall. You can
+-- retrieve this for a firewall by calling DescribeFirewall and providing
+-- the firewall name and ARN.
+--
+-- 'updateToken', 'describeFirewallResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'describeFirewallResponse_httpStatus' - The response's http status code.
+newDescribeFirewallResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DescribeFirewallResponse
+newDescribeFirewallResponse pHttpStatus_ =
+  DescribeFirewallResponse'
+    { firewall =
+        Prelude.Nothing,
+      firewallStatus = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The configuration settings for the firewall. These settings include the
+-- firewall policy and the subnets in your VPC to use for the firewall
+-- endpoints.
+describeFirewallResponse_firewall :: Lens.Lens' DescribeFirewallResponse (Prelude.Maybe Firewall)
+describeFirewallResponse_firewall = Lens.lens (\DescribeFirewallResponse' {firewall} -> firewall) (\s@DescribeFirewallResponse' {} a -> s {firewall = a} :: DescribeFirewallResponse)
+
+-- | Detailed information about the current status of a Firewall. You can
+-- retrieve this for a firewall by calling DescribeFirewall and providing
+-- the firewall name and ARN.
+describeFirewallResponse_firewallStatus :: Lens.Lens' DescribeFirewallResponse (Prelude.Maybe FirewallStatus)
+describeFirewallResponse_firewallStatus = Lens.lens (\DescribeFirewallResponse' {firewallStatus} -> firewallStatus) (\s@DescribeFirewallResponse' {} a -> s {firewallStatus = a} :: DescribeFirewallResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+describeFirewallResponse_updateToken :: Lens.Lens' DescribeFirewallResponse (Prelude.Maybe Prelude.Text)
+describeFirewallResponse_updateToken = Lens.lens (\DescribeFirewallResponse' {updateToken} -> updateToken) (\s@DescribeFirewallResponse' {} a -> s {updateToken = a} :: DescribeFirewallResponse)
+
+-- | The response's http status code.
+describeFirewallResponse_httpStatus :: Lens.Lens' DescribeFirewallResponse Prelude.Int
+describeFirewallResponse_httpStatus = Lens.lens (\DescribeFirewallResponse' {httpStatus} -> httpStatus) (\s@DescribeFirewallResponse' {} a -> s {httpStatus = a} :: DescribeFirewallResponse)
+
+instance Prelude.NFData DescribeFirewallResponse where
+  rnf DescribeFirewallResponse' {..} =
+    Prelude.rnf firewall
+      `Prelude.seq` Prelude.rnf firewallStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/DescribeFirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/DescribeFirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeFirewallPolicy.hs
@@ -0,0 +1,273 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeFirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns the data objects for the specified firewall policy.
+module Amazonka.NetworkFirewall.DescribeFirewallPolicy
+  ( -- * Creating a Request
+    DescribeFirewallPolicy (..),
+    newDescribeFirewallPolicy,
+
+    -- * Request Lenses
+    describeFirewallPolicy_firewallPolicyArn,
+    describeFirewallPolicy_firewallPolicyName,
+
+    -- * Destructuring the Response
+    DescribeFirewallPolicyResponse (..),
+    newDescribeFirewallPolicyResponse,
+
+    -- * Response Lenses
+    describeFirewallPolicyResponse_firewallPolicy,
+    describeFirewallPolicyResponse_httpStatus,
+    describeFirewallPolicyResponse_updateToken,
+    describeFirewallPolicyResponse_firewallPolicyResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeFirewallPolicy' smart constructor.
+data DescribeFirewallPolicy = DescribeFirewallPolicy'
+  { -- | The Amazon Resource Name (ARN) of the firewall policy.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeFirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallPolicyArn', 'describeFirewallPolicy_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallPolicyName', 'describeFirewallPolicy_firewallPolicyName' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDescribeFirewallPolicy ::
+  DescribeFirewallPolicy
+newDescribeFirewallPolicy =
+  DescribeFirewallPolicy'
+    { firewallPolicyArn =
+        Prelude.Nothing,
+      firewallPolicyName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeFirewallPolicy_firewallPolicyArn :: Lens.Lens' DescribeFirewallPolicy (Prelude.Maybe Prelude.Text)
+describeFirewallPolicy_firewallPolicyArn = Lens.lens (\DescribeFirewallPolicy' {firewallPolicyArn} -> firewallPolicyArn) (\s@DescribeFirewallPolicy' {} a -> s {firewallPolicyArn = a} :: DescribeFirewallPolicy)
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeFirewallPolicy_firewallPolicyName :: Lens.Lens' DescribeFirewallPolicy (Prelude.Maybe Prelude.Text)
+describeFirewallPolicy_firewallPolicyName = Lens.lens (\DescribeFirewallPolicy' {firewallPolicyName} -> firewallPolicyName) (\s@DescribeFirewallPolicy' {} a -> s {firewallPolicyName = a} :: DescribeFirewallPolicy)
+
+instance Core.AWSRequest DescribeFirewallPolicy where
+  type
+    AWSResponse DescribeFirewallPolicy =
+      DescribeFirewallPolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeFirewallPolicyResponse'
+            Prelude.<$> (x Data..?> "FirewallPolicy")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "FirewallPolicyResponse")
+      )
+
+instance Prelude.Hashable DescribeFirewallPolicy where
+  hashWithSalt _salt DescribeFirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` firewallPolicyName
+
+instance Prelude.NFData DescribeFirewallPolicy where
+  rnf DescribeFirewallPolicy' {..} =
+    Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf firewallPolicyName
+
+instance Data.ToHeaders DescribeFirewallPolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeFirewallPolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeFirewallPolicy where
+  toJSON DescribeFirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallPolicyArn" Data..=)
+              Prelude.<$> firewallPolicyArn,
+            ("FirewallPolicyName" Data..=)
+              Prelude.<$> firewallPolicyName
+          ]
+      )
+
+instance Data.ToPath DescribeFirewallPolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeFirewallPolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeFirewallPolicyResponse' smart constructor.
+data DescribeFirewallPolicyResponse = DescribeFirewallPolicyResponse'
+  { -- | The policy for the specified firewall policy.
+    firewallPolicy :: Prelude.Maybe FirewallPolicy,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the firewall policy. The token marks the state
+    -- of the policy resource at the time of the request.
+    --
+    -- To make changes to the policy, you provide the token in your request.
+    -- Network Firewall uses the token to ensure that the policy hasn\'t
+    -- changed since you last retrieved it. If it has changed, the operation
+    -- fails with an @InvalidTokenException@. If this happens, retrieve the
+    -- firewall policy again to get a current copy of it with current token.
+    -- Reapply your changes as needed, then try the operation again using the
+    -- new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a firewall policy. This, along with the
+    -- FirewallPolicy, define the policy. You can retrieve all objects for a
+    -- firewall policy by calling DescribeFirewallPolicy.
+    firewallPolicyResponse :: FirewallPolicyResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeFirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallPolicy', 'describeFirewallPolicyResponse_firewallPolicy' - The policy for the specified firewall policy.
+--
+-- 'httpStatus', 'describeFirewallPolicyResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'describeFirewallPolicyResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+--
+-- 'firewallPolicyResponse', 'describeFirewallPolicyResponse_firewallPolicyResponse' - The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+newDescribeFirewallPolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'firewallPolicyResponse'
+  FirewallPolicyResponse ->
+  DescribeFirewallPolicyResponse
+newDescribeFirewallPolicyResponse
+  pHttpStatus_
+  pUpdateToken_
+  pFirewallPolicyResponse_ =
+    DescribeFirewallPolicyResponse'
+      { firewallPolicy =
+          Prelude.Nothing,
+        httpStatus = pHttpStatus_,
+        updateToken = pUpdateToken_,
+        firewallPolicyResponse =
+          pFirewallPolicyResponse_
+      }
+
+-- | The policy for the specified firewall policy.
+describeFirewallPolicyResponse_firewallPolicy :: Lens.Lens' DescribeFirewallPolicyResponse (Prelude.Maybe FirewallPolicy)
+describeFirewallPolicyResponse_firewallPolicy = Lens.lens (\DescribeFirewallPolicyResponse' {firewallPolicy} -> firewallPolicy) (\s@DescribeFirewallPolicyResponse' {} a -> s {firewallPolicy = a} :: DescribeFirewallPolicyResponse)
+
+-- | The response's http status code.
+describeFirewallPolicyResponse_httpStatus :: Lens.Lens' DescribeFirewallPolicyResponse Prelude.Int
+describeFirewallPolicyResponse_httpStatus = Lens.lens (\DescribeFirewallPolicyResponse' {httpStatus} -> httpStatus) (\s@DescribeFirewallPolicyResponse' {} a -> s {httpStatus = a} :: DescribeFirewallPolicyResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+describeFirewallPolicyResponse_updateToken :: Lens.Lens' DescribeFirewallPolicyResponse Prelude.Text
+describeFirewallPolicyResponse_updateToken = Lens.lens (\DescribeFirewallPolicyResponse' {updateToken} -> updateToken) (\s@DescribeFirewallPolicyResponse' {} a -> s {updateToken = a} :: DescribeFirewallPolicyResponse)
+
+-- | The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+describeFirewallPolicyResponse_firewallPolicyResponse :: Lens.Lens' DescribeFirewallPolicyResponse FirewallPolicyResponse
+describeFirewallPolicyResponse_firewallPolicyResponse = Lens.lens (\DescribeFirewallPolicyResponse' {firewallPolicyResponse} -> firewallPolicyResponse) (\s@DescribeFirewallPolicyResponse' {} a -> s {firewallPolicyResponse = a} :: DescribeFirewallPolicyResponse)
+
+instance
+  Prelude.NFData
+    DescribeFirewallPolicyResponse
+  where
+  rnf DescribeFirewallPolicyResponse' {..} =
+    Prelude.rnf firewallPolicy
+      `Prelude.seq` Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicyResponse
diff --git a/gen/Amazonka/NetworkFirewall/DescribeLoggingConfiguration.hs b/gen/Amazonka/NetworkFirewall/DescribeLoggingConfiguration.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeLoggingConfiguration.hs
@@ -0,0 +1,218 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeLoggingConfiguration
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns the logging configuration for the specified firewall.
+module Amazonka.NetworkFirewall.DescribeLoggingConfiguration
+  ( -- * Creating a Request
+    DescribeLoggingConfiguration (..),
+    newDescribeLoggingConfiguration,
+
+    -- * Request Lenses
+    describeLoggingConfiguration_firewallArn,
+    describeLoggingConfiguration_firewallName,
+
+    -- * Destructuring the Response
+    DescribeLoggingConfigurationResponse (..),
+    newDescribeLoggingConfigurationResponse,
+
+    -- * Response Lenses
+    describeLoggingConfigurationResponse_firewallArn,
+    describeLoggingConfigurationResponse_loggingConfiguration,
+    describeLoggingConfigurationResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeLoggingConfiguration' smart constructor.
+data DescribeLoggingConfiguration = DescribeLoggingConfiguration'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeLoggingConfiguration' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'describeLoggingConfiguration_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'describeLoggingConfiguration_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDescribeLoggingConfiguration ::
+  DescribeLoggingConfiguration
+newDescribeLoggingConfiguration =
+  DescribeLoggingConfiguration'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeLoggingConfiguration_firewallArn :: Lens.Lens' DescribeLoggingConfiguration (Prelude.Maybe Prelude.Text)
+describeLoggingConfiguration_firewallArn = Lens.lens (\DescribeLoggingConfiguration' {firewallArn} -> firewallArn) (\s@DescribeLoggingConfiguration' {} a -> s {firewallArn = a} :: DescribeLoggingConfiguration)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeLoggingConfiguration_firewallName :: Lens.Lens' DescribeLoggingConfiguration (Prelude.Maybe Prelude.Text)
+describeLoggingConfiguration_firewallName = Lens.lens (\DescribeLoggingConfiguration' {firewallName} -> firewallName) (\s@DescribeLoggingConfiguration' {} a -> s {firewallName = a} :: DescribeLoggingConfiguration)
+
+instance Core.AWSRequest DescribeLoggingConfiguration where
+  type
+    AWSResponse DescribeLoggingConfiguration =
+      DescribeLoggingConfigurationResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeLoggingConfigurationResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "LoggingConfiguration")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance
+  Prelude.Hashable
+    DescribeLoggingConfiguration
+  where
+  hashWithSalt _salt DescribeLoggingConfiguration' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+
+instance Prelude.NFData DescribeLoggingConfiguration where
+  rnf DescribeLoggingConfiguration' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+
+instance Data.ToHeaders DescribeLoggingConfiguration where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeLoggingConfiguration" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeLoggingConfiguration where
+  toJSON DescribeLoggingConfiguration' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName
+          ]
+      )
+
+instance Data.ToPath DescribeLoggingConfiguration where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeLoggingConfiguration where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeLoggingConfigurationResponse' smart constructor.
+data DescribeLoggingConfigurationResponse = DescribeLoggingConfigurationResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    loggingConfiguration :: Prelude.Maybe LoggingConfiguration,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeLoggingConfigurationResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'describeLoggingConfigurationResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'loggingConfiguration', 'describeLoggingConfigurationResponse_loggingConfiguration' - Undocumented member.
+--
+-- 'httpStatus', 'describeLoggingConfigurationResponse_httpStatus' - The response's http status code.
+newDescribeLoggingConfigurationResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DescribeLoggingConfigurationResponse
+newDescribeLoggingConfigurationResponse pHttpStatus_ =
+  DescribeLoggingConfigurationResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      loggingConfiguration =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+describeLoggingConfigurationResponse_firewallArn :: Lens.Lens' DescribeLoggingConfigurationResponse (Prelude.Maybe Prelude.Text)
+describeLoggingConfigurationResponse_firewallArn = Lens.lens (\DescribeLoggingConfigurationResponse' {firewallArn} -> firewallArn) (\s@DescribeLoggingConfigurationResponse' {} a -> s {firewallArn = a} :: DescribeLoggingConfigurationResponse)
+
+-- | Undocumented member.
+describeLoggingConfigurationResponse_loggingConfiguration :: Lens.Lens' DescribeLoggingConfigurationResponse (Prelude.Maybe LoggingConfiguration)
+describeLoggingConfigurationResponse_loggingConfiguration = Lens.lens (\DescribeLoggingConfigurationResponse' {loggingConfiguration} -> loggingConfiguration) (\s@DescribeLoggingConfigurationResponse' {} a -> s {loggingConfiguration = a} :: DescribeLoggingConfigurationResponse)
+
+-- | The response's http status code.
+describeLoggingConfigurationResponse_httpStatus :: Lens.Lens' DescribeLoggingConfigurationResponse Prelude.Int
+describeLoggingConfigurationResponse_httpStatus = Lens.lens (\DescribeLoggingConfigurationResponse' {httpStatus} -> httpStatus) (\s@DescribeLoggingConfigurationResponse' {} a -> s {httpStatus = a} :: DescribeLoggingConfigurationResponse)
+
+instance
+  Prelude.NFData
+    DescribeLoggingConfigurationResponse
+  where
+  rnf DescribeLoggingConfigurationResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf loggingConfiguration
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/DescribeResourcePolicy.hs b/gen/Amazonka/NetworkFirewall/DescribeResourcePolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeResourcePolicy.hs
@@ -0,0 +1,179 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeResourcePolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves a resource policy that you created in a PutResourcePolicy
+-- request.
+module Amazonka.NetworkFirewall.DescribeResourcePolicy
+  ( -- * Creating a Request
+    DescribeResourcePolicy (..),
+    newDescribeResourcePolicy,
+
+    -- * Request Lenses
+    describeResourcePolicy_resourceArn,
+
+    -- * Destructuring the Response
+    DescribeResourcePolicyResponse (..),
+    newDescribeResourcePolicyResponse,
+
+    -- * Response Lenses
+    describeResourcePolicyResponse_policy,
+    describeResourcePolicyResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeResourcePolicy' smart constructor.
+data DescribeResourcePolicy = DescribeResourcePolicy'
+  { -- | The Amazon Resource Name (ARN) of the rule group or firewall policy
+    -- whose resource policy you want to retrieve.
+    resourceArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeResourcePolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'describeResourcePolicy_resourceArn' - The Amazon Resource Name (ARN) of the rule group or firewall policy
+-- whose resource policy you want to retrieve.
+newDescribeResourcePolicy ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  DescribeResourcePolicy
+newDescribeResourcePolicy pResourceArn_ =
+  DescribeResourcePolicy'
+    { resourceArn =
+        pResourceArn_
+    }
+
+-- | The Amazon Resource Name (ARN) of the rule group or firewall policy
+-- whose resource policy you want to retrieve.
+describeResourcePolicy_resourceArn :: Lens.Lens' DescribeResourcePolicy Prelude.Text
+describeResourcePolicy_resourceArn = Lens.lens (\DescribeResourcePolicy' {resourceArn} -> resourceArn) (\s@DescribeResourcePolicy' {} a -> s {resourceArn = a} :: DescribeResourcePolicy)
+
+instance Core.AWSRequest DescribeResourcePolicy where
+  type
+    AWSResponse DescribeResourcePolicy =
+      DescribeResourcePolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeResourcePolicyResponse'
+            Prelude.<$> (x Data..?> "Policy")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DescribeResourcePolicy where
+  hashWithSalt _salt DescribeResourcePolicy' {..} =
+    _salt `Prelude.hashWithSalt` resourceArn
+
+instance Prelude.NFData DescribeResourcePolicy where
+  rnf DescribeResourcePolicy' {..} =
+    Prelude.rnf resourceArn
+
+instance Data.ToHeaders DescribeResourcePolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeResourcePolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeResourcePolicy where
+  toJSON DescribeResourcePolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("ResourceArn" Data..= resourceArn)]
+      )
+
+instance Data.ToPath DescribeResourcePolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeResourcePolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeResourcePolicyResponse' smart constructor.
+data DescribeResourcePolicyResponse = DescribeResourcePolicyResponse'
+  { -- | The IAM policy for the resource.
+    policy :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeResourcePolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'policy', 'describeResourcePolicyResponse_policy' - The IAM policy for the resource.
+--
+-- 'httpStatus', 'describeResourcePolicyResponse_httpStatus' - The response's http status code.
+newDescribeResourcePolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DescribeResourcePolicyResponse
+newDescribeResourcePolicyResponse pHttpStatus_ =
+  DescribeResourcePolicyResponse'
+    { policy =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The IAM policy for the resource.
+describeResourcePolicyResponse_policy :: Lens.Lens' DescribeResourcePolicyResponse (Prelude.Maybe Prelude.Text)
+describeResourcePolicyResponse_policy = Lens.lens (\DescribeResourcePolicyResponse' {policy} -> policy) (\s@DescribeResourcePolicyResponse' {} a -> s {policy = a} :: DescribeResourcePolicyResponse)
+
+-- | The response's http status code.
+describeResourcePolicyResponse_httpStatus :: Lens.Lens' DescribeResourcePolicyResponse Prelude.Int
+describeResourcePolicyResponse_httpStatus = Lens.lens (\DescribeResourcePolicyResponse' {httpStatus} -> httpStatus) (\s@DescribeResourcePolicyResponse' {} a -> s {httpStatus = a} :: DescribeResourcePolicyResponse)
+
+instance
+  Prelude.NFData
+    DescribeResourcePolicyResponse
+  where
+  rnf DescribeResourcePolicyResponse' {..} =
+    Prelude.rnf policy
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/DescribeRuleGroup.hs b/gen/Amazonka/NetworkFirewall/DescribeRuleGroup.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeRuleGroup.hs
@@ -0,0 +1,330 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeRuleGroup
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns the data objects for the specified rule group.
+module Amazonka.NetworkFirewall.DescribeRuleGroup
+  ( -- * Creating a Request
+    DescribeRuleGroup (..),
+    newDescribeRuleGroup,
+
+    -- * Request Lenses
+    describeRuleGroup_ruleGroupArn,
+    describeRuleGroup_ruleGroupName,
+    describeRuleGroup_type,
+
+    -- * Destructuring the Response
+    DescribeRuleGroupResponse (..),
+    newDescribeRuleGroupResponse,
+
+    -- * Response Lenses
+    describeRuleGroupResponse_ruleGroup,
+    describeRuleGroupResponse_httpStatus,
+    describeRuleGroupResponse_updateToken,
+    describeRuleGroupResponse_ruleGroupResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeRuleGroup' smart constructor.
+data DescribeRuleGroup = DescribeRuleGroup'
+  { -- | The Amazon Resource Name (ARN) of the rule group.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupName :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    --
+    -- This setting is required for requests that do not include the
+    -- @RuleGroupARN@.
+    type' :: Prelude.Maybe RuleGroupType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeRuleGroup' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleGroupArn', 'describeRuleGroup_ruleGroupArn' - The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'ruleGroupName', 'describeRuleGroup_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'type'', 'describeRuleGroup_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+newDescribeRuleGroup ::
+  DescribeRuleGroup
+newDescribeRuleGroup =
+  DescribeRuleGroup'
+    { ruleGroupArn = Prelude.Nothing,
+      ruleGroupName = Prelude.Nothing,
+      type' = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroup_ruleGroupArn :: Lens.Lens' DescribeRuleGroup (Prelude.Maybe Prelude.Text)
+describeRuleGroup_ruleGroupArn = Lens.lens (\DescribeRuleGroup' {ruleGroupArn} -> ruleGroupArn) (\s@DescribeRuleGroup' {} a -> s {ruleGroupArn = a} :: DescribeRuleGroup)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroup_ruleGroupName :: Lens.Lens' DescribeRuleGroup (Prelude.Maybe Prelude.Text)
+describeRuleGroup_ruleGroupName = Lens.lens (\DescribeRuleGroup' {ruleGroupName} -> ruleGroupName) (\s@DescribeRuleGroup' {} a -> s {ruleGroupName = a} :: DescribeRuleGroup)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+describeRuleGroup_type :: Lens.Lens' DescribeRuleGroup (Prelude.Maybe RuleGroupType)
+describeRuleGroup_type = Lens.lens (\DescribeRuleGroup' {type'} -> type') (\s@DescribeRuleGroup' {} a -> s {type' = a} :: DescribeRuleGroup)
+
+instance Core.AWSRequest DescribeRuleGroup where
+  type
+    AWSResponse DescribeRuleGroup =
+      DescribeRuleGroupResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeRuleGroupResponse'
+            Prelude.<$> (x Data..?> "RuleGroup")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "RuleGroupResponse")
+      )
+
+instance Prelude.Hashable DescribeRuleGroup where
+  hashWithSalt _salt DescribeRuleGroup' {..} =
+    _salt
+      `Prelude.hashWithSalt` ruleGroupArn
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` type'
+
+instance Prelude.NFData DescribeRuleGroup where
+  rnf DescribeRuleGroup' {..} =
+    Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf type'
+
+instance Data.ToHeaders DescribeRuleGroup where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeRuleGroup" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeRuleGroup where
+  toJSON DescribeRuleGroup' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("RuleGroupArn" Data..=) Prelude.<$> ruleGroupArn,
+            ("RuleGroupName" Data..=) Prelude.<$> ruleGroupName,
+            ("Type" Data..=) Prelude.<$> type'
+          ]
+      )
+
+instance Data.ToPath DescribeRuleGroup where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeRuleGroup where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeRuleGroupResponse' smart constructor.
+data DescribeRuleGroupResponse = DescribeRuleGroupResponse'
+  { -- | The object that defines the rules in a rule group. This, along with
+    -- RuleGroupResponse, define the rule group. You can retrieve all objects
+    -- for a rule group by calling DescribeRuleGroup.
+    --
+    -- Network Firewall uses a rule group to inspect and control network
+    -- traffic. You define stateless rule groups to inspect individual packets
+    -- and you define stateful rule groups to inspect packets in the context of
+    -- their traffic flow.
+    --
+    -- To use a rule group, you include it by reference in an Network Firewall
+    -- firewall policy, then you use the policy in a firewall. You can
+    -- reference a rule group from more than one firewall policy, and you can
+    -- use a firewall policy in more than one firewall.
+    ruleGroup :: Prelude.Maybe RuleGroup,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the rule group. The token marks the state of
+    -- the rule group resource at the time of the request.
+    --
+    -- To make changes to the rule group, you provide the token in your
+    -- request. Network Firewall uses the token to ensure that the rule group
+    -- hasn\'t changed since you last retrieved it. If it has changed, the
+    -- operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the rule group again to get a current copy of it with a current
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a rule group. This, along with the
+    -- RuleGroup, define the rule group. You can retrieve all objects for a
+    -- rule group by calling DescribeRuleGroup.
+    ruleGroupResponse :: RuleGroupResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeRuleGroupResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleGroup', 'describeRuleGroupResponse_ruleGroup' - The object that defines the rules in a rule group. This, along with
+-- RuleGroupResponse, define the rule group. You can retrieve all objects
+-- for a rule group by calling DescribeRuleGroup.
+--
+-- Network Firewall uses a rule group to inspect and control network
+-- traffic. You define stateless rule groups to inspect individual packets
+-- and you define stateful rule groups to inspect packets in the context of
+-- their traffic flow.
+--
+-- To use a rule group, you include it by reference in an Network Firewall
+-- firewall policy, then you use the policy in a firewall. You can
+-- reference a rule group from more than one firewall policy, and you can
+-- use a firewall policy in more than one firewall.
+--
+-- 'httpStatus', 'describeRuleGroupResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'describeRuleGroupResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'ruleGroupResponse', 'describeRuleGroupResponse_ruleGroupResponse' - The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+newDescribeRuleGroupResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'ruleGroupResponse'
+  RuleGroupResponse ->
+  DescribeRuleGroupResponse
+newDescribeRuleGroupResponse
+  pHttpStatus_
+  pUpdateToken_
+  pRuleGroupResponse_ =
+    DescribeRuleGroupResponse'
+      { ruleGroup =
+          Prelude.Nothing,
+        httpStatus = pHttpStatus_,
+        updateToken = pUpdateToken_,
+        ruleGroupResponse = pRuleGroupResponse_
+      }
+
+-- | The object that defines the rules in a rule group. This, along with
+-- RuleGroupResponse, define the rule group. You can retrieve all objects
+-- for a rule group by calling DescribeRuleGroup.
+--
+-- Network Firewall uses a rule group to inspect and control network
+-- traffic. You define stateless rule groups to inspect individual packets
+-- and you define stateful rule groups to inspect packets in the context of
+-- their traffic flow.
+--
+-- To use a rule group, you include it by reference in an Network Firewall
+-- firewall policy, then you use the policy in a firewall. You can
+-- reference a rule group from more than one firewall policy, and you can
+-- use a firewall policy in more than one firewall.
+describeRuleGroupResponse_ruleGroup :: Lens.Lens' DescribeRuleGroupResponse (Prelude.Maybe RuleGroup)
+describeRuleGroupResponse_ruleGroup = Lens.lens (\DescribeRuleGroupResponse' {ruleGroup} -> ruleGroup) (\s@DescribeRuleGroupResponse' {} a -> s {ruleGroup = a} :: DescribeRuleGroupResponse)
+
+-- | The response's http status code.
+describeRuleGroupResponse_httpStatus :: Lens.Lens' DescribeRuleGroupResponse Prelude.Int
+describeRuleGroupResponse_httpStatus = Lens.lens (\DescribeRuleGroupResponse' {httpStatus} -> httpStatus) (\s@DescribeRuleGroupResponse' {} a -> s {httpStatus = a} :: DescribeRuleGroupResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+describeRuleGroupResponse_updateToken :: Lens.Lens' DescribeRuleGroupResponse Prelude.Text
+describeRuleGroupResponse_updateToken = Lens.lens (\DescribeRuleGroupResponse' {updateToken} -> updateToken) (\s@DescribeRuleGroupResponse' {} a -> s {updateToken = a} :: DescribeRuleGroupResponse)
+
+-- | The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+describeRuleGroupResponse_ruleGroupResponse :: Lens.Lens' DescribeRuleGroupResponse RuleGroupResponse
+describeRuleGroupResponse_ruleGroupResponse = Lens.lens (\DescribeRuleGroupResponse' {ruleGroupResponse} -> ruleGroupResponse) (\s@DescribeRuleGroupResponse' {} a -> s {ruleGroupResponse = a} :: DescribeRuleGroupResponse)
+
+instance Prelude.NFData DescribeRuleGroupResponse where
+  rnf DescribeRuleGroupResponse' {..} =
+    Prelude.rnf ruleGroup
+      `Prelude.seq` Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf ruleGroupResponse
diff --git a/gen/Amazonka/NetworkFirewall/DescribeRuleGroupMetadata.hs b/gen/Amazonka/NetworkFirewall/DescribeRuleGroupMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DescribeRuleGroupMetadata.hs
@@ -0,0 +1,372 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DescribeRuleGroupMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- High-level information about a rule group, returned by operations like
+-- create and describe. You can use the information provided in the
+-- metadata to retrieve and manage a rule group. You can retrieve all
+-- objects for a rule group by calling DescribeRuleGroup.
+module Amazonka.NetworkFirewall.DescribeRuleGroupMetadata
+  ( -- * Creating a Request
+    DescribeRuleGroupMetadata (..),
+    newDescribeRuleGroupMetadata,
+
+    -- * Request Lenses
+    describeRuleGroupMetadata_ruleGroupArn,
+    describeRuleGroupMetadata_ruleGroupName,
+    describeRuleGroupMetadata_type,
+
+    -- * Destructuring the Response
+    DescribeRuleGroupMetadataResponse (..),
+    newDescribeRuleGroupMetadataResponse,
+
+    -- * Response Lenses
+    describeRuleGroupMetadataResponse_capacity,
+    describeRuleGroupMetadataResponse_description,
+    describeRuleGroupMetadataResponse_lastModifiedTime,
+    describeRuleGroupMetadataResponse_statefulRuleOptions,
+    describeRuleGroupMetadataResponse_type,
+    describeRuleGroupMetadataResponse_httpStatus,
+    describeRuleGroupMetadataResponse_ruleGroupArn,
+    describeRuleGroupMetadataResponse_ruleGroupName,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeRuleGroupMetadata' smart constructor.
+data DescribeRuleGroupMetadata = DescribeRuleGroupMetadata'
+  { -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupName :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    --
+    -- This setting is required for requests that do not include the
+    -- @RuleGroupARN@.
+    type' :: Prelude.Maybe RuleGroupType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeRuleGroupMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleGroupArn', 'describeRuleGroupMetadata_ruleGroupArn' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'ruleGroupName', 'describeRuleGroupMetadata_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'type'', 'describeRuleGroupMetadata_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+newDescribeRuleGroupMetadata ::
+  DescribeRuleGroupMetadata
+newDescribeRuleGroupMetadata =
+  DescribeRuleGroupMetadata'
+    { ruleGroupArn =
+        Prelude.Nothing,
+      ruleGroupName = Prelude.Nothing,
+      type' = Prelude.Nothing
+    }
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroupMetadata_ruleGroupArn :: Lens.Lens' DescribeRuleGroupMetadata (Prelude.Maybe Prelude.Text)
+describeRuleGroupMetadata_ruleGroupArn = Lens.lens (\DescribeRuleGroupMetadata' {ruleGroupArn} -> ruleGroupArn) (\s@DescribeRuleGroupMetadata' {} a -> s {ruleGroupArn = a} :: DescribeRuleGroupMetadata)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroupMetadata_ruleGroupName :: Lens.Lens' DescribeRuleGroupMetadata (Prelude.Maybe Prelude.Text)
+describeRuleGroupMetadata_ruleGroupName = Lens.lens (\DescribeRuleGroupMetadata' {ruleGroupName} -> ruleGroupName) (\s@DescribeRuleGroupMetadata' {} a -> s {ruleGroupName = a} :: DescribeRuleGroupMetadata)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+describeRuleGroupMetadata_type :: Lens.Lens' DescribeRuleGroupMetadata (Prelude.Maybe RuleGroupType)
+describeRuleGroupMetadata_type = Lens.lens (\DescribeRuleGroupMetadata' {type'} -> type') (\s@DescribeRuleGroupMetadata' {} a -> s {type' = a} :: DescribeRuleGroupMetadata)
+
+instance Core.AWSRequest DescribeRuleGroupMetadata where
+  type
+    AWSResponse DescribeRuleGroupMetadata =
+      DescribeRuleGroupMetadataResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeRuleGroupMetadataResponse'
+            Prelude.<$> (x Data..?> "Capacity")
+            Prelude.<*> (x Data..?> "Description")
+            Prelude.<*> (x Data..?> "LastModifiedTime")
+            Prelude.<*> (x Data..?> "StatefulRuleOptions")
+            Prelude.<*> (x Data..?> "Type")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "RuleGroupArn")
+            Prelude.<*> (x Data..:> "RuleGroupName")
+      )
+
+instance Prelude.Hashable DescribeRuleGroupMetadata where
+  hashWithSalt _salt DescribeRuleGroupMetadata' {..} =
+    _salt
+      `Prelude.hashWithSalt` ruleGroupArn
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` type'
+
+instance Prelude.NFData DescribeRuleGroupMetadata where
+  rnf DescribeRuleGroupMetadata' {..} =
+    Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf type'
+
+instance Data.ToHeaders DescribeRuleGroupMetadata where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DescribeRuleGroupMetadata" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeRuleGroupMetadata where
+  toJSON DescribeRuleGroupMetadata' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("RuleGroupArn" Data..=) Prelude.<$> ruleGroupArn,
+            ("RuleGroupName" Data..=) Prelude.<$> ruleGroupName,
+            ("Type" Data..=) Prelude.<$> type'
+          ]
+      )
+
+instance Data.ToPath DescribeRuleGroupMetadata where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeRuleGroupMetadata where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeRuleGroupMetadataResponse' smart constructor.
+data DescribeRuleGroupMetadataResponse = DescribeRuleGroupMetadataResponse'
+  { -- | The maximum operating resources that this rule group can use. Rule group
+    -- capacity is fixed at creation. When you update a rule group, you are
+    -- limited to this capacity. When you reference a rule group from a
+    -- firewall policy, Network Firewall reserves this capacity for the rule
+    -- group.
+    --
+    -- You can retrieve the capacity that would be required for a rule group
+    -- before you create the rule group by calling CreateRuleGroup with
+    -- @DryRun@ set to @TRUE@.
+    capacity :: Prelude.Maybe Prelude.Int,
+    -- | Returns the metadata objects for the specified rule group.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The last time that the rule group was changed.
+    lastModifiedTime :: Prelude.Maybe Data.POSIX,
+    statefulRuleOptions :: Prelude.Maybe StatefulRuleOptions,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    --
+    -- This setting is required for requests that do not include the
+    -- @RuleGroupARN@.
+    type' :: Prelude.Maybe RuleGroupType,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupArn :: Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupName :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeRuleGroupMetadataResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'capacity', 'describeRuleGroupMetadataResponse_capacity' - The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+--
+-- 'description', 'describeRuleGroupMetadataResponse_description' - Returns the metadata objects for the specified rule group.
+--
+-- 'lastModifiedTime', 'describeRuleGroupMetadataResponse_lastModifiedTime' - The last time that the rule group was changed.
+--
+-- 'statefulRuleOptions', 'describeRuleGroupMetadataResponse_statefulRuleOptions' - Undocumented member.
+--
+-- 'type'', 'describeRuleGroupMetadataResponse_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+--
+-- 'httpStatus', 'describeRuleGroupMetadataResponse_httpStatus' - The response's http status code.
+--
+-- 'ruleGroupArn', 'describeRuleGroupMetadataResponse_ruleGroupArn' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'ruleGroupName', 'describeRuleGroupMetadataResponse_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+newDescribeRuleGroupMetadataResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'ruleGroupArn'
+  Prelude.Text ->
+  -- | 'ruleGroupName'
+  Prelude.Text ->
+  DescribeRuleGroupMetadataResponse
+newDescribeRuleGroupMetadataResponse
+  pHttpStatus_
+  pRuleGroupArn_
+  pRuleGroupName_ =
+    DescribeRuleGroupMetadataResponse'
+      { capacity =
+          Prelude.Nothing,
+        description = Prelude.Nothing,
+        lastModifiedTime = Prelude.Nothing,
+        statefulRuleOptions = Prelude.Nothing,
+        type' = Prelude.Nothing,
+        httpStatus = pHttpStatus_,
+        ruleGroupArn = pRuleGroupArn_,
+        ruleGroupName = pRuleGroupName_
+      }
+
+-- | The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+describeRuleGroupMetadataResponse_capacity :: Lens.Lens' DescribeRuleGroupMetadataResponse (Prelude.Maybe Prelude.Int)
+describeRuleGroupMetadataResponse_capacity = Lens.lens (\DescribeRuleGroupMetadataResponse' {capacity} -> capacity) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {capacity = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | Returns the metadata objects for the specified rule group.
+describeRuleGroupMetadataResponse_description :: Lens.Lens' DescribeRuleGroupMetadataResponse (Prelude.Maybe Prelude.Text)
+describeRuleGroupMetadataResponse_description = Lens.lens (\DescribeRuleGroupMetadataResponse' {description} -> description) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {description = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | The last time that the rule group was changed.
+describeRuleGroupMetadataResponse_lastModifiedTime :: Lens.Lens' DescribeRuleGroupMetadataResponse (Prelude.Maybe Prelude.UTCTime)
+describeRuleGroupMetadataResponse_lastModifiedTime = Lens.lens (\DescribeRuleGroupMetadataResponse' {lastModifiedTime} -> lastModifiedTime) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {lastModifiedTime = a} :: DescribeRuleGroupMetadataResponse) Prelude.. Lens.mapping Data._Time
+
+-- | Undocumented member.
+describeRuleGroupMetadataResponse_statefulRuleOptions :: Lens.Lens' DescribeRuleGroupMetadataResponse (Prelude.Maybe StatefulRuleOptions)
+describeRuleGroupMetadataResponse_statefulRuleOptions = Lens.lens (\DescribeRuleGroupMetadataResponse' {statefulRuleOptions} -> statefulRuleOptions) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {statefulRuleOptions = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+describeRuleGroupMetadataResponse_type :: Lens.Lens' DescribeRuleGroupMetadataResponse (Prelude.Maybe RuleGroupType)
+describeRuleGroupMetadataResponse_type = Lens.lens (\DescribeRuleGroupMetadataResponse' {type'} -> type') (\s@DescribeRuleGroupMetadataResponse' {} a -> s {type' = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | The response's http status code.
+describeRuleGroupMetadataResponse_httpStatus :: Lens.Lens' DescribeRuleGroupMetadataResponse Prelude.Int
+describeRuleGroupMetadataResponse_httpStatus = Lens.lens (\DescribeRuleGroupMetadataResponse' {httpStatus} -> httpStatus) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {httpStatus = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroupMetadataResponse_ruleGroupArn :: Lens.Lens' DescribeRuleGroupMetadataResponse Prelude.Text
+describeRuleGroupMetadataResponse_ruleGroupArn = Lens.lens (\DescribeRuleGroupMetadataResponse' {ruleGroupArn} -> ruleGroupArn) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {ruleGroupArn = a} :: DescribeRuleGroupMetadataResponse)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+describeRuleGroupMetadataResponse_ruleGroupName :: Lens.Lens' DescribeRuleGroupMetadataResponse Prelude.Text
+describeRuleGroupMetadataResponse_ruleGroupName = Lens.lens (\DescribeRuleGroupMetadataResponse' {ruleGroupName} -> ruleGroupName) (\s@DescribeRuleGroupMetadataResponse' {} a -> s {ruleGroupName = a} :: DescribeRuleGroupMetadataResponse)
+
+instance
+  Prelude.NFData
+    DescribeRuleGroupMetadataResponse
+  where
+  rnf DescribeRuleGroupMetadataResponse' {..} =
+    Prelude.rnf capacity
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf lastModifiedTime
+      `Prelude.seq` Prelude.rnf statefulRuleOptions
+      `Prelude.seq` Prelude.rnf type'
+      `Prelude.seq` Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
diff --git a/gen/Amazonka/NetworkFirewall/DisassociateSubnets.hs b/gen/Amazonka/NetworkFirewall/DisassociateSubnets.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/DisassociateSubnets.hs
@@ -0,0 +1,362 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.DisassociateSubnets
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Removes the specified subnet associations from the firewall. This
+-- removes the firewall endpoints from the subnets and removes any network
+-- filtering protections that the endpoints were providing.
+module Amazonka.NetworkFirewall.DisassociateSubnets
+  ( -- * Creating a Request
+    DisassociateSubnets (..),
+    newDisassociateSubnets,
+
+    -- * Request Lenses
+    disassociateSubnets_firewallArn,
+    disassociateSubnets_firewallName,
+    disassociateSubnets_updateToken,
+    disassociateSubnets_subnetIds,
+
+    -- * Destructuring the Response
+    DisassociateSubnetsResponse (..),
+    newDisassociateSubnetsResponse,
+
+    -- * Response Lenses
+    disassociateSubnetsResponse_firewallArn,
+    disassociateSubnetsResponse_firewallName,
+    disassociateSubnetsResponse_subnetMappings,
+    disassociateSubnetsResponse_updateToken,
+    disassociateSubnetsResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDisassociateSubnets' smart constructor.
+data DisassociateSubnets = DisassociateSubnets'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The unique identifiers for the subnets that you want to disassociate.
+    subnetIds :: [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DisassociateSubnets' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'disassociateSubnets_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'disassociateSubnets_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'disassociateSubnets_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'subnetIds', 'disassociateSubnets_subnetIds' - The unique identifiers for the subnets that you want to disassociate.
+newDisassociateSubnets ::
+  DisassociateSubnets
+newDisassociateSubnets =
+  DisassociateSubnets'
+    { firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      subnetIds = Prelude.mempty
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+disassociateSubnets_firewallArn :: Lens.Lens' DisassociateSubnets (Prelude.Maybe Prelude.Text)
+disassociateSubnets_firewallArn = Lens.lens (\DisassociateSubnets' {firewallArn} -> firewallArn) (\s@DisassociateSubnets' {} a -> s {firewallArn = a} :: DisassociateSubnets)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+disassociateSubnets_firewallName :: Lens.Lens' DisassociateSubnets (Prelude.Maybe Prelude.Text)
+disassociateSubnets_firewallName = Lens.lens (\DisassociateSubnets' {firewallName} -> firewallName) (\s@DisassociateSubnets' {} a -> s {firewallName = a} :: DisassociateSubnets)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+disassociateSubnets_updateToken :: Lens.Lens' DisassociateSubnets (Prelude.Maybe Prelude.Text)
+disassociateSubnets_updateToken = Lens.lens (\DisassociateSubnets' {updateToken} -> updateToken) (\s@DisassociateSubnets' {} a -> s {updateToken = a} :: DisassociateSubnets)
+
+-- | The unique identifiers for the subnets that you want to disassociate.
+disassociateSubnets_subnetIds :: Lens.Lens' DisassociateSubnets [Prelude.Text]
+disassociateSubnets_subnetIds = Lens.lens (\DisassociateSubnets' {subnetIds} -> subnetIds) (\s@DisassociateSubnets' {} a -> s {subnetIds = a} :: DisassociateSubnets) Prelude.. Lens.coerced
+
+instance Core.AWSRequest DisassociateSubnets where
+  type
+    AWSResponse DisassociateSubnets =
+      DisassociateSubnetsResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DisassociateSubnetsResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "SubnetMappings" Core..!@ Prelude.mempty)
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DisassociateSubnets where
+  hashWithSalt _salt DisassociateSubnets' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` updateToken
+      `Prelude.hashWithSalt` subnetIds
+
+instance Prelude.NFData DisassociateSubnets where
+  rnf DisassociateSubnets' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf subnetIds
+
+instance Data.ToHeaders DisassociateSubnets where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.DisassociateSubnets" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DisassociateSubnets where
+  toJSON DisassociateSubnets' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just ("SubnetIds" Data..= subnetIds)
+          ]
+      )
+
+instance Data.ToPath DisassociateSubnets where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DisassociateSubnets where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDisassociateSubnetsResponse' smart constructor.
+data DisassociateSubnetsResponse = DisassociateSubnetsResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | The IDs of the subnets that are associated with the firewall.
+    subnetMappings :: Prelude.Maybe [SubnetMapping],
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DisassociateSubnetsResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'disassociateSubnetsResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'disassociateSubnetsResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'subnetMappings', 'disassociateSubnetsResponse_subnetMappings' - The IDs of the subnets that are associated with the firewall.
+--
+-- 'updateToken', 'disassociateSubnetsResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'disassociateSubnetsResponse_httpStatus' - The response's http status code.
+newDisassociateSubnetsResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DisassociateSubnetsResponse
+newDisassociateSubnetsResponse pHttpStatus_ =
+  DisassociateSubnetsResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      subnetMappings = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+disassociateSubnetsResponse_firewallArn :: Lens.Lens' DisassociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+disassociateSubnetsResponse_firewallArn = Lens.lens (\DisassociateSubnetsResponse' {firewallArn} -> firewallArn) (\s@DisassociateSubnetsResponse' {} a -> s {firewallArn = a} :: DisassociateSubnetsResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+disassociateSubnetsResponse_firewallName :: Lens.Lens' DisassociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+disassociateSubnetsResponse_firewallName = Lens.lens (\DisassociateSubnetsResponse' {firewallName} -> firewallName) (\s@DisassociateSubnetsResponse' {} a -> s {firewallName = a} :: DisassociateSubnetsResponse)
+
+-- | The IDs of the subnets that are associated with the firewall.
+disassociateSubnetsResponse_subnetMappings :: Lens.Lens' DisassociateSubnetsResponse (Prelude.Maybe [SubnetMapping])
+disassociateSubnetsResponse_subnetMappings = Lens.lens (\DisassociateSubnetsResponse' {subnetMappings} -> subnetMappings) (\s@DisassociateSubnetsResponse' {} a -> s {subnetMappings = a} :: DisassociateSubnetsResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+disassociateSubnetsResponse_updateToken :: Lens.Lens' DisassociateSubnetsResponse (Prelude.Maybe Prelude.Text)
+disassociateSubnetsResponse_updateToken = Lens.lens (\DisassociateSubnetsResponse' {updateToken} -> updateToken) (\s@DisassociateSubnetsResponse' {} a -> s {updateToken = a} :: DisassociateSubnetsResponse)
+
+-- | The response's http status code.
+disassociateSubnetsResponse_httpStatus :: Lens.Lens' DisassociateSubnetsResponse Prelude.Int
+disassociateSubnetsResponse_httpStatus = Lens.lens (\DisassociateSubnetsResponse' {httpStatus} -> httpStatus) (\s@DisassociateSubnetsResponse' {} a -> s {httpStatus = a} :: DisassociateSubnetsResponse)
+
+instance Prelude.NFData DisassociateSubnetsResponse where
+  rnf DisassociateSubnetsResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf subnetMappings
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/Lens.hs b/gen/Amazonka/NetworkFirewall/Lens.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Lens.hs
@@ -0,0 +1,616 @@
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Lens
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Lens
+  ( -- * Operations
+
+    -- ** AssociateFirewallPolicy
+    associateFirewallPolicy_firewallArn,
+    associateFirewallPolicy_firewallName,
+    associateFirewallPolicy_updateToken,
+    associateFirewallPolicy_firewallPolicyArn,
+    associateFirewallPolicyResponse_firewallArn,
+    associateFirewallPolicyResponse_firewallName,
+    associateFirewallPolicyResponse_firewallPolicyArn,
+    associateFirewallPolicyResponse_updateToken,
+    associateFirewallPolicyResponse_httpStatus,
+
+    -- ** AssociateSubnets
+    associateSubnets_firewallArn,
+    associateSubnets_firewallName,
+    associateSubnets_updateToken,
+    associateSubnets_subnetMappings,
+    associateSubnetsResponse_firewallArn,
+    associateSubnetsResponse_firewallName,
+    associateSubnetsResponse_subnetMappings,
+    associateSubnetsResponse_updateToken,
+    associateSubnetsResponse_httpStatus,
+
+    -- ** CreateFirewall
+    createFirewall_deleteProtection,
+    createFirewall_description,
+    createFirewall_encryptionConfiguration,
+    createFirewall_firewallPolicyChangeProtection,
+    createFirewall_subnetChangeProtection,
+    createFirewall_tags,
+    createFirewall_firewallName,
+    createFirewall_firewallPolicyArn,
+    createFirewall_vpcId,
+    createFirewall_subnetMappings,
+    createFirewallResponse_firewall,
+    createFirewallResponse_firewallStatus,
+    createFirewallResponse_httpStatus,
+
+    -- ** CreateFirewallPolicy
+    createFirewallPolicy_description,
+    createFirewallPolicy_dryRun,
+    createFirewallPolicy_encryptionConfiguration,
+    createFirewallPolicy_tags,
+    createFirewallPolicy_firewallPolicyName,
+    createFirewallPolicy_firewallPolicy,
+    createFirewallPolicyResponse_httpStatus,
+    createFirewallPolicyResponse_updateToken,
+    createFirewallPolicyResponse_firewallPolicyResponse,
+
+    -- ** CreateRuleGroup
+    createRuleGroup_description,
+    createRuleGroup_dryRun,
+    createRuleGroup_encryptionConfiguration,
+    createRuleGroup_ruleGroup,
+    createRuleGroup_rules,
+    createRuleGroup_sourceMetadata,
+    createRuleGroup_tags,
+    createRuleGroup_ruleGroupName,
+    createRuleGroup_type,
+    createRuleGroup_capacity,
+    createRuleGroupResponse_httpStatus,
+    createRuleGroupResponse_updateToken,
+    createRuleGroupResponse_ruleGroupResponse,
+
+    -- ** DeleteFirewall
+    deleteFirewall_firewallArn,
+    deleteFirewall_firewallName,
+    deleteFirewallResponse_firewall,
+    deleteFirewallResponse_firewallStatus,
+    deleteFirewallResponse_httpStatus,
+
+    -- ** DeleteFirewallPolicy
+    deleteFirewallPolicy_firewallPolicyArn,
+    deleteFirewallPolicy_firewallPolicyName,
+    deleteFirewallPolicyResponse_httpStatus,
+    deleteFirewallPolicyResponse_firewallPolicyResponse,
+
+    -- ** DeleteResourcePolicy
+    deleteResourcePolicy_resourceArn,
+    deleteResourcePolicyResponse_httpStatus,
+
+    -- ** DeleteRuleGroup
+    deleteRuleGroup_ruleGroupArn,
+    deleteRuleGroup_ruleGroupName,
+    deleteRuleGroup_type,
+    deleteRuleGroupResponse_httpStatus,
+    deleteRuleGroupResponse_ruleGroupResponse,
+
+    -- ** DescribeFirewall
+    describeFirewall_firewallArn,
+    describeFirewall_firewallName,
+    describeFirewallResponse_firewall,
+    describeFirewallResponse_firewallStatus,
+    describeFirewallResponse_updateToken,
+    describeFirewallResponse_httpStatus,
+
+    -- ** DescribeFirewallPolicy
+    describeFirewallPolicy_firewallPolicyArn,
+    describeFirewallPolicy_firewallPolicyName,
+    describeFirewallPolicyResponse_firewallPolicy,
+    describeFirewallPolicyResponse_httpStatus,
+    describeFirewallPolicyResponse_updateToken,
+    describeFirewallPolicyResponse_firewallPolicyResponse,
+
+    -- ** DescribeLoggingConfiguration
+    describeLoggingConfiguration_firewallArn,
+    describeLoggingConfiguration_firewallName,
+    describeLoggingConfigurationResponse_firewallArn,
+    describeLoggingConfigurationResponse_loggingConfiguration,
+    describeLoggingConfigurationResponse_httpStatus,
+
+    -- ** DescribeResourcePolicy
+    describeResourcePolicy_resourceArn,
+    describeResourcePolicyResponse_policy,
+    describeResourcePolicyResponse_httpStatus,
+
+    -- ** DescribeRuleGroup
+    describeRuleGroup_ruleGroupArn,
+    describeRuleGroup_ruleGroupName,
+    describeRuleGroup_type,
+    describeRuleGroupResponse_ruleGroup,
+    describeRuleGroupResponse_httpStatus,
+    describeRuleGroupResponse_updateToken,
+    describeRuleGroupResponse_ruleGroupResponse,
+
+    -- ** DescribeRuleGroupMetadata
+    describeRuleGroupMetadata_ruleGroupArn,
+    describeRuleGroupMetadata_ruleGroupName,
+    describeRuleGroupMetadata_type,
+    describeRuleGroupMetadataResponse_capacity,
+    describeRuleGroupMetadataResponse_description,
+    describeRuleGroupMetadataResponse_lastModifiedTime,
+    describeRuleGroupMetadataResponse_statefulRuleOptions,
+    describeRuleGroupMetadataResponse_type,
+    describeRuleGroupMetadataResponse_httpStatus,
+    describeRuleGroupMetadataResponse_ruleGroupArn,
+    describeRuleGroupMetadataResponse_ruleGroupName,
+
+    -- ** DisassociateSubnets
+    disassociateSubnets_firewallArn,
+    disassociateSubnets_firewallName,
+    disassociateSubnets_updateToken,
+    disassociateSubnets_subnetIds,
+    disassociateSubnetsResponse_firewallArn,
+    disassociateSubnetsResponse_firewallName,
+    disassociateSubnetsResponse_subnetMappings,
+    disassociateSubnetsResponse_updateToken,
+    disassociateSubnetsResponse_httpStatus,
+
+    -- ** ListFirewallPolicies
+    listFirewallPolicies_maxResults,
+    listFirewallPolicies_nextToken,
+    listFirewallPoliciesResponse_firewallPolicies,
+    listFirewallPoliciesResponse_nextToken,
+    listFirewallPoliciesResponse_httpStatus,
+
+    -- ** ListFirewalls
+    listFirewalls_maxResults,
+    listFirewalls_nextToken,
+    listFirewalls_vpcIds,
+    listFirewallsResponse_firewalls,
+    listFirewallsResponse_nextToken,
+    listFirewallsResponse_httpStatus,
+
+    -- ** ListRuleGroups
+    listRuleGroups_managedType,
+    listRuleGroups_maxResults,
+    listRuleGroups_nextToken,
+    listRuleGroups_scope,
+    listRuleGroups_type,
+    listRuleGroupsResponse_nextToken,
+    listRuleGroupsResponse_ruleGroups,
+    listRuleGroupsResponse_httpStatus,
+
+    -- ** ListTagsForResource
+    listTagsForResource_maxResults,
+    listTagsForResource_nextToken,
+    listTagsForResource_resourceArn,
+    listTagsForResourceResponse_nextToken,
+    listTagsForResourceResponse_tags,
+    listTagsForResourceResponse_httpStatus,
+
+    -- ** PutResourcePolicy
+    putResourcePolicy_resourceArn,
+    putResourcePolicy_policy,
+    putResourcePolicyResponse_httpStatus,
+
+    -- ** TagResource
+    tagResource_resourceArn,
+    tagResource_tags,
+    tagResourceResponse_httpStatus,
+
+    -- ** UntagResource
+    untagResource_resourceArn,
+    untagResource_tagKeys,
+    untagResourceResponse_httpStatus,
+
+    -- ** UpdateFirewallDeleteProtection
+    updateFirewallDeleteProtection_firewallArn,
+    updateFirewallDeleteProtection_firewallName,
+    updateFirewallDeleteProtection_updateToken,
+    updateFirewallDeleteProtection_deleteProtection,
+    updateFirewallDeleteProtectionResponse_deleteProtection,
+    updateFirewallDeleteProtectionResponse_firewallArn,
+    updateFirewallDeleteProtectionResponse_firewallName,
+    updateFirewallDeleteProtectionResponse_updateToken,
+    updateFirewallDeleteProtectionResponse_httpStatus,
+
+    -- ** UpdateFirewallDescription
+    updateFirewallDescription_description,
+    updateFirewallDescription_firewallArn,
+    updateFirewallDescription_firewallName,
+    updateFirewallDescription_updateToken,
+    updateFirewallDescriptionResponse_description,
+    updateFirewallDescriptionResponse_firewallArn,
+    updateFirewallDescriptionResponse_firewallName,
+    updateFirewallDescriptionResponse_updateToken,
+    updateFirewallDescriptionResponse_httpStatus,
+
+    -- ** UpdateFirewallEncryptionConfiguration
+    updateFirewallEncryptionConfiguration_encryptionConfiguration,
+    updateFirewallEncryptionConfiguration_firewallArn,
+    updateFirewallEncryptionConfiguration_firewallName,
+    updateFirewallEncryptionConfiguration_updateToken,
+    updateFirewallEncryptionConfigurationResponse_encryptionConfiguration,
+    updateFirewallEncryptionConfigurationResponse_firewallArn,
+    updateFirewallEncryptionConfigurationResponse_firewallName,
+    updateFirewallEncryptionConfigurationResponse_updateToken,
+    updateFirewallEncryptionConfigurationResponse_httpStatus,
+
+    -- ** UpdateFirewallPolicy
+    updateFirewallPolicy_description,
+    updateFirewallPolicy_dryRun,
+    updateFirewallPolicy_encryptionConfiguration,
+    updateFirewallPolicy_firewallPolicyArn,
+    updateFirewallPolicy_firewallPolicyName,
+    updateFirewallPolicy_updateToken,
+    updateFirewallPolicy_firewallPolicy,
+    updateFirewallPolicyResponse_httpStatus,
+    updateFirewallPolicyResponse_updateToken,
+    updateFirewallPolicyResponse_firewallPolicyResponse,
+
+    -- ** UpdateFirewallPolicyChangeProtection
+    updateFirewallPolicyChangeProtection_firewallArn,
+    updateFirewallPolicyChangeProtection_firewallName,
+    updateFirewallPolicyChangeProtection_updateToken,
+    updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection,
+    updateFirewallPolicyChangeProtectionResponse_firewallArn,
+    updateFirewallPolicyChangeProtectionResponse_firewallName,
+    updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection,
+    updateFirewallPolicyChangeProtectionResponse_updateToken,
+    updateFirewallPolicyChangeProtectionResponse_httpStatus,
+
+    -- ** UpdateLoggingConfiguration
+    updateLoggingConfiguration_firewallArn,
+    updateLoggingConfiguration_firewallName,
+    updateLoggingConfiguration_loggingConfiguration,
+    updateLoggingConfigurationResponse_firewallArn,
+    updateLoggingConfigurationResponse_firewallName,
+    updateLoggingConfigurationResponse_loggingConfiguration,
+    updateLoggingConfigurationResponse_httpStatus,
+
+    -- ** UpdateRuleGroup
+    updateRuleGroup_description,
+    updateRuleGroup_dryRun,
+    updateRuleGroup_encryptionConfiguration,
+    updateRuleGroup_ruleGroup,
+    updateRuleGroup_ruleGroupArn,
+    updateRuleGroup_ruleGroupName,
+    updateRuleGroup_rules,
+    updateRuleGroup_sourceMetadata,
+    updateRuleGroup_type,
+    updateRuleGroup_updateToken,
+    updateRuleGroupResponse_httpStatus,
+    updateRuleGroupResponse_updateToken,
+    updateRuleGroupResponse_ruleGroupResponse,
+
+    -- ** UpdateSubnetChangeProtection
+    updateSubnetChangeProtection_firewallArn,
+    updateSubnetChangeProtection_firewallName,
+    updateSubnetChangeProtection_updateToken,
+    updateSubnetChangeProtection_subnetChangeProtection,
+    updateSubnetChangeProtectionResponse_firewallArn,
+    updateSubnetChangeProtectionResponse_firewallName,
+    updateSubnetChangeProtectionResponse_subnetChangeProtection,
+    updateSubnetChangeProtectionResponse_updateToken,
+    updateSubnetChangeProtectionResponse_httpStatus,
+
+    -- * Types
+
+    -- ** ActionDefinition
+    actionDefinition_publishMetricAction,
+
+    -- ** Address
+    address_addressDefinition,
+
+    -- ** Attachment
+    attachment_endpointId,
+    attachment_status,
+    attachment_statusMessage,
+    attachment_subnetId,
+
+    -- ** CIDRSummary
+    cIDRSummary_availableCIDRCount,
+    cIDRSummary_iPSetReferences,
+    cIDRSummary_utilizedCIDRCount,
+
+    -- ** CapacityUsageSummary
+    capacityUsageSummary_cIDRs,
+
+    -- ** CustomAction
+    customAction_actionName,
+    customAction_actionDefinition,
+
+    -- ** Dimension
+    dimension_value,
+
+    -- ** EncryptionConfiguration
+    encryptionConfiguration_keyId,
+    encryptionConfiguration_type,
+
+    -- ** Firewall
+    firewall_deleteProtection,
+    firewall_description,
+    firewall_encryptionConfiguration,
+    firewall_firewallArn,
+    firewall_firewallName,
+    firewall_firewallPolicyChangeProtection,
+    firewall_subnetChangeProtection,
+    firewall_tags,
+    firewall_firewallPolicyArn,
+    firewall_vpcId,
+    firewall_subnetMappings,
+    firewall_firewallId,
+
+    -- ** FirewallMetadata
+    firewallMetadata_firewallArn,
+    firewallMetadata_firewallName,
+
+    -- ** FirewallPolicy
+    firewallPolicy_statefulDefaultActions,
+    firewallPolicy_statefulEngineOptions,
+    firewallPolicy_statefulRuleGroupReferences,
+    firewallPolicy_statelessCustomActions,
+    firewallPolicy_statelessRuleGroupReferences,
+    firewallPolicy_statelessDefaultActions,
+    firewallPolicy_statelessFragmentDefaultActions,
+
+    -- ** FirewallPolicyMetadata
+    firewallPolicyMetadata_arn,
+    firewallPolicyMetadata_name,
+
+    -- ** FirewallPolicyResponse
+    firewallPolicyResponse_consumedStatefulRuleCapacity,
+    firewallPolicyResponse_consumedStatelessRuleCapacity,
+    firewallPolicyResponse_description,
+    firewallPolicyResponse_encryptionConfiguration,
+    firewallPolicyResponse_firewallPolicyStatus,
+    firewallPolicyResponse_lastModifiedTime,
+    firewallPolicyResponse_numberOfAssociations,
+    firewallPolicyResponse_tags,
+    firewallPolicyResponse_firewallPolicyName,
+    firewallPolicyResponse_firewallPolicyArn,
+    firewallPolicyResponse_firewallPolicyId,
+
+    -- ** FirewallStatus
+    firewallStatus_capacityUsageSummary,
+    firewallStatus_syncStates,
+    firewallStatus_status,
+    firewallStatus_configurationSyncStateSummary,
+
+    -- ** Header
+    header_protocol,
+    header_source,
+    header_sourcePort,
+    header_direction,
+    header_destination,
+    header_destinationPort,
+
+    -- ** IPSet
+    iPSet_definition,
+
+    -- ** IPSetMetadata
+    iPSetMetadata_resolvedCIDRCount,
+
+    -- ** IPSetReference
+    iPSetReference_referenceArn,
+
+    -- ** LogDestinationConfig
+    logDestinationConfig_logType,
+    logDestinationConfig_logDestinationType,
+    logDestinationConfig_logDestination,
+
+    -- ** LoggingConfiguration
+    loggingConfiguration_logDestinationConfigs,
+
+    -- ** MatchAttributes
+    matchAttributes_destinationPorts,
+    matchAttributes_destinations,
+    matchAttributes_protocols,
+    matchAttributes_sourcePorts,
+    matchAttributes_sources,
+    matchAttributes_tCPFlags,
+
+    -- ** PerObjectStatus
+    perObjectStatus_syncStatus,
+    perObjectStatus_updateToken,
+
+    -- ** PortRange
+    portRange_fromPort,
+    portRange_toPort,
+
+    -- ** PortSet
+    portSet_definition,
+
+    -- ** PublishMetricAction
+    publishMetricAction_dimensions,
+
+    -- ** ReferenceSets
+    referenceSets_iPSetReferences,
+
+    -- ** RuleDefinition
+    ruleDefinition_matchAttributes,
+    ruleDefinition_actions,
+
+    -- ** RuleGroup
+    ruleGroup_referenceSets,
+    ruleGroup_ruleVariables,
+    ruleGroup_statefulRuleOptions,
+    ruleGroup_rulesSource,
+
+    -- ** RuleGroupMetadata
+    ruleGroupMetadata_arn,
+    ruleGroupMetadata_name,
+
+    -- ** RuleGroupResponse
+    ruleGroupResponse_capacity,
+    ruleGroupResponse_consumedCapacity,
+    ruleGroupResponse_description,
+    ruleGroupResponse_encryptionConfiguration,
+    ruleGroupResponse_lastModifiedTime,
+    ruleGroupResponse_numberOfAssociations,
+    ruleGroupResponse_ruleGroupStatus,
+    ruleGroupResponse_snsTopic,
+    ruleGroupResponse_sourceMetadata,
+    ruleGroupResponse_tags,
+    ruleGroupResponse_type,
+    ruleGroupResponse_ruleGroupArn,
+    ruleGroupResponse_ruleGroupName,
+    ruleGroupResponse_ruleGroupId,
+
+    -- ** RuleOption
+    ruleOption_settings,
+    ruleOption_keyword,
+
+    -- ** RuleVariables
+    ruleVariables_iPSets,
+    ruleVariables_portSets,
+
+    -- ** RulesSource
+    rulesSource_rulesSourceList,
+    rulesSource_rulesString,
+    rulesSource_statefulRules,
+    rulesSource_statelessRulesAndCustomActions,
+
+    -- ** RulesSourceList
+    rulesSourceList_targets,
+    rulesSourceList_targetTypes,
+    rulesSourceList_generatedRulesType,
+
+    -- ** SourceMetadata
+    sourceMetadata_sourceArn,
+    sourceMetadata_sourceUpdateToken,
+
+    -- ** StatefulEngineOptions
+    statefulEngineOptions_ruleOrder,
+    statefulEngineOptions_streamExceptionPolicy,
+
+    -- ** StatefulRule
+    statefulRule_action,
+    statefulRule_header,
+    statefulRule_ruleOptions,
+
+    -- ** StatefulRuleGroupOverride
+    statefulRuleGroupOverride_action,
+
+    -- ** StatefulRuleGroupReference
+    statefulRuleGroupReference_override,
+    statefulRuleGroupReference_priority,
+    statefulRuleGroupReference_resourceArn,
+
+    -- ** StatefulRuleOptions
+    statefulRuleOptions_ruleOrder,
+
+    -- ** StatelessRule
+    statelessRule_ruleDefinition,
+    statelessRule_priority,
+
+    -- ** StatelessRuleGroupReference
+    statelessRuleGroupReference_resourceArn,
+    statelessRuleGroupReference_priority,
+
+    -- ** StatelessRulesAndCustomActions
+    statelessRulesAndCustomActions_customActions,
+    statelessRulesAndCustomActions_statelessRules,
+
+    -- ** SubnetMapping
+    subnetMapping_subnetId,
+
+    -- ** SyncState
+    syncState_attachment,
+    syncState_config,
+
+    -- ** TCPFlagField
+    tCPFlagField_masks,
+    tCPFlagField_flags,
+
+    -- ** Tag
+    tag_key,
+    tag_value,
+  )
+where
+
+import Amazonka.NetworkFirewall.AssociateFirewallPolicy
+import Amazonka.NetworkFirewall.AssociateSubnets
+import Amazonka.NetworkFirewall.CreateFirewall
+import Amazonka.NetworkFirewall.CreateFirewallPolicy
+import Amazonka.NetworkFirewall.CreateRuleGroup
+import Amazonka.NetworkFirewall.DeleteFirewall
+import Amazonka.NetworkFirewall.DeleteFirewallPolicy
+import Amazonka.NetworkFirewall.DeleteResourcePolicy
+import Amazonka.NetworkFirewall.DeleteRuleGroup
+import Amazonka.NetworkFirewall.DescribeFirewall
+import Amazonka.NetworkFirewall.DescribeFirewallPolicy
+import Amazonka.NetworkFirewall.DescribeLoggingConfiguration
+import Amazonka.NetworkFirewall.DescribeResourcePolicy
+import Amazonka.NetworkFirewall.DescribeRuleGroup
+import Amazonka.NetworkFirewall.DescribeRuleGroupMetadata
+import Amazonka.NetworkFirewall.DisassociateSubnets
+import Amazonka.NetworkFirewall.ListFirewallPolicies
+import Amazonka.NetworkFirewall.ListFirewalls
+import Amazonka.NetworkFirewall.ListRuleGroups
+import Amazonka.NetworkFirewall.ListTagsForResource
+import Amazonka.NetworkFirewall.PutResourcePolicy
+import Amazonka.NetworkFirewall.TagResource
+import Amazonka.NetworkFirewall.Types.ActionDefinition
+import Amazonka.NetworkFirewall.Types.Address
+import Amazonka.NetworkFirewall.Types.Attachment
+import Amazonka.NetworkFirewall.Types.CIDRSummary
+import Amazonka.NetworkFirewall.Types.CapacityUsageSummary
+import Amazonka.NetworkFirewall.Types.CustomAction
+import Amazonka.NetworkFirewall.Types.Dimension
+import Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+import Amazonka.NetworkFirewall.Types.Firewall
+import Amazonka.NetworkFirewall.Types.FirewallMetadata
+import Amazonka.NetworkFirewall.Types.FirewallPolicy
+import Amazonka.NetworkFirewall.Types.FirewallPolicyMetadata
+import Amazonka.NetworkFirewall.Types.FirewallPolicyResponse
+import Amazonka.NetworkFirewall.Types.FirewallStatus
+import Amazonka.NetworkFirewall.Types.Header
+import Amazonka.NetworkFirewall.Types.IPSet
+import Amazonka.NetworkFirewall.Types.IPSetMetadata
+import Amazonka.NetworkFirewall.Types.IPSetReference
+import Amazonka.NetworkFirewall.Types.LogDestinationConfig
+import Amazonka.NetworkFirewall.Types.LoggingConfiguration
+import Amazonka.NetworkFirewall.Types.MatchAttributes
+import Amazonka.NetworkFirewall.Types.PerObjectStatus
+import Amazonka.NetworkFirewall.Types.PortRange
+import Amazonka.NetworkFirewall.Types.PortSet
+import Amazonka.NetworkFirewall.Types.PublishMetricAction
+import Amazonka.NetworkFirewall.Types.ReferenceSets
+import Amazonka.NetworkFirewall.Types.RuleDefinition
+import Amazonka.NetworkFirewall.Types.RuleGroup
+import Amazonka.NetworkFirewall.Types.RuleGroupMetadata
+import Amazonka.NetworkFirewall.Types.RuleGroupResponse
+import Amazonka.NetworkFirewall.Types.RuleOption
+import Amazonka.NetworkFirewall.Types.RuleVariables
+import Amazonka.NetworkFirewall.Types.RulesSource
+import Amazonka.NetworkFirewall.Types.RulesSourceList
+import Amazonka.NetworkFirewall.Types.SourceMetadata
+import Amazonka.NetworkFirewall.Types.StatefulEngineOptions
+import Amazonka.NetworkFirewall.Types.StatefulRule
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference
+import Amazonka.NetworkFirewall.Types.StatefulRuleOptions
+import Amazonka.NetworkFirewall.Types.StatelessRule
+import Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference
+import Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions
+import Amazonka.NetworkFirewall.Types.SubnetMapping
+import Amazonka.NetworkFirewall.Types.SyncState
+import Amazonka.NetworkFirewall.Types.TCPFlagField
+import Amazonka.NetworkFirewall.Types.Tag
+import Amazonka.NetworkFirewall.UntagResource
+import Amazonka.NetworkFirewall.UpdateFirewallDeleteProtection
+import Amazonka.NetworkFirewall.UpdateFirewallDescription
+import Amazonka.NetworkFirewall.UpdateFirewallEncryptionConfiguration
+import Amazonka.NetworkFirewall.UpdateFirewallPolicy
+import Amazonka.NetworkFirewall.UpdateFirewallPolicyChangeProtection
+import Amazonka.NetworkFirewall.UpdateLoggingConfiguration
+import Amazonka.NetworkFirewall.UpdateRuleGroup
+import Amazonka.NetworkFirewall.UpdateSubnetChangeProtection
diff --git a/gen/Amazonka/NetworkFirewall/ListFirewallPolicies.hs b/gen/Amazonka/NetworkFirewall/ListFirewallPolicies.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/ListFirewallPolicies.hs
@@ -0,0 +1,264 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.ListFirewallPolicies
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the metadata for the firewall policies that you have defined.
+-- Depending on your setting for max results and the number of firewall
+-- policies, a single call might not return the full list.
+--
+-- This operation returns paginated results.
+module Amazonka.NetworkFirewall.ListFirewallPolicies
+  ( -- * Creating a Request
+    ListFirewallPolicies (..),
+    newListFirewallPolicies,
+
+    -- * Request Lenses
+    listFirewallPolicies_maxResults,
+    listFirewallPolicies_nextToken,
+
+    -- * Destructuring the Response
+    ListFirewallPoliciesResponse (..),
+    newListFirewallPoliciesResponse,
+
+    -- * Response Lenses
+    listFirewallPoliciesResponse_firewallPolicies,
+    listFirewallPoliciesResponse_nextToken,
+    listFirewallPoliciesResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListFirewallPolicies' smart constructor.
+data ListFirewallPolicies = ListFirewallPolicies'
+  { -- | The maximum number of objects that you want Network Firewall to return
+    -- for this request. If more objects are available, in the response,
+    -- Network Firewall provides a @NextToken@ value that you can use in a
+    -- subsequent call to get the next batch of objects.
+    maxResults :: Prelude.Maybe Prelude.Natural,
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListFirewallPolicies' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'maxResults', 'listFirewallPolicies_maxResults' - The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+--
+-- 'nextToken', 'listFirewallPolicies_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+newListFirewallPolicies ::
+  ListFirewallPolicies
+newListFirewallPolicies =
+  ListFirewallPolicies'
+    { maxResults = Prelude.Nothing,
+      nextToken = Prelude.Nothing
+    }
+
+-- | The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+listFirewallPolicies_maxResults :: Lens.Lens' ListFirewallPolicies (Prelude.Maybe Prelude.Natural)
+listFirewallPolicies_maxResults = Lens.lens (\ListFirewallPolicies' {maxResults} -> maxResults) (\s@ListFirewallPolicies' {} a -> s {maxResults = a} :: ListFirewallPolicies)
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listFirewallPolicies_nextToken :: Lens.Lens' ListFirewallPolicies (Prelude.Maybe Prelude.Text)
+listFirewallPolicies_nextToken = Lens.lens (\ListFirewallPolicies' {nextToken} -> nextToken) (\s@ListFirewallPolicies' {} a -> s {nextToken = a} :: ListFirewallPolicies)
+
+instance Core.AWSPager ListFirewallPolicies where
+  page rq rs
+    | Core.stop
+        ( rs
+            Lens.^? listFirewallPoliciesResponse_nextToken
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Core.stop
+        ( rs
+            Lens.^? listFirewallPoliciesResponse_firewallPolicies
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Prelude.otherwise =
+        Prelude.Just
+          Prelude.$ rq
+          Prelude.& listFirewallPolicies_nextToken
+          Lens..~ rs
+          Lens.^? listFirewallPoliciesResponse_nextToken
+          Prelude.. Lens._Just
+
+instance Core.AWSRequest ListFirewallPolicies where
+  type
+    AWSResponse ListFirewallPolicies =
+      ListFirewallPoliciesResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListFirewallPoliciesResponse'
+            Prelude.<$> ( x
+                            Data..?> "FirewallPolicies"
+                            Core..!@ Prelude.mempty
+                        )
+            Prelude.<*> (x Data..?> "NextToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListFirewallPolicies where
+  hashWithSalt _salt ListFirewallPolicies' {..} =
+    _salt
+      `Prelude.hashWithSalt` maxResults
+      `Prelude.hashWithSalt` nextToken
+
+instance Prelude.NFData ListFirewallPolicies where
+  rnf ListFirewallPolicies' {..} =
+    Prelude.rnf maxResults
+      `Prelude.seq` Prelude.rnf nextToken
+
+instance Data.ToHeaders ListFirewallPolicies where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.ListFirewallPolicies" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListFirewallPolicies where
+  toJSON ListFirewallPolicies' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("MaxResults" Data..=) Prelude.<$> maxResults,
+            ("NextToken" Data..=) Prelude.<$> nextToken
+          ]
+      )
+
+instance Data.ToPath ListFirewallPolicies where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListFirewallPolicies where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListFirewallPoliciesResponse' smart constructor.
+data ListFirewallPoliciesResponse = ListFirewallPoliciesResponse'
+  { -- | The metadata for the firewall policies. Depending on your setting for
+    -- max results and the number of firewall policies that you have, this
+    -- might not be the full list.
+    firewallPolicies :: Prelude.Maybe [FirewallPolicyMetadata],
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListFirewallPoliciesResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallPolicies', 'listFirewallPoliciesResponse_firewallPolicies' - The metadata for the firewall policies. Depending on your setting for
+-- max results and the number of firewall policies that you have, this
+-- might not be the full list.
+--
+-- 'nextToken', 'listFirewallPoliciesResponse_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'httpStatus', 'listFirewallPoliciesResponse_httpStatus' - The response's http status code.
+newListFirewallPoliciesResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListFirewallPoliciesResponse
+newListFirewallPoliciesResponse pHttpStatus_ =
+  ListFirewallPoliciesResponse'
+    { firewallPolicies =
+        Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The metadata for the firewall policies. Depending on your setting for
+-- max results and the number of firewall policies that you have, this
+-- might not be the full list.
+listFirewallPoliciesResponse_firewallPolicies :: Lens.Lens' ListFirewallPoliciesResponse (Prelude.Maybe [FirewallPolicyMetadata])
+listFirewallPoliciesResponse_firewallPolicies = Lens.lens (\ListFirewallPoliciesResponse' {firewallPolicies} -> firewallPolicies) (\s@ListFirewallPoliciesResponse' {} a -> s {firewallPolicies = a} :: ListFirewallPoliciesResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listFirewallPoliciesResponse_nextToken :: Lens.Lens' ListFirewallPoliciesResponse (Prelude.Maybe Prelude.Text)
+listFirewallPoliciesResponse_nextToken = Lens.lens (\ListFirewallPoliciesResponse' {nextToken} -> nextToken) (\s@ListFirewallPoliciesResponse' {} a -> s {nextToken = a} :: ListFirewallPoliciesResponse)
+
+-- | The response's http status code.
+listFirewallPoliciesResponse_httpStatus :: Lens.Lens' ListFirewallPoliciesResponse Prelude.Int
+listFirewallPoliciesResponse_httpStatus = Lens.lens (\ListFirewallPoliciesResponse' {httpStatus} -> httpStatus) (\s@ListFirewallPoliciesResponse' {} a -> s {httpStatus = a} :: ListFirewallPoliciesResponse)
+
+instance Prelude.NFData ListFirewallPoliciesResponse where
+  rnf ListFirewallPoliciesResponse' {..} =
+    Prelude.rnf firewallPolicies
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/ListFirewalls.hs b/gen/Amazonka/NetworkFirewall/ListFirewalls.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/ListFirewalls.hs
@@ -0,0 +1,282 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.ListFirewalls
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the metadata for the firewalls that you have defined. If you
+-- provide VPC identifiers in your request, this returns only the firewalls
+-- for those VPCs.
+--
+-- Depending on your setting for max results and the number of firewalls, a
+-- single call might not return the full list.
+--
+-- This operation returns paginated results.
+module Amazonka.NetworkFirewall.ListFirewalls
+  ( -- * Creating a Request
+    ListFirewalls (..),
+    newListFirewalls,
+
+    -- * Request Lenses
+    listFirewalls_maxResults,
+    listFirewalls_nextToken,
+    listFirewalls_vpcIds,
+
+    -- * Destructuring the Response
+    ListFirewallsResponse (..),
+    newListFirewallsResponse,
+
+    -- * Response Lenses
+    listFirewallsResponse_firewalls,
+    listFirewallsResponse_nextToken,
+    listFirewallsResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListFirewalls' smart constructor.
+data ListFirewalls = ListFirewalls'
+  { -- | The maximum number of objects that you want Network Firewall to return
+    -- for this request. If more objects are available, in the response,
+    -- Network Firewall provides a @NextToken@ value that you can use in a
+    -- subsequent call to get the next batch of objects.
+    maxResults :: Prelude.Maybe Prelude.Natural,
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The unique identifiers of the VPCs that you want Network Firewall to
+    -- retrieve the firewalls for. Leave this blank to retrieve all firewalls
+    -- that you have defined.
+    vpcIds :: Prelude.Maybe [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListFirewalls' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'maxResults', 'listFirewalls_maxResults' - The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+--
+-- 'nextToken', 'listFirewalls_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'vpcIds', 'listFirewalls_vpcIds' - The unique identifiers of the VPCs that you want Network Firewall to
+-- retrieve the firewalls for. Leave this blank to retrieve all firewalls
+-- that you have defined.
+newListFirewalls ::
+  ListFirewalls
+newListFirewalls =
+  ListFirewalls'
+    { maxResults = Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      vpcIds = Prelude.Nothing
+    }
+
+-- | The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+listFirewalls_maxResults :: Lens.Lens' ListFirewalls (Prelude.Maybe Prelude.Natural)
+listFirewalls_maxResults = Lens.lens (\ListFirewalls' {maxResults} -> maxResults) (\s@ListFirewalls' {} a -> s {maxResults = a} :: ListFirewalls)
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listFirewalls_nextToken :: Lens.Lens' ListFirewalls (Prelude.Maybe Prelude.Text)
+listFirewalls_nextToken = Lens.lens (\ListFirewalls' {nextToken} -> nextToken) (\s@ListFirewalls' {} a -> s {nextToken = a} :: ListFirewalls)
+
+-- | The unique identifiers of the VPCs that you want Network Firewall to
+-- retrieve the firewalls for. Leave this blank to retrieve all firewalls
+-- that you have defined.
+listFirewalls_vpcIds :: Lens.Lens' ListFirewalls (Prelude.Maybe [Prelude.Text])
+listFirewalls_vpcIds = Lens.lens (\ListFirewalls' {vpcIds} -> vpcIds) (\s@ListFirewalls' {} a -> s {vpcIds = a} :: ListFirewalls) Prelude.. Lens.mapping Lens.coerced
+
+instance Core.AWSPager ListFirewalls where
+  page rq rs
+    | Core.stop
+        ( rs
+            Lens.^? listFirewallsResponse_nextToken
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Core.stop
+        ( rs
+            Lens.^? listFirewallsResponse_firewalls
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Prelude.otherwise =
+        Prelude.Just
+          Prelude.$ rq
+          Prelude.& listFirewalls_nextToken
+          Lens..~ rs
+          Lens.^? listFirewallsResponse_nextToken
+          Prelude.. Lens._Just
+
+instance Core.AWSRequest ListFirewalls where
+  type
+    AWSResponse ListFirewalls =
+      ListFirewallsResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListFirewallsResponse'
+            Prelude.<$> (x Data..?> "Firewalls" Core..!@ Prelude.mempty)
+            Prelude.<*> (x Data..?> "NextToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListFirewalls where
+  hashWithSalt _salt ListFirewalls' {..} =
+    _salt
+      `Prelude.hashWithSalt` maxResults
+      `Prelude.hashWithSalt` nextToken
+      `Prelude.hashWithSalt` vpcIds
+
+instance Prelude.NFData ListFirewalls where
+  rnf ListFirewalls' {..} =
+    Prelude.rnf maxResults
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf vpcIds
+
+instance Data.ToHeaders ListFirewalls where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.ListFirewalls" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListFirewalls where
+  toJSON ListFirewalls' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("MaxResults" Data..=) Prelude.<$> maxResults,
+            ("NextToken" Data..=) Prelude.<$> nextToken,
+            ("VpcIds" Data..=) Prelude.<$> vpcIds
+          ]
+      )
+
+instance Data.ToPath ListFirewalls where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListFirewalls where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListFirewallsResponse' smart constructor.
+data ListFirewallsResponse = ListFirewallsResponse'
+  { -- | The firewall metadata objects for the VPCs that you specified. Depending
+    -- on your setting for max results and the number of firewalls you have, a
+    -- single call might not be the full list.
+    firewalls :: Prelude.Maybe [FirewallMetadata],
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListFirewallsResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewalls', 'listFirewallsResponse_firewalls' - The firewall metadata objects for the VPCs that you specified. Depending
+-- on your setting for max results and the number of firewalls you have, a
+-- single call might not be the full list.
+--
+-- 'nextToken', 'listFirewallsResponse_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'httpStatus', 'listFirewallsResponse_httpStatus' - The response's http status code.
+newListFirewallsResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListFirewallsResponse
+newListFirewallsResponse pHttpStatus_ =
+  ListFirewallsResponse'
+    { firewalls = Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The firewall metadata objects for the VPCs that you specified. Depending
+-- on your setting for max results and the number of firewalls you have, a
+-- single call might not be the full list.
+listFirewallsResponse_firewalls :: Lens.Lens' ListFirewallsResponse (Prelude.Maybe [FirewallMetadata])
+listFirewallsResponse_firewalls = Lens.lens (\ListFirewallsResponse' {firewalls} -> firewalls) (\s@ListFirewallsResponse' {} a -> s {firewalls = a} :: ListFirewallsResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listFirewallsResponse_nextToken :: Lens.Lens' ListFirewallsResponse (Prelude.Maybe Prelude.Text)
+listFirewallsResponse_nextToken = Lens.lens (\ListFirewallsResponse' {nextToken} -> nextToken) (\s@ListFirewallsResponse' {} a -> s {nextToken = a} :: ListFirewallsResponse)
+
+-- | The response's http status code.
+listFirewallsResponse_httpStatus :: Lens.Lens' ListFirewallsResponse Prelude.Int
+listFirewallsResponse_httpStatus = Lens.lens (\ListFirewallsResponse' {httpStatus} -> httpStatus) (\s@ListFirewallsResponse' {} a -> s {httpStatus = a} :: ListFirewallsResponse)
+
+instance Prelude.NFData ListFirewallsResponse where
+  rnf ListFirewallsResponse' {..} =
+    Prelude.rnf firewalls
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/ListRuleGroups.hs b/gen/Amazonka/NetworkFirewall/ListRuleGroups.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/ListRuleGroups.hs
@@ -0,0 +1,315 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.ListRuleGroups
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the metadata for the rule groups that you have defined.
+-- Depending on your setting for max results and the number of rule groups,
+-- a single call might not return the full list.
+--
+-- This operation returns paginated results.
+module Amazonka.NetworkFirewall.ListRuleGroups
+  ( -- * Creating a Request
+    ListRuleGroups (..),
+    newListRuleGroups,
+
+    -- * Request Lenses
+    listRuleGroups_managedType,
+    listRuleGroups_maxResults,
+    listRuleGroups_nextToken,
+    listRuleGroups_scope,
+    listRuleGroups_type,
+
+    -- * Destructuring the Response
+    ListRuleGroupsResponse (..),
+    newListRuleGroupsResponse,
+
+    -- * Response Lenses
+    listRuleGroupsResponse_nextToken,
+    listRuleGroupsResponse_ruleGroups,
+    listRuleGroupsResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListRuleGroups' smart constructor.
+data ListRuleGroups = ListRuleGroups'
+  { -- | Indicates the general category of the Amazon Web Services managed rule
+    -- group.
+    managedType :: Prelude.Maybe ResourceManagedType,
+    -- | The maximum number of objects that you want Network Firewall to return
+    -- for this request. If more objects are available, in the response,
+    -- Network Firewall provides a @NextToken@ value that you can use in a
+    -- subsequent call to get the next batch of objects.
+    maxResults :: Prelude.Maybe Prelude.Natural,
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The scope of the request. The default setting of @ACCOUNT@ or a setting
+    -- of @NULL@ returns all of the rule groups in your account. A setting of
+    -- @MANAGED@ returns all available managed rule groups.
+    scope :: Prelude.Maybe ResourceManagedStatus,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    type' :: Prelude.Maybe RuleGroupType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListRuleGroups' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'managedType', 'listRuleGroups_managedType' - Indicates the general category of the Amazon Web Services managed rule
+-- group.
+--
+-- 'maxResults', 'listRuleGroups_maxResults' - The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+--
+-- 'nextToken', 'listRuleGroups_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'scope', 'listRuleGroups_scope' - The scope of the request. The default setting of @ACCOUNT@ or a setting
+-- of @NULL@ returns all of the rule groups in your account. A setting of
+-- @MANAGED@ returns all available managed rule groups.
+--
+-- 'type'', 'listRuleGroups_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+newListRuleGroups ::
+  ListRuleGroups
+newListRuleGroups =
+  ListRuleGroups'
+    { managedType = Prelude.Nothing,
+      maxResults = Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      scope = Prelude.Nothing,
+      type' = Prelude.Nothing
+    }
+
+-- | Indicates the general category of the Amazon Web Services managed rule
+-- group.
+listRuleGroups_managedType :: Lens.Lens' ListRuleGroups (Prelude.Maybe ResourceManagedType)
+listRuleGroups_managedType = Lens.lens (\ListRuleGroups' {managedType} -> managedType) (\s@ListRuleGroups' {} a -> s {managedType = a} :: ListRuleGroups)
+
+-- | The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+listRuleGroups_maxResults :: Lens.Lens' ListRuleGroups (Prelude.Maybe Prelude.Natural)
+listRuleGroups_maxResults = Lens.lens (\ListRuleGroups' {maxResults} -> maxResults) (\s@ListRuleGroups' {} a -> s {maxResults = a} :: ListRuleGroups)
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listRuleGroups_nextToken :: Lens.Lens' ListRuleGroups (Prelude.Maybe Prelude.Text)
+listRuleGroups_nextToken = Lens.lens (\ListRuleGroups' {nextToken} -> nextToken) (\s@ListRuleGroups' {} a -> s {nextToken = a} :: ListRuleGroups)
+
+-- | The scope of the request. The default setting of @ACCOUNT@ or a setting
+-- of @NULL@ returns all of the rule groups in your account. A setting of
+-- @MANAGED@ returns all available managed rule groups.
+listRuleGroups_scope :: Lens.Lens' ListRuleGroups (Prelude.Maybe ResourceManagedStatus)
+listRuleGroups_scope = Lens.lens (\ListRuleGroups' {scope} -> scope) (\s@ListRuleGroups' {} a -> s {scope = a} :: ListRuleGroups)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+listRuleGroups_type :: Lens.Lens' ListRuleGroups (Prelude.Maybe RuleGroupType)
+listRuleGroups_type = Lens.lens (\ListRuleGroups' {type'} -> type') (\s@ListRuleGroups' {} a -> s {type' = a} :: ListRuleGroups)
+
+instance Core.AWSPager ListRuleGroups where
+  page rq rs
+    | Core.stop
+        ( rs
+            Lens.^? listRuleGroupsResponse_nextToken
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Core.stop
+        ( rs
+            Lens.^? listRuleGroupsResponse_ruleGroups
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Prelude.otherwise =
+        Prelude.Just
+          Prelude.$ rq
+          Prelude.& listRuleGroups_nextToken
+          Lens..~ rs
+          Lens.^? listRuleGroupsResponse_nextToken
+          Prelude.. Lens._Just
+
+instance Core.AWSRequest ListRuleGroups where
+  type
+    AWSResponse ListRuleGroups =
+      ListRuleGroupsResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListRuleGroupsResponse'
+            Prelude.<$> (x Data..?> "NextToken")
+            Prelude.<*> (x Data..?> "RuleGroups" Core..!@ Prelude.mempty)
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListRuleGroups where
+  hashWithSalt _salt ListRuleGroups' {..} =
+    _salt
+      `Prelude.hashWithSalt` managedType
+      `Prelude.hashWithSalt` maxResults
+      `Prelude.hashWithSalt` nextToken
+      `Prelude.hashWithSalt` scope
+      `Prelude.hashWithSalt` type'
+
+instance Prelude.NFData ListRuleGroups where
+  rnf ListRuleGroups' {..} =
+    Prelude.rnf managedType
+      `Prelude.seq` Prelude.rnf maxResults
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf scope
+      `Prelude.seq` Prelude.rnf type'
+
+instance Data.ToHeaders ListRuleGroups where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.ListRuleGroups" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListRuleGroups where
+  toJSON ListRuleGroups' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("ManagedType" Data..=) Prelude.<$> managedType,
+            ("MaxResults" Data..=) Prelude.<$> maxResults,
+            ("NextToken" Data..=) Prelude.<$> nextToken,
+            ("Scope" Data..=) Prelude.<$> scope,
+            ("Type" Data..=) Prelude.<$> type'
+          ]
+      )
+
+instance Data.ToPath ListRuleGroups where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListRuleGroups where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListRuleGroupsResponse' smart constructor.
+data ListRuleGroupsResponse = ListRuleGroupsResponse'
+  { -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The rule group metadata objects that you\'ve defined. Depending on your
+    -- setting for max results and the number of rule groups, this might not be
+    -- the full list.
+    ruleGroups :: Prelude.Maybe [RuleGroupMetadata],
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListRuleGroupsResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'nextToken', 'listRuleGroupsResponse_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'ruleGroups', 'listRuleGroupsResponse_ruleGroups' - The rule group metadata objects that you\'ve defined. Depending on your
+-- setting for max results and the number of rule groups, this might not be
+-- the full list.
+--
+-- 'httpStatus', 'listRuleGroupsResponse_httpStatus' - The response's http status code.
+newListRuleGroupsResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListRuleGroupsResponse
+newListRuleGroupsResponse pHttpStatus_ =
+  ListRuleGroupsResponse'
+    { nextToken =
+        Prelude.Nothing,
+      ruleGroups = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listRuleGroupsResponse_nextToken :: Lens.Lens' ListRuleGroupsResponse (Prelude.Maybe Prelude.Text)
+listRuleGroupsResponse_nextToken = Lens.lens (\ListRuleGroupsResponse' {nextToken} -> nextToken) (\s@ListRuleGroupsResponse' {} a -> s {nextToken = a} :: ListRuleGroupsResponse)
+
+-- | The rule group metadata objects that you\'ve defined. Depending on your
+-- setting for max results and the number of rule groups, this might not be
+-- the full list.
+listRuleGroupsResponse_ruleGroups :: Lens.Lens' ListRuleGroupsResponse (Prelude.Maybe [RuleGroupMetadata])
+listRuleGroupsResponse_ruleGroups = Lens.lens (\ListRuleGroupsResponse' {ruleGroups} -> ruleGroups) (\s@ListRuleGroupsResponse' {} a -> s {ruleGroups = a} :: ListRuleGroupsResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | The response's http status code.
+listRuleGroupsResponse_httpStatus :: Lens.Lens' ListRuleGroupsResponse Prelude.Int
+listRuleGroupsResponse_httpStatus = Lens.lens (\ListRuleGroupsResponse' {httpStatus} -> httpStatus) (\s@ListRuleGroupsResponse' {} a -> s {httpStatus = a} :: ListRuleGroupsResponse)
+
+instance Prelude.NFData ListRuleGroupsResponse where
+  rnf ListRuleGroupsResponse' {..} =
+    Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf ruleGroups
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/ListTagsForResource.hs b/gen/Amazonka/NetworkFirewall/ListTagsForResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/ListTagsForResource.hs
@@ -0,0 +1,277 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.ListTagsForResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the tags associated with the specified resource. Tags are
+-- key:value pairs that you can use to categorize and manage your
+-- resources, for purposes like billing. For example, you might set the tag
+-- key to \"customer\" and the value to the customer name or ID. You can
+-- specify one or more tags to add to each Amazon Web Services resource, up
+-- to 50 tags for a resource.
+--
+-- You can tag the Amazon Web Services resources that you manage through
+-- Network Firewall: firewalls, firewall policies, and rule groups.
+--
+-- This operation returns paginated results.
+module Amazonka.NetworkFirewall.ListTagsForResource
+  ( -- * Creating a Request
+    ListTagsForResource (..),
+    newListTagsForResource,
+
+    -- * Request Lenses
+    listTagsForResource_maxResults,
+    listTagsForResource_nextToken,
+    listTagsForResource_resourceArn,
+
+    -- * Destructuring the Response
+    ListTagsForResourceResponse (..),
+    newListTagsForResourceResponse,
+
+    -- * Response Lenses
+    listTagsForResourceResponse_nextToken,
+    listTagsForResourceResponse_tags,
+    listTagsForResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListTagsForResource' smart constructor.
+data ListTagsForResource = ListTagsForResource'
+  { -- | The maximum number of objects that you want Network Firewall to return
+    -- for this request. If more objects are available, in the response,
+    -- Network Firewall provides a @NextToken@ value that you can use in a
+    -- subsequent call to get the next batch of objects.
+    maxResults :: Prelude.Maybe Prelude.Natural,
+    -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the resource.
+    resourceArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTagsForResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'maxResults', 'listTagsForResource_maxResults' - The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+--
+-- 'nextToken', 'listTagsForResource_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'resourceArn', 'listTagsForResource_resourceArn' - The Amazon Resource Name (ARN) of the resource.
+newListTagsForResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  ListTagsForResource
+newListTagsForResource pResourceArn_ =
+  ListTagsForResource'
+    { maxResults = Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      resourceArn = pResourceArn_
+    }
+
+-- | The maximum number of objects that you want Network Firewall to return
+-- for this request. If more objects are available, in the response,
+-- Network Firewall provides a @NextToken@ value that you can use in a
+-- subsequent call to get the next batch of objects.
+listTagsForResource_maxResults :: Lens.Lens' ListTagsForResource (Prelude.Maybe Prelude.Natural)
+listTagsForResource_maxResults = Lens.lens (\ListTagsForResource' {maxResults} -> maxResults) (\s@ListTagsForResource' {} a -> s {maxResults = a} :: ListTagsForResource)
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listTagsForResource_nextToken :: Lens.Lens' ListTagsForResource (Prelude.Maybe Prelude.Text)
+listTagsForResource_nextToken = Lens.lens (\ListTagsForResource' {nextToken} -> nextToken) (\s@ListTagsForResource' {} a -> s {nextToken = a} :: ListTagsForResource)
+
+-- | The Amazon Resource Name (ARN) of the resource.
+listTagsForResource_resourceArn :: Lens.Lens' ListTagsForResource Prelude.Text
+listTagsForResource_resourceArn = Lens.lens (\ListTagsForResource' {resourceArn} -> resourceArn) (\s@ListTagsForResource' {} a -> s {resourceArn = a} :: ListTagsForResource)
+
+instance Core.AWSPager ListTagsForResource where
+  page rq rs
+    | Core.stop
+        ( rs
+            Lens.^? listTagsForResourceResponse_nextToken
+            Prelude.. Lens._Just
+        ) =
+        Prelude.Nothing
+    | Core.stop
+        ( rs
+            Lens.^? listTagsForResourceResponse_tags
+            Prelude.. Lens._Just
+            Prelude.. Lens.to Prelude.toList
+        ) =
+        Prelude.Nothing
+    | Prelude.otherwise =
+        Prelude.Just
+          Prelude.$ rq
+          Prelude.& listTagsForResource_nextToken
+          Lens..~ rs
+          Lens.^? listTagsForResourceResponse_nextToken
+          Prelude.. Lens._Just
+
+instance Core.AWSRequest ListTagsForResource where
+  type
+    AWSResponse ListTagsForResource =
+      ListTagsForResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListTagsForResourceResponse'
+            Prelude.<$> (x Data..?> "NextToken")
+            Prelude.<*> (x Data..?> "Tags")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListTagsForResource where
+  hashWithSalt _salt ListTagsForResource' {..} =
+    _salt
+      `Prelude.hashWithSalt` maxResults
+      `Prelude.hashWithSalt` nextToken
+      `Prelude.hashWithSalt` resourceArn
+
+instance Prelude.NFData ListTagsForResource where
+  rnf ListTagsForResource' {..} =
+    Prelude.rnf maxResults
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf resourceArn
+
+instance Data.ToHeaders ListTagsForResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.ListTagsForResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListTagsForResource where
+  toJSON ListTagsForResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("MaxResults" Data..=) Prelude.<$> maxResults,
+            ("NextToken" Data..=) Prelude.<$> nextToken,
+            Prelude.Just ("ResourceArn" Data..= resourceArn)
+          ]
+      )
+
+instance Data.ToPath ListTagsForResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListTagsForResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListTagsForResourceResponse' smart constructor.
+data ListTagsForResourceResponse = ListTagsForResourceResponse'
+  { -- | When you request a list of objects with a @MaxResults@ setting, if the
+    -- number of objects that are still available for retrieval exceeds the
+    -- maximum you requested, Network Firewall returns a @NextToken@ value in
+    -- the response. To retrieve the next batch of objects, use the token
+    -- returned from the prior request in your next request.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The tags that are associated with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTagsForResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'nextToken', 'listTagsForResourceResponse_nextToken' - When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+--
+-- 'tags', 'listTagsForResourceResponse_tags' - The tags that are associated with the resource.
+--
+-- 'httpStatus', 'listTagsForResourceResponse_httpStatus' - The response's http status code.
+newListTagsForResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListTagsForResourceResponse
+newListTagsForResourceResponse pHttpStatus_ =
+  ListTagsForResourceResponse'
+    { nextToken =
+        Prelude.Nothing,
+      tags = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | When you request a list of objects with a @MaxResults@ setting, if the
+-- number of objects that are still available for retrieval exceeds the
+-- maximum you requested, Network Firewall returns a @NextToken@ value in
+-- the response. To retrieve the next batch of objects, use the token
+-- returned from the prior request in your next request.
+listTagsForResourceResponse_nextToken :: Lens.Lens' ListTagsForResourceResponse (Prelude.Maybe Prelude.Text)
+listTagsForResourceResponse_nextToken = Lens.lens (\ListTagsForResourceResponse' {nextToken} -> nextToken) (\s@ListTagsForResourceResponse' {} a -> s {nextToken = a} :: ListTagsForResourceResponse)
+
+-- | The tags that are associated with the resource.
+listTagsForResourceResponse_tags :: Lens.Lens' ListTagsForResourceResponse (Prelude.Maybe (Prelude.NonEmpty Tag))
+listTagsForResourceResponse_tags = Lens.lens (\ListTagsForResourceResponse' {tags} -> tags) (\s@ListTagsForResourceResponse' {} a -> s {tags = a} :: ListTagsForResourceResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | The response's http status code.
+listTagsForResourceResponse_httpStatus :: Lens.Lens' ListTagsForResourceResponse Prelude.Int
+listTagsForResourceResponse_httpStatus = Lens.lens (\ListTagsForResourceResponse' {httpStatus} -> httpStatus) (\s@ListTagsForResourceResponse' {} a -> s {httpStatus = a} :: ListTagsForResourceResponse)
+
+instance Prelude.NFData ListTagsForResourceResponse where
+  rnf ListTagsForResourceResponse' {..} =
+    Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/PutResourcePolicy.hs b/gen/Amazonka/NetworkFirewall/PutResourcePolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/PutResourcePolicy.hs
@@ -0,0 +1,280 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.PutResourcePolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates or updates an IAM policy for your rule group or firewall policy.
+-- Use this to share rule groups and firewall policies between accounts.
+-- This operation works in conjunction with the Amazon Web Services
+-- Resource Access Manager (RAM) service to manage resource sharing for
+-- Network Firewall.
+--
+-- Use this operation to create or update a resource policy for your rule
+-- group or firewall policy. In the policy, you specify the accounts that
+-- you want to share the resource with and the operations that you want the
+-- accounts to be able to perform.
+--
+-- When you add an account in the resource policy, you then run the
+-- following Resource Access Manager (RAM) operations to access and accept
+-- the shared rule group or firewall policy.
+--
+-- -   <https://docs.aws.amazon.com/ram/latest/APIReference/API_GetResourceShareInvitations.html GetResourceShareInvitations>
+--     - Returns the Amazon Resource Names (ARNs) of the resource share
+--     invitations.
+--
+-- -   <https://docs.aws.amazon.com/ram/latest/APIReference/API_AcceptResourceShareInvitation.html AcceptResourceShareInvitation>
+--     - Accepts the share invitation for a specified resource share.
+--
+-- For additional information about resource sharing using RAM, see
+-- <https://docs.aws.amazon.com/ram/latest/userguide/what-is.html Resource Access Manager User Guide>.
+module Amazonka.NetworkFirewall.PutResourcePolicy
+  ( -- * Creating a Request
+    PutResourcePolicy (..),
+    newPutResourcePolicy,
+
+    -- * Request Lenses
+    putResourcePolicy_resourceArn,
+    putResourcePolicy_policy,
+
+    -- * Destructuring the Response
+    PutResourcePolicyResponse (..),
+    newPutResourcePolicyResponse,
+
+    -- * Response Lenses
+    putResourcePolicyResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newPutResourcePolicy' smart constructor.
+data PutResourcePolicy = PutResourcePolicy'
+  { -- | The Amazon Resource Name (ARN) of the account that you want to share
+    -- rule groups and firewall policies with.
+    resourceArn :: Prelude.Text,
+    -- | The IAM policy statement that lists the accounts that you want to share
+    -- your rule group or firewall policy with and the operations that you want
+    -- the accounts to be able to perform.
+    --
+    -- For a rule group resource, you can specify the following operations in
+    -- the Actions section of the statement:
+    --
+    -- -   network-firewall:CreateFirewallPolicy
+    --
+    -- -   network-firewall:UpdateFirewallPolicy
+    --
+    -- -   network-firewall:ListRuleGroups
+    --
+    -- For a firewall policy resource, you can specify the following operations
+    -- in the Actions section of the statement:
+    --
+    -- -   network-firewall:CreateFirewall
+    --
+    -- -   network-firewall:UpdateFirewall
+    --
+    -- -   network-firewall:AssociateFirewallPolicy
+    --
+    -- -   network-firewall:ListFirewallPolicies
+    --
+    -- In the Resource section of the statement, you specify the ARNs for the
+    -- rule groups and firewall policies that you want to share with the
+    -- account that you specified in @Arn@.
+    policy :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PutResourcePolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'putResourcePolicy_resourceArn' - The Amazon Resource Name (ARN) of the account that you want to share
+-- rule groups and firewall policies with.
+--
+-- 'policy', 'putResourcePolicy_policy' - The IAM policy statement that lists the accounts that you want to share
+-- your rule group or firewall policy with and the operations that you want
+-- the accounts to be able to perform.
+--
+-- For a rule group resource, you can specify the following operations in
+-- the Actions section of the statement:
+--
+-- -   network-firewall:CreateFirewallPolicy
+--
+-- -   network-firewall:UpdateFirewallPolicy
+--
+-- -   network-firewall:ListRuleGroups
+--
+-- For a firewall policy resource, you can specify the following operations
+-- in the Actions section of the statement:
+--
+-- -   network-firewall:CreateFirewall
+--
+-- -   network-firewall:UpdateFirewall
+--
+-- -   network-firewall:AssociateFirewallPolicy
+--
+-- -   network-firewall:ListFirewallPolicies
+--
+-- In the Resource section of the statement, you specify the ARNs for the
+-- rule groups and firewall policies that you want to share with the
+-- account that you specified in @Arn@.
+newPutResourcePolicy ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  -- | 'policy'
+  Prelude.Text ->
+  PutResourcePolicy
+newPutResourcePolicy pResourceArn_ pPolicy_ =
+  PutResourcePolicy'
+    { resourceArn = pResourceArn_,
+      policy = pPolicy_
+    }
+
+-- | The Amazon Resource Name (ARN) of the account that you want to share
+-- rule groups and firewall policies with.
+putResourcePolicy_resourceArn :: Lens.Lens' PutResourcePolicy Prelude.Text
+putResourcePolicy_resourceArn = Lens.lens (\PutResourcePolicy' {resourceArn} -> resourceArn) (\s@PutResourcePolicy' {} a -> s {resourceArn = a} :: PutResourcePolicy)
+
+-- | The IAM policy statement that lists the accounts that you want to share
+-- your rule group or firewall policy with and the operations that you want
+-- the accounts to be able to perform.
+--
+-- For a rule group resource, you can specify the following operations in
+-- the Actions section of the statement:
+--
+-- -   network-firewall:CreateFirewallPolicy
+--
+-- -   network-firewall:UpdateFirewallPolicy
+--
+-- -   network-firewall:ListRuleGroups
+--
+-- For a firewall policy resource, you can specify the following operations
+-- in the Actions section of the statement:
+--
+-- -   network-firewall:CreateFirewall
+--
+-- -   network-firewall:UpdateFirewall
+--
+-- -   network-firewall:AssociateFirewallPolicy
+--
+-- -   network-firewall:ListFirewallPolicies
+--
+-- In the Resource section of the statement, you specify the ARNs for the
+-- rule groups and firewall policies that you want to share with the
+-- account that you specified in @Arn@.
+putResourcePolicy_policy :: Lens.Lens' PutResourcePolicy Prelude.Text
+putResourcePolicy_policy = Lens.lens (\PutResourcePolicy' {policy} -> policy) (\s@PutResourcePolicy' {} a -> s {policy = a} :: PutResourcePolicy)
+
+instance Core.AWSRequest PutResourcePolicy where
+  type
+    AWSResponse PutResourcePolicy =
+      PutResourcePolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          PutResourcePolicyResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable PutResourcePolicy where
+  hashWithSalt _salt PutResourcePolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` policy
+
+instance Prelude.NFData PutResourcePolicy where
+  rnf PutResourcePolicy' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf policy
+
+instance Data.ToHeaders PutResourcePolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.PutResourcePolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON PutResourcePolicy where
+  toJSON PutResourcePolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("ResourceArn" Data..= resourceArn),
+            Prelude.Just ("Policy" Data..= policy)
+          ]
+      )
+
+instance Data.ToPath PutResourcePolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery PutResourcePolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newPutResourcePolicyResponse' smart constructor.
+data PutResourcePolicyResponse = PutResourcePolicyResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PutResourcePolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'putResourcePolicyResponse_httpStatus' - The response's http status code.
+newPutResourcePolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  PutResourcePolicyResponse
+newPutResourcePolicyResponse pHttpStatus_ =
+  PutResourcePolicyResponse'
+    { httpStatus =
+        pHttpStatus_
+    }
+
+-- | The response's http status code.
+putResourcePolicyResponse_httpStatus :: Lens.Lens' PutResourcePolicyResponse Prelude.Int
+putResourcePolicyResponse_httpStatus = Lens.lens (\PutResourcePolicyResponse' {httpStatus} -> httpStatus) (\s@PutResourcePolicyResponse' {} a -> s {httpStatus = a} :: PutResourcePolicyResponse)
+
+instance Prelude.NFData PutResourcePolicyResponse where
+  rnf PutResourcePolicyResponse' {..} =
+    Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/TagResource.hs b/gen/Amazonka/NetworkFirewall/TagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/TagResource.hs
@@ -0,0 +1,176 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.TagResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Adds the specified tags to the specified resource. Tags are key:value
+-- pairs that you can use to categorize and manage your resources, for
+-- purposes like billing. For example, you might set the tag key to
+-- \"customer\" and the value to the customer name or ID. You can specify
+-- one or more tags to add to each Amazon Web Services resource, up to 50
+-- tags for a resource.
+--
+-- You can tag the Amazon Web Services resources that you manage through
+-- Network Firewall: firewalls, firewall policies, and rule groups.
+module Amazonka.NetworkFirewall.TagResource
+  ( -- * Creating a Request
+    TagResource (..),
+    newTagResource,
+
+    -- * Request Lenses
+    tagResource_resourceArn,
+    tagResource_tags,
+
+    -- * Destructuring the Response
+    TagResourceResponse (..),
+    newTagResourceResponse,
+
+    -- * Response Lenses
+    tagResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newTagResource' smart constructor.
+data TagResource = TagResource'
+  { -- | The Amazon Resource Name (ARN) of the resource.
+    resourceArn :: Prelude.Text,
+    tags :: Prelude.NonEmpty Tag
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TagResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'tagResource_resourceArn' - The Amazon Resource Name (ARN) of the resource.
+--
+-- 'tags', 'tagResource_tags' -
+newTagResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  -- | 'tags'
+  Prelude.NonEmpty Tag ->
+  TagResource
+newTagResource pResourceArn_ pTags_ =
+  TagResource'
+    { resourceArn = pResourceArn_,
+      tags = Lens.coerced Lens.# pTags_
+    }
+
+-- | The Amazon Resource Name (ARN) of the resource.
+tagResource_resourceArn :: Lens.Lens' TagResource Prelude.Text
+tagResource_resourceArn = Lens.lens (\TagResource' {resourceArn} -> resourceArn) (\s@TagResource' {} a -> s {resourceArn = a} :: TagResource)
+
+tagResource_tags :: Lens.Lens' TagResource (Prelude.NonEmpty Tag)
+tagResource_tags = Lens.lens (\TagResource' {tags} -> tags) (\s@TagResource' {} a -> s {tags = a} :: TagResource) Prelude.. Lens.coerced
+
+instance Core.AWSRequest TagResource where
+  type AWSResponse TagResource = TagResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          TagResourceResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable TagResource where
+  hashWithSalt _salt TagResource' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` tags
+
+instance Prelude.NFData TagResource where
+  rnf TagResource' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf tags
+
+instance Data.ToHeaders TagResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.TagResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON TagResource where
+  toJSON TagResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("ResourceArn" Data..= resourceArn),
+            Prelude.Just ("Tags" Data..= tags)
+          ]
+      )
+
+instance Data.ToPath TagResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery TagResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newTagResourceResponse' smart constructor.
+data TagResourceResponse = TagResourceResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TagResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'tagResourceResponse_httpStatus' - The response's http status code.
+newTagResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  TagResourceResponse
+newTagResourceResponse pHttpStatus_ =
+  TagResourceResponse' {httpStatus = pHttpStatus_}
+
+-- | The response's http status code.
+tagResourceResponse_httpStatus :: Lens.Lens' TagResourceResponse Prelude.Int
+tagResourceResponse_httpStatus = Lens.lens (\TagResourceResponse' {httpStatus} -> httpStatus) (\s@TagResourceResponse' {} a -> s {httpStatus = a} :: TagResourceResponse)
+
+instance Prelude.NFData TagResourceResponse where
+  rnf TagResourceResponse' {..} = Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/Types.hs b/gen/Amazonka/NetworkFirewall/Types.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types.hs
@@ -0,0 +1,658 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    _InsufficientCapacityException,
+    _InternalServerError,
+    _InvalidOperationException,
+    _InvalidRequestException,
+    _InvalidResourcePolicyException,
+    _InvalidTokenException,
+    _LimitExceededException,
+    _LogDestinationPermissionException,
+    _ResourceNotFoundException,
+    _ResourceOwnerCheckException,
+    _ThrottlingException,
+    _UnsupportedOperationException,
+
+    -- * AttachmentStatus
+    AttachmentStatus (..),
+
+    -- * ConfigurationSyncState
+    ConfigurationSyncState (..),
+
+    -- * EncryptionType
+    EncryptionType (..),
+
+    -- * FirewallStatusValue
+    FirewallStatusValue (..),
+
+    -- * GeneratedRulesType
+    GeneratedRulesType (..),
+
+    -- * LogDestinationType
+    LogDestinationType (..),
+
+    -- * LogType
+    LogType (..),
+
+    -- * OverrideAction
+    OverrideAction (..),
+
+    -- * PerObjectSyncStatus
+    PerObjectSyncStatus (..),
+
+    -- * ResourceManagedStatus
+    ResourceManagedStatus (..),
+
+    -- * ResourceManagedType
+    ResourceManagedType (..),
+
+    -- * ResourceStatus
+    ResourceStatus (..),
+
+    -- * RuleGroupType
+    RuleGroupType (..),
+
+    -- * RuleOrder
+    RuleOrder (..),
+
+    -- * StatefulAction
+    StatefulAction (..),
+
+    -- * StatefulRuleDirection
+    StatefulRuleDirection (..),
+
+    -- * StatefulRuleProtocol
+    StatefulRuleProtocol (..),
+
+    -- * StreamExceptionPolicy
+    StreamExceptionPolicy (..),
+
+    -- * TCPFlag
+    TCPFlag (..),
+
+    -- * TargetType
+    TargetType (..),
+
+    -- * ActionDefinition
+    ActionDefinition (..),
+    newActionDefinition,
+    actionDefinition_publishMetricAction,
+
+    -- * Address
+    Address (..),
+    newAddress,
+    address_addressDefinition,
+
+    -- * Attachment
+    Attachment (..),
+    newAttachment,
+    attachment_endpointId,
+    attachment_status,
+    attachment_statusMessage,
+    attachment_subnetId,
+
+    -- * CIDRSummary
+    CIDRSummary (..),
+    newCIDRSummary,
+    cIDRSummary_availableCIDRCount,
+    cIDRSummary_iPSetReferences,
+    cIDRSummary_utilizedCIDRCount,
+
+    -- * CapacityUsageSummary
+    CapacityUsageSummary (..),
+    newCapacityUsageSummary,
+    capacityUsageSummary_cIDRs,
+
+    -- * CustomAction
+    CustomAction (..),
+    newCustomAction,
+    customAction_actionName,
+    customAction_actionDefinition,
+
+    -- * Dimension
+    Dimension (..),
+    newDimension,
+    dimension_value,
+
+    -- * EncryptionConfiguration
+    EncryptionConfiguration (..),
+    newEncryptionConfiguration,
+    encryptionConfiguration_keyId,
+    encryptionConfiguration_type,
+
+    -- * Firewall
+    Firewall (..),
+    newFirewall,
+    firewall_deleteProtection,
+    firewall_description,
+    firewall_encryptionConfiguration,
+    firewall_firewallArn,
+    firewall_firewallName,
+    firewall_firewallPolicyChangeProtection,
+    firewall_subnetChangeProtection,
+    firewall_tags,
+    firewall_firewallPolicyArn,
+    firewall_vpcId,
+    firewall_subnetMappings,
+    firewall_firewallId,
+
+    -- * FirewallMetadata
+    FirewallMetadata (..),
+    newFirewallMetadata,
+    firewallMetadata_firewallArn,
+    firewallMetadata_firewallName,
+
+    -- * FirewallPolicy
+    FirewallPolicy (..),
+    newFirewallPolicy,
+    firewallPolicy_statefulDefaultActions,
+    firewallPolicy_statefulEngineOptions,
+    firewallPolicy_statefulRuleGroupReferences,
+    firewallPolicy_statelessCustomActions,
+    firewallPolicy_statelessRuleGroupReferences,
+    firewallPolicy_statelessDefaultActions,
+    firewallPolicy_statelessFragmentDefaultActions,
+
+    -- * FirewallPolicyMetadata
+    FirewallPolicyMetadata (..),
+    newFirewallPolicyMetadata,
+    firewallPolicyMetadata_arn,
+    firewallPolicyMetadata_name,
+
+    -- * FirewallPolicyResponse
+    FirewallPolicyResponse (..),
+    newFirewallPolicyResponse,
+    firewallPolicyResponse_consumedStatefulRuleCapacity,
+    firewallPolicyResponse_consumedStatelessRuleCapacity,
+    firewallPolicyResponse_description,
+    firewallPolicyResponse_encryptionConfiguration,
+    firewallPolicyResponse_firewallPolicyStatus,
+    firewallPolicyResponse_lastModifiedTime,
+    firewallPolicyResponse_numberOfAssociations,
+    firewallPolicyResponse_tags,
+    firewallPolicyResponse_firewallPolicyName,
+    firewallPolicyResponse_firewallPolicyArn,
+    firewallPolicyResponse_firewallPolicyId,
+
+    -- * FirewallStatus
+    FirewallStatus (..),
+    newFirewallStatus,
+    firewallStatus_capacityUsageSummary,
+    firewallStatus_syncStates,
+    firewallStatus_status,
+    firewallStatus_configurationSyncStateSummary,
+
+    -- * Header
+    Header (..),
+    newHeader,
+    header_protocol,
+    header_source,
+    header_sourcePort,
+    header_direction,
+    header_destination,
+    header_destinationPort,
+
+    -- * IPSet
+    IPSet (..),
+    newIPSet,
+    iPSet_definition,
+
+    -- * IPSetMetadata
+    IPSetMetadata (..),
+    newIPSetMetadata,
+    iPSetMetadata_resolvedCIDRCount,
+
+    -- * IPSetReference
+    IPSetReference (..),
+    newIPSetReference,
+    iPSetReference_referenceArn,
+
+    -- * LogDestinationConfig
+    LogDestinationConfig (..),
+    newLogDestinationConfig,
+    logDestinationConfig_logType,
+    logDestinationConfig_logDestinationType,
+    logDestinationConfig_logDestination,
+
+    -- * LoggingConfiguration
+    LoggingConfiguration (..),
+    newLoggingConfiguration,
+    loggingConfiguration_logDestinationConfigs,
+
+    -- * MatchAttributes
+    MatchAttributes (..),
+    newMatchAttributes,
+    matchAttributes_destinationPorts,
+    matchAttributes_destinations,
+    matchAttributes_protocols,
+    matchAttributes_sourcePorts,
+    matchAttributes_sources,
+    matchAttributes_tCPFlags,
+
+    -- * PerObjectStatus
+    PerObjectStatus (..),
+    newPerObjectStatus,
+    perObjectStatus_syncStatus,
+    perObjectStatus_updateToken,
+
+    -- * PortRange
+    PortRange (..),
+    newPortRange,
+    portRange_fromPort,
+    portRange_toPort,
+
+    -- * PortSet
+    PortSet (..),
+    newPortSet,
+    portSet_definition,
+
+    -- * PublishMetricAction
+    PublishMetricAction (..),
+    newPublishMetricAction,
+    publishMetricAction_dimensions,
+
+    -- * ReferenceSets
+    ReferenceSets (..),
+    newReferenceSets,
+    referenceSets_iPSetReferences,
+
+    -- * RuleDefinition
+    RuleDefinition (..),
+    newRuleDefinition,
+    ruleDefinition_matchAttributes,
+    ruleDefinition_actions,
+
+    -- * RuleGroup
+    RuleGroup (..),
+    newRuleGroup,
+    ruleGroup_referenceSets,
+    ruleGroup_ruleVariables,
+    ruleGroup_statefulRuleOptions,
+    ruleGroup_rulesSource,
+
+    -- * RuleGroupMetadata
+    RuleGroupMetadata (..),
+    newRuleGroupMetadata,
+    ruleGroupMetadata_arn,
+    ruleGroupMetadata_name,
+
+    -- * RuleGroupResponse
+    RuleGroupResponse (..),
+    newRuleGroupResponse,
+    ruleGroupResponse_capacity,
+    ruleGroupResponse_consumedCapacity,
+    ruleGroupResponse_description,
+    ruleGroupResponse_encryptionConfiguration,
+    ruleGroupResponse_lastModifiedTime,
+    ruleGroupResponse_numberOfAssociations,
+    ruleGroupResponse_ruleGroupStatus,
+    ruleGroupResponse_snsTopic,
+    ruleGroupResponse_sourceMetadata,
+    ruleGroupResponse_tags,
+    ruleGroupResponse_type,
+    ruleGroupResponse_ruleGroupArn,
+    ruleGroupResponse_ruleGroupName,
+    ruleGroupResponse_ruleGroupId,
+
+    -- * RuleOption
+    RuleOption (..),
+    newRuleOption,
+    ruleOption_settings,
+    ruleOption_keyword,
+
+    -- * RuleVariables
+    RuleVariables (..),
+    newRuleVariables,
+    ruleVariables_iPSets,
+    ruleVariables_portSets,
+
+    -- * RulesSource
+    RulesSource (..),
+    newRulesSource,
+    rulesSource_rulesSourceList,
+    rulesSource_rulesString,
+    rulesSource_statefulRules,
+    rulesSource_statelessRulesAndCustomActions,
+
+    -- * RulesSourceList
+    RulesSourceList (..),
+    newRulesSourceList,
+    rulesSourceList_targets,
+    rulesSourceList_targetTypes,
+    rulesSourceList_generatedRulesType,
+
+    -- * SourceMetadata
+    SourceMetadata (..),
+    newSourceMetadata,
+    sourceMetadata_sourceArn,
+    sourceMetadata_sourceUpdateToken,
+
+    -- * StatefulEngineOptions
+    StatefulEngineOptions (..),
+    newStatefulEngineOptions,
+    statefulEngineOptions_ruleOrder,
+    statefulEngineOptions_streamExceptionPolicy,
+
+    -- * StatefulRule
+    StatefulRule (..),
+    newStatefulRule,
+    statefulRule_action,
+    statefulRule_header,
+    statefulRule_ruleOptions,
+
+    -- * StatefulRuleGroupOverride
+    StatefulRuleGroupOverride (..),
+    newStatefulRuleGroupOverride,
+    statefulRuleGroupOverride_action,
+
+    -- * StatefulRuleGroupReference
+    StatefulRuleGroupReference (..),
+    newStatefulRuleGroupReference,
+    statefulRuleGroupReference_override,
+    statefulRuleGroupReference_priority,
+    statefulRuleGroupReference_resourceArn,
+
+    -- * StatefulRuleOptions
+    StatefulRuleOptions (..),
+    newStatefulRuleOptions,
+    statefulRuleOptions_ruleOrder,
+
+    -- * StatelessRule
+    StatelessRule (..),
+    newStatelessRule,
+    statelessRule_ruleDefinition,
+    statelessRule_priority,
+
+    -- * StatelessRuleGroupReference
+    StatelessRuleGroupReference (..),
+    newStatelessRuleGroupReference,
+    statelessRuleGroupReference_resourceArn,
+    statelessRuleGroupReference_priority,
+
+    -- * StatelessRulesAndCustomActions
+    StatelessRulesAndCustomActions (..),
+    newStatelessRulesAndCustomActions,
+    statelessRulesAndCustomActions_customActions,
+    statelessRulesAndCustomActions_statelessRules,
+
+    -- * SubnetMapping
+    SubnetMapping (..),
+    newSubnetMapping,
+    subnetMapping_subnetId,
+
+    -- * SyncState
+    SyncState (..),
+    newSyncState,
+    syncState_attachment,
+    syncState_config,
+
+    -- * TCPFlagField
+    TCPFlagField (..),
+    newTCPFlagField,
+    tCPFlagField_masks,
+    tCPFlagField_flags,
+
+    -- * Tag
+    Tag (..),
+    newTag,
+    tag_key,
+    tag_value,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import Amazonka.NetworkFirewall.Types.ActionDefinition
+import Amazonka.NetworkFirewall.Types.Address
+import Amazonka.NetworkFirewall.Types.Attachment
+import Amazonka.NetworkFirewall.Types.AttachmentStatus
+import Amazonka.NetworkFirewall.Types.CIDRSummary
+import Amazonka.NetworkFirewall.Types.CapacityUsageSummary
+import Amazonka.NetworkFirewall.Types.ConfigurationSyncState
+import Amazonka.NetworkFirewall.Types.CustomAction
+import Amazonka.NetworkFirewall.Types.Dimension
+import Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+import Amazonka.NetworkFirewall.Types.EncryptionType
+import Amazonka.NetworkFirewall.Types.Firewall
+import Amazonka.NetworkFirewall.Types.FirewallMetadata
+import Amazonka.NetworkFirewall.Types.FirewallPolicy
+import Amazonka.NetworkFirewall.Types.FirewallPolicyMetadata
+import Amazonka.NetworkFirewall.Types.FirewallPolicyResponse
+import Amazonka.NetworkFirewall.Types.FirewallStatus
+import Amazonka.NetworkFirewall.Types.FirewallStatusValue
+import Amazonka.NetworkFirewall.Types.GeneratedRulesType
+import Amazonka.NetworkFirewall.Types.Header
+import Amazonka.NetworkFirewall.Types.IPSet
+import Amazonka.NetworkFirewall.Types.IPSetMetadata
+import Amazonka.NetworkFirewall.Types.IPSetReference
+import Amazonka.NetworkFirewall.Types.LogDestinationConfig
+import Amazonka.NetworkFirewall.Types.LogDestinationType
+import Amazonka.NetworkFirewall.Types.LogType
+import Amazonka.NetworkFirewall.Types.LoggingConfiguration
+import Amazonka.NetworkFirewall.Types.MatchAttributes
+import Amazonka.NetworkFirewall.Types.OverrideAction
+import Amazonka.NetworkFirewall.Types.PerObjectStatus
+import Amazonka.NetworkFirewall.Types.PerObjectSyncStatus
+import Amazonka.NetworkFirewall.Types.PortRange
+import Amazonka.NetworkFirewall.Types.PortSet
+import Amazonka.NetworkFirewall.Types.PublishMetricAction
+import Amazonka.NetworkFirewall.Types.ReferenceSets
+import Amazonka.NetworkFirewall.Types.ResourceManagedStatus
+import Amazonka.NetworkFirewall.Types.ResourceManagedType
+import Amazonka.NetworkFirewall.Types.ResourceStatus
+import Amazonka.NetworkFirewall.Types.RuleDefinition
+import Amazonka.NetworkFirewall.Types.RuleGroup
+import Amazonka.NetworkFirewall.Types.RuleGroupMetadata
+import Amazonka.NetworkFirewall.Types.RuleGroupResponse
+import Amazonka.NetworkFirewall.Types.RuleGroupType
+import Amazonka.NetworkFirewall.Types.RuleOption
+import Amazonka.NetworkFirewall.Types.RuleOrder
+import Amazonka.NetworkFirewall.Types.RuleVariables
+import Amazonka.NetworkFirewall.Types.RulesSource
+import Amazonka.NetworkFirewall.Types.RulesSourceList
+import Amazonka.NetworkFirewall.Types.SourceMetadata
+import Amazonka.NetworkFirewall.Types.StatefulAction
+import Amazonka.NetworkFirewall.Types.StatefulEngineOptions
+import Amazonka.NetworkFirewall.Types.StatefulRule
+import Amazonka.NetworkFirewall.Types.StatefulRuleDirection
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference
+import Amazonka.NetworkFirewall.Types.StatefulRuleOptions
+import Amazonka.NetworkFirewall.Types.StatefulRuleProtocol
+import Amazonka.NetworkFirewall.Types.StatelessRule
+import Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference
+import Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions
+import Amazonka.NetworkFirewall.Types.StreamExceptionPolicy
+import Amazonka.NetworkFirewall.Types.SubnetMapping
+import Amazonka.NetworkFirewall.Types.SyncState
+import Amazonka.NetworkFirewall.Types.TCPFlag
+import Amazonka.NetworkFirewall.Types.TCPFlagField
+import Amazonka.NetworkFirewall.Types.Tag
+import Amazonka.NetworkFirewall.Types.TargetType
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Sign.V4 as Sign
+
+-- | API version @2020-11-12@ of the Amazon Network Firewall SDK configuration.
+defaultService :: Core.Service
+defaultService =
+  Core.Service
+    { Core.abbrev = "NetworkFirewall",
+      Core.signer = Sign.v4,
+      Core.endpointPrefix = "network-firewall",
+      Core.signingName = "network-firewall",
+      Core.version = "2020-11-12",
+      Core.s3AddressingStyle = Core.S3AddressingStyleAuto,
+      Core.endpoint = Core.defaultEndpoint defaultService,
+      Core.timeout = Prelude.Just 70,
+      Core.check = Core.statusSuccess,
+      Core.error = Core.parseJSONError "NetworkFirewall",
+      Core.retry = retry
+    }
+  where
+    retry =
+      Core.Exponential
+        { Core.base = 5.0e-2,
+          Core.growth = 2,
+          Core.attempts = 5,
+          Core.check = check
+        }
+    check e
+      | Lens.has (Core.hasStatus 502) e =
+          Prelude.Just "bad_gateway"
+      | Lens.has (Core.hasStatus 504) e =
+          Prelude.Just "gateway_timeout"
+      | Lens.has (Core.hasStatus 500) e =
+          Prelude.Just "general_server_error"
+      | Lens.has (Core.hasStatus 509) e =
+          Prelude.Just "limit_exceeded"
+      | Lens.has
+          ( Core.hasCode "RequestThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "request_throttled_exception"
+      | Lens.has (Core.hasStatus 503) e =
+          Prelude.Just "service_unavailable"
+      | Lens.has
+          ( Core.hasCode "ThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttled_exception"
+      | Lens.has
+          ( Core.hasCode "Throttling"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling"
+      | Lens.has
+          ( Core.hasCode "ThrottlingException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling_exception"
+      | Lens.has
+          ( Core.hasCode
+              "ProvisionedThroughputExceededException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throughput_exceeded"
+      | Lens.has (Core.hasStatus 429) e =
+          Prelude.Just "too_many_requests"
+      | Prelude.otherwise = Prelude.Nothing
+
+-- | Amazon Web Services doesn\'t currently have enough available capacity to
+-- fulfill your request. Try your request later.
+_InsufficientCapacityException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InsufficientCapacityException =
+  Core._MatchServiceError
+    defaultService
+    "InsufficientCapacityException"
+
+-- | Your request is valid, but Network Firewall couldn’t perform the
+-- operation because of a system problem. Retry your request.
+_InternalServerError :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InternalServerError =
+  Core._MatchServiceError
+    defaultService
+    "InternalServerError"
+
+-- | The operation failed because it\'s not valid. For example, you might
+-- have tried to delete a rule group or firewall policy that\'s in use.
+_InvalidOperationException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidOperationException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidOperationException"
+
+-- | The operation failed because of a problem with your request. Examples
+-- include:
+--
+-- -   You specified an unsupported parameter name or value.
+--
+-- -   You tried to update a property with a value that isn\'t among the
+--     available types.
+--
+-- -   Your request references an ARN that is malformed, or corresponds to
+--     a resource that isn\'t valid in the context of the request.
+_InvalidRequestException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidRequestException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidRequestException"
+
+-- | The policy statement failed validation.
+_InvalidResourcePolicyException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidResourcePolicyException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidResourcePolicyException"
+
+-- | The token you provided is stale or isn\'t valid for the operation.
+_InvalidTokenException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidTokenException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidTokenException"
+
+-- | Unable to perform the operation because doing so would violate a limit
+-- setting.
+_LimitExceededException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_LimitExceededException =
+  Core._MatchServiceError
+    defaultService
+    "LimitExceededException"
+
+-- | Unable to send logs to a configured logging destination.
+_LogDestinationPermissionException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_LogDestinationPermissionException =
+  Core._MatchServiceError
+    defaultService
+    "LogDestinationPermissionException"
+
+-- | Unable to locate a resource using the parameters that you provided.
+_ResourceNotFoundException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_ResourceNotFoundException =
+  Core._MatchServiceError
+    defaultService
+    "ResourceNotFoundException"
+
+-- | Unable to change the resource because your account doesn\'t own it.
+_ResourceOwnerCheckException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_ResourceOwnerCheckException =
+  Core._MatchServiceError
+    defaultService
+    "ResourceOwnerCheckException"
+
+-- | Unable to process the request due to throttling limitations.
+_ThrottlingException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_ThrottlingException =
+  Core._MatchServiceError
+    defaultService
+    "ThrottlingException"
+
+-- | The operation you requested isn\'t supported by Network Firewall.
+_UnsupportedOperationException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_UnsupportedOperationException =
+  Core._MatchServiceError
+    defaultService
+    "UnsupportedOperationException"
diff --git a/gen/Amazonka/NetworkFirewall/Types/ActionDefinition.hs b/gen/Amazonka/NetworkFirewall/Types/ActionDefinition.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ActionDefinition.hs
@@ -0,0 +1,107 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ActionDefinition
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ActionDefinition where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.PublishMetricAction
+import qualified Amazonka.Prelude as Prelude
+
+-- | A custom action to use in stateless rule actions settings. This is used
+-- in CustomAction.
+--
+-- /See:/ 'newActionDefinition' smart constructor.
+data ActionDefinition = ActionDefinition'
+  { -- | Stateless inspection criteria that publishes the specified metrics to
+    -- Amazon CloudWatch for the matching packet. This setting defines a
+    -- CloudWatch dimension value to be published.
+    --
+    -- You can pair this custom action with any of the standard stateless rule
+    -- actions. For example, you could pair this in a rule action with the
+    -- standard action that forwards the packet for stateful inspection. Then,
+    -- when a packet matches the rule, Network Firewall publishes metrics for
+    -- the packet and forwards it.
+    publishMetricAction :: Prelude.Maybe PublishMetricAction
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ActionDefinition' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'publishMetricAction', 'actionDefinition_publishMetricAction' - Stateless inspection criteria that publishes the specified metrics to
+-- Amazon CloudWatch for the matching packet. This setting defines a
+-- CloudWatch dimension value to be published.
+--
+-- You can pair this custom action with any of the standard stateless rule
+-- actions. For example, you could pair this in a rule action with the
+-- standard action that forwards the packet for stateful inspection. Then,
+-- when a packet matches the rule, Network Firewall publishes metrics for
+-- the packet and forwards it.
+newActionDefinition ::
+  ActionDefinition
+newActionDefinition =
+  ActionDefinition'
+    { publishMetricAction =
+        Prelude.Nothing
+    }
+
+-- | Stateless inspection criteria that publishes the specified metrics to
+-- Amazon CloudWatch for the matching packet. This setting defines a
+-- CloudWatch dimension value to be published.
+--
+-- You can pair this custom action with any of the standard stateless rule
+-- actions. For example, you could pair this in a rule action with the
+-- standard action that forwards the packet for stateful inspection. Then,
+-- when a packet matches the rule, Network Firewall publishes metrics for
+-- the packet and forwards it.
+actionDefinition_publishMetricAction :: Lens.Lens' ActionDefinition (Prelude.Maybe PublishMetricAction)
+actionDefinition_publishMetricAction = Lens.lens (\ActionDefinition' {publishMetricAction} -> publishMetricAction) (\s@ActionDefinition' {} a -> s {publishMetricAction = a} :: ActionDefinition)
+
+instance Data.FromJSON ActionDefinition where
+  parseJSON =
+    Data.withObject
+      "ActionDefinition"
+      ( \x ->
+          ActionDefinition'
+            Prelude.<$> (x Data..:? "PublishMetricAction")
+      )
+
+instance Prelude.Hashable ActionDefinition where
+  hashWithSalt _salt ActionDefinition' {..} =
+    _salt `Prelude.hashWithSalt` publishMetricAction
+
+instance Prelude.NFData ActionDefinition where
+  rnf ActionDefinition' {..} =
+    Prelude.rnf publishMetricAction
+
+instance Data.ToJSON ActionDefinition where
+  toJSON ActionDefinition' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("PublishMetricAction" Data..=)
+              Prelude.<$> publishMetricAction
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/Address.hs b/gen/Amazonka/NetworkFirewall/Types/Address.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Address.hs
@@ -0,0 +1,118 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Address
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Address where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A single IP address specification. This is used in the MatchAttributes
+-- source and destination specifications.
+--
+-- /See:/ 'newAddress' smart constructor.
+data Address = Address'
+  { -- | Specify an IP address or a block of IP addresses in Classless
+    -- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+    -- address ranges for IPv4.
+    --
+    -- Examples:
+    --
+    -- -   To configure Network Firewall to inspect for the IP address
+    --     192.0.2.44, specify @192.0.2.44\/32@.
+    --
+    -- -   To configure Network Firewall to inspect for IP addresses from
+    --     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+    --
+    -- For more information about CIDR notation, see the Wikipedia entry
+    -- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+    addressDefinition :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Address' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'addressDefinition', 'address_addressDefinition' - Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+newAddress ::
+  -- | 'addressDefinition'
+  Prelude.Text ->
+  Address
+newAddress pAddressDefinition_ =
+  Address' {addressDefinition = pAddressDefinition_}
+
+-- | Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+address_addressDefinition :: Lens.Lens' Address Prelude.Text
+address_addressDefinition = Lens.lens (\Address' {addressDefinition} -> addressDefinition) (\s@Address' {} a -> s {addressDefinition = a} :: Address)
+
+instance Data.FromJSON Address where
+  parseJSON =
+    Data.withObject
+      "Address"
+      ( \x ->
+          Address' Prelude.<$> (x Data..: "AddressDefinition")
+      )
+
+instance Prelude.Hashable Address where
+  hashWithSalt _salt Address' {..} =
+    _salt `Prelude.hashWithSalt` addressDefinition
+
+instance Prelude.NFData Address where
+  rnf Address' {..} = Prelude.rnf addressDefinition
+
+instance Data.ToJSON Address where
+  toJSON Address' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just
+              ("AddressDefinition" Data..= addressDefinition)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/Attachment.hs b/gen/Amazonka/NetworkFirewall/Types/Attachment.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Attachment.hs
@@ -0,0 +1,156 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Attachment
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Attachment where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.AttachmentStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | The configuration and status for a single subnet that you\'ve specified
+-- for use by the Network Firewall firewall. This is part of the
+-- FirewallStatus.
+--
+-- /See:/ 'newAttachment' smart constructor.
+data Attachment = Attachment'
+  { -- | The identifier of the firewall endpoint that Network Firewall has
+    -- instantiated in the subnet. You use this to identify the firewall
+    -- endpoint in the VPC route tables, when you redirect the VPC traffic
+    -- through the endpoint.
+    endpointId :: Prelude.Maybe Prelude.Text,
+    -- | The current status of the firewall endpoint in the subnet. This value
+    -- reflects both the instantiation of the endpoint in the VPC subnet and
+    -- the sync states that are reported in the @Config@ settings. When this
+    -- value is @READY@, the endpoint is available and configured properly to
+    -- handle network traffic. When the endpoint isn\'t available for traffic,
+    -- this value will reflect its state, for example @CREATING@ or @DELETING@.
+    status :: Prelude.Maybe AttachmentStatus,
+    -- | If Network Firewall fails to create or delete the firewall endpoint in
+    -- the subnet, it populates this with the reason for the failure and how to
+    -- resolve it. Depending on the error, it can take as many as 15 minutes to
+    -- populate this field. For more information about the errors and solutions
+    -- available for this field, see
+    -- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html Troubleshooting firewall endpoint failures>
+    -- in the /Network Firewall Developer Guide/.
+    statusMessage :: Prelude.Maybe Prelude.Text,
+    -- | The unique identifier of the subnet that you\'ve specified to be used
+    -- for a firewall endpoint.
+    subnetId :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Attachment' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'endpointId', 'attachment_endpointId' - The identifier of the firewall endpoint that Network Firewall has
+-- instantiated in the subnet. You use this to identify the firewall
+-- endpoint in the VPC route tables, when you redirect the VPC traffic
+-- through the endpoint.
+--
+-- 'status', 'attachment_status' - The current status of the firewall endpoint in the subnet. This value
+-- reflects both the instantiation of the endpoint in the VPC subnet and
+-- the sync states that are reported in the @Config@ settings. When this
+-- value is @READY@, the endpoint is available and configured properly to
+-- handle network traffic. When the endpoint isn\'t available for traffic,
+-- this value will reflect its state, for example @CREATING@ or @DELETING@.
+--
+-- 'statusMessage', 'attachment_statusMessage' - If Network Firewall fails to create or delete the firewall endpoint in
+-- the subnet, it populates this with the reason for the failure and how to
+-- resolve it. Depending on the error, it can take as many as 15 minutes to
+-- populate this field. For more information about the errors and solutions
+-- available for this field, see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html Troubleshooting firewall endpoint failures>
+-- in the /Network Firewall Developer Guide/.
+--
+-- 'subnetId', 'attachment_subnetId' - The unique identifier of the subnet that you\'ve specified to be used
+-- for a firewall endpoint.
+newAttachment ::
+  Attachment
+newAttachment =
+  Attachment'
+    { endpointId = Prelude.Nothing,
+      status = Prelude.Nothing,
+      statusMessage = Prelude.Nothing,
+      subnetId = Prelude.Nothing
+    }
+
+-- | The identifier of the firewall endpoint that Network Firewall has
+-- instantiated in the subnet. You use this to identify the firewall
+-- endpoint in the VPC route tables, when you redirect the VPC traffic
+-- through the endpoint.
+attachment_endpointId :: Lens.Lens' Attachment (Prelude.Maybe Prelude.Text)
+attachment_endpointId = Lens.lens (\Attachment' {endpointId} -> endpointId) (\s@Attachment' {} a -> s {endpointId = a} :: Attachment)
+
+-- | The current status of the firewall endpoint in the subnet. This value
+-- reflects both the instantiation of the endpoint in the VPC subnet and
+-- the sync states that are reported in the @Config@ settings. When this
+-- value is @READY@, the endpoint is available and configured properly to
+-- handle network traffic. When the endpoint isn\'t available for traffic,
+-- this value will reflect its state, for example @CREATING@ or @DELETING@.
+attachment_status :: Lens.Lens' Attachment (Prelude.Maybe AttachmentStatus)
+attachment_status = Lens.lens (\Attachment' {status} -> status) (\s@Attachment' {} a -> s {status = a} :: Attachment)
+
+-- | If Network Firewall fails to create or delete the firewall endpoint in
+-- the subnet, it populates this with the reason for the failure and how to
+-- resolve it. Depending on the error, it can take as many as 15 minutes to
+-- populate this field. For more information about the errors and solutions
+-- available for this field, see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html Troubleshooting firewall endpoint failures>
+-- in the /Network Firewall Developer Guide/.
+attachment_statusMessage :: Lens.Lens' Attachment (Prelude.Maybe Prelude.Text)
+attachment_statusMessage = Lens.lens (\Attachment' {statusMessage} -> statusMessage) (\s@Attachment' {} a -> s {statusMessage = a} :: Attachment)
+
+-- | The unique identifier of the subnet that you\'ve specified to be used
+-- for a firewall endpoint.
+attachment_subnetId :: Lens.Lens' Attachment (Prelude.Maybe Prelude.Text)
+attachment_subnetId = Lens.lens (\Attachment' {subnetId} -> subnetId) (\s@Attachment' {} a -> s {subnetId = a} :: Attachment)
+
+instance Data.FromJSON Attachment where
+  parseJSON =
+    Data.withObject
+      "Attachment"
+      ( \x ->
+          Attachment'
+            Prelude.<$> (x Data..:? "EndpointId")
+            Prelude.<*> (x Data..:? "Status")
+            Prelude.<*> (x Data..:? "StatusMessage")
+            Prelude.<*> (x Data..:? "SubnetId")
+      )
+
+instance Prelude.Hashable Attachment where
+  hashWithSalt _salt Attachment' {..} =
+    _salt
+      `Prelude.hashWithSalt` endpointId
+      `Prelude.hashWithSalt` status
+      `Prelude.hashWithSalt` statusMessage
+      `Prelude.hashWithSalt` subnetId
+
+instance Prelude.NFData Attachment where
+  rnf Attachment' {..} =
+    Prelude.rnf endpointId
+      `Prelude.seq` Prelude.rnf status
+      `Prelude.seq` Prelude.rnf statusMessage
+      `Prelude.seq` Prelude.rnf subnetId
diff --git a/gen/Amazonka/NetworkFirewall/Types/AttachmentStatus.hs b/gen/Amazonka/NetworkFirewall/Types/AttachmentStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/AttachmentStatus.hs
@@ -0,0 +1,81 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.AttachmentStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.AttachmentStatus
+  ( AttachmentStatus
+      ( ..,
+        AttachmentStatus_CREATING,
+        AttachmentStatus_DELETING,
+        AttachmentStatus_READY,
+        AttachmentStatus_SCALING
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype AttachmentStatus = AttachmentStatus'
+  { fromAttachmentStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern AttachmentStatus_CREATING :: AttachmentStatus
+pattern AttachmentStatus_CREATING = AttachmentStatus' "CREATING"
+
+pattern AttachmentStatus_DELETING :: AttachmentStatus
+pattern AttachmentStatus_DELETING = AttachmentStatus' "DELETING"
+
+pattern AttachmentStatus_READY :: AttachmentStatus
+pattern AttachmentStatus_READY = AttachmentStatus' "READY"
+
+pattern AttachmentStatus_SCALING :: AttachmentStatus
+pattern AttachmentStatus_SCALING = AttachmentStatus' "SCALING"
+
+{-# COMPLETE
+  AttachmentStatus_CREATING,
+  AttachmentStatus_DELETING,
+  AttachmentStatus_READY,
+  AttachmentStatus_SCALING,
+  AttachmentStatus'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/CIDRSummary.hs b/gen/Amazonka/NetworkFirewall/Types/CIDRSummary.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/CIDRSummary.hs
@@ -0,0 +1,105 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.CIDRSummary
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.CIDRSummary where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.IPSetMetadata
+import qualified Amazonka.Prelude as Prelude
+
+-- | Summarizes the CIDR blocks used by the IP set references in a firewall.
+-- Network Firewall calculates the number of CIDRs by taking an aggregated
+-- count of all CIDRs used by the IP sets you are referencing.
+--
+-- /See:/ 'newCIDRSummary' smart constructor.
+data CIDRSummary = CIDRSummary'
+  { -- | The number of CIDR blocks available for use by the IP set references in
+    -- a firewall.
+    availableCIDRCount :: Prelude.Maybe Prelude.Natural,
+    -- | The list of the IP set references used by a firewall.
+    iPSetReferences :: Prelude.Maybe (Prelude.HashMap Prelude.Text IPSetMetadata),
+    -- | The number of CIDR blocks used by the IP set references in a firewall.
+    utilizedCIDRCount :: Prelude.Maybe Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CIDRSummary' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'availableCIDRCount', 'cIDRSummary_availableCIDRCount' - The number of CIDR blocks available for use by the IP set references in
+-- a firewall.
+--
+-- 'iPSetReferences', 'cIDRSummary_iPSetReferences' - The list of the IP set references used by a firewall.
+--
+-- 'utilizedCIDRCount', 'cIDRSummary_utilizedCIDRCount' - The number of CIDR blocks used by the IP set references in a firewall.
+newCIDRSummary ::
+  CIDRSummary
+newCIDRSummary =
+  CIDRSummary'
+    { availableCIDRCount = Prelude.Nothing,
+      iPSetReferences = Prelude.Nothing,
+      utilizedCIDRCount = Prelude.Nothing
+    }
+
+-- | The number of CIDR blocks available for use by the IP set references in
+-- a firewall.
+cIDRSummary_availableCIDRCount :: Lens.Lens' CIDRSummary (Prelude.Maybe Prelude.Natural)
+cIDRSummary_availableCIDRCount = Lens.lens (\CIDRSummary' {availableCIDRCount} -> availableCIDRCount) (\s@CIDRSummary' {} a -> s {availableCIDRCount = a} :: CIDRSummary)
+
+-- | The list of the IP set references used by a firewall.
+cIDRSummary_iPSetReferences :: Lens.Lens' CIDRSummary (Prelude.Maybe (Prelude.HashMap Prelude.Text IPSetMetadata))
+cIDRSummary_iPSetReferences = Lens.lens (\CIDRSummary' {iPSetReferences} -> iPSetReferences) (\s@CIDRSummary' {} a -> s {iPSetReferences = a} :: CIDRSummary) Prelude.. Lens.mapping Lens.coerced
+
+-- | The number of CIDR blocks used by the IP set references in a firewall.
+cIDRSummary_utilizedCIDRCount :: Lens.Lens' CIDRSummary (Prelude.Maybe Prelude.Natural)
+cIDRSummary_utilizedCIDRCount = Lens.lens (\CIDRSummary' {utilizedCIDRCount} -> utilizedCIDRCount) (\s@CIDRSummary' {} a -> s {utilizedCIDRCount = a} :: CIDRSummary)
+
+instance Data.FromJSON CIDRSummary where
+  parseJSON =
+    Data.withObject
+      "CIDRSummary"
+      ( \x ->
+          CIDRSummary'
+            Prelude.<$> (x Data..:? "AvailableCIDRCount")
+            Prelude.<*> ( x
+                            Data..:? "IPSetReferences"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> (x Data..:? "UtilizedCIDRCount")
+      )
+
+instance Prelude.Hashable CIDRSummary where
+  hashWithSalt _salt CIDRSummary' {..} =
+    _salt
+      `Prelude.hashWithSalt` availableCIDRCount
+      `Prelude.hashWithSalt` iPSetReferences
+      `Prelude.hashWithSalt` utilizedCIDRCount
+
+instance Prelude.NFData CIDRSummary where
+  rnf CIDRSummary' {..} =
+    Prelude.rnf availableCIDRCount
+      `Prelude.seq` Prelude.rnf iPSetReferences
+      `Prelude.seq` Prelude.rnf utilizedCIDRCount
diff --git a/gen/Amazonka/NetworkFirewall/Types/CapacityUsageSummary.hs b/gen/Amazonka/NetworkFirewall/Types/CapacityUsageSummary.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/CapacityUsageSummary.hs
@@ -0,0 +1,73 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.CapacityUsageSummary
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.CapacityUsageSummary where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.CIDRSummary
+import qualified Amazonka.Prelude as Prelude
+
+-- | The capacity usage summary of the resources used by the ReferenceSets in
+-- a firewall.
+--
+-- /See:/ 'newCapacityUsageSummary' smart constructor.
+data CapacityUsageSummary = CapacityUsageSummary'
+  { -- | Describes the capacity usage of the CIDR blocks used by the IP set
+    -- references in a firewall.
+    cIDRs :: Prelude.Maybe CIDRSummary
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CapacityUsageSummary' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'cIDRs', 'capacityUsageSummary_cIDRs' - Describes the capacity usage of the CIDR blocks used by the IP set
+-- references in a firewall.
+newCapacityUsageSummary ::
+  CapacityUsageSummary
+newCapacityUsageSummary =
+  CapacityUsageSummary' {cIDRs = Prelude.Nothing}
+
+-- | Describes the capacity usage of the CIDR blocks used by the IP set
+-- references in a firewall.
+capacityUsageSummary_cIDRs :: Lens.Lens' CapacityUsageSummary (Prelude.Maybe CIDRSummary)
+capacityUsageSummary_cIDRs = Lens.lens (\CapacityUsageSummary' {cIDRs} -> cIDRs) (\s@CapacityUsageSummary' {} a -> s {cIDRs = a} :: CapacityUsageSummary)
+
+instance Data.FromJSON CapacityUsageSummary where
+  parseJSON =
+    Data.withObject
+      "CapacityUsageSummary"
+      ( \x ->
+          CapacityUsageSummary'
+            Prelude.<$> (x Data..:? "CIDRs")
+      )
+
+instance Prelude.Hashable CapacityUsageSummary where
+  hashWithSalt _salt CapacityUsageSummary' {..} =
+    _salt `Prelude.hashWithSalt` cIDRs
+
+instance Prelude.NFData CapacityUsageSummary where
+  rnf CapacityUsageSummary' {..} = Prelude.rnf cIDRs
diff --git a/gen/Amazonka/NetworkFirewall/Types/ConfigurationSyncState.hs b/gen/Amazonka/NetworkFirewall/Types/ConfigurationSyncState.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ConfigurationSyncState.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ConfigurationSyncState
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ConfigurationSyncState
+  ( ConfigurationSyncState
+      ( ..,
+        ConfigurationSyncState_CAPACITY_CONSTRAINED,
+        ConfigurationSyncState_IN_SYNC,
+        ConfigurationSyncState_PENDING
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ConfigurationSyncState = ConfigurationSyncState'
+  { fromConfigurationSyncState ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ConfigurationSyncState_CAPACITY_CONSTRAINED :: ConfigurationSyncState
+pattern ConfigurationSyncState_CAPACITY_CONSTRAINED = ConfigurationSyncState' "CAPACITY_CONSTRAINED"
+
+pattern ConfigurationSyncState_IN_SYNC :: ConfigurationSyncState
+pattern ConfigurationSyncState_IN_SYNC = ConfigurationSyncState' "IN_SYNC"
+
+pattern ConfigurationSyncState_PENDING :: ConfigurationSyncState
+pattern ConfigurationSyncState_PENDING = ConfigurationSyncState' "PENDING"
+
+{-# COMPLETE
+  ConfigurationSyncState_CAPACITY_CONSTRAINED,
+  ConfigurationSyncState_IN_SYNC,
+  ConfigurationSyncState_PENDING,
+  ConfigurationSyncState'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/CustomAction.hs b/gen/Amazonka/NetworkFirewall/Types/CustomAction.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/CustomAction.hs
@@ -0,0 +1,121 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.CustomAction
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.CustomAction where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.ActionDefinition
+import qualified Amazonka.Prelude as Prelude
+
+-- | An optional, non-standard action to use for stateless packet handling.
+-- You can define this in addition to the standard action that you must
+-- specify.
+--
+-- You define and name the custom actions that you want to be able to use,
+-- and then you reference them by name in your actions settings.
+--
+-- You can use custom actions in the following places:
+--
+-- -   In a rule group\'s StatelessRulesAndCustomActions specification. The
+--     custom actions are available for use by name inside the
+--     @StatelessRulesAndCustomActions@ where you define them. You can use
+--     them for your stateless rule actions to specify what to do with a
+--     packet that matches the rule\'s match attributes.
+--
+-- -   In a FirewallPolicy specification, in @StatelessCustomActions@. The
+--     custom actions are available for use inside the policy where you
+--     define them. You can use them for the policy\'s default stateless
+--     actions settings to specify what to do with packets that don\'t
+--     match any of the policy\'s stateless rules.
+--
+-- /See:/ 'newCustomAction' smart constructor.
+data CustomAction = CustomAction'
+  { -- | The descriptive name of the custom action. You can\'t change the name of
+    -- a custom action after you create it.
+    actionName :: Prelude.Text,
+    -- | The custom action associated with the action name.
+    actionDefinition :: ActionDefinition
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CustomAction' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'actionName', 'customAction_actionName' - The descriptive name of the custom action. You can\'t change the name of
+-- a custom action after you create it.
+--
+-- 'actionDefinition', 'customAction_actionDefinition' - The custom action associated with the action name.
+newCustomAction ::
+  -- | 'actionName'
+  Prelude.Text ->
+  -- | 'actionDefinition'
+  ActionDefinition ->
+  CustomAction
+newCustomAction pActionName_ pActionDefinition_ =
+  CustomAction'
+    { actionName = pActionName_,
+      actionDefinition = pActionDefinition_
+    }
+
+-- | The descriptive name of the custom action. You can\'t change the name of
+-- a custom action after you create it.
+customAction_actionName :: Lens.Lens' CustomAction Prelude.Text
+customAction_actionName = Lens.lens (\CustomAction' {actionName} -> actionName) (\s@CustomAction' {} a -> s {actionName = a} :: CustomAction)
+
+-- | The custom action associated with the action name.
+customAction_actionDefinition :: Lens.Lens' CustomAction ActionDefinition
+customAction_actionDefinition = Lens.lens (\CustomAction' {actionDefinition} -> actionDefinition) (\s@CustomAction' {} a -> s {actionDefinition = a} :: CustomAction)
+
+instance Data.FromJSON CustomAction where
+  parseJSON =
+    Data.withObject
+      "CustomAction"
+      ( \x ->
+          CustomAction'
+            Prelude.<$> (x Data..: "ActionName")
+            Prelude.<*> (x Data..: "ActionDefinition")
+      )
+
+instance Prelude.Hashable CustomAction where
+  hashWithSalt _salt CustomAction' {..} =
+    _salt
+      `Prelude.hashWithSalt` actionName
+      `Prelude.hashWithSalt` actionDefinition
+
+instance Prelude.NFData CustomAction where
+  rnf CustomAction' {..} =
+    Prelude.rnf actionName
+      `Prelude.seq` Prelude.rnf actionDefinition
+
+instance Data.ToJSON CustomAction where
+  toJSON CustomAction' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("ActionName" Data..= actionName),
+            Prelude.Just
+              ("ActionDefinition" Data..= actionDefinition)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/Dimension.hs b/gen/Amazonka/NetworkFirewall/Types/Dimension.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Dimension.hs
@@ -0,0 +1,84 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Dimension
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Dimension where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | The value to use in an Amazon CloudWatch custom metric dimension. This
+-- is used in the @PublishMetrics@ CustomAction. A CloudWatch custom metric
+-- dimension is a name\/value pair that\'s part of the identity of a
+-- metric.
+--
+-- Network Firewall sets the dimension name to @CustomAction@ and you
+-- provide the dimension value.
+--
+-- For more information about CloudWatch custom metric dimensions, see
+-- <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html#usingDimensions Publishing Custom Metrics>
+-- in the
+-- <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html Amazon CloudWatch User Guide>.
+--
+-- /See:/ 'newDimension' smart constructor.
+data Dimension = Dimension'
+  { -- | The value to use in the custom metric dimension.
+    value :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Dimension' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'value', 'dimension_value' - The value to use in the custom metric dimension.
+newDimension ::
+  -- | 'value'
+  Prelude.Text ->
+  Dimension
+newDimension pValue_ = Dimension' {value = pValue_}
+
+-- | The value to use in the custom metric dimension.
+dimension_value :: Lens.Lens' Dimension Prelude.Text
+dimension_value = Lens.lens (\Dimension' {value} -> value) (\s@Dimension' {} a -> s {value = a} :: Dimension)
+
+instance Data.FromJSON Dimension where
+  parseJSON =
+    Data.withObject
+      "Dimension"
+      (\x -> Dimension' Prelude.<$> (x Data..: "Value"))
+
+instance Prelude.Hashable Dimension where
+  hashWithSalt _salt Dimension' {..} =
+    _salt `Prelude.hashWithSalt` value
+
+instance Prelude.NFData Dimension where
+  rnf Dimension' {..} = Prelude.rnf value
+
+instance Data.ToJSON Dimension where
+  toJSON Dimension' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("Value" Data..= value)]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/EncryptionConfiguration.hs b/gen/Amazonka/NetworkFirewall/Types/EncryptionConfiguration.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/EncryptionConfiguration.hs
@@ -0,0 +1,124 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.EncryptionConfiguration where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.EncryptionType
+import qualified Amazonka.Prelude as Prelude
+
+-- | A complex type that contains optional Amazon Web Services Key Management
+-- Service (KMS) encryption settings for your Network Firewall resources.
+-- Your data is encrypted by default with an Amazon Web Services owned key
+-- that Amazon Web Services owns and manages for you. You can use either
+-- the Amazon Web Services owned key, or provide your own customer managed
+-- key. To learn more about KMS encryption of your Network Firewall
+-- resources, see
+-- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html Encryption at rest with Amazon Web Services Key Managment Service>
+-- in the /Network Firewall Developer Guide/.
+--
+-- /See:/ 'newEncryptionConfiguration' smart constructor.
+data EncryptionConfiguration = EncryptionConfiguration'
+  { -- | The ID of the Amazon Web Services Key Management Service (KMS) customer
+    -- managed key. You can use any of the key identifiers that KMS supports,
+    -- unless you\'re using a key that\'s managed by another account. If
+    -- you\'re using a key managed by another account, then specify the key
+    -- ARN. For more information, see
+    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id Key ID>
+    -- in the /Amazon Web Services KMS Developer Guide/.
+    keyId :: Prelude.Maybe Prelude.Text,
+    -- | The type of Amazon Web Services KMS key to use for encryption of your
+    -- Network Firewall resources.
+    type' :: EncryptionType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'EncryptionConfiguration' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'keyId', 'encryptionConfiguration_keyId' - The ID of the Amazon Web Services Key Management Service (KMS) customer
+-- managed key. You can use any of the key identifiers that KMS supports,
+-- unless you\'re using a key that\'s managed by another account. If
+-- you\'re using a key managed by another account, then specify the key
+-- ARN. For more information, see
+-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id Key ID>
+-- in the /Amazon Web Services KMS Developer Guide/.
+--
+-- 'type'', 'encryptionConfiguration_type' - The type of Amazon Web Services KMS key to use for encryption of your
+-- Network Firewall resources.
+newEncryptionConfiguration ::
+  -- | 'type''
+  EncryptionType ->
+  EncryptionConfiguration
+newEncryptionConfiguration pType_ =
+  EncryptionConfiguration'
+    { keyId = Prelude.Nothing,
+      type' = pType_
+    }
+
+-- | The ID of the Amazon Web Services Key Management Service (KMS) customer
+-- managed key. You can use any of the key identifiers that KMS supports,
+-- unless you\'re using a key that\'s managed by another account. If
+-- you\'re using a key managed by another account, then specify the key
+-- ARN. For more information, see
+-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id Key ID>
+-- in the /Amazon Web Services KMS Developer Guide/.
+encryptionConfiguration_keyId :: Lens.Lens' EncryptionConfiguration (Prelude.Maybe Prelude.Text)
+encryptionConfiguration_keyId = Lens.lens (\EncryptionConfiguration' {keyId} -> keyId) (\s@EncryptionConfiguration' {} a -> s {keyId = a} :: EncryptionConfiguration)
+
+-- | The type of Amazon Web Services KMS key to use for encryption of your
+-- Network Firewall resources.
+encryptionConfiguration_type :: Lens.Lens' EncryptionConfiguration EncryptionType
+encryptionConfiguration_type = Lens.lens (\EncryptionConfiguration' {type'} -> type') (\s@EncryptionConfiguration' {} a -> s {type' = a} :: EncryptionConfiguration)
+
+instance Data.FromJSON EncryptionConfiguration where
+  parseJSON =
+    Data.withObject
+      "EncryptionConfiguration"
+      ( \x ->
+          EncryptionConfiguration'
+            Prelude.<$> (x Data..:? "KeyId")
+            Prelude.<*> (x Data..: "Type")
+      )
+
+instance Prelude.Hashable EncryptionConfiguration where
+  hashWithSalt _salt EncryptionConfiguration' {..} =
+    _salt
+      `Prelude.hashWithSalt` keyId
+      `Prelude.hashWithSalt` type'
+
+instance Prelude.NFData EncryptionConfiguration where
+  rnf EncryptionConfiguration' {..} =
+    Prelude.rnf keyId `Prelude.seq` Prelude.rnf type'
+
+instance Data.ToJSON EncryptionConfiguration where
+  toJSON EncryptionConfiguration' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("KeyId" Data..=) Prelude.<$> keyId,
+            Prelude.Just ("Type" Data..= type')
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/EncryptionType.hs b/gen/Amazonka/NetworkFirewall/Types/EncryptionType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/EncryptionType.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.EncryptionType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.EncryptionType
+  ( EncryptionType
+      ( ..,
+        EncryptionType_AWS_OWNED_KMS_KEY,
+        EncryptionType_CUSTOMER_KMS
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype EncryptionType = EncryptionType'
+  { fromEncryptionType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern EncryptionType_AWS_OWNED_KMS_KEY :: EncryptionType
+pattern EncryptionType_AWS_OWNED_KMS_KEY = EncryptionType' "AWS_OWNED_KMS_KEY"
+
+pattern EncryptionType_CUSTOMER_KMS :: EncryptionType
+pattern EncryptionType_CUSTOMER_KMS = EncryptionType' "CUSTOMER_KMS"
+
+{-# COMPLETE
+  EncryptionType_AWS_OWNED_KMS_KEY,
+  EncryptionType_CUSTOMER_KMS,
+  EncryptionType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/Firewall.hs b/gen/Amazonka/NetworkFirewall/Types/Firewall.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Firewall.hs
@@ -0,0 +1,275 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Firewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Firewall where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+import Amazonka.NetworkFirewall.Types.SubnetMapping
+import Amazonka.NetworkFirewall.Types.Tag
+import qualified Amazonka.Prelude as Prelude
+
+-- | The firewall defines the configuration settings for an Network Firewall
+-- firewall. These settings include the firewall policy, the subnets in
+-- your VPC to use for the firewall endpoints, and any tags that are
+-- attached to the firewall Amazon Web Services resource.
+--
+-- The status of the firewall, for example whether it\'s ready to filter
+-- network traffic, is provided in the corresponding FirewallStatus. You
+-- can retrieve both objects by calling DescribeFirewall.
+--
+-- /See:/ 'newFirewall' smart constructor.
+data Firewall = Firewall'
+  { -- | A flag indicating whether it is possible to delete the firewall. A
+    -- setting of @TRUE@ indicates that the firewall is protected against
+    -- deletion. Use this setting to protect against accidentally deleting a
+    -- firewall that is in use. When you create a firewall, the operation
+    -- initializes this flag to @TRUE@.
+    deleteProtection :: Prelude.Maybe Prelude.Bool,
+    -- | A description of the firewall.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains the Amazon Web Services KMS encryption
+    -- configuration settings for your firewall.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | A setting indicating whether the firewall is protected against a change
+    -- to the firewall policy association. Use this setting to protect against
+    -- accidentally modifying the firewall policy for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    firewallPolicyChangeProtection :: Prelude.Maybe Prelude.Bool,
+    -- | A setting indicating whether the firewall is protected against changes
+    -- to the subnet associations. Use this setting to protect against
+    -- accidentally modifying the subnet associations for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    subnetChangeProtection :: Prelude.Maybe Prelude.Bool,
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The Amazon Resource Name (ARN) of the firewall policy.
+    --
+    -- The relationship of firewall to firewall policy is many to one. Each
+    -- firewall requires one firewall policy association, and you can use the
+    -- same firewall policy for multiple firewalls.
+    firewallPolicyArn :: Prelude.Text,
+    -- | The unique identifier of the VPC where the firewall is in use.
+    vpcId :: Prelude.Text,
+    -- | The public subnets that Network Firewall is using for the firewall. Each
+    -- subnet must belong to a different Availability Zone.
+    subnetMappings :: [SubnetMapping],
+    -- | The unique identifier for the firewall.
+    firewallId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Firewall' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'deleteProtection', 'firewall_deleteProtection' - A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+--
+-- 'description', 'firewall_description' - A description of the firewall.
+--
+-- 'encryptionConfiguration', 'firewall_encryptionConfiguration' - A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your firewall.
+--
+-- 'firewallArn', 'firewall_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'firewall_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'firewallPolicyChangeProtection', 'firewall_firewallPolicyChangeProtection' - A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'subnetChangeProtection', 'firewall_subnetChangeProtection' - A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'tags', 'firewall_tags' -
+--
+-- 'firewallPolicyArn', 'firewall_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- The relationship of firewall to firewall policy is many to one. Each
+-- firewall requires one firewall policy association, and you can use the
+-- same firewall policy for multiple firewalls.
+--
+-- 'vpcId', 'firewall_vpcId' - The unique identifier of the VPC where the firewall is in use.
+--
+-- 'subnetMappings', 'firewall_subnetMappings' - The public subnets that Network Firewall is using for the firewall. Each
+-- subnet must belong to a different Availability Zone.
+--
+-- 'firewallId', 'firewall_firewallId' - The unique identifier for the firewall.
+newFirewall ::
+  -- | 'firewallPolicyArn'
+  Prelude.Text ->
+  -- | 'vpcId'
+  Prelude.Text ->
+  -- | 'firewallId'
+  Prelude.Text ->
+  Firewall
+newFirewall pFirewallPolicyArn_ pVpcId_ pFirewallId_ =
+  Firewall'
+    { deleteProtection = Prelude.Nothing,
+      description = Prelude.Nothing,
+      encryptionConfiguration = Prelude.Nothing,
+      firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      firewallPolicyChangeProtection = Prelude.Nothing,
+      subnetChangeProtection = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      firewallPolicyArn = pFirewallPolicyArn_,
+      vpcId = pVpcId_,
+      subnetMappings = Prelude.mempty,
+      firewallId = pFirewallId_
+    }
+
+-- | A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+firewall_deleteProtection :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Bool)
+firewall_deleteProtection = Lens.lens (\Firewall' {deleteProtection} -> deleteProtection) (\s@Firewall' {} a -> s {deleteProtection = a} :: Firewall)
+
+-- | A description of the firewall.
+firewall_description :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Text)
+firewall_description = Lens.lens (\Firewall' {description} -> description) (\s@Firewall' {} a -> s {description = a} :: Firewall)
+
+-- | A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your firewall.
+firewall_encryptionConfiguration :: Lens.Lens' Firewall (Prelude.Maybe EncryptionConfiguration)
+firewall_encryptionConfiguration = Lens.lens (\Firewall' {encryptionConfiguration} -> encryptionConfiguration) (\s@Firewall' {} a -> s {encryptionConfiguration = a} :: Firewall)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+firewall_firewallArn :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Text)
+firewall_firewallArn = Lens.lens (\Firewall' {firewallArn} -> firewallArn) (\s@Firewall' {} a -> s {firewallArn = a} :: Firewall)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+firewall_firewallName :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Text)
+firewall_firewallName = Lens.lens (\Firewall' {firewallName} -> firewallName) (\s@Firewall' {} a -> s {firewallName = a} :: Firewall)
+
+-- | A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+firewall_firewallPolicyChangeProtection :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Bool)
+firewall_firewallPolicyChangeProtection = Lens.lens (\Firewall' {firewallPolicyChangeProtection} -> firewallPolicyChangeProtection) (\s@Firewall' {} a -> s {firewallPolicyChangeProtection = a} :: Firewall)
+
+-- | A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+firewall_subnetChangeProtection :: Lens.Lens' Firewall (Prelude.Maybe Prelude.Bool)
+firewall_subnetChangeProtection = Lens.lens (\Firewall' {subnetChangeProtection} -> subnetChangeProtection) (\s@Firewall' {} a -> s {subnetChangeProtection = a} :: Firewall)
+
+firewall_tags :: Lens.Lens' Firewall (Prelude.Maybe (Prelude.NonEmpty Tag))
+firewall_tags = Lens.lens (\Firewall' {tags} -> tags) (\s@Firewall' {} a -> s {tags = a} :: Firewall) Prelude.. Lens.mapping Lens.coerced
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- The relationship of firewall to firewall policy is many to one. Each
+-- firewall requires one firewall policy association, and you can use the
+-- same firewall policy for multiple firewalls.
+firewall_firewallPolicyArn :: Lens.Lens' Firewall Prelude.Text
+firewall_firewallPolicyArn = Lens.lens (\Firewall' {firewallPolicyArn} -> firewallPolicyArn) (\s@Firewall' {} a -> s {firewallPolicyArn = a} :: Firewall)
+
+-- | The unique identifier of the VPC where the firewall is in use.
+firewall_vpcId :: Lens.Lens' Firewall Prelude.Text
+firewall_vpcId = Lens.lens (\Firewall' {vpcId} -> vpcId) (\s@Firewall' {} a -> s {vpcId = a} :: Firewall)
+
+-- | The public subnets that Network Firewall is using for the firewall. Each
+-- subnet must belong to a different Availability Zone.
+firewall_subnetMappings :: Lens.Lens' Firewall [SubnetMapping]
+firewall_subnetMappings = Lens.lens (\Firewall' {subnetMappings} -> subnetMappings) (\s@Firewall' {} a -> s {subnetMappings = a} :: Firewall) Prelude.. Lens.coerced
+
+-- | The unique identifier for the firewall.
+firewall_firewallId :: Lens.Lens' Firewall Prelude.Text
+firewall_firewallId = Lens.lens (\Firewall' {firewallId} -> firewallId) (\s@Firewall' {} a -> s {firewallId = a} :: Firewall)
+
+instance Data.FromJSON Firewall where
+  parseJSON =
+    Data.withObject
+      "Firewall"
+      ( \x ->
+          Firewall'
+            Prelude.<$> (x Data..:? "DeleteProtection")
+            Prelude.<*> (x Data..:? "Description")
+            Prelude.<*> (x Data..:? "EncryptionConfiguration")
+            Prelude.<*> (x Data..:? "FirewallArn")
+            Prelude.<*> (x Data..:? "FirewallName")
+            Prelude.<*> (x Data..:? "FirewallPolicyChangeProtection")
+            Prelude.<*> (x Data..:? "SubnetChangeProtection")
+            Prelude.<*> (x Data..:? "Tags")
+            Prelude.<*> (x Data..: "FirewallPolicyArn")
+            Prelude.<*> (x Data..: "VpcId")
+            Prelude.<*> (x Data..:? "SubnetMappings" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..: "FirewallId")
+      )
+
+instance Prelude.Hashable Firewall where
+  hashWithSalt _salt Firewall' {..} =
+    _salt
+      `Prelude.hashWithSalt` deleteProtection
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` firewallPolicyChangeProtection
+      `Prelude.hashWithSalt` subnetChangeProtection
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` vpcId
+      `Prelude.hashWithSalt` subnetMappings
+      `Prelude.hashWithSalt` firewallId
+
+instance Prelude.NFData Firewall where
+  rnf Firewall' {..} =
+    Prelude.rnf deleteProtection
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf firewallPolicyChangeProtection
+      `Prelude.seq` Prelude.rnf subnetChangeProtection
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf vpcId
+      `Prelude.seq` Prelude.rnf subnetMappings
+      `Prelude.seq` Prelude.rnf firewallId
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallMetadata.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallMetadata.hs
@@ -0,0 +1,89 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallMetadata where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | High-level information about a firewall, returned by operations like
+-- create and describe. You can use the information provided in the
+-- metadata to retrieve and manage a firewall.
+--
+-- /See:/ 'newFirewallMetadata' smart constructor.
+data FirewallMetadata = FirewallMetadata'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FirewallMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'firewallMetadata_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'firewallMetadata_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+newFirewallMetadata ::
+  FirewallMetadata
+newFirewallMetadata =
+  FirewallMetadata'
+    { firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+firewallMetadata_firewallArn :: Lens.Lens' FirewallMetadata (Prelude.Maybe Prelude.Text)
+firewallMetadata_firewallArn = Lens.lens (\FirewallMetadata' {firewallArn} -> firewallArn) (\s@FirewallMetadata' {} a -> s {firewallArn = a} :: FirewallMetadata)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+firewallMetadata_firewallName :: Lens.Lens' FirewallMetadata (Prelude.Maybe Prelude.Text)
+firewallMetadata_firewallName = Lens.lens (\FirewallMetadata' {firewallName} -> firewallName) (\s@FirewallMetadata' {} a -> s {firewallName = a} :: FirewallMetadata)
+
+instance Data.FromJSON FirewallMetadata where
+  parseJSON =
+    Data.withObject
+      "FirewallMetadata"
+      ( \x ->
+          FirewallMetadata'
+            Prelude.<$> (x Data..:? "FirewallArn")
+            Prelude.<*> (x Data..:? "FirewallName")
+      )
+
+instance Prelude.Hashable FirewallMetadata where
+  hashWithSalt _salt FirewallMetadata' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+
+instance Prelude.NFData FirewallMetadata where
+  rnf FirewallMetadata' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicy.hs
@@ -0,0 +1,333 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallPolicy where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.CustomAction
+import Amazonka.NetworkFirewall.Types.StatefulEngineOptions
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference
+import Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference
+import qualified Amazonka.Prelude as Prelude
+
+-- | The firewall policy defines the behavior of a firewall using a
+-- collection of stateless and stateful rule groups and other settings. You
+-- can use one firewall policy for multiple firewalls.
+--
+-- This, along with FirewallPolicyResponse, define the policy. You can
+-- retrieve all objects for a firewall policy by calling
+-- DescribeFirewallPolicy.
+--
+-- /See:/ 'newFirewallPolicy' smart constructor.
+data FirewallPolicy = FirewallPolicy'
+  { -- | The default actions to take on a packet that doesn\'t match any stateful
+    -- rules. The stateful default action is optional, and is only valid when
+    -- using the strict rule order.
+    --
+    -- Valid values of the stateful default action:
+    --
+    -- -   aws:drop_strict
+    --
+    -- -   aws:drop_established
+    --
+    -- -   aws:alert_strict
+    --
+    -- -   aws:alert_established
+    --
+    -- For more information, see
+    -- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order.html Strict evaluation order>
+    -- in the /Network Firewall Developer Guide/.
+    statefulDefaultActions :: Prelude.Maybe [Prelude.Text],
+    -- | Additional options governing how Network Firewall handles stateful
+    -- rules. The stateful rule groups that you use in your policy must have
+    -- stateful rule options settings that are compatible with these settings.
+    statefulEngineOptions :: Prelude.Maybe StatefulEngineOptions,
+    -- | References to the stateful rule groups that are used in the policy.
+    -- These define the inspection criteria in stateful rules.
+    statefulRuleGroupReferences :: Prelude.Maybe [StatefulRuleGroupReference],
+    -- | The custom action definitions that are available for use in the firewall
+    -- policy\'s @StatelessDefaultActions@ setting. You name each custom action
+    -- that you define, and then you can use it by name in your default actions
+    -- specifications.
+    statelessCustomActions :: Prelude.Maybe [CustomAction],
+    -- | References to the stateless rule groups that are used in the policy.
+    -- These define the matching criteria in stateless rules.
+    statelessRuleGroupReferences :: Prelude.Maybe [StatelessRuleGroupReference],
+    -- | The actions to take on a packet if it doesn\'t match any of the
+    -- stateless rules in the policy. If you want non-matching packets to be
+    -- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+    --
+    -- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+    -- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+    -- are compatible with your standard section choice.
+    --
+    -- For example, you could specify @[\"aws:pass\"]@ or you could specify
+    -- @[\"aws:pass\", “customActionName”]@. For information about
+    -- compatibility, see the custom action descriptions under CustomAction.
+    statelessDefaultActions :: [Prelude.Text],
+    -- | The actions to take on a fragmented UDP packet if it doesn\'t match any
+    -- of the stateless rules in the policy. Network Firewall only manages UDP
+    -- packet fragments and silently drops packet fragments for other
+    -- protocols. If you want non-matching fragmented UDP packets to be
+    -- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+    --
+    -- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+    -- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+    -- are compatible with your standard section choice.
+    --
+    -- For example, you could specify @[\"aws:pass\"]@ or you could specify
+    -- @[\"aws:pass\", “customActionName”]@. For information about
+    -- compatibility, see the custom action descriptions under CustomAction.
+    statelessFragmentDefaultActions :: [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'statefulDefaultActions', 'firewallPolicy_statefulDefaultActions' - The default actions to take on a packet that doesn\'t match any stateful
+-- rules. The stateful default action is optional, and is only valid when
+-- using the strict rule order.
+--
+-- Valid values of the stateful default action:
+--
+-- -   aws:drop_strict
+--
+-- -   aws:drop_established
+--
+-- -   aws:alert_strict
+--
+-- -   aws:alert_established
+--
+-- For more information, see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order.html Strict evaluation order>
+-- in the /Network Firewall Developer Guide/.
+--
+-- 'statefulEngineOptions', 'firewallPolicy_statefulEngineOptions' - Additional options governing how Network Firewall handles stateful
+-- rules. The stateful rule groups that you use in your policy must have
+-- stateful rule options settings that are compatible with these settings.
+--
+-- 'statefulRuleGroupReferences', 'firewallPolicy_statefulRuleGroupReferences' - References to the stateful rule groups that are used in the policy.
+-- These define the inspection criteria in stateful rules.
+--
+-- 'statelessCustomActions', 'firewallPolicy_statelessCustomActions' - The custom action definitions that are available for use in the firewall
+-- policy\'s @StatelessDefaultActions@ setting. You name each custom action
+-- that you define, and then you can use it by name in your default actions
+-- specifications.
+--
+-- 'statelessRuleGroupReferences', 'firewallPolicy_statelessRuleGroupReferences' - References to the stateless rule groups that are used in the policy.
+-- These define the matching criteria in stateless rules.
+--
+-- 'statelessDefaultActions', 'firewallPolicy_statelessDefaultActions' - The actions to take on a packet if it doesn\'t match any of the
+-- stateless rules in the policy. If you want non-matching packets to be
+-- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+--
+-- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+-- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+-- are compatible with your standard section choice.
+--
+-- For example, you could specify @[\"aws:pass\"]@ or you could specify
+-- @[\"aws:pass\", “customActionName”]@. For information about
+-- compatibility, see the custom action descriptions under CustomAction.
+--
+-- 'statelessFragmentDefaultActions', 'firewallPolicy_statelessFragmentDefaultActions' - The actions to take on a fragmented UDP packet if it doesn\'t match any
+-- of the stateless rules in the policy. Network Firewall only manages UDP
+-- packet fragments and silently drops packet fragments for other
+-- protocols. If you want non-matching fragmented UDP packets to be
+-- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+--
+-- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+-- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+-- are compatible with your standard section choice.
+--
+-- For example, you could specify @[\"aws:pass\"]@ or you could specify
+-- @[\"aws:pass\", “customActionName”]@. For information about
+-- compatibility, see the custom action descriptions under CustomAction.
+newFirewallPolicy ::
+  FirewallPolicy
+newFirewallPolicy =
+  FirewallPolicy'
+    { statefulDefaultActions =
+        Prelude.Nothing,
+      statefulEngineOptions = Prelude.Nothing,
+      statefulRuleGroupReferences = Prelude.Nothing,
+      statelessCustomActions = Prelude.Nothing,
+      statelessRuleGroupReferences = Prelude.Nothing,
+      statelessDefaultActions = Prelude.mempty,
+      statelessFragmentDefaultActions = Prelude.mempty
+    }
+
+-- | The default actions to take on a packet that doesn\'t match any stateful
+-- rules. The stateful default action is optional, and is only valid when
+-- using the strict rule order.
+--
+-- Valid values of the stateful default action:
+--
+-- -   aws:drop_strict
+--
+-- -   aws:drop_established
+--
+-- -   aws:alert_strict
+--
+-- -   aws:alert_established
+--
+-- For more information, see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order.html Strict evaluation order>
+-- in the /Network Firewall Developer Guide/.
+firewallPolicy_statefulDefaultActions :: Lens.Lens' FirewallPolicy (Prelude.Maybe [Prelude.Text])
+firewallPolicy_statefulDefaultActions = Lens.lens (\FirewallPolicy' {statefulDefaultActions} -> statefulDefaultActions) (\s@FirewallPolicy' {} a -> s {statefulDefaultActions = a} :: FirewallPolicy) Prelude.. Lens.mapping Lens.coerced
+
+-- | Additional options governing how Network Firewall handles stateful
+-- rules. The stateful rule groups that you use in your policy must have
+-- stateful rule options settings that are compatible with these settings.
+firewallPolicy_statefulEngineOptions :: Lens.Lens' FirewallPolicy (Prelude.Maybe StatefulEngineOptions)
+firewallPolicy_statefulEngineOptions = Lens.lens (\FirewallPolicy' {statefulEngineOptions} -> statefulEngineOptions) (\s@FirewallPolicy' {} a -> s {statefulEngineOptions = a} :: FirewallPolicy)
+
+-- | References to the stateful rule groups that are used in the policy.
+-- These define the inspection criteria in stateful rules.
+firewallPolicy_statefulRuleGroupReferences :: Lens.Lens' FirewallPolicy (Prelude.Maybe [StatefulRuleGroupReference])
+firewallPolicy_statefulRuleGroupReferences = Lens.lens (\FirewallPolicy' {statefulRuleGroupReferences} -> statefulRuleGroupReferences) (\s@FirewallPolicy' {} a -> s {statefulRuleGroupReferences = a} :: FirewallPolicy) Prelude.. Lens.mapping Lens.coerced
+
+-- | The custom action definitions that are available for use in the firewall
+-- policy\'s @StatelessDefaultActions@ setting. You name each custom action
+-- that you define, and then you can use it by name in your default actions
+-- specifications.
+firewallPolicy_statelessCustomActions :: Lens.Lens' FirewallPolicy (Prelude.Maybe [CustomAction])
+firewallPolicy_statelessCustomActions = Lens.lens (\FirewallPolicy' {statelessCustomActions} -> statelessCustomActions) (\s@FirewallPolicy' {} a -> s {statelessCustomActions = a} :: FirewallPolicy) Prelude.. Lens.mapping Lens.coerced
+
+-- | References to the stateless rule groups that are used in the policy.
+-- These define the matching criteria in stateless rules.
+firewallPolicy_statelessRuleGroupReferences :: Lens.Lens' FirewallPolicy (Prelude.Maybe [StatelessRuleGroupReference])
+firewallPolicy_statelessRuleGroupReferences = Lens.lens (\FirewallPolicy' {statelessRuleGroupReferences} -> statelessRuleGroupReferences) (\s@FirewallPolicy' {} a -> s {statelessRuleGroupReferences = a} :: FirewallPolicy) Prelude.. Lens.mapping Lens.coerced
+
+-- | The actions to take on a packet if it doesn\'t match any of the
+-- stateless rules in the policy. If you want non-matching packets to be
+-- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+--
+-- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+-- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+-- are compatible with your standard section choice.
+--
+-- For example, you could specify @[\"aws:pass\"]@ or you could specify
+-- @[\"aws:pass\", “customActionName”]@. For information about
+-- compatibility, see the custom action descriptions under CustomAction.
+firewallPolicy_statelessDefaultActions :: Lens.Lens' FirewallPolicy [Prelude.Text]
+firewallPolicy_statelessDefaultActions = Lens.lens (\FirewallPolicy' {statelessDefaultActions} -> statelessDefaultActions) (\s@FirewallPolicy' {} a -> s {statelessDefaultActions = a} :: FirewallPolicy) Prelude.. Lens.coerced
+
+-- | The actions to take on a fragmented UDP packet if it doesn\'t match any
+-- of the stateless rules in the policy. Network Firewall only manages UDP
+-- packet fragments and silently drops packet fragments for other
+-- protocols. If you want non-matching fragmented UDP packets to be
+-- forwarded for stateful inspection, specify @aws:forward_to_sfe@.
+--
+-- You must specify one of the standard actions: @aws:pass@, @aws:drop@, or
+-- @aws:forward_to_sfe@. In addition, you can specify custom actions that
+-- are compatible with your standard section choice.
+--
+-- For example, you could specify @[\"aws:pass\"]@ or you could specify
+-- @[\"aws:pass\", “customActionName”]@. For information about
+-- compatibility, see the custom action descriptions under CustomAction.
+firewallPolicy_statelessFragmentDefaultActions :: Lens.Lens' FirewallPolicy [Prelude.Text]
+firewallPolicy_statelessFragmentDefaultActions = Lens.lens (\FirewallPolicy' {statelessFragmentDefaultActions} -> statelessFragmentDefaultActions) (\s@FirewallPolicy' {} a -> s {statelessFragmentDefaultActions = a} :: FirewallPolicy) Prelude.. Lens.coerced
+
+instance Data.FromJSON FirewallPolicy where
+  parseJSON =
+    Data.withObject
+      "FirewallPolicy"
+      ( \x ->
+          FirewallPolicy'
+            Prelude.<$> ( x
+                            Data..:? "StatefulDefaultActions"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> (x Data..:? "StatefulEngineOptions")
+            Prelude.<*> ( x
+                            Data..:? "StatefulRuleGroupReferences"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> ( x
+                            Data..:? "StatelessCustomActions"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> ( x
+                            Data..:? "StatelessRuleGroupReferences"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> ( x
+                            Data..:? "StatelessDefaultActions"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> ( x
+                            Data..:? "StatelessFragmentDefaultActions"
+                            Data..!= Prelude.mempty
+                        )
+      )
+
+instance Prelude.Hashable FirewallPolicy where
+  hashWithSalt _salt FirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` statefulDefaultActions
+      `Prelude.hashWithSalt` statefulEngineOptions
+      `Prelude.hashWithSalt` statefulRuleGroupReferences
+      `Prelude.hashWithSalt` statelessCustomActions
+      `Prelude.hashWithSalt` statelessRuleGroupReferences
+      `Prelude.hashWithSalt` statelessDefaultActions
+      `Prelude.hashWithSalt` statelessFragmentDefaultActions
+
+instance Prelude.NFData FirewallPolicy where
+  rnf FirewallPolicy' {..} =
+    Prelude.rnf statefulDefaultActions
+      `Prelude.seq` Prelude.rnf statefulEngineOptions
+      `Prelude.seq` Prelude.rnf statefulRuleGroupReferences
+      `Prelude.seq` Prelude.rnf statelessCustomActions
+      `Prelude.seq` Prelude.rnf statelessRuleGroupReferences
+      `Prelude.seq` Prelude.rnf statelessDefaultActions
+      `Prelude.seq` Prelude.rnf statelessFragmentDefaultActions
+
+instance Data.ToJSON FirewallPolicy where
+  toJSON FirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("StatefulDefaultActions" Data..=)
+              Prelude.<$> statefulDefaultActions,
+            ("StatefulEngineOptions" Data..=)
+              Prelude.<$> statefulEngineOptions,
+            ("StatefulRuleGroupReferences" Data..=)
+              Prelude.<$> statefulRuleGroupReferences,
+            ("StatelessCustomActions" Data..=)
+              Prelude.<$> statelessCustomActions,
+            ("StatelessRuleGroupReferences" Data..=)
+              Prelude.<$> statelessRuleGroupReferences,
+            Prelude.Just
+              ( "StatelessDefaultActions"
+                  Data..= statelessDefaultActions
+              ),
+            Prelude.Just
+              ( "StatelessFragmentDefaultActions"
+                  Data..= statelessFragmentDefaultActions
+              )
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyMetadata.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyMetadata.hs
@@ -0,0 +1,89 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallPolicyMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallPolicyMetadata where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | High-level information about a firewall policy, returned by operations
+-- like create and describe. You can use the information provided in the
+-- metadata to retrieve and manage a firewall policy. You can retrieve all
+-- objects for a firewall policy by calling DescribeFirewallPolicy.
+--
+-- /See:/ 'newFirewallPolicyMetadata' smart constructor.
+data FirewallPolicyMetadata = FirewallPolicyMetadata'
+  { -- | The Amazon Resource Name (ARN) of the firewall policy.
+    arn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    name :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FirewallPolicyMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'arn', 'firewallPolicyMetadata_arn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- 'name', 'firewallPolicyMetadata_name' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+newFirewallPolicyMetadata ::
+  FirewallPolicyMetadata
+newFirewallPolicyMetadata =
+  FirewallPolicyMetadata'
+    { arn = Prelude.Nothing,
+      name = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+firewallPolicyMetadata_arn :: Lens.Lens' FirewallPolicyMetadata (Prelude.Maybe Prelude.Text)
+firewallPolicyMetadata_arn = Lens.lens (\FirewallPolicyMetadata' {arn} -> arn) (\s@FirewallPolicyMetadata' {} a -> s {arn = a} :: FirewallPolicyMetadata)
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+firewallPolicyMetadata_name :: Lens.Lens' FirewallPolicyMetadata (Prelude.Maybe Prelude.Text)
+firewallPolicyMetadata_name = Lens.lens (\FirewallPolicyMetadata' {name} -> name) (\s@FirewallPolicyMetadata' {} a -> s {name = a} :: FirewallPolicyMetadata)
+
+instance Data.FromJSON FirewallPolicyMetadata where
+  parseJSON =
+    Data.withObject
+      "FirewallPolicyMetadata"
+      ( \x ->
+          FirewallPolicyMetadata'
+            Prelude.<$> (x Data..:? "Arn")
+            Prelude.<*> (x Data..:? "Name")
+      )
+
+instance Prelude.Hashable FirewallPolicyMetadata where
+  hashWithSalt _salt FirewallPolicyMetadata' {..} =
+    _salt
+      `Prelude.hashWithSalt` arn
+      `Prelude.hashWithSalt` name
+
+instance Prelude.NFData FirewallPolicyMetadata where
+  rnf FirewallPolicyMetadata' {..} =
+    Prelude.rnf arn `Prelude.seq` Prelude.rnf name
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyResponse.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyResponse.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallPolicyResponse.hs
@@ -0,0 +1,237 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallPolicyResponse
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallPolicyResponse where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+import Amazonka.NetworkFirewall.Types.ResourceStatus
+import Amazonka.NetworkFirewall.Types.Tag
+import qualified Amazonka.Prelude as Prelude
+
+-- | The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+--
+-- /See:/ 'newFirewallPolicyResponse' smart constructor.
+data FirewallPolicyResponse = FirewallPolicyResponse'
+  { -- | The number of capacity units currently consumed by the policy\'s
+    -- stateful rules.
+    consumedStatefulRuleCapacity :: Prelude.Maybe Prelude.Int,
+    -- | The number of capacity units currently consumed by the policy\'s
+    -- stateless rules.
+    consumedStatelessRuleCapacity :: Prelude.Maybe Prelude.Int,
+    -- | A description of the firewall policy.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains the Amazon Web Services KMS encryption
+    -- configuration settings for your firewall policy.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The current status of the firewall policy. You can retrieve this for a
+    -- firewall policy by calling DescribeFirewallPolicy and providing the
+    -- firewall policy\'s name or ARN.
+    firewallPolicyStatus :: Prelude.Maybe ResourceStatus,
+    -- | The last time that the firewall policy was changed.
+    lastModifiedTime :: Prelude.Maybe Data.POSIX,
+    -- | The number of firewalls that are associated with this firewall policy.
+    numberOfAssociations :: Prelude.Maybe Prelude.Int,
+    -- | The key:value pairs to associate with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    firewallPolicyName :: Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the firewall policy.
+    --
+    -- If this response is for a create request that had @DryRun@ set to
+    -- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+    -- resource.
+    firewallPolicyArn :: Prelude.Text,
+    -- | The unique identifier for the firewall policy.
+    firewallPolicyId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'consumedStatefulRuleCapacity', 'firewallPolicyResponse_consumedStatefulRuleCapacity' - The number of capacity units currently consumed by the policy\'s
+-- stateful rules.
+--
+-- 'consumedStatelessRuleCapacity', 'firewallPolicyResponse_consumedStatelessRuleCapacity' - The number of capacity units currently consumed by the policy\'s
+-- stateless rules.
+--
+-- 'description', 'firewallPolicyResponse_description' - A description of the firewall policy.
+--
+-- 'encryptionConfiguration', 'firewallPolicyResponse_encryptionConfiguration' - A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your firewall policy.
+--
+-- 'firewallPolicyStatus', 'firewallPolicyResponse_firewallPolicyStatus' - The current status of the firewall policy. You can retrieve this for a
+-- firewall policy by calling DescribeFirewallPolicy and providing the
+-- firewall policy\'s name or ARN.
+--
+-- 'lastModifiedTime', 'firewallPolicyResponse_lastModifiedTime' - The last time that the firewall policy was changed.
+--
+-- 'numberOfAssociations', 'firewallPolicyResponse_numberOfAssociations' - The number of firewalls that are associated with this firewall policy.
+--
+-- 'tags', 'firewallPolicyResponse_tags' - The key:value pairs to associate with the resource.
+--
+-- 'firewallPolicyName', 'firewallPolicyResponse_firewallPolicyName' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- 'firewallPolicyArn', 'firewallPolicyResponse_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- If this response is for a create request that had @DryRun@ set to
+-- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+-- resource.
+--
+-- 'firewallPolicyId', 'firewallPolicyResponse_firewallPolicyId' - The unique identifier for the firewall policy.
+newFirewallPolicyResponse ::
+  -- | 'firewallPolicyName'
+  Prelude.Text ->
+  -- | 'firewallPolicyArn'
+  Prelude.Text ->
+  -- | 'firewallPolicyId'
+  Prelude.Text ->
+  FirewallPolicyResponse
+newFirewallPolicyResponse
+  pFirewallPolicyName_
+  pFirewallPolicyArn_
+  pFirewallPolicyId_ =
+    FirewallPolicyResponse'
+      { consumedStatefulRuleCapacity =
+          Prelude.Nothing,
+        consumedStatelessRuleCapacity = Prelude.Nothing,
+        description = Prelude.Nothing,
+        encryptionConfiguration = Prelude.Nothing,
+        firewallPolicyStatus = Prelude.Nothing,
+        lastModifiedTime = Prelude.Nothing,
+        numberOfAssociations = Prelude.Nothing,
+        tags = Prelude.Nothing,
+        firewallPolicyName = pFirewallPolicyName_,
+        firewallPolicyArn = pFirewallPolicyArn_,
+        firewallPolicyId = pFirewallPolicyId_
+      }
+
+-- | The number of capacity units currently consumed by the policy\'s
+-- stateful rules.
+firewallPolicyResponse_consumedStatefulRuleCapacity :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe Prelude.Int)
+firewallPolicyResponse_consumedStatefulRuleCapacity = Lens.lens (\FirewallPolicyResponse' {consumedStatefulRuleCapacity} -> consumedStatefulRuleCapacity) (\s@FirewallPolicyResponse' {} a -> s {consumedStatefulRuleCapacity = a} :: FirewallPolicyResponse)
+
+-- | The number of capacity units currently consumed by the policy\'s
+-- stateless rules.
+firewallPolicyResponse_consumedStatelessRuleCapacity :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe Prelude.Int)
+firewallPolicyResponse_consumedStatelessRuleCapacity = Lens.lens (\FirewallPolicyResponse' {consumedStatelessRuleCapacity} -> consumedStatelessRuleCapacity) (\s@FirewallPolicyResponse' {} a -> s {consumedStatelessRuleCapacity = a} :: FirewallPolicyResponse)
+
+-- | A description of the firewall policy.
+firewallPolicyResponse_description :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe Prelude.Text)
+firewallPolicyResponse_description = Lens.lens (\FirewallPolicyResponse' {description} -> description) (\s@FirewallPolicyResponse' {} a -> s {description = a} :: FirewallPolicyResponse)
+
+-- | A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your firewall policy.
+firewallPolicyResponse_encryptionConfiguration :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe EncryptionConfiguration)
+firewallPolicyResponse_encryptionConfiguration = Lens.lens (\FirewallPolicyResponse' {encryptionConfiguration} -> encryptionConfiguration) (\s@FirewallPolicyResponse' {} a -> s {encryptionConfiguration = a} :: FirewallPolicyResponse)
+
+-- | The current status of the firewall policy. You can retrieve this for a
+-- firewall policy by calling DescribeFirewallPolicy and providing the
+-- firewall policy\'s name or ARN.
+firewallPolicyResponse_firewallPolicyStatus :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe ResourceStatus)
+firewallPolicyResponse_firewallPolicyStatus = Lens.lens (\FirewallPolicyResponse' {firewallPolicyStatus} -> firewallPolicyStatus) (\s@FirewallPolicyResponse' {} a -> s {firewallPolicyStatus = a} :: FirewallPolicyResponse)
+
+-- | The last time that the firewall policy was changed.
+firewallPolicyResponse_lastModifiedTime :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe Prelude.UTCTime)
+firewallPolicyResponse_lastModifiedTime = Lens.lens (\FirewallPolicyResponse' {lastModifiedTime} -> lastModifiedTime) (\s@FirewallPolicyResponse' {} a -> s {lastModifiedTime = a} :: FirewallPolicyResponse) Prelude.. Lens.mapping Data._Time
+
+-- | The number of firewalls that are associated with this firewall policy.
+firewallPolicyResponse_numberOfAssociations :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe Prelude.Int)
+firewallPolicyResponse_numberOfAssociations = Lens.lens (\FirewallPolicyResponse' {numberOfAssociations} -> numberOfAssociations) (\s@FirewallPolicyResponse' {} a -> s {numberOfAssociations = a} :: FirewallPolicyResponse)
+
+-- | The key:value pairs to associate with the resource.
+firewallPolicyResponse_tags :: Lens.Lens' FirewallPolicyResponse (Prelude.Maybe (Prelude.NonEmpty Tag))
+firewallPolicyResponse_tags = Lens.lens (\FirewallPolicyResponse' {tags} -> tags) (\s@FirewallPolicyResponse' {} a -> s {tags = a} :: FirewallPolicyResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+firewallPolicyResponse_firewallPolicyName :: Lens.Lens' FirewallPolicyResponse Prelude.Text
+firewallPolicyResponse_firewallPolicyName = Lens.lens (\FirewallPolicyResponse' {firewallPolicyName} -> firewallPolicyName) (\s@FirewallPolicyResponse' {} a -> s {firewallPolicyName = a} :: FirewallPolicyResponse)
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- If this response is for a create request that had @DryRun@ set to
+-- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+-- resource.
+firewallPolicyResponse_firewallPolicyArn :: Lens.Lens' FirewallPolicyResponse Prelude.Text
+firewallPolicyResponse_firewallPolicyArn = Lens.lens (\FirewallPolicyResponse' {firewallPolicyArn} -> firewallPolicyArn) (\s@FirewallPolicyResponse' {} a -> s {firewallPolicyArn = a} :: FirewallPolicyResponse)
+
+-- | The unique identifier for the firewall policy.
+firewallPolicyResponse_firewallPolicyId :: Lens.Lens' FirewallPolicyResponse Prelude.Text
+firewallPolicyResponse_firewallPolicyId = Lens.lens (\FirewallPolicyResponse' {firewallPolicyId} -> firewallPolicyId) (\s@FirewallPolicyResponse' {} a -> s {firewallPolicyId = a} :: FirewallPolicyResponse)
+
+instance Data.FromJSON FirewallPolicyResponse where
+  parseJSON =
+    Data.withObject
+      "FirewallPolicyResponse"
+      ( \x ->
+          FirewallPolicyResponse'
+            Prelude.<$> (x Data..:? "ConsumedStatefulRuleCapacity")
+            Prelude.<*> (x Data..:? "ConsumedStatelessRuleCapacity")
+            Prelude.<*> (x Data..:? "Description")
+            Prelude.<*> (x Data..:? "EncryptionConfiguration")
+            Prelude.<*> (x Data..:? "FirewallPolicyStatus")
+            Prelude.<*> (x Data..:? "LastModifiedTime")
+            Prelude.<*> (x Data..:? "NumberOfAssociations")
+            Prelude.<*> (x Data..:? "Tags")
+            Prelude.<*> (x Data..: "FirewallPolicyName")
+            Prelude.<*> (x Data..: "FirewallPolicyArn")
+            Prelude.<*> (x Data..: "FirewallPolicyId")
+      )
+
+instance Prelude.Hashable FirewallPolicyResponse where
+  hashWithSalt _salt FirewallPolicyResponse' {..} =
+    _salt
+      `Prelude.hashWithSalt` consumedStatefulRuleCapacity
+      `Prelude.hashWithSalt` consumedStatelessRuleCapacity
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` firewallPolicyStatus
+      `Prelude.hashWithSalt` lastModifiedTime
+      `Prelude.hashWithSalt` numberOfAssociations
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` firewallPolicyName
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` firewallPolicyId
+
+instance Prelude.NFData FirewallPolicyResponse where
+  rnf FirewallPolicyResponse' {..} =
+    Prelude.rnf consumedStatefulRuleCapacity
+      `Prelude.seq` Prelude.rnf consumedStatelessRuleCapacity
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf firewallPolicyStatus
+      `Prelude.seq` Prelude.rnf lastModifiedTime
+      `Prelude.seq` Prelude.rnf numberOfAssociations
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf firewallPolicyName
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf firewallPolicyId
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallStatus.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallStatus.hs
@@ -0,0 +1,191 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallStatus where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.CapacityUsageSummary
+import Amazonka.NetworkFirewall.Types.ConfigurationSyncState
+import Amazonka.NetworkFirewall.Types.FirewallStatusValue
+import Amazonka.NetworkFirewall.Types.SyncState
+import qualified Amazonka.Prelude as Prelude
+
+-- | Detailed information about the current status of a Firewall. You can
+-- retrieve this for a firewall by calling DescribeFirewall and providing
+-- the firewall name and ARN.
+--
+-- /See:/ 'newFirewallStatus' smart constructor.
+data FirewallStatus = FirewallStatus'
+  { -- | Describes the capacity usage of the resources contained in a firewall\'s
+    -- reference sets. Network Firewall calclulates the capacity usage by
+    -- taking an aggregated count of all of the resources used by all of the
+    -- reference sets in a firewall.
+    capacityUsageSummary :: Prelude.Maybe CapacityUsageSummary,
+    -- | The subnets that you\'ve configured for use by the Network Firewall
+    -- firewall. This contains one array element per Availability Zone where
+    -- you\'ve configured a subnet. These objects provide details of the
+    -- information that is summarized in the @ConfigurationSyncStateSummary@
+    -- and @Status@, broken down by zone and configuration object.
+    syncStates :: Prelude.Maybe (Prelude.HashMap Prelude.Text SyncState),
+    -- | The readiness of the configured firewall to handle network traffic
+    -- across all of the Availability Zones where you\'ve configured it. This
+    -- setting is @READY@ only when the @ConfigurationSyncStateSummary@ value
+    -- is @IN_SYNC@ and the @Attachment@ @Status@ values for all of the
+    -- configured subnets are @READY@.
+    status :: FirewallStatusValue,
+    -- | The configuration sync state for the firewall. This summarizes the sync
+    -- states reported in the @Config@ settings for all of the Availability
+    -- Zones where you have configured the firewall.
+    --
+    -- When you create a firewall or update its configuration, for example by
+    -- adding a rule group to its firewall policy, Network Firewall distributes
+    -- the configuration changes to all zones where the firewall is in use.
+    -- This summary indicates whether the configuration changes have been
+    -- applied everywhere.
+    --
+    -- This status must be @IN_SYNC@ for the firewall to be ready for use, but
+    -- it doesn\'t indicate that the firewall is ready. The @Status@ setting
+    -- indicates firewall readiness.
+    configurationSyncStateSummary :: ConfigurationSyncState
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FirewallStatus' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'capacityUsageSummary', 'firewallStatus_capacityUsageSummary' - Describes the capacity usage of the resources contained in a firewall\'s
+-- reference sets. Network Firewall calclulates the capacity usage by
+-- taking an aggregated count of all of the resources used by all of the
+-- reference sets in a firewall.
+--
+-- 'syncStates', 'firewallStatus_syncStates' - The subnets that you\'ve configured for use by the Network Firewall
+-- firewall. This contains one array element per Availability Zone where
+-- you\'ve configured a subnet. These objects provide details of the
+-- information that is summarized in the @ConfigurationSyncStateSummary@
+-- and @Status@, broken down by zone and configuration object.
+--
+-- 'status', 'firewallStatus_status' - The readiness of the configured firewall to handle network traffic
+-- across all of the Availability Zones where you\'ve configured it. This
+-- setting is @READY@ only when the @ConfigurationSyncStateSummary@ value
+-- is @IN_SYNC@ and the @Attachment@ @Status@ values for all of the
+-- configured subnets are @READY@.
+--
+-- 'configurationSyncStateSummary', 'firewallStatus_configurationSyncStateSummary' - The configuration sync state for the firewall. This summarizes the sync
+-- states reported in the @Config@ settings for all of the Availability
+-- Zones where you have configured the firewall.
+--
+-- When you create a firewall or update its configuration, for example by
+-- adding a rule group to its firewall policy, Network Firewall distributes
+-- the configuration changes to all zones where the firewall is in use.
+-- This summary indicates whether the configuration changes have been
+-- applied everywhere.
+--
+-- This status must be @IN_SYNC@ for the firewall to be ready for use, but
+-- it doesn\'t indicate that the firewall is ready. The @Status@ setting
+-- indicates firewall readiness.
+newFirewallStatus ::
+  -- | 'status'
+  FirewallStatusValue ->
+  -- | 'configurationSyncStateSummary'
+  ConfigurationSyncState ->
+  FirewallStatus
+newFirewallStatus
+  pStatus_
+  pConfigurationSyncStateSummary_ =
+    FirewallStatus'
+      { capacityUsageSummary =
+          Prelude.Nothing,
+        syncStates = Prelude.Nothing,
+        status = pStatus_,
+        configurationSyncStateSummary =
+          pConfigurationSyncStateSummary_
+      }
+
+-- | Describes the capacity usage of the resources contained in a firewall\'s
+-- reference sets. Network Firewall calclulates the capacity usage by
+-- taking an aggregated count of all of the resources used by all of the
+-- reference sets in a firewall.
+firewallStatus_capacityUsageSummary :: Lens.Lens' FirewallStatus (Prelude.Maybe CapacityUsageSummary)
+firewallStatus_capacityUsageSummary = Lens.lens (\FirewallStatus' {capacityUsageSummary} -> capacityUsageSummary) (\s@FirewallStatus' {} a -> s {capacityUsageSummary = a} :: FirewallStatus)
+
+-- | The subnets that you\'ve configured for use by the Network Firewall
+-- firewall. This contains one array element per Availability Zone where
+-- you\'ve configured a subnet. These objects provide details of the
+-- information that is summarized in the @ConfigurationSyncStateSummary@
+-- and @Status@, broken down by zone and configuration object.
+firewallStatus_syncStates :: Lens.Lens' FirewallStatus (Prelude.Maybe (Prelude.HashMap Prelude.Text SyncState))
+firewallStatus_syncStates = Lens.lens (\FirewallStatus' {syncStates} -> syncStates) (\s@FirewallStatus' {} a -> s {syncStates = a} :: FirewallStatus) Prelude.. Lens.mapping Lens.coerced
+
+-- | The readiness of the configured firewall to handle network traffic
+-- across all of the Availability Zones where you\'ve configured it. This
+-- setting is @READY@ only when the @ConfigurationSyncStateSummary@ value
+-- is @IN_SYNC@ and the @Attachment@ @Status@ values for all of the
+-- configured subnets are @READY@.
+firewallStatus_status :: Lens.Lens' FirewallStatus FirewallStatusValue
+firewallStatus_status = Lens.lens (\FirewallStatus' {status} -> status) (\s@FirewallStatus' {} a -> s {status = a} :: FirewallStatus)
+
+-- | The configuration sync state for the firewall. This summarizes the sync
+-- states reported in the @Config@ settings for all of the Availability
+-- Zones where you have configured the firewall.
+--
+-- When you create a firewall or update its configuration, for example by
+-- adding a rule group to its firewall policy, Network Firewall distributes
+-- the configuration changes to all zones where the firewall is in use.
+-- This summary indicates whether the configuration changes have been
+-- applied everywhere.
+--
+-- This status must be @IN_SYNC@ for the firewall to be ready for use, but
+-- it doesn\'t indicate that the firewall is ready. The @Status@ setting
+-- indicates firewall readiness.
+firewallStatus_configurationSyncStateSummary :: Lens.Lens' FirewallStatus ConfigurationSyncState
+firewallStatus_configurationSyncStateSummary = Lens.lens (\FirewallStatus' {configurationSyncStateSummary} -> configurationSyncStateSummary) (\s@FirewallStatus' {} a -> s {configurationSyncStateSummary = a} :: FirewallStatus)
+
+instance Data.FromJSON FirewallStatus where
+  parseJSON =
+    Data.withObject
+      "FirewallStatus"
+      ( \x ->
+          FirewallStatus'
+            Prelude.<$> (x Data..:? "CapacityUsageSummary")
+            Prelude.<*> (x Data..:? "SyncStates" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..: "Status")
+            Prelude.<*> (x Data..: "ConfigurationSyncStateSummary")
+      )
+
+instance Prelude.Hashable FirewallStatus where
+  hashWithSalt _salt FirewallStatus' {..} =
+    _salt
+      `Prelude.hashWithSalt` capacityUsageSummary
+      `Prelude.hashWithSalt` syncStates
+      `Prelude.hashWithSalt` status
+      `Prelude.hashWithSalt` configurationSyncStateSummary
+
+instance Prelude.NFData FirewallStatus where
+  rnf FirewallStatus' {..} =
+    Prelude.rnf capacityUsageSummary
+      `Prelude.seq` Prelude.rnf syncStates
+      `Prelude.seq` Prelude.rnf status
+      `Prelude.seq` Prelude.rnf configurationSyncStateSummary
diff --git a/gen/Amazonka/NetworkFirewall/Types/FirewallStatusValue.hs b/gen/Amazonka/NetworkFirewall/Types/FirewallStatusValue.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/FirewallStatusValue.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.FirewallStatusValue
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.FirewallStatusValue
+  ( FirewallStatusValue
+      ( ..,
+        FirewallStatusValue_DELETING,
+        FirewallStatusValue_PROVISIONING,
+        FirewallStatusValue_READY
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype FirewallStatusValue = FirewallStatusValue'
+  { fromFirewallStatusValue ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern FirewallStatusValue_DELETING :: FirewallStatusValue
+pattern FirewallStatusValue_DELETING = FirewallStatusValue' "DELETING"
+
+pattern FirewallStatusValue_PROVISIONING :: FirewallStatusValue
+pattern FirewallStatusValue_PROVISIONING = FirewallStatusValue' "PROVISIONING"
+
+pattern FirewallStatusValue_READY :: FirewallStatusValue
+pattern FirewallStatusValue_READY = FirewallStatusValue' "READY"
+
+{-# COMPLETE
+  FirewallStatusValue_DELETING,
+  FirewallStatusValue_PROVISIONING,
+  FirewallStatusValue_READY,
+  FirewallStatusValue'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/GeneratedRulesType.hs b/gen/Amazonka/NetworkFirewall/Types/GeneratedRulesType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/GeneratedRulesType.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.GeneratedRulesType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.GeneratedRulesType
+  ( GeneratedRulesType
+      ( ..,
+        GeneratedRulesType_ALLOWLIST,
+        GeneratedRulesType_DENYLIST
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype GeneratedRulesType = GeneratedRulesType'
+  { fromGeneratedRulesType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern GeneratedRulesType_ALLOWLIST :: GeneratedRulesType
+pattern GeneratedRulesType_ALLOWLIST = GeneratedRulesType' "ALLOWLIST"
+
+pattern GeneratedRulesType_DENYLIST :: GeneratedRulesType
+pattern GeneratedRulesType_DENYLIST = GeneratedRulesType' "DENYLIST"
+
+{-# COMPLETE
+  GeneratedRulesType_ALLOWLIST,
+  GeneratedRulesType_DENYLIST,
+  GeneratedRulesType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/Header.hs b/gen/Amazonka/NetworkFirewall/Types/Header.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Header.hs
@@ -0,0 +1,291 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Header
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Header where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.StatefulRuleDirection
+import Amazonka.NetworkFirewall.Types.StatefulRuleProtocol
+import qualified Amazonka.Prelude as Prelude
+
+-- | The basic rule criteria for Network Firewall to use to inspect packet
+-- headers in stateful traffic flow inspection. Traffic flows that match
+-- the criteria are a match for the corresponding StatefulRule.
+--
+-- /See:/ 'newHeader' smart constructor.
+data Header = Header'
+  { -- | The protocol to inspect for. To specify all, you can use @IP@, because
+    -- all traffic on Amazon Web Services and on the internet is IP.
+    protocol :: StatefulRuleProtocol,
+    -- | The source IP address or address range to inspect for, in CIDR notation.
+    -- To match with any address, specify @ANY@.
+    --
+    -- Specify an IP address or a block of IP addresses in Classless
+    -- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+    -- address ranges for IPv4.
+    --
+    -- Examples:
+    --
+    -- -   To configure Network Firewall to inspect for the IP address
+    --     192.0.2.44, specify @192.0.2.44\/32@.
+    --
+    -- -   To configure Network Firewall to inspect for IP addresses from
+    --     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+    --
+    -- For more information about CIDR notation, see the Wikipedia entry
+    -- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+    source :: Prelude.Text,
+    -- | The source port to inspect for. You can specify an individual port, for
+    -- example @1994@ and you can specify a port range, for example
+    -- @1990:1994@. To match with any port, specify @ANY@.
+    sourcePort :: Prelude.Text,
+    -- | The direction of traffic flow to inspect. If set to @ANY@, the
+    -- inspection matches bidirectional traffic, both from the source to the
+    -- destination and from the destination to the source. If set to @FORWARD@,
+    -- the inspection only matches traffic going from the source to the
+    -- destination.
+    direction :: StatefulRuleDirection,
+    -- | The destination IP address or address range to inspect for, in CIDR
+    -- notation. To match with any address, specify @ANY@.
+    --
+    -- Specify an IP address or a block of IP addresses in Classless
+    -- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+    -- address ranges for IPv4.
+    --
+    -- Examples:
+    --
+    -- -   To configure Network Firewall to inspect for the IP address
+    --     192.0.2.44, specify @192.0.2.44\/32@.
+    --
+    -- -   To configure Network Firewall to inspect for IP addresses from
+    --     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+    --
+    -- For more information about CIDR notation, see the Wikipedia entry
+    -- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+    destination :: Prelude.Text,
+    -- | The destination port to inspect for. You can specify an individual port,
+    -- for example @1994@ and you can specify a port range, for example
+    -- @1990:1994@. To match with any port, specify @ANY@.
+    destinationPort :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Header' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'protocol', 'header_protocol' - The protocol to inspect for. To specify all, you can use @IP@, because
+-- all traffic on Amazon Web Services and on the internet is IP.
+--
+-- 'source', 'header_source' - The source IP address or address range to inspect for, in CIDR notation.
+-- To match with any address, specify @ANY@.
+--
+-- Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+--
+-- 'sourcePort', 'header_sourcePort' - The source port to inspect for. You can specify an individual port, for
+-- example @1994@ and you can specify a port range, for example
+-- @1990:1994@. To match with any port, specify @ANY@.
+--
+-- 'direction', 'header_direction' - The direction of traffic flow to inspect. If set to @ANY@, the
+-- inspection matches bidirectional traffic, both from the source to the
+-- destination and from the destination to the source. If set to @FORWARD@,
+-- the inspection only matches traffic going from the source to the
+-- destination.
+--
+-- 'destination', 'header_destination' - The destination IP address or address range to inspect for, in CIDR
+-- notation. To match with any address, specify @ANY@.
+--
+-- Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+--
+-- 'destinationPort', 'header_destinationPort' - The destination port to inspect for. You can specify an individual port,
+-- for example @1994@ and you can specify a port range, for example
+-- @1990:1994@. To match with any port, specify @ANY@.
+newHeader ::
+  -- | 'protocol'
+  StatefulRuleProtocol ->
+  -- | 'source'
+  Prelude.Text ->
+  -- | 'sourcePort'
+  Prelude.Text ->
+  -- | 'direction'
+  StatefulRuleDirection ->
+  -- | 'destination'
+  Prelude.Text ->
+  -- | 'destinationPort'
+  Prelude.Text ->
+  Header
+newHeader
+  pProtocol_
+  pSource_
+  pSourcePort_
+  pDirection_
+  pDestination_
+  pDestinationPort_ =
+    Header'
+      { protocol = pProtocol_,
+        source = pSource_,
+        sourcePort = pSourcePort_,
+        direction = pDirection_,
+        destination = pDestination_,
+        destinationPort = pDestinationPort_
+      }
+
+-- | The protocol to inspect for. To specify all, you can use @IP@, because
+-- all traffic on Amazon Web Services and on the internet is IP.
+header_protocol :: Lens.Lens' Header StatefulRuleProtocol
+header_protocol = Lens.lens (\Header' {protocol} -> protocol) (\s@Header' {} a -> s {protocol = a} :: Header)
+
+-- | The source IP address or address range to inspect for, in CIDR notation.
+-- To match with any address, specify @ANY@.
+--
+-- Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+header_source :: Lens.Lens' Header Prelude.Text
+header_source = Lens.lens (\Header' {source} -> source) (\s@Header' {} a -> s {source = a} :: Header)
+
+-- | The source port to inspect for. You can specify an individual port, for
+-- example @1994@ and you can specify a port range, for example
+-- @1990:1994@. To match with any port, specify @ANY@.
+header_sourcePort :: Lens.Lens' Header Prelude.Text
+header_sourcePort = Lens.lens (\Header' {sourcePort} -> sourcePort) (\s@Header' {} a -> s {sourcePort = a} :: Header)
+
+-- | The direction of traffic flow to inspect. If set to @ANY@, the
+-- inspection matches bidirectional traffic, both from the source to the
+-- destination and from the destination to the source. If set to @FORWARD@,
+-- the inspection only matches traffic going from the source to the
+-- destination.
+header_direction :: Lens.Lens' Header StatefulRuleDirection
+header_direction = Lens.lens (\Header' {direction} -> direction) (\s@Header' {} a -> s {direction = a} :: Header)
+
+-- | The destination IP address or address range to inspect for, in CIDR
+-- notation. To match with any address, specify @ANY@.
+--
+-- Specify an IP address or a block of IP addresses in Classless
+-- Inter-Domain Routing (CIDR) notation. Network Firewall supports all
+-- address ranges for IPv4.
+--
+-- Examples:
+--
+-- -   To configure Network Firewall to inspect for the IP address
+--     192.0.2.44, specify @192.0.2.44\/32@.
+--
+-- -   To configure Network Firewall to inspect for IP addresses from
+--     192.0.2.0 to 192.0.2.255, specify @192.0.2.0\/24@.
+--
+-- For more information about CIDR notation, see the Wikipedia entry
+-- <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing Classless Inter-Domain Routing>.
+header_destination :: Lens.Lens' Header Prelude.Text
+header_destination = Lens.lens (\Header' {destination} -> destination) (\s@Header' {} a -> s {destination = a} :: Header)
+
+-- | The destination port to inspect for. You can specify an individual port,
+-- for example @1994@ and you can specify a port range, for example
+-- @1990:1994@. To match with any port, specify @ANY@.
+header_destinationPort :: Lens.Lens' Header Prelude.Text
+header_destinationPort = Lens.lens (\Header' {destinationPort} -> destinationPort) (\s@Header' {} a -> s {destinationPort = a} :: Header)
+
+instance Data.FromJSON Header where
+  parseJSON =
+    Data.withObject
+      "Header"
+      ( \x ->
+          Header'
+            Prelude.<$> (x Data..: "Protocol")
+            Prelude.<*> (x Data..: "Source")
+            Prelude.<*> (x Data..: "SourcePort")
+            Prelude.<*> (x Data..: "Direction")
+            Prelude.<*> (x Data..: "Destination")
+            Prelude.<*> (x Data..: "DestinationPort")
+      )
+
+instance Prelude.Hashable Header where
+  hashWithSalt _salt Header' {..} =
+    _salt
+      `Prelude.hashWithSalt` protocol
+      `Prelude.hashWithSalt` source
+      `Prelude.hashWithSalt` sourcePort
+      `Prelude.hashWithSalt` direction
+      `Prelude.hashWithSalt` destination
+      `Prelude.hashWithSalt` destinationPort
+
+instance Prelude.NFData Header where
+  rnf Header' {..} =
+    Prelude.rnf protocol
+      `Prelude.seq` Prelude.rnf source
+      `Prelude.seq` Prelude.rnf sourcePort
+      `Prelude.seq` Prelude.rnf direction
+      `Prelude.seq` Prelude.rnf destination
+      `Prelude.seq` Prelude.rnf destinationPort
+
+instance Data.ToJSON Header where
+  toJSON Header' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("Protocol" Data..= protocol),
+            Prelude.Just ("Source" Data..= source),
+            Prelude.Just ("SourcePort" Data..= sourcePort),
+            Prelude.Just ("Direction" Data..= direction),
+            Prelude.Just ("Destination" Data..= destination),
+            Prelude.Just
+              ("DestinationPort" Data..= destinationPort)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/IPSet.hs b/gen/Amazonka/NetworkFirewall/Types/IPSet.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/IPSet.hs
@@ -0,0 +1,75 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.IPSet
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.IPSet where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A list of IP addresses and address ranges, in CIDR notation. This is
+-- part of a RuleVariables.
+--
+-- /See:/ 'newIPSet' smart constructor.
+data IPSet = IPSet'
+  { -- | The list of IP addresses and address ranges, in CIDR notation.
+    definition :: [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'IPSet' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'definition', 'iPSet_definition' - The list of IP addresses and address ranges, in CIDR notation.
+newIPSet ::
+  IPSet
+newIPSet = IPSet' {definition = Prelude.mempty}
+
+-- | The list of IP addresses and address ranges, in CIDR notation.
+iPSet_definition :: Lens.Lens' IPSet [Prelude.Text]
+iPSet_definition = Lens.lens (\IPSet' {definition} -> definition) (\s@IPSet' {} a -> s {definition = a} :: IPSet) Prelude.. Lens.coerced
+
+instance Data.FromJSON IPSet where
+  parseJSON =
+    Data.withObject
+      "IPSet"
+      ( \x ->
+          IPSet'
+            Prelude.<$> (x Data..:? "Definition" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable IPSet where
+  hashWithSalt _salt IPSet' {..} =
+    _salt `Prelude.hashWithSalt` definition
+
+instance Prelude.NFData IPSet where
+  rnf IPSet' {..} = Prelude.rnf definition
+
+instance Data.ToJSON IPSet where
+  toJSON IPSet' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("Definition" Data..= definition)]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/IPSetMetadata.hs b/gen/Amazonka/NetworkFirewall/Types/IPSetMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/IPSetMetadata.hs
@@ -0,0 +1,78 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.IPSetMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.IPSetMetadata where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | General information about the IP set.
+--
+-- /See:/ 'newIPSetMetadata' smart constructor.
+data IPSetMetadata = IPSetMetadata'
+  { -- | Describes the total number of CIDR blocks currently in use by the IP set
+    -- references in a firewall. To determine how many CIDR blocks are
+    -- available for you to use in a firewall, you can call
+    -- @AvailableCIDRCount@.
+    resolvedCIDRCount :: Prelude.Maybe Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'IPSetMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resolvedCIDRCount', 'iPSetMetadata_resolvedCIDRCount' - Describes the total number of CIDR blocks currently in use by the IP set
+-- references in a firewall. To determine how many CIDR blocks are
+-- available for you to use in a firewall, you can call
+-- @AvailableCIDRCount@.
+newIPSetMetadata ::
+  IPSetMetadata
+newIPSetMetadata =
+  IPSetMetadata' {resolvedCIDRCount = Prelude.Nothing}
+
+-- | Describes the total number of CIDR blocks currently in use by the IP set
+-- references in a firewall. To determine how many CIDR blocks are
+-- available for you to use in a firewall, you can call
+-- @AvailableCIDRCount@.
+iPSetMetadata_resolvedCIDRCount :: Lens.Lens' IPSetMetadata (Prelude.Maybe Prelude.Natural)
+iPSetMetadata_resolvedCIDRCount = Lens.lens (\IPSetMetadata' {resolvedCIDRCount} -> resolvedCIDRCount) (\s@IPSetMetadata' {} a -> s {resolvedCIDRCount = a} :: IPSetMetadata)
+
+instance Data.FromJSON IPSetMetadata where
+  parseJSON =
+    Data.withObject
+      "IPSetMetadata"
+      ( \x ->
+          IPSetMetadata'
+            Prelude.<$> (x Data..:? "ResolvedCIDRCount")
+      )
+
+instance Prelude.Hashable IPSetMetadata where
+  hashWithSalt _salt IPSetMetadata' {..} =
+    _salt `Prelude.hashWithSalt` resolvedCIDRCount
+
+instance Prelude.NFData IPSetMetadata where
+  rnf IPSetMetadata' {..} =
+    Prelude.rnf resolvedCIDRCount
diff --git a/gen/Amazonka/NetworkFirewall/Types/IPSetReference.hs b/gen/Amazonka/NetworkFirewall/Types/IPSetReference.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/IPSetReference.hs
@@ -0,0 +1,92 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.IPSetReference
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.IPSetReference where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | Configures one or more IP set references for a Suricata-compatible rule
+-- group. This is used in CreateRuleGroup or UpdateRuleGroup. An IP set
+-- reference is a rule variable that references a resource that you create
+-- and manage in another Amazon Web Services service, such as an Amazon VPC
+-- prefix list. Network Firewall IP set references enable you to
+-- dynamically update the contents of your rules. When you create, update,
+-- or delete the IP set you are referencing in your rule, Network Firewall
+-- automatically updates the rule\'s content with the changes. For more
+-- information about IP set references in Network Firewall, see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references Using IP set references>
+-- in the /Network Firewall Developer Guide/.
+--
+-- Network Firewall currently supports only
+-- <https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html Amazon VPC prefix lists>
+-- as IP set references.
+--
+-- /See:/ 'newIPSetReference' smart constructor.
+data IPSetReference = IPSetReference'
+  { -- | The Amazon Resource Name (ARN) of the resource that you are referencing
+    -- in your rule group.
+    referenceArn :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'IPSetReference' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'referenceArn', 'iPSetReference_referenceArn' - The Amazon Resource Name (ARN) of the resource that you are referencing
+-- in your rule group.
+newIPSetReference ::
+  IPSetReference
+newIPSetReference =
+  IPSetReference' {referenceArn = Prelude.Nothing}
+
+-- | The Amazon Resource Name (ARN) of the resource that you are referencing
+-- in your rule group.
+iPSetReference_referenceArn :: Lens.Lens' IPSetReference (Prelude.Maybe Prelude.Text)
+iPSetReference_referenceArn = Lens.lens (\IPSetReference' {referenceArn} -> referenceArn) (\s@IPSetReference' {} a -> s {referenceArn = a} :: IPSetReference)
+
+instance Data.FromJSON IPSetReference where
+  parseJSON =
+    Data.withObject
+      "IPSetReference"
+      ( \x ->
+          IPSetReference'
+            Prelude.<$> (x Data..:? "ReferenceArn")
+      )
+
+instance Prelude.Hashable IPSetReference where
+  hashWithSalt _salt IPSetReference' {..} =
+    _salt `Prelude.hashWithSalt` referenceArn
+
+instance Prelude.NFData IPSetReference where
+  rnf IPSetReference' {..} = Prelude.rnf referenceArn
+
+instance Data.ToJSON IPSetReference where
+  toJSON IPSetReference' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [("ReferenceArn" Data..=) Prelude.<$> referenceArn]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/LogDestinationConfig.hs b/gen/Amazonka/NetworkFirewall/Types/LogDestinationConfig.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/LogDestinationConfig.hs
@@ -0,0 +1,200 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.LogDestinationConfig
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.LogDestinationConfig where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.LogDestinationType
+import Amazonka.NetworkFirewall.Types.LogType
+import qualified Amazonka.Prelude as Prelude
+
+-- | Defines where Network Firewall sends logs for the firewall for one log
+-- type. This is used in LoggingConfiguration. You can send each type of
+-- log to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
+-- Firehose delivery stream.
+--
+-- Network Firewall generates logs for stateful rule groups. You can save
+-- alert and flow log types. The stateful rules engine records flow logs
+-- for all network traffic that it receives. It records alert logs for
+-- traffic that matches stateful rules that have the rule action set to
+-- @DROP@ or @ALERT@.
+--
+-- /See:/ 'newLogDestinationConfig' smart constructor.
+data LogDestinationConfig = LogDestinationConfig'
+  { -- | The type of log to send. Alert logs report traffic that matches a
+    -- StatefulRule with an action setting that sends an alert log message.
+    -- Flow logs are standard network traffic flow logs.
+    logType :: LogType,
+    -- | The type of storage destination to send these logs to. You can send logs
+    -- to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
+    -- Firehose delivery stream.
+    logDestinationType :: LogDestinationType,
+    -- | The named location for the logs, provided in a key:value mapping that is
+    -- specific to the chosen destination type.
+    --
+    -- -   For an Amazon S3 bucket, provide the name of the bucket, with key
+    --     @bucketName@, and optionally provide a prefix, with key @prefix@.
+    --     The following example specifies an Amazon S3 bucket named
+    --     @DOC-EXAMPLE-BUCKET@ and the prefix @alerts@:
+    --
+    --     @\"LogDestination\": { \"bucketName\": \"DOC-EXAMPLE-BUCKET\", \"prefix\": \"alerts\" }@
+    --
+    -- -   For a CloudWatch log group, provide the name of the CloudWatch log
+    --     group, with key @logGroup@. The following example specifies a log
+    --     group named @alert-log-group@:
+    --
+    --     @\"LogDestination\": { \"logGroup\": \"alert-log-group\" }@
+    --
+    -- -   For a Kinesis Data Firehose delivery stream, provide the name of the
+    --     delivery stream, with key @deliveryStream@. The following example
+    --     specifies a delivery stream named @alert-delivery-stream@:
+    --
+    --     @\"LogDestination\": { \"deliveryStream\": \"alert-delivery-stream\" }@
+    logDestination :: Prelude.HashMap Prelude.Text Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'LogDestinationConfig' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'logType', 'logDestinationConfig_logType' - The type of log to send. Alert logs report traffic that matches a
+-- StatefulRule with an action setting that sends an alert log message.
+-- Flow logs are standard network traffic flow logs.
+--
+-- 'logDestinationType', 'logDestinationConfig_logDestinationType' - The type of storage destination to send these logs to. You can send logs
+-- to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
+-- Firehose delivery stream.
+--
+-- 'logDestination', 'logDestinationConfig_logDestination' - The named location for the logs, provided in a key:value mapping that is
+-- specific to the chosen destination type.
+--
+-- -   For an Amazon S3 bucket, provide the name of the bucket, with key
+--     @bucketName@, and optionally provide a prefix, with key @prefix@.
+--     The following example specifies an Amazon S3 bucket named
+--     @DOC-EXAMPLE-BUCKET@ and the prefix @alerts@:
+--
+--     @\"LogDestination\": { \"bucketName\": \"DOC-EXAMPLE-BUCKET\", \"prefix\": \"alerts\" }@
+--
+-- -   For a CloudWatch log group, provide the name of the CloudWatch log
+--     group, with key @logGroup@. The following example specifies a log
+--     group named @alert-log-group@:
+--
+--     @\"LogDestination\": { \"logGroup\": \"alert-log-group\" }@
+--
+-- -   For a Kinesis Data Firehose delivery stream, provide the name of the
+--     delivery stream, with key @deliveryStream@. The following example
+--     specifies a delivery stream named @alert-delivery-stream@:
+--
+--     @\"LogDestination\": { \"deliveryStream\": \"alert-delivery-stream\" }@
+newLogDestinationConfig ::
+  -- | 'logType'
+  LogType ->
+  -- | 'logDestinationType'
+  LogDestinationType ->
+  LogDestinationConfig
+newLogDestinationConfig
+  pLogType_
+  pLogDestinationType_ =
+    LogDestinationConfig'
+      { logType = pLogType_,
+        logDestinationType = pLogDestinationType_,
+        logDestination = Prelude.mempty
+      }
+
+-- | The type of log to send. Alert logs report traffic that matches a
+-- StatefulRule with an action setting that sends an alert log message.
+-- Flow logs are standard network traffic flow logs.
+logDestinationConfig_logType :: Lens.Lens' LogDestinationConfig LogType
+logDestinationConfig_logType = Lens.lens (\LogDestinationConfig' {logType} -> logType) (\s@LogDestinationConfig' {} a -> s {logType = a} :: LogDestinationConfig)
+
+-- | The type of storage destination to send these logs to. You can send logs
+-- to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
+-- Firehose delivery stream.
+logDestinationConfig_logDestinationType :: Lens.Lens' LogDestinationConfig LogDestinationType
+logDestinationConfig_logDestinationType = Lens.lens (\LogDestinationConfig' {logDestinationType} -> logDestinationType) (\s@LogDestinationConfig' {} a -> s {logDestinationType = a} :: LogDestinationConfig)
+
+-- | The named location for the logs, provided in a key:value mapping that is
+-- specific to the chosen destination type.
+--
+-- -   For an Amazon S3 bucket, provide the name of the bucket, with key
+--     @bucketName@, and optionally provide a prefix, with key @prefix@.
+--     The following example specifies an Amazon S3 bucket named
+--     @DOC-EXAMPLE-BUCKET@ and the prefix @alerts@:
+--
+--     @\"LogDestination\": { \"bucketName\": \"DOC-EXAMPLE-BUCKET\", \"prefix\": \"alerts\" }@
+--
+-- -   For a CloudWatch log group, provide the name of the CloudWatch log
+--     group, with key @logGroup@. The following example specifies a log
+--     group named @alert-log-group@:
+--
+--     @\"LogDestination\": { \"logGroup\": \"alert-log-group\" }@
+--
+-- -   For a Kinesis Data Firehose delivery stream, provide the name of the
+--     delivery stream, with key @deliveryStream@. The following example
+--     specifies a delivery stream named @alert-delivery-stream@:
+--
+--     @\"LogDestination\": { \"deliveryStream\": \"alert-delivery-stream\" }@
+logDestinationConfig_logDestination :: Lens.Lens' LogDestinationConfig (Prelude.HashMap Prelude.Text Prelude.Text)
+logDestinationConfig_logDestination = Lens.lens (\LogDestinationConfig' {logDestination} -> logDestination) (\s@LogDestinationConfig' {} a -> s {logDestination = a} :: LogDestinationConfig) Prelude.. Lens.coerced
+
+instance Data.FromJSON LogDestinationConfig where
+  parseJSON =
+    Data.withObject
+      "LogDestinationConfig"
+      ( \x ->
+          LogDestinationConfig'
+            Prelude.<$> (x Data..: "LogType")
+            Prelude.<*> (x Data..: "LogDestinationType")
+            Prelude.<*> ( x
+                            Data..:? "LogDestination"
+                            Data..!= Prelude.mempty
+                        )
+      )
+
+instance Prelude.Hashable LogDestinationConfig where
+  hashWithSalt _salt LogDestinationConfig' {..} =
+    _salt
+      `Prelude.hashWithSalt` logType
+      `Prelude.hashWithSalt` logDestinationType
+      `Prelude.hashWithSalt` logDestination
+
+instance Prelude.NFData LogDestinationConfig where
+  rnf LogDestinationConfig' {..} =
+    Prelude.rnf logType
+      `Prelude.seq` Prelude.rnf logDestinationType
+      `Prelude.seq` Prelude.rnf logDestination
+
+instance Data.ToJSON LogDestinationConfig where
+  toJSON LogDestinationConfig' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("LogType" Data..= logType),
+            Prelude.Just
+              ("LogDestinationType" Data..= logDestinationType),
+            Prelude.Just
+              ("LogDestination" Data..= logDestination)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/LogDestinationType.hs b/gen/Amazonka/NetworkFirewall/Types/LogDestinationType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/LogDestinationType.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.LogDestinationType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.LogDestinationType
+  ( LogDestinationType
+      ( ..,
+        LogDestinationType_CloudWatchLogs,
+        LogDestinationType_KinesisDataFirehose,
+        LogDestinationType_S3
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype LogDestinationType = LogDestinationType'
+  { fromLogDestinationType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern LogDestinationType_CloudWatchLogs :: LogDestinationType
+pattern LogDestinationType_CloudWatchLogs = LogDestinationType' "CloudWatchLogs"
+
+pattern LogDestinationType_KinesisDataFirehose :: LogDestinationType
+pattern LogDestinationType_KinesisDataFirehose = LogDestinationType' "KinesisDataFirehose"
+
+pattern LogDestinationType_S3 :: LogDestinationType
+pattern LogDestinationType_S3 = LogDestinationType' "S3"
+
+{-# COMPLETE
+  LogDestinationType_CloudWatchLogs,
+  LogDestinationType_KinesisDataFirehose,
+  LogDestinationType_S3,
+  LogDestinationType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/LogType.hs b/gen/Amazonka/NetworkFirewall/Types/LogType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/LogType.hs
@@ -0,0 +1,68 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.LogType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.LogType
+  ( LogType
+      ( ..,
+        LogType_ALERT,
+        LogType_FLOW
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype LogType = LogType' {fromLogType :: Data.Text}
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern LogType_ALERT :: LogType
+pattern LogType_ALERT = LogType' "ALERT"
+
+pattern LogType_FLOW :: LogType
+pattern LogType_FLOW = LogType' "FLOW"
+
+{-# COMPLETE
+  LogType_ALERT,
+  LogType_FLOW,
+  LogType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/LoggingConfiguration.hs b/gen/Amazonka/NetworkFirewall/Types/LoggingConfiguration.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/LoggingConfiguration.hs
@@ -0,0 +1,90 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.LoggingConfiguration
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.LoggingConfiguration where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.LogDestinationConfig
+import qualified Amazonka.Prelude as Prelude
+
+-- | Defines how Network Firewall performs logging for a Firewall.
+--
+-- /See:/ 'newLoggingConfiguration' smart constructor.
+data LoggingConfiguration = LoggingConfiguration'
+  { -- | Defines the logging destinations for the logs for a firewall. Network
+    -- Firewall generates logs for stateful rule groups.
+    logDestinationConfigs :: [LogDestinationConfig]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'LoggingConfiguration' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'logDestinationConfigs', 'loggingConfiguration_logDestinationConfigs' - Defines the logging destinations for the logs for a firewall. Network
+-- Firewall generates logs for stateful rule groups.
+newLoggingConfiguration ::
+  LoggingConfiguration
+newLoggingConfiguration =
+  LoggingConfiguration'
+    { logDestinationConfigs =
+        Prelude.mempty
+    }
+
+-- | Defines the logging destinations for the logs for a firewall. Network
+-- Firewall generates logs for stateful rule groups.
+loggingConfiguration_logDestinationConfigs :: Lens.Lens' LoggingConfiguration [LogDestinationConfig]
+loggingConfiguration_logDestinationConfigs = Lens.lens (\LoggingConfiguration' {logDestinationConfigs} -> logDestinationConfigs) (\s@LoggingConfiguration' {} a -> s {logDestinationConfigs = a} :: LoggingConfiguration) Prelude.. Lens.coerced
+
+instance Data.FromJSON LoggingConfiguration where
+  parseJSON =
+    Data.withObject
+      "LoggingConfiguration"
+      ( \x ->
+          LoggingConfiguration'
+            Prelude.<$> ( x
+                            Data..:? "LogDestinationConfigs"
+                            Data..!= Prelude.mempty
+                        )
+      )
+
+instance Prelude.Hashable LoggingConfiguration where
+  hashWithSalt _salt LoggingConfiguration' {..} =
+    _salt `Prelude.hashWithSalt` logDestinationConfigs
+
+instance Prelude.NFData LoggingConfiguration where
+  rnf LoggingConfiguration' {..} =
+    Prelude.rnf logDestinationConfigs
+
+instance Data.ToJSON LoggingConfiguration where
+  toJSON LoggingConfiguration' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just
+              ( "LogDestinationConfigs"
+                  Data..= logDestinationConfigs
+              )
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/MatchAttributes.hs b/gen/Amazonka/NetworkFirewall/Types/MatchAttributes.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/MatchAttributes.hs
@@ -0,0 +1,201 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.MatchAttributes
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.MatchAttributes where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.Address
+import Amazonka.NetworkFirewall.Types.PortRange
+import Amazonka.NetworkFirewall.Types.TCPFlagField
+import qualified Amazonka.Prelude as Prelude
+
+-- | Criteria for Network Firewall to use to inspect an individual packet in
+-- stateless rule inspection. Each match attributes set can include one or
+-- more items such as IP address, CIDR range, port number, protocol, and
+-- TCP flags.
+--
+-- /See:/ 'newMatchAttributes' smart constructor.
+data MatchAttributes = MatchAttributes'
+  { -- | The destination ports to inspect for. If not specified, this matches
+    -- with any destination port. This setting is only used for protocols 6
+    -- (TCP) and 17 (UDP).
+    --
+    -- You can specify individual ports, for example @1994@ and you can specify
+    -- port ranges, for example @1990:1994@.
+    destinationPorts :: Prelude.Maybe [PortRange],
+    -- | The destination IP addresses and address ranges to inspect for, in CIDR
+    -- notation. If not specified, this matches with any destination address.
+    destinations :: Prelude.Maybe [Address],
+    -- | The protocols to inspect for, specified using each protocol\'s assigned
+    -- internet protocol number (IANA). If not specified, this matches with any
+    -- protocol.
+    protocols :: Prelude.Maybe [Prelude.Natural],
+    -- | The source ports to inspect for. If not specified, this matches with any
+    -- source port. This setting is only used for protocols 6 (TCP) and 17
+    -- (UDP).
+    --
+    -- You can specify individual ports, for example @1994@ and you can specify
+    -- port ranges, for example @1990:1994@.
+    sourcePorts :: Prelude.Maybe [PortRange],
+    -- | The source IP addresses and address ranges to inspect for, in CIDR
+    -- notation. If not specified, this matches with any source address.
+    sources :: Prelude.Maybe [Address],
+    -- | The TCP flags and masks to inspect for. If not specified, this matches
+    -- with any settings. This setting is only used for protocol 6 (TCP).
+    tCPFlags :: Prelude.Maybe [TCPFlagField]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'MatchAttributes' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'destinationPorts', 'matchAttributes_destinationPorts' - The destination ports to inspect for. If not specified, this matches
+-- with any destination port. This setting is only used for protocols 6
+-- (TCP) and 17 (UDP).
+--
+-- You can specify individual ports, for example @1994@ and you can specify
+-- port ranges, for example @1990:1994@.
+--
+-- 'destinations', 'matchAttributes_destinations' - The destination IP addresses and address ranges to inspect for, in CIDR
+-- notation. If not specified, this matches with any destination address.
+--
+-- 'protocols', 'matchAttributes_protocols' - The protocols to inspect for, specified using each protocol\'s assigned
+-- internet protocol number (IANA). If not specified, this matches with any
+-- protocol.
+--
+-- 'sourcePorts', 'matchAttributes_sourcePorts' - The source ports to inspect for. If not specified, this matches with any
+-- source port. This setting is only used for protocols 6 (TCP) and 17
+-- (UDP).
+--
+-- You can specify individual ports, for example @1994@ and you can specify
+-- port ranges, for example @1990:1994@.
+--
+-- 'sources', 'matchAttributes_sources' - The source IP addresses and address ranges to inspect for, in CIDR
+-- notation. If not specified, this matches with any source address.
+--
+-- 'tCPFlags', 'matchAttributes_tCPFlags' - The TCP flags and masks to inspect for. If not specified, this matches
+-- with any settings. This setting is only used for protocol 6 (TCP).
+newMatchAttributes ::
+  MatchAttributes
+newMatchAttributes =
+  MatchAttributes'
+    { destinationPorts =
+        Prelude.Nothing,
+      destinations = Prelude.Nothing,
+      protocols = Prelude.Nothing,
+      sourcePorts = Prelude.Nothing,
+      sources = Prelude.Nothing,
+      tCPFlags = Prelude.Nothing
+    }
+
+-- | The destination ports to inspect for. If not specified, this matches
+-- with any destination port. This setting is only used for protocols 6
+-- (TCP) and 17 (UDP).
+--
+-- You can specify individual ports, for example @1994@ and you can specify
+-- port ranges, for example @1990:1994@.
+matchAttributes_destinationPorts :: Lens.Lens' MatchAttributes (Prelude.Maybe [PortRange])
+matchAttributes_destinationPorts = Lens.lens (\MatchAttributes' {destinationPorts} -> destinationPorts) (\s@MatchAttributes' {} a -> s {destinationPorts = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+-- | The destination IP addresses and address ranges to inspect for, in CIDR
+-- notation. If not specified, this matches with any destination address.
+matchAttributes_destinations :: Lens.Lens' MatchAttributes (Prelude.Maybe [Address])
+matchAttributes_destinations = Lens.lens (\MatchAttributes' {destinations} -> destinations) (\s@MatchAttributes' {} a -> s {destinations = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+-- | The protocols to inspect for, specified using each protocol\'s assigned
+-- internet protocol number (IANA). If not specified, this matches with any
+-- protocol.
+matchAttributes_protocols :: Lens.Lens' MatchAttributes (Prelude.Maybe [Prelude.Natural])
+matchAttributes_protocols = Lens.lens (\MatchAttributes' {protocols} -> protocols) (\s@MatchAttributes' {} a -> s {protocols = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+-- | The source ports to inspect for. If not specified, this matches with any
+-- source port. This setting is only used for protocols 6 (TCP) and 17
+-- (UDP).
+--
+-- You can specify individual ports, for example @1994@ and you can specify
+-- port ranges, for example @1990:1994@.
+matchAttributes_sourcePorts :: Lens.Lens' MatchAttributes (Prelude.Maybe [PortRange])
+matchAttributes_sourcePorts = Lens.lens (\MatchAttributes' {sourcePorts} -> sourcePorts) (\s@MatchAttributes' {} a -> s {sourcePorts = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+-- | The source IP addresses and address ranges to inspect for, in CIDR
+-- notation. If not specified, this matches with any source address.
+matchAttributes_sources :: Lens.Lens' MatchAttributes (Prelude.Maybe [Address])
+matchAttributes_sources = Lens.lens (\MatchAttributes' {sources} -> sources) (\s@MatchAttributes' {} a -> s {sources = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+-- | The TCP flags and masks to inspect for. If not specified, this matches
+-- with any settings. This setting is only used for protocol 6 (TCP).
+matchAttributes_tCPFlags :: Lens.Lens' MatchAttributes (Prelude.Maybe [TCPFlagField])
+matchAttributes_tCPFlags = Lens.lens (\MatchAttributes' {tCPFlags} -> tCPFlags) (\s@MatchAttributes' {} a -> s {tCPFlags = a} :: MatchAttributes) Prelude.. Lens.mapping Lens.coerced
+
+instance Data.FromJSON MatchAttributes where
+  parseJSON =
+    Data.withObject
+      "MatchAttributes"
+      ( \x ->
+          MatchAttributes'
+            Prelude.<$> ( x
+                            Data..:? "DestinationPorts"
+                            Data..!= Prelude.mempty
+                        )
+            Prelude.<*> (x Data..:? "Destinations" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "Protocols" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "SourcePorts" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "Sources" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "TCPFlags" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable MatchAttributes where
+  hashWithSalt _salt MatchAttributes' {..} =
+    _salt
+      `Prelude.hashWithSalt` destinationPorts
+      `Prelude.hashWithSalt` destinations
+      `Prelude.hashWithSalt` protocols
+      `Prelude.hashWithSalt` sourcePorts
+      `Prelude.hashWithSalt` sources
+      `Prelude.hashWithSalt` tCPFlags
+
+instance Prelude.NFData MatchAttributes where
+  rnf MatchAttributes' {..} =
+    Prelude.rnf destinationPorts
+      `Prelude.seq` Prelude.rnf destinations
+      `Prelude.seq` Prelude.rnf protocols
+      `Prelude.seq` Prelude.rnf sourcePorts
+      `Prelude.seq` Prelude.rnf sources
+      `Prelude.seq` Prelude.rnf tCPFlags
+
+instance Data.ToJSON MatchAttributes where
+  toJSON MatchAttributes' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("DestinationPorts" Data..=)
+              Prelude.<$> destinationPorts,
+            ("Destinations" Data..=) Prelude.<$> destinations,
+            ("Protocols" Data..=) Prelude.<$> protocols,
+            ("SourcePorts" Data..=) Prelude.<$> sourcePorts,
+            ("Sources" Data..=) Prelude.<$> sources,
+            ("TCPFlags" Data..=) Prelude.<$> tCPFlags
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/OverrideAction.hs b/gen/Amazonka/NetworkFirewall/Types/OverrideAction.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/OverrideAction.hs
@@ -0,0 +1,66 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.OverrideAction
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.OverrideAction
+  ( OverrideAction
+      ( ..,
+        OverrideAction_DROP_TO_ALERT
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype OverrideAction = OverrideAction'
+  { fromOverrideAction ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern OverrideAction_DROP_TO_ALERT :: OverrideAction
+pattern OverrideAction_DROP_TO_ALERT = OverrideAction' "DROP_TO_ALERT"
+
+{-# COMPLETE
+  OverrideAction_DROP_TO_ALERT,
+  OverrideAction'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/PerObjectStatus.hs b/gen/Amazonka/NetworkFirewall/Types/PerObjectStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/PerObjectStatus.hs
@@ -0,0 +1,96 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.PerObjectStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.PerObjectStatus where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.PerObjectSyncStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | Provides configuration status for a single policy or rule group that is
+-- used for a firewall endpoint. Network Firewall provides each endpoint
+-- with the rules that are configured in the firewall policy. Each time you
+-- add a subnet or modify the associated firewall policy, Network Firewall
+-- synchronizes the rules in the endpoint, so it can properly filter
+-- network traffic. This is part of a SyncState for a firewall.
+--
+-- /See:/ 'newPerObjectStatus' smart constructor.
+data PerObjectStatus = PerObjectStatus'
+  { -- | Indicates whether this object is in sync with the version indicated in
+    -- the update token.
+    syncStatus :: Prelude.Maybe PerObjectSyncStatus,
+    -- | The current version of the object that is either in sync or pending
+    -- synchronization.
+    updateToken :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PerObjectStatus' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'syncStatus', 'perObjectStatus_syncStatus' - Indicates whether this object is in sync with the version indicated in
+-- the update token.
+--
+-- 'updateToken', 'perObjectStatus_updateToken' - The current version of the object that is either in sync or pending
+-- synchronization.
+newPerObjectStatus ::
+  PerObjectStatus
+newPerObjectStatus =
+  PerObjectStatus'
+    { syncStatus = Prelude.Nothing,
+      updateToken = Prelude.Nothing
+    }
+
+-- | Indicates whether this object is in sync with the version indicated in
+-- the update token.
+perObjectStatus_syncStatus :: Lens.Lens' PerObjectStatus (Prelude.Maybe PerObjectSyncStatus)
+perObjectStatus_syncStatus = Lens.lens (\PerObjectStatus' {syncStatus} -> syncStatus) (\s@PerObjectStatus' {} a -> s {syncStatus = a} :: PerObjectStatus)
+
+-- | The current version of the object that is either in sync or pending
+-- synchronization.
+perObjectStatus_updateToken :: Lens.Lens' PerObjectStatus (Prelude.Maybe Prelude.Text)
+perObjectStatus_updateToken = Lens.lens (\PerObjectStatus' {updateToken} -> updateToken) (\s@PerObjectStatus' {} a -> s {updateToken = a} :: PerObjectStatus)
+
+instance Data.FromJSON PerObjectStatus where
+  parseJSON =
+    Data.withObject
+      "PerObjectStatus"
+      ( \x ->
+          PerObjectStatus'
+            Prelude.<$> (x Data..:? "SyncStatus")
+            Prelude.<*> (x Data..:? "UpdateToken")
+      )
+
+instance Prelude.Hashable PerObjectStatus where
+  hashWithSalt _salt PerObjectStatus' {..} =
+    _salt
+      `Prelude.hashWithSalt` syncStatus
+      `Prelude.hashWithSalt` updateToken
+
+instance Prelude.NFData PerObjectStatus where
+  rnf PerObjectStatus' {..} =
+    Prelude.rnf syncStatus
+      `Prelude.seq` Prelude.rnf updateToken
diff --git a/gen/Amazonka/NetworkFirewall/Types/PerObjectSyncStatus.hs b/gen/Amazonka/NetworkFirewall/Types/PerObjectSyncStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/PerObjectSyncStatus.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.PerObjectSyncStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.PerObjectSyncStatus
+  ( PerObjectSyncStatus
+      ( ..,
+        PerObjectSyncStatus_CAPACITY_CONSTRAINED,
+        PerObjectSyncStatus_IN_SYNC,
+        PerObjectSyncStatus_PENDING
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype PerObjectSyncStatus = PerObjectSyncStatus'
+  { fromPerObjectSyncStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern PerObjectSyncStatus_CAPACITY_CONSTRAINED :: PerObjectSyncStatus
+pattern PerObjectSyncStatus_CAPACITY_CONSTRAINED = PerObjectSyncStatus' "CAPACITY_CONSTRAINED"
+
+pattern PerObjectSyncStatus_IN_SYNC :: PerObjectSyncStatus
+pattern PerObjectSyncStatus_IN_SYNC = PerObjectSyncStatus' "IN_SYNC"
+
+pattern PerObjectSyncStatus_PENDING :: PerObjectSyncStatus
+pattern PerObjectSyncStatus_PENDING = PerObjectSyncStatus' "PENDING"
+
+{-# COMPLETE
+  PerObjectSyncStatus_CAPACITY_CONSTRAINED,
+  PerObjectSyncStatus_IN_SYNC,
+  PerObjectSyncStatus_PENDING,
+  PerObjectSyncStatus'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/PortRange.hs b/gen/Amazonka/NetworkFirewall/Types/PortRange.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/PortRange.hs
@@ -0,0 +1,105 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.PortRange
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.PortRange where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A single port range specification. This is used for source and
+-- destination port ranges in the stateless rule MatchAttributes,
+-- @SourcePorts@, and @DestinationPorts@ settings.
+--
+-- /See:/ 'newPortRange' smart constructor.
+data PortRange = PortRange'
+  { -- | The lower limit of the port range. This must be less than or equal to
+    -- the @ToPort@ specification.
+    fromPort :: Prelude.Natural,
+    -- | The upper limit of the port range. This must be greater than or equal to
+    -- the @FromPort@ specification.
+    toPort :: Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PortRange' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'fromPort', 'portRange_fromPort' - The lower limit of the port range. This must be less than or equal to
+-- the @ToPort@ specification.
+--
+-- 'toPort', 'portRange_toPort' - The upper limit of the port range. This must be greater than or equal to
+-- the @FromPort@ specification.
+newPortRange ::
+  -- | 'fromPort'
+  Prelude.Natural ->
+  -- | 'toPort'
+  Prelude.Natural ->
+  PortRange
+newPortRange pFromPort_ pToPort_ =
+  PortRange'
+    { fromPort = pFromPort_,
+      toPort = pToPort_
+    }
+
+-- | The lower limit of the port range. This must be less than or equal to
+-- the @ToPort@ specification.
+portRange_fromPort :: Lens.Lens' PortRange Prelude.Natural
+portRange_fromPort = Lens.lens (\PortRange' {fromPort} -> fromPort) (\s@PortRange' {} a -> s {fromPort = a} :: PortRange)
+
+-- | The upper limit of the port range. This must be greater than or equal to
+-- the @FromPort@ specification.
+portRange_toPort :: Lens.Lens' PortRange Prelude.Natural
+portRange_toPort = Lens.lens (\PortRange' {toPort} -> toPort) (\s@PortRange' {} a -> s {toPort = a} :: PortRange)
+
+instance Data.FromJSON PortRange where
+  parseJSON =
+    Data.withObject
+      "PortRange"
+      ( \x ->
+          PortRange'
+            Prelude.<$> (x Data..: "FromPort")
+            Prelude.<*> (x Data..: "ToPort")
+      )
+
+instance Prelude.Hashable PortRange where
+  hashWithSalt _salt PortRange' {..} =
+    _salt
+      `Prelude.hashWithSalt` fromPort
+      `Prelude.hashWithSalt` toPort
+
+instance Prelude.NFData PortRange where
+  rnf PortRange' {..} =
+    Prelude.rnf fromPort
+      `Prelude.seq` Prelude.rnf toPort
+
+instance Data.ToJSON PortRange where
+  toJSON PortRange' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("FromPort" Data..= fromPort),
+            Prelude.Just ("ToPort" Data..= toPort)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/PortSet.hs b/gen/Amazonka/NetworkFirewall/Types/PortSet.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/PortSet.hs
@@ -0,0 +1,74 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.PortSet
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.PortSet where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A set of port ranges for use in the rules in a rule group.
+--
+-- /See:/ 'newPortSet' smart constructor.
+data PortSet = PortSet'
+  { -- | The set of port ranges.
+    definition :: Prelude.Maybe [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PortSet' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'definition', 'portSet_definition' - The set of port ranges.
+newPortSet ::
+  PortSet
+newPortSet = PortSet' {definition = Prelude.Nothing}
+
+-- | The set of port ranges.
+portSet_definition :: Lens.Lens' PortSet (Prelude.Maybe [Prelude.Text])
+portSet_definition = Lens.lens (\PortSet' {definition} -> definition) (\s@PortSet' {} a -> s {definition = a} :: PortSet) Prelude.. Lens.mapping Lens.coerced
+
+instance Data.FromJSON PortSet where
+  parseJSON =
+    Data.withObject
+      "PortSet"
+      ( \x ->
+          PortSet'
+            Prelude.<$> (x Data..:? "Definition" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable PortSet where
+  hashWithSalt _salt PortSet' {..} =
+    _salt `Prelude.hashWithSalt` definition
+
+instance Prelude.NFData PortSet where
+  rnf PortSet' {..} = Prelude.rnf definition
+
+instance Data.ToJSON PortSet where
+  toJSON PortSet' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [("Definition" Data..=) Prelude.<$> definition]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/PublishMetricAction.hs b/gen/Amazonka/NetworkFirewall/Types/PublishMetricAction.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/PublishMetricAction.hs
@@ -0,0 +1,81 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.PublishMetricAction
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.PublishMetricAction where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.Dimension
+import qualified Amazonka.Prelude as Prelude
+
+-- | Stateless inspection criteria that publishes the specified metrics to
+-- Amazon CloudWatch for the matching packet. This setting defines a
+-- CloudWatch dimension value to be published.
+--
+-- /See:/ 'newPublishMetricAction' smart constructor.
+data PublishMetricAction = PublishMetricAction'
+  { dimensions :: Prelude.NonEmpty Dimension
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PublishMetricAction' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'dimensions', 'publishMetricAction_dimensions' -
+newPublishMetricAction ::
+  -- | 'dimensions'
+  Prelude.NonEmpty Dimension ->
+  PublishMetricAction
+newPublishMetricAction pDimensions_ =
+  PublishMetricAction'
+    { dimensions =
+        Lens.coerced Lens.# pDimensions_
+    }
+
+publishMetricAction_dimensions :: Lens.Lens' PublishMetricAction (Prelude.NonEmpty Dimension)
+publishMetricAction_dimensions = Lens.lens (\PublishMetricAction' {dimensions} -> dimensions) (\s@PublishMetricAction' {} a -> s {dimensions = a} :: PublishMetricAction) Prelude.. Lens.coerced
+
+instance Data.FromJSON PublishMetricAction where
+  parseJSON =
+    Data.withObject
+      "PublishMetricAction"
+      ( \x ->
+          PublishMetricAction'
+            Prelude.<$> (x Data..: "Dimensions")
+      )
+
+instance Prelude.Hashable PublishMetricAction where
+  hashWithSalt _salt PublishMetricAction' {..} =
+    _salt `Prelude.hashWithSalt` dimensions
+
+instance Prelude.NFData PublishMetricAction where
+  rnf PublishMetricAction' {..} = Prelude.rnf dimensions
+
+instance Data.ToJSON PublishMetricAction where
+  toJSON PublishMetricAction' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("Dimensions" Data..= dimensions)]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/ReferenceSets.hs b/gen/Amazonka/NetworkFirewall/Types/ReferenceSets.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ReferenceSets.hs
@@ -0,0 +1,81 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ReferenceSets
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ReferenceSets where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.IPSetReference
+import qualified Amazonka.Prelude as Prelude
+
+-- | Contains a set of IP set references.
+--
+-- /See:/ 'newReferenceSets' smart constructor.
+data ReferenceSets = ReferenceSets'
+  { -- | The list of IP set references.
+    iPSetReferences :: Prelude.Maybe (Prelude.HashMap Prelude.Text IPSetReference)
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ReferenceSets' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'iPSetReferences', 'referenceSets_iPSetReferences' - The list of IP set references.
+newReferenceSets ::
+  ReferenceSets
+newReferenceSets =
+  ReferenceSets' {iPSetReferences = Prelude.Nothing}
+
+-- | The list of IP set references.
+referenceSets_iPSetReferences :: Lens.Lens' ReferenceSets (Prelude.Maybe (Prelude.HashMap Prelude.Text IPSetReference))
+referenceSets_iPSetReferences = Lens.lens (\ReferenceSets' {iPSetReferences} -> iPSetReferences) (\s@ReferenceSets' {} a -> s {iPSetReferences = a} :: ReferenceSets) Prelude.. Lens.mapping Lens.coerced
+
+instance Data.FromJSON ReferenceSets where
+  parseJSON =
+    Data.withObject
+      "ReferenceSets"
+      ( \x ->
+          ReferenceSets'
+            Prelude.<$> ( x
+                            Data..:? "IPSetReferences"
+                            Data..!= Prelude.mempty
+                        )
+      )
+
+instance Prelude.Hashable ReferenceSets where
+  hashWithSalt _salt ReferenceSets' {..} =
+    _salt `Prelude.hashWithSalt` iPSetReferences
+
+instance Prelude.NFData ReferenceSets where
+  rnf ReferenceSets' {..} = Prelude.rnf iPSetReferences
+
+instance Data.ToJSON ReferenceSets where
+  toJSON ReferenceSets' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("IPSetReferences" Data..=)
+              Prelude.<$> iPSetReferences
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/ResourceManagedStatus.hs b/gen/Amazonka/NetworkFirewall/Types/ResourceManagedStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ResourceManagedStatus.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ResourceManagedStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ResourceManagedStatus
+  ( ResourceManagedStatus
+      ( ..,
+        ResourceManagedStatus_ACCOUNT,
+        ResourceManagedStatus_MANAGED
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ResourceManagedStatus = ResourceManagedStatus'
+  { fromResourceManagedStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ResourceManagedStatus_ACCOUNT :: ResourceManagedStatus
+pattern ResourceManagedStatus_ACCOUNT = ResourceManagedStatus' "ACCOUNT"
+
+pattern ResourceManagedStatus_MANAGED :: ResourceManagedStatus
+pattern ResourceManagedStatus_MANAGED = ResourceManagedStatus' "MANAGED"
+
+{-# COMPLETE
+  ResourceManagedStatus_ACCOUNT,
+  ResourceManagedStatus_MANAGED,
+  ResourceManagedStatus'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/ResourceManagedType.hs b/gen/Amazonka/NetworkFirewall/Types/ResourceManagedType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ResourceManagedType.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ResourceManagedType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ResourceManagedType
+  ( ResourceManagedType
+      ( ..,
+        ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS,
+        ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ResourceManagedType = ResourceManagedType'
+  { fromResourceManagedType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS :: ResourceManagedType
+pattern ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS = ResourceManagedType' "AWS_MANAGED_DOMAIN_LISTS"
+
+pattern ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES :: ResourceManagedType
+pattern ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES = ResourceManagedType' "AWS_MANAGED_THREAT_SIGNATURES"
+
+{-# COMPLETE
+  ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS,
+  ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES,
+  ResourceManagedType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/ResourceStatus.hs b/gen/Amazonka/NetworkFirewall/Types/ResourceStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/ResourceStatus.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.ResourceStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.ResourceStatus
+  ( ResourceStatus
+      ( ..,
+        ResourceStatus_ACTIVE,
+        ResourceStatus_DELETING
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ResourceStatus = ResourceStatus'
+  { fromResourceStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ResourceStatus_ACTIVE :: ResourceStatus
+pattern ResourceStatus_ACTIVE = ResourceStatus' "ACTIVE"
+
+pattern ResourceStatus_DELETING :: ResourceStatus
+pattern ResourceStatus_DELETING = ResourceStatus' "DELETING"
+
+{-# COMPLETE
+  ResourceStatus_ACTIVE,
+  ResourceStatus_DELETING,
+  ResourceStatus'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleDefinition.hs b/gen/Amazonka/NetworkFirewall/Types/RuleDefinition.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleDefinition.hs
@@ -0,0 +1,203 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleDefinition
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleDefinition where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.MatchAttributes
+import qualified Amazonka.Prelude as Prelude
+
+-- | The inspection criteria and action for a single stateless rule. Network
+-- Firewall inspects each packet for the specified matching criteria. When
+-- a packet matches the criteria, Network Firewall performs the rule\'s
+-- actions on the packet.
+--
+-- /See:/ 'newRuleDefinition' smart constructor.
+data RuleDefinition = RuleDefinition'
+  { -- | Criteria for Network Firewall to use to inspect an individual packet in
+    -- stateless rule inspection. Each match attributes set can include one or
+    -- more items such as IP address, CIDR range, port number, protocol, and
+    -- TCP flags.
+    matchAttributes :: MatchAttributes,
+    -- | The actions to take on a packet that matches one of the stateless rule
+    -- definition\'s match attributes. You must specify a standard action and
+    -- you can add custom actions.
+    --
+    -- Network Firewall only forwards a packet for stateful rule inspection if
+    -- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
+    -- if the packet doesn\'t match any stateless rule and you specify
+    -- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
+    -- FirewallPolicy.
+    --
+    -- For every rule, you must specify exactly one of the following standard
+    -- actions.
+    --
+    -- -   __aws:pass__ - Discontinues all inspection of the packet and permits
+    --     it to go to its intended destination.
+    --
+    -- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
+    --     it from going to its intended destination.
+    --
+    -- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
+    --     packet and forwards it to the stateful rule engine for inspection.
+    --
+    -- Additionally, you can specify a custom action. To do this, you define a
+    -- custom action by name and type, then provide the name you\'ve assigned
+    -- to the action in this @Actions@ setting. For information about the
+    -- options, see CustomAction.
+    --
+    -- To provide more than one action in this setting, separate the settings
+    -- with a comma. For example, if you have a custom @PublishMetrics@ action
+    -- that you\'ve named @MyMetricsAction@, then you could specify the
+    -- standard action @aws:pass@ and the custom action with
+    -- @[“aws:pass”, “MyMetricsAction”]@.
+    actions :: [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleDefinition' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'matchAttributes', 'ruleDefinition_matchAttributes' - Criteria for Network Firewall to use to inspect an individual packet in
+-- stateless rule inspection. Each match attributes set can include one or
+-- more items such as IP address, CIDR range, port number, protocol, and
+-- TCP flags.
+--
+-- 'actions', 'ruleDefinition_actions' - The actions to take on a packet that matches one of the stateless rule
+-- definition\'s match attributes. You must specify a standard action and
+-- you can add custom actions.
+--
+-- Network Firewall only forwards a packet for stateful rule inspection if
+-- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
+-- if the packet doesn\'t match any stateless rule and you specify
+-- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
+-- FirewallPolicy.
+--
+-- For every rule, you must specify exactly one of the following standard
+-- actions.
+--
+-- -   __aws:pass__ - Discontinues all inspection of the packet and permits
+--     it to go to its intended destination.
+--
+-- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
+--     it from going to its intended destination.
+--
+-- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
+--     packet and forwards it to the stateful rule engine for inspection.
+--
+-- Additionally, you can specify a custom action. To do this, you define a
+-- custom action by name and type, then provide the name you\'ve assigned
+-- to the action in this @Actions@ setting. For information about the
+-- options, see CustomAction.
+--
+-- To provide more than one action in this setting, separate the settings
+-- with a comma. For example, if you have a custom @PublishMetrics@ action
+-- that you\'ve named @MyMetricsAction@, then you could specify the
+-- standard action @aws:pass@ and the custom action with
+-- @[“aws:pass”, “MyMetricsAction”]@.
+newRuleDefinition ::
+  -- | 'matchAttributes'
+  MatchAttributes ->
+  RuleDefinition
+newRuleDefinition pMatchAttributes_ =
+  RuleDefinition'
+    { matchAttributes =
+        pMatchAttributes_,
+      actions = Prelude.mempty
+    }
+
+-- | Criteria for Network Firewall to use to inspect an individual packet in
+-- stateless rule inspection. Each match attributes set can include one or
+-- more items such as IP address, CIDR range, port number, protocol, and
+-- TCP flags.
+ruleDefinition_matchAttributes :: Lens.Lens' RuleDefinition MatchAttributes
+ruleDefinition_matchAttributes = Lens.lens (\RuleDefinition' {matchAttributes} -> matchAttributes) (\s@RuleDefinition' {} a -> s {matchAttributes = a} :: RuleDefinition)
+
+-- | The actions to take on a packet that matches one of the stateless rule
+-- definition\'s match attributes. You must specify a standard action and
+-- you can add custom actions.
+--
+-- Network Firewall only forwards a packet for stateful rule inspection if
+-- you specify @aws:forward_to_sfe@ for a rule that the packet matches, or
+-- if the packet doesn\'t match any stateless rule and you specify
+-- @aws:forward_to_sfe@ for the @StatelessDefaultActions@ setting for the
+-- FirewallPolicy.
+--
+-- For every rule, you must specify exactly one of the following standard
+-- actions.
+--
+-- -   __aws:pass__ - Discontinues all inspection of the packet and permits
+--     it to go to its intended destination.
+--
+-- -   __aws:drop__ - Discontinues all inspection of the packet and blocks
+--     it from going to its intended destination.
+--
+-- -   __aws:forward_to_sfe__ - Discontinues stateless inspection of the
+--     packet and forwards it to the stateful rule engine for inspection.
+--
+-- Additionally, you can specify a custom action. To do this, you define a
+-- custom action by name and type, then provide the name you\'ve assigned
+-- to the action in this @Actions@ setting. For information about the
+-- options, see CustomAction.
+--
+-- To provide more than one action in this setting, separate the settings
+-- with a comma. For example, if you have a custom @PublishMetrics@ action
+-- that you\'ve named @MyMetricsAction@, then you could specify the
+-- standard action @aws:pass@ and the custom action with
+-- @[“aws:pass”, “MyMetricsAction”]@.
+ruleDefinition_actions :: Lens.Lens' RuleDefinition [Prelude.Text]
+ruleDefinition_actions = Lens.lens (\RuleDefinition' {actions} -> actions) (\s@RuleDefinition' {} a -> s {actions = a} :: RuleDefinition) Prelude.. Lens.coerced
+
+instance Data.FromJSON RuleDefinition where
+  parseJSON =
+    Data.withObject
+      "RuleDefinition"
+      ( \x ->
+          RuleDefinition'
+            Prelude.<$> (x Data..: "MatchAttributes")
+            Prelude.<*> (x Data..:? "Actions" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable RuleDefinition where
+  hashWithSalt _salt RuleDefinition' {..} =
+    _salt
+      `Prelude.hashWithSalt` matchAttributes
+      `Prelude.hashWithSalt` actions
+
+instance Prelude.NFData RuleDefinition where
+  rnf RuleDefinition' {..} =
+    Prelude.rnf matchAttributes
+      `Prelude.seq` Prelude.rnf actions
+
+instance Data.ToJSON RuleDefinition where
+  toJSON RuleDefinition' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just
+              ("MatchAttributes" Data..= matchAttributes),
+            Prelude.Just ("Actions" Data..= actions)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleGroup.hs b/gen/Amazonka/NetworkFirewall/Types/RuleGroup.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleGroup.hs
@@ -0,0 +1,147 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleGroup
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleGroup where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.ReferenceSets
+import Amazonka.NetworkFirewall.Types.RuleVariables
+import Amazonka.NetworkFirewall.Types.RulesSource
+import Amazonka.NetworkFirewall.Types.StatefulRuleOptions
+import qualified Amazonka.Prelude as Prelude
+
+-- | The object that defines the rules in a rule group. This, along with
+-- RuleGroupResponse, define the rule group. You can retrieve all objects
+-- for a rule group by calling DescribeRuleGroup.
+--
+-- Network Firewall uses a rule group to inspect and control network
+-- traffic. You define stateless rule groups to inspect individual packets
+-- and you define stateful rule groups to inspect packets in the context of
+-- their traffic flow.
+--
+-- To use a rule group, you include it by reference in an Network Firewall
+-- firewall policy, then you use the policy in a firewall. You can
+-- reference a rule group from more than one firewall policy, and you can
+-- use a firewall policy in more than one firewall.
+--
+-- /See:/ 'newRuleGroup' smart constructor.
+data RuleGroup = RuleGroup'
+  { -- | The list of a rule group\'s reference sets.
+    referenceSets :: Prelude.Maybe ReferenceSets,
+    -- | Settings that are available for use in the rules in the rule group. You
+    -- can only use these for stateful rule groups.
+    ruleVariables :: Prelude.Maybe RuleVariables,
+    -- | Additional options governing how Network Firewall handles stateful
+    -- rules. The policies where you use your stateful rule group must have
+    -- stateful rule options settings that are compatible with these settings.
+    statefulRuleOptions :: Prelude.Maybe StatefulRuleOptions,
+    -- | The stateful rules or stateless rules for the rule group.
+    rulesSource :: RulesSource
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleGroup' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'referenceSets', 'ruleGroup_referenceSets' - The list of a rule group\'s reference sets.
+--
+-- 'ruleVariables', 'ruleGroup_ruleVariables' - Settings that are available for use in the rules in the rule group. You
+-- can only use these for stateful rule groups.
+--
+-- 'statefulRuleOptions', 'ruleGroup_statefulRuleOptions' - Additional options governing how Network Firewall handles stateful
+-- rules. The policies where you use your stateful rule group must have
+-- stateful rule options settings that are compatible with these settings.
+--
+-- 'rulesSource', 'ruleGroup_rulesSource' - The stateful rules or stateless rules for the rule group.
+newRuleGroup ::
+  -- | 'rulesSource'
+  RulesSource ->
+  RuleGroup
+newRuleGroup pRulesSource_ =
+  RuleGroup'
+    { referenceSets = Prelude.Nothing,
+      ruleVariables = Prelude.Nothing,
+      statefulRuleOptions = Prelude.Nothing,
+      rulesSource = pRulesSource_
+    }
+
+-- | The list of a rule group\'s reference sets.
+ruleGroup_referenceSets :: Lens.Lens' RuleGroup (Prelude.Maybe ReferenceSets)
+ruleGroup_referenceSets = Lens.lens (\RuleGroup' {referenceSets} -> referenceSets) (\s@RuleGroup' {} a -> s {referenceSets = a} :: RuleGroup)
+
+-- | Settings that are available for use in the rules in the rule group. You
+-- can only use these for stateful rule groups.
+ruleGroup_ruleVariables :: Lens.Lens' RuleGroup (Prelude.Maybe RuleVariables)
+ruleGroup_ruleVariables = Lens.lens (\RuleGroup' {ruleVariables} -> ruleVariables) (\s@RuleGroup' {} a -> s {ruleVariables = a} :: RuleGroup)
+
+-- | Additional options governing how Network Firewall handles stateful
+-- rules. The policies where you use your stateful rule group must have
+-- stateful rule options settings that are compatible with these settings.
+ruleGroup_statefulRuleOptions :: Lens.Lens' RuleGroup (Prelude.Maybe StatefulRuleOptions)
+ruleGroup_statefulRuleOptions = Lens.lens (\RuleGroup' {statefulRuleOptions} -> statefulRuleOptions) (\s@RuleGroup' {} a -> s {statefulRuleOptions = a} :: RuleGroup)
+
+-- | The stateful rules or stateless rules for the rule group.
+ruleGroup_rulesSource :: Lens.Lens' RuleGroup RulesSource
+ruleGroup_rulesSource = Lens.lens (\RuleGroup' {rulesSource} -> rulesSource) (\s@RuleGroup' {} a -> s {rulesSource = a} :: RuleGroup)
+
+instance Data.FromJSON RuleGroup where
+  parseJSON =
+    Data.withObject
+      "RuleGroup"
+      ( \x ->
+          RuleGroup'
+            Prelude.<$> (x Data..:? "ReferenceSets")
+            Prelude.<*> (x Data..:? "RuleVariables")
+            Prelude.<*> (x Data..:? "StatefulRuleOptions")
+            Prelude.<*> (x Data..: "RulesSource")
+      )
+
+instance Prelude.Hashable RuleGroup where
+  hashWithSalt _salt RuleGroup' {..} =
+    _salt
+      `Prelude.hashWithSalt` referenceSets
+      `Prelude.hashWithSalt` ruleVariables
+      `Prelude.hashWithSalt` statefulRuleOptions
+      `Prelude.hashWithSalt` rulesSource
+
+instance Prelude.NFData RuleGroup where
+  rnf RuleGroup' {..} =
+    Prelude.rnf referenceSets
+      `Prelude.seq` Prelude.rnf ruleVariables
+      `Prelude.seq` Prelude.rnf statefulRuleOptions
+      `Prelude.seq` Prelude.rnf rulesSource
+
+instance Data.ToJSON RuleGroup where
+  toJSON RuleGroup' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("ReferenceSets" Data..=) Prelude.<$> referenceSets,
+            ("RuleVariables" Data..=) Prelude.<$> ruleVariables,
+            ("StatefulRuleOptions" Data..=)
+              Prelude.<$> statefulRuleOptions,
+            Prelude.Just ("RulesSource" Data..= rulesSource)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleGroupMetadata.hs b/gen/Amazonka/NetworkFirewall/Types/RuleGroupMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleGroupMetadata.hs
@@ -0,0 +1,88 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleGroupMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleGroupMetadata where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | High-level information about a rule group, returned by ListRuleGroups.
+-- You can use the information provided in the metadata to retrieve and
+-- manage a rule group.
+--
+-- /See:/ 'newRuleGroupMetadata' smart constructor.
+data RuleGroupMetadata = RuleGroupMetadata'
+  { -- | The Amazon Resource Name (ARN) of the rule group.
+    arn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    name :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleGroupMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'arn', 'ruleGroupMetadata_arn' - The Amazon Resource Name (ARN) of the rule group.
+--
+-- 'name', 'ruleGroupMetadata_name' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+newRuleGroupMetadata ::
+  RuleGroupMetadata
+newRuleGroupMetadata =
+  RuleGroupMetadata'
+    { arn = Prelude.Nothing,
+      name = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the rule group.
+ruleGroupMetadata_arn :: Lens.Lens' RuleGroupMetadata (Prelude.Maybe Prelude.Text)
+ruleGroupMetadata_arn = Lens.lens (\RuleGroupMetadata' {arn} -> arn) (\s@RuleGroupMetadata' {} a -> s {arn = a} :: RuleGroupMetadata)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+ruleGroupMetadata_name :: Lens.Lens' RuleGroupMetadata (Prelude.Maybe Prelude.Text)
+ruleGroupMetadata_name = Lens.lens (\RuleGroupMetadata' {name} -> name) (\s@RuleGroupMetadata' {} a -> s {name = a} :: RuleGroupMetadata)
+
+instance Data.FromJSON RuleGroupMetadata where
+  parseJSON =
+    Data.withObject
+      "RuleGroupMetadata"
+      ( \x ->
+          RuleGroupMetadata'
+            Prelude.<$> (x Data..:? "Arn")
+            Prelude.<*> (x Data..:? "Name")
+      )
+
+instance Prelude.Hashable RuleGroupMetadata where
+  hashWithSalt _salt RuleGroupMetadata' {..} =
+    _salt
+      `Prelude.hashWithSalt` arn
+      `Prelude.hashWithSalt` name
+
+instance Prelude.NFData RuleGroupMetadata where
+  rnf RuleGroupMetadata' {..} =
+    Prelude.rnf arn `Prelude.seq` Prelude.rnf name
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleGroupResponse.hs b/gen/Amazonka/NetworkFirewall/Types/RuleGroupResponse.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleGroupResponse.hs
@@ -0,0 +1,313 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleGroupResponse
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleGroupResponse where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.EncryptionConfiguration
+import Amazonka.NetworkFirewall.Types.ResourceStatus
+import Amazonka.NetworkFirewall.Types.RuleGroupType
+import Amazonka.NetworkFirewall.Types.SourceMetadata
+import Amazonka.NetworkFirewall.Types.Tag
+import qualified Amazonka.Prelude as Prelude
+
+-- | The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+--
+-- /See:/ 'newRuleGroupResponse' smart constructor.
+data RuleGroupResponse = RuleGroupResponse'
+  { -- | The maximum operating resources that this rule group can use. Rule group
+    -- capacity is fixed at creation. When you update a rule group, you are
+    -- limited to this capacity. When you reference a rule group from a
+    -- firewall policy, Network Firewall reserves this capacity for the rule
+    -- group.
+    --
+    -- You can retrieve the capacity that would be required for a rule group
+    -- before you create the rule group by calling CreateRuleGroup with
+    -- @DryRun@ set to @TRUE@.
+    capacity :: Prelude.Maybe Prelude.Int,
+    -- | The number of capacity units currently consumed by the rule group rules.
+    consumedCapacity :: Prelude.Maybe Prelude.Int,
+    -- | A description of the rule group.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains the Amazon Web Services KMS encryption
+    -- configuration settings for your rule group.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The last time that the rule group was changed.
+    lastModifiedTime :: Prelude.Maybe Data.POSIX,
+    -- | The number of firewall policies that use this rule group.
+    numberOfAssociations :: Prelude.Maybe Prelude.Int,
+    -- | Detailed information about the current status of a rule group.
+    ruleGroupStatus :: Prelude.Maybe ResourceStatus,
+    -- | The Amazon resource name (ARN) of the Amazon Simple Notification Service
+    -- SNS topic that\'s used to record changes to the managed rule group. You
+    -- can subscribe to the SNS topic to receive notifications when the managed
+    -- rule group is modified, such as for new versions and for version
+    -- expiration. For more information, see the
+    -- <https://docs.aws.amazon.com/sns/latest/dg/welcome.html Amazon Simple Notification Service Developer Guide.>.
+    snsTopic :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains metadata about the rule group that your own
+    -- rule group is copied from. You can use the metadata to track the version
+    -- updates made to the originating rule group.
+    sourceMetadata :: Prelude.Maybe SourceMetadata,
+    -- | The key:value pairs to associate with the resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    type' :: Prelude.Maybe RuleGroupType,
+    -- | The Amazon Resource Name (ARN) of the rule group.
+    --
+    -- If this response is for a create request that had @DryRun@ set to
+    -- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+    -- resource.
+    ruleGroupArn :: Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    ruleGroupName :: Prelude.Text,
+    -- | The unique identifier for the rule group.
+    ruleGroupId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleGroupResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'capacity', 'ruleGroupResponse_capacity' - The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+--
+-- 'consumedCapacity', 'ruleGroupResponse_consumedCapacity' - The number of capacity units currently consumed by the rule group rules.
+--
+-- 'description', 'ruleGroupResponse_description' - A description of the rule group.
+--
+-- 'encryptionConfiguration', 'ruleGroupResponse_encryptionConfiguration' - A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your rule group.
+--
+-- 'lastModifiedTime', 'ruleGroupResponse_lastModifiedTime' - The last time that the rule group was changed.
+--
+-- 'numberOfAssociations', 'ruleGroupResponse_numberOfAssociations' - The number of firewall policies that use this rule group.
+--
+-- 'ruleGroupStatus', 'ruleGroupResponse_ruleGroupStatus' - Detailed information about the current status of a rule group.
+--
+-- 'snsTopic', 'ruleGroupResponse_snsTopic' - The Amazon resource name (ARN) of the Amazon Simple Notification Service
+-- SNS topic that\'s used to record changes to the managed rule group. You
+-- can subscribe to the SNS topic to receive notifications when the managed
+-- rule group is modified, such as for new versions and for version
+-- expiration. For more information, see the
+-- <https://docs.aws.amazon.com/sns/latest/dg/welcome.html Amazon Simple Notification Service Developer Guide.>.
+--
+-- 'sourceMetadata', 'ruleGroupResponse_sourceMetadata' - A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to track the version
+-- updates made to the originating rule group.
+--
+-- 'tags', 'ruleGroupResponse_tags' - The key:value pairs to associate with the resource.
+--
+-- 'type'', 'ruleGroupResponse_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- 'ruleGroupArn', 'ruleGroupResponse_ruleGroupArn' - The Amazon Resource Name (ARN) of the rule group.
+--
+-- If this response is for a create request that had @DryRun@ set to
+-- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+-- resource.
+--
+-- 'ruleGroupName', 'ruleGroupResponse_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- 'ruleGroupId', 'ruleGroupResponse_ruleGroupId' - The unique identifier for the rule group.
+newRuleGroupResponse ::
+  -- | 'ruleGroupArn'
+  Prelude.Text ->
+  -- | 'ruleGroupName'
+  Prelude.Text ->
+  -- | 'ruleGroupId'
+  Prelude.Text ->
+  RuleGroupResponse
+newRuleGroupResponse
+  pRuleGroupArn_
+  pRuleGroupName_
+  pRuleGroupId_ =
+    RuleGroupResponse'
+      { capacity = Prelude.Nothing,
+        consumedCapacity = Prelude.Nothing,
+        description = Prelude.Nothing,
+        encryptionConfiguration = Prelude.Nothing,
+        lastModifiedTime = Prelude.Nothing,
+        numberOfAssociations = Prelude.Nothing,
+        ruleGroupStatus = Prelude.Nothing,
+        snsTopic = Prelude.Nothing,
+        sourceMetadata = Prelude.Nothing,
+        tags = Prelude.Nothing,
+        type' = Prelude.Nothing,
+        ruleGroupArn = pRuleGroupArn_,
+        ruleGroupName = pRuleGroupName_,
+        ruleGroupId = pRuleGroupId_
+      }
+
+-- | The maximum operating resources that this rule group can use. Rule group
+-- capacity is fixed at creation. When you update a rule group, you are
+-- limited to this capacity. When you reference a rule group from a
+-- firewall policy, Network Firewall reserves this capacity for the rule
+-- group.
+--
+-- You can retrieve the capacity that would be required for a rule group
+-- before you create the rule group by calling CreateRuleGroup with
+-- @DryRun@ set to @TRUE@.
+ruleGroupResponse_capacity :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.Int)
+ruleGroupResponse_capacity = Lens.lens (\RuleGroupResponse' {capacity} -> capacity) (\s@RuleGroupResponse' {} a -> s {capacity = a} :: RuleGroupResponse)
+
+-- | The number of capacity units currently consumed by the rule group rules.
+ruleGroupResponse_consumedCapacity :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.Int)
+ruleGroupResponse_consumedCapacity = Lens.lens (\RuleGroupResponse' {consumedCapacity} -> consumedCapacity) (\s@RuleGroupResponse' {} a -> s {consumedCapacity = a} :: RuleGroupResponse)
+
+-- | A description of the rule group.
+ruleGroupResponse_description :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.Text)
+ruleGroupResponse_description = Lens.lens (\RuleGroupResponse' {description} -> description) (\s@RuleGroupResponse' {} a -> s {description = a} :: RuleGroupResponse)
+
+-- | A complex type that contains the Amazon Web Services KMS encryption
+-- configuration settings for your rule group.
+ruleGroupResponse_encryptionConfiguration :: Lens.Lens' RuleGroupResponse (Prelude.Maybe EncryptionConfiguration)
+ruleGroupResponse_encryptionConfiguration = Lens.lens (\RuleGroupResponse' {encryptionConfiguration} -> encryptionConfiguration) (\s@RuleGroupResponse' {} a -> s {encryptionConfiguration = a} :: RuleGroupResponse)
+
+-- | The last time that the rule group was changed.
+ruleGroupResponse_lastModifiedTime :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.UTCTime)
+ruleGroupResponse_lastModifiedTime = Lens.lens (\RuleGroupResponse' {lastModifiedTime} -> lastModifiedTime) (\s@RuleGroupResponse' {} a -> s {lastModifiedTime = a} :: RuleGroupResponse) Prelude.. Lens.mapping Data._Time
+
+-- | The number of firewall policies that use this rule group.
+ruleGroupResponse_numberOfAssociations :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.Int)
+ruleGroupResponse_numberOfAssociations = Lens.lens (\RuleGroupResponse' {numberOfAssociations} -> numberOfAssociations) (\s@RuleGroupResponse' {} a -> s {numberOfAssociations = a} :: RuleGroupResponse)
+
+-- | Detailed information about the current status of a rule group.
+ruleGroupResponse_ruleGroupStatus :: Lens.Lens' RuleGroupResponse (Prelude.Maybe ResourceStatus)
+ruleGroupResponse_ruleGroupStatus = Lens.lens (\RuleGroupResponse' {ruleGroupStatus} -> ruleGroupStatus) (\s@RuleGroupResponse' {} a -> s {ruleGroupStatus = a} :: RuleGroupResponse)
+
+-- | The Amazon resource name (ARN) of the Amazon Simple Notification Service
+-- SNS topic that\'s used to record changes to the managed rule group. You
+-- can subscribe to the SNS topic to receive notifications when the managed
+-- rule group is modified, such as for new versions and for version
+-- expiration. For more information, see the
+-- <https://docs.aws.amazon.com/sns/latest/dg/welcome.html Amazon Simple Notification Service Developer Guide.>.
+ruleGroupResponse_snsTopic :: Lens.Lens' RuleGroupResponse (Prelude.Maybe Prelude.Text)
+ruleGroupResponse_snsTopic = Lens.lens (\RuleGroupResponse' {snsTopic} -> snsTopic) (\s@RuleGroupResponse' {} a -> s {snsTopic = a} :: RuleGroupResponse)
+
+-- | A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to track the version
+-- updates made to the originating rule group.
+ruleGroupResponse_sourceMetadata :: Lens.Lens' RuleGroupResponse (Prelude.Maybe SourceMetadata)
+ruleGroupResponse_sourceMetadata = Lens.lens (\RuleGroupResponse' {sourceMetadata} -> sourceMetadata) (\s@RuleGroupResponse' {} a -> s {sourceMetadata = a} :: RuleGroupResponse)
+
+-- | The key:value pairs to associate with the resource.
+ruleGroupResponse_tags :: Lens.Lens' RuleGroupResponse (Prelude.Maybe (Prelude.NonEmpty Tag))
+ruleGroupResponse_tags = Lens.lens (\RuleGroupResponse' {tags} -> tags) (\s@RuleGroupResponse' {} a -> s {tags = a} :: RuleGroupResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+ruleGroupResponse_type :: Lens.Lens' RuleGroupResponse (Prelude.Maybe RuleGroupType)
+ruleGroupResponse_type = Lens.lens (\RuleGroupResponse' {type'} -> type') (\s@RuleGroupResponse' {} a -> s {type' = a} :: RuleGroupResponse)
+
+-- | The Amazon Resource Name (ARN) of the rule group.
+--
+-- If this response is for a create request that had @DryRun@ set to
+-- @TRUE@, then this ARN is a placeholder that isn\'t attached to a valid
+-- resource.
+ruleGroupResponse_ruleGroupArn :: Lens.Lens' RuleGroupResponse Prelude.Text
+ruleGroupResponse_ruleGroupArn = Lens.lens (\RuleGroupResponse' {ruleGroupArn} -> ruleGroupArn) (\s@RuleGroupResponse' {} a -> s {ruleGroupArn = a} :: RuleGroupResponse)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+ruleGroupResponse_ruleGroupName :: Lens.Lens' RuleGroupResponse Prelude.Text
+ruleGroupResponse_ruleGroupName = Lens.lens (\RuleGroupResponse' {ruleGroupName} -> ruleGroupName) (\s@RuleGroupResponse' {} a -> s {ruleGroupName = a} :: RuleGroupResponse)
+
+-- | The unique identifier for the rule group.
+ruleGroupResponse_ruleGroupId :: Lens.Lens' RuleGroupResponse Prelude.Text
+ruleGroupResponse_ruleGroupId = Lens.lens (\RuleGroupResponse' {ruleGroupId} -> ruleGroupId) (\s@RuleGroupResponse' {} a -> s {ruleGroupId = a} :: RuleGroupResponse)
+
+instance Data.FromJSON RuleGroupResponse where
+  parseJSON =
+    Data.withObject
+      "RuleGroupResponse"
+      ( \x ->
+          RuleGroupResponse'
+            Prelude.<$> (x Data..:? "Capacity")
+            Prelude.<*> (x Data..:? "ConsumedCapacity")
+            Prelude.<*> (x Data..:? "Description")
+            Prelude.<*> (x Data..:? "EncryptionConfiguration")
+            Prelude.<*> (x Data..:? "LastModifiedTime")
+            Prelude.<*> (x Data..:? "NumberOfAssociations")
+            Prelude.<*> (x Data..:? "RuleGroupStatus")
+            Prelude.<*> (x Data..:? "SnsTopic")
+            Prelude.<*> (x Data..:? "SourceMetadata")
+            Prelude.<*> (x Data..:? "Tags")
+            Prelude.<*> (x Data..:? "Type")
+            Prelude.<*> (x Data..: "RuleGroupArn")
+            Prelude.<*> (x Data..: "RuleGroupName")
+            Prelude.<*> (x Data..: "RuleGroupId")
+      )
+
+instance Prelude.Hashable RuleGroupResponse where
+  hashWithSalt _salt RuleGroupResponse' {..} =
+    _salt
+      `Prelude.hashWithSalt` capacity
+      `Prelude.hashWithSalt` consumedCapacity
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` lastModifiedTime
+      `Prelude.hashWithSalt` numberOfAssociations
+      `Prelude.hashWithSalt` ruleGroupStatus
+      `Prelude.hashWithSalt` snsTopic
+      `Prelude.hashWithSalt` sourceMetadata
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` type'
+      `Prelude.hashWithSalt` ruleGroupArn
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` ruleGroupId
+
+instance Prelude.NFData RuleGroupResponse where
+  rnf RuleGroupResponse' {..} =
+    Prelude.rnf capacity
+      `Prelude.seq` Prelude.rnf consumedCapacity
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf lastModifiedTime
+      `Prelude.seq` Prelude.rnf numberOfAssociations
+      `Prelude.seq` Prelude.rnf ruleGroupStatus
+      `Prelude.seq` Prelude.rnf snsTopic
+      `Prelude.seq` Prelude.rnf sourceMetadata
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf type'
+      `Prelude.seq` Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf ruleGroupId
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleGroupType.hs b/gen/Amazonka/NetworkFirewall/Types/RuleGroupType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleGroupType.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleGroupType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleGroupType
+  ( RuleGroupType
+      ( ..,
+        RuleGroupType_STATEFUL,
+        RuleGroupType_STATELESS
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype RuleGroupType = RuleGroupType'
+  { fromRuleGroupType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern RuleGroupType_STATEFUL :: RuleGroupType
+pattern RuleGroupType_STATEFUL = RuleGroupType' "STATEFUL"
+
+pattern RuleGroupType_STATELESS :: RuleGroupType
+pattern RuleGroupType_STATELESS = RuleGroupType' "STATELESS"
+
+{-# COMPLETE
+  RuleGroupType_STATEFUL,
+  RuleGroupType_STATELESS,
+  RuleGroupType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleOption.hs b/gen/Amazonka/NetworkFirewall/Types/RuleOption.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleOption.hs
@@ -0,0 +1,92 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleOption
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleOption where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | Additional settings for a stateful rule. This is part of the
+-- StatefulRule configuration.
+--
+-- /See:/ 'newRuleOption' smart constructor.
+data RuleOption = RuleOption'
+  { settings :: Prelude.Maybe [Prelude.Text],
+    keyword :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleOption' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'settings', 'ruleOption_settings' -
+--
+-- 'keyword', 'ruleOption_keyword' -
+newRuleOption ::
+  -- | 'keyword'
+  Prelude.Text ->
+  RuleOption
+newRuleOption pKeyword_ =
+  RuleOption'
+    { settings = Prelude.Nothing,
+      keyword = pKeyword_
+    }
+
+ruleOption_settings :: Lens.Lens' RuleOption (Prelude.Maybe [Prelude.Text])
+ruleOption_settings = Lens.lens (\RuleOption' {settings} -> settings) (\s@RuleOption' {} a -> s {settings = a} :: RuleOption) Prelude.. Lens.mapping Lens.coerced
+
+ruleOption_keyword :: Lens.Lens' RuleOption Prelude.Text
+ruleOption_keyword = Lens.lens (\RuleOption' {keyword} -> keyword) (\s@RuleOption' {} a -> s {keyword = a} :: RuleOption)
+
+instance Data.FromJSON RuleOption where
+  parseJSON =
+    Data.withObject
+      "RuleOption"
+      ( \x ->
+          RuleOption'
+            Prelude.<$> (x Data..:? "Settings" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..: "Keyword")
+      )
+
+instance Prelude.Hashable RuleOption where
+  hashWithSalt _salt RuleOption' {..} =
+    _salt
+      `Prelude.hashWithSalt` settings
+      `Prelude.hashWithSalt` keyword
+
+instance Prelude.NFData RuleOption where
+  rnf RuleOption' {..} =
+    Prelude.rnf settings
+      `Prelude.seq` Prelude.rnf keyword
+
+instance Data.ToJSON RuleOption where
+  toJSON RuleOption' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Settings" Data..=) Prelude.<$> settings,
+            Prelude.Just ("Keyword" Data..= keyword)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleOrder.hs b/gen/Amazonka/NetworkFirewall/Types/RuleOrder.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleOrder.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleOrder
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleOrder
+  ( RuleOrder
+      ( ..,
+        RuleOrder_DEFAULT_ACTION_ORDER,
+        RuleOrder_STRICT_ORDER
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype RuleOrder = RuleOrder'
+  { fromRuleOrder ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder
+pattern RuleOrder_DEFAULT_ACTION_ORDER = RuleOrder' "DEFAULT_ACTION_ORDER"
+
+pattern RuleOrder_STRICT_ORDER :: RuleOrder
+pattern RuleOrder_STRICT_ORDER = RuleOrder' "STRICT_ORDER"
+
+{-# COMPLETE
+  RuleOrder_DEFAULT_ACTION_ORDER,
+  RuleOrder_STRICT_ORDER,
+  RuleOrder'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/RuleVariables.hs b/gen/Amazonka/NetworkFirewall/Types/RuleVariables.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RuleVariables.hs
@@ -0,0 +1,96 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RuleVariables
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RuleVariables where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.IPSet
+import Amazonka.NetworkFirewall.Types.PortSet
+import qualified Amazonka.Prelude as Prelude
+
+-- | Settings that are available for use in the rules in the RuleGroup where
+-- this is defined.
+--
+-- /See:/ 'newRuleVariables' smart constructor.
+data RuleVariables = RuleVariables'
+  { -- | A list of IP addresses and address ranges, in CIDR notation.
+    iPSets :: Prelude.Maybe (Prelude.HashMap Prelude.Text IPSet),
+    -- | A list of port ranges.
+    portSets :: Prelude.Maybe (Prelude.HashMap Prelude.Text PortSet)
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RuleVariables' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'iPSets', 'ruleVariables_iPSets' - A list of IP addresses and address ranges, in CIDR notation.
+--
+-- 'portSets', 'ruleVariables_portSets' - A list of port ranges.
+newRuleVariables ::
+  RuleVariables
+newRuleVariables =
+  RuleVariables'
+    { iPSets = Prelude.Nothing,
+      portSets = Prelude.Nothing
+    }
+
+-- | A list of IP addresses and address ranges, in CIDR notation.
+ruleVariables_iPSets :: Lens.Lens' RuleVariables (Prelude.Maybe (Prelude.HashMap Prelude.Text IPSet))
+ruleVariables_iPSets = Lens.lens (\RuleVariables' {iPSets} -> iPSets) (\s@RuleVariables' {} a -> s {iPSets = a} :: RuleVariables) Prelude.. Lens.mapping Lens.coerced
+
+-- | A list of port ranges.
+ruleVariables_portSets :: Lens.Lens' RuleVariables (Prelude.Maybe (Prelude.HashMap Prelude.Text PortSet))
+ruleVariables_portSets = Lens.lens (\RuleVariables' {portSets} -> portSets) (\s@RuleVariables' {} a -> s {portSets = a} :: RuleVariables) Prelude.. Lens.mapping Lens.coerced
+
+instance Data.FromJSON RuleVariables where
+  parseJSON =
+    Data.withObject
+      "RuleVariables"
+      ( \x ->
+          RuleVariables'
+            Prelude.<$> (x Data..:? "IPSets" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "PortSets" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable RuleVariables where
+  hashWithSalt _salt RuleVariables' {..} =
+    _salt
+      `Prelude.hashWithSalt` iPSets
+      `Prelude.hashWithSalt` portSets
+
+instance Prelude.NFData RuleVariables where
+  rnf RuleVariables' {..} =
+    Prelude.rnf iPSets
+      `Prelude.seq` Prelude.rnf portSets
+
+instance Data.ToJSON RuleVariables where
+  toJSON RuleVariables' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("IPSets" Data..=) Prelude.<$> iPSets,
+            ("PortSets" Data..=) Prelude.<$> portSets
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/RulesSource.hs b/gen/Amazonka/NetworkFirewall/Types/RulesSource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RulesSource.hs
@@ -0,0 +1,159 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RulesSource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RulesSource where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.RulesSourceList
+import Amazonka.NetworkFirewall.Types.StatefulRule
+import Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions
+import qualified Amazonka.Prelude as Prelude
+
+-- | The stateless or stateful rules definitions for use in a single rule
+-- group. Each rule group requires a single @RulesSource@. You can use an
+-- instance of this for either stateless rules or stateful rules.
+--
+-- /See:/ 'newRulesSource' smart constructor.
+data RulesSource = RulesSource'
+  { -- | Stateful inspection criteria for a domain list rule group.
+    rulesSourceList :: Prelude.Maybe RulesSourceList,
+    -- | Stateful inspection criteria, provided in Suricata compatible intrusion
+    -- prevention system (IPS) rules. Suricata is an open-source network IPS
+    -- that includes a standard rule-based language for network traffic
+    -- inspection.
+    --
+    -- These rules contain the inspection criteria and the action to take for
+    -- traffic that matches the criteria, so this type of rule group doesn\'t
+    -- have a separate action setting.
+    rulesString :: Prelude.Maybe Prelude.Text,
+    -- | An array of individual stateful rules inspection criteria to be used
+    -- together in a stateful rule group. Use this option to specify simple
+    -- Suricata rules with protocol, source and destination, ports, direction,
+    -- and rule options. For information about the Suricata @Rules@ format, see
+    -- <https://suricata.readthedocs.io/rules/intro.html# Rules Format>.
+    statefulRules :: Prelude.Maybe [StatefulRule],
+    -- | Stateless inspection criteria to be used in a stateless rule group.
+    statelessRulesAndCustomActions :: Prelude.Maybe StatelessRulesAndCustomActions
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RulesSource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'rulesSourceList', 'rulesSource_rulesSourceList' - Stateful inspection criteria for a domain list rule group.
+--
+-- 'rulesString', 'rulesSource_rulesString' - Stateful inspection criteria, provided in Suricata compatible intrusion
+-- prevention system (IPS) rules. Suricata is an open-source network IPS
+-- that includes a standard rule-based language for network traffic
+-- inspection.
+--
+-- These rules contain the inspection criteria and the action to take for
+-- traffic that matches the criteria, so this type of rule group doesn\'t
+-- have a separate action setting.
+--
+-- 'statefulRules', 'rulesSource_statefulRules' - An array of individual stateful rules inspection criteria to be used
+-- together in a stateful rule group. Use this option to specify simple
+-- Suricata rules with protocol, source and destination, ports, direction,
+-- and rule options. For information about the Suricata @Rules@ format, see
+-- <https://suricata.readthedocs.io/rules/intro.html# Rules Format>.
+--
+-- 'statelessRulesAndCustomActions', 'rulesSource_statelessRulesAndCustomActions' - Stateless inspection criteria to be used in a stateless rule group.
+newRulesSource ::
+  RulesSource
+newRulesSource =
+  RulesSource'
+    { rulesSourceList = Prelude.Nothing,
+      rulesString = Prelude.Nothing,
+      statefulRules = Prelude.Nothing,
+      statelessRulesAndCustomActions = Prelude.Nothing
+    }
+
+-- | Stateful inspection criteria for a domain list rule group.
+rulesSource_rulesSourceList :: Lens.Lens' RulesSource (Prelude.Maybe RulesSourceList)
+rulesSource_rulesSourceList = Lens.lens (\RulesSource' {rulesSourceList} -> rulesSourceList) (\s@RulesSource' {} a -> s {rulesSourceList = a} :: RulesSource)
+
+-- | Stateful inspection criteria, provided in Suricata compatible intrusion
+-- prevention system (IPS) rules. Suricata is an open-source network IPS
+-- that includes a standard rule-based language for network traffic
+-- inspection.
+--
+-- These rules contain the inspection criteria and the action to take for
+-- traffic that matches the criteria, so this type of rule group doesn\'t
+-- have a separate action setting.
+rulesSource_rulesString :: Lens.Lens' RulesSource (Prelude.Maybe Prelude.Text)
+rulesSource_rulesString = Lens.lens (\RulesSource' {rulesString} -> rulesString) (\s@RulesSource' {} a -> s {rulesString = a} :: RulesSource)
+
+-- | An array of individual stateful rules inspection criteria to be used
+-- together in a stateful rule group. Use this option to specify simple
+-- Suricata rules with protocol, source and destination, ports, direction,
+-- and rule options. For information about the Suricata @Rules@ format, see
+-- <https://suricata.readthedocs.io/rules/intro.html# Rules Format>.
+rulesSource_statefulRules :: Lens.Lens' RulesSource (Prelude.Maybe [StatefulRule])
+rulesSource_statefulRules = Lens.lens (\RulesSource' {statefulRules} -> statefulRules) (\s@RulesSource' {} a -> s {statefulRules = a} :: RulesSource) Prelude.. Lens.mapping Lens.coerced
+
+-- | Stateless inspection criteria to be used in a stateless rule group.
+rulesSource_statelessRulesAndCustomActions :: Lens.Lens' RulesSource (Prelude.Maybe StatelessRulesAndCustomActions)
+rulesSource_statelessRulesAndCustomActions = Lens.lens (\RulesSource' {statelessRulesAndCustomActions} -> statelessRulesAndCustomActions) (\s@RulesSource' {} a -> s {statelessRulesAndCustomActions = a} :: RulesSource)
+
+instance Data.FromJSON RulesSource where
+  parseJSON =
+    Data.withObject
+      "RulesSource"
+      ( \x ->
+          RulesSource'
+            Prelude.<$> (x Data..:? "RulesSourceList")
+            Prelude.<*> (x Data..:? "RulesString")
+            Prelude.<*> (x Data..:? "StatefulRules" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "StatelessRulesAndCustomActions")
+      )
+
+instance Prelude.Hashable RulesSource where
+  hashWithSalt _salt RulesSource' {..} =
+    _salt
+      `Prelude.hashWithSalt` rulesSourceList
+      `Prelude.hashWithSalt` rulesString
+      `Prelude.hashWithSalt` statefulRules
+      `Prelude.hashWithSalt` statelessRulesAndCustomActions
+
+instance Prelude.NFData RulesSource where
+  rnf RulesSource' {..} =
+    Prelude.rnf rulesSourceList
+      `Prelude.seq` Prelude.rnf rulesString
+      `Prelude.seq` Prelude.rnf statefulRules
+      `Prelude.seq` Prelude.rnf statelessRulesAndCustomActions
+
+instance Data.ToJSON RulesSource where
+  toJSON RulesSource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("RulesSourceList" Data..=)
+              Prelude.<$> rulesSourceList,
+            ("RulesString" Data..=) Prelude.<$> rulesString,
+            ("StatefulRules" Data..=) Prelude.<$> statefulRules,
+            ("StatelessRulesAndCustomActions" Data..=)
+              Prelude.<$> statelessRulesAndCustomActions
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/RulesSourceList.hs b/gen/Amazonka/NetworkFirewall/Types/RulesSourceList.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/RulesSourceList.hs
@@ -0,0 +1,156 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.RulesSourceList
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.RulesSourceList where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.GeneratedRulesType
+import Amazonka.NetworkFirewall.Types.TargetType
+import qualified Amazonka.Prelude as Prelude
+
+-- | Stateful inspection criteria for a domain list rule group.
+--
+-- For HTTPS traffic, domain filtering is SNI-based. It uses the server
+-- name indicator extension of the TLS handshake.
+--
+-- By default, Network Firewall domain list inspection only includes
+-- traffic coming from the VPC where you deploy the firewall. To inspect
+-- traffic from IP addresses outside of the deployment VPC, you set the
+-- @HOME_NET@ rule variable to include the CIDR range of the deployment VPC
+-- plus the other CIDR ranges. For more information, see RuleVariables in
+-- this guide and
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html Stateful domain list rule groups in Network Firewall>
+-- in the /Network Firewall Developer Guide/.
+--
+-- /See:/ 'newRulesSourceList' smart constructor.
+data RulesSourceList = RulesSourceList'
+  { -- | The domains that you want to inspect for in your traffic flows. Valid
+    -- domain specifications are the following:
+    --
+    -- -   Explicit names. For example, @abc.example.com@ matches only the
+    --     domain @abc.example.com@.
+    --
+    -- -   Names that use a domain wildcard, which you indicate with an initial
+    --     \'@.@\'. For example,@.example.com@ matches @example.com@ and
+    --     matches all subdomains of @example.com@, such as @abc.example.com@
+    --     and @www.example.com@.
+    targets :: [Prelude.Text],
+    -- | The protocols you want to inspect. Specify @TLS_SNI@ for @HTTPS@.
+    -- Specify @HTTP_HOST@ for @HTTP@. You can specify either or both.
+    targetTypes :: [TargetType],
+    -- | Whether you want to allow or deny access to the domains in your target
+    -- list.
+    generatedRulesType :: GeneratedRulesType
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RulesSourceList' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'targets', 'rulesSourceList_targets' - The domains that you want to inspect for in your traffic flows. Valid
+-- domain specifications are the following:
+--
+-- -   Explicit names. For example, @abc.example.com@ matches only the
+--     domain @abc.example.com@.
+--
+-- -   Names that use a domain wildcard, which you indicate with an initial
+--     \'@.@\'. For example,@.example.com@ matches @example.com@ and
+--     matches all subdomains of @example.com@, such as @abc.example.com@
+--     and @www.example.com@.
+--
+-- 'targetTypes', 'rulesSourceList_targetTypes' - The protocols you want to inspect. Specify @TLS_SNI@ for @HTTPS@.
+-- Specify @HTTP_HOST@ for @HTTP@. You can specify either or both.
+--
+-- 'generatedRulesType', 'rulesSourceList_generatedRulesType' - Whether you want to allow or deny access to the domains in your target
+-- list.
+newRulesSourceList ::
+  -- | 'generatedRulesType'
+  GeneratedRulesType ->
+  RulesSourceList
+newRulesSourceList pGeneratedRulesType_ =
+  RulesSourceList'
+    { targets = Prelude.mempty,
+      targetTypes = Prelude.mempty,
+      generatedRulesType = pGeneratedRulesType_
+    }
+
+-- | The domains that you want to inspect for in your traffic flows. Valid
+-- domain specifications are the following:
+--
+-- -   Explicit names. For example, @abc.example.com@ matches only the
+--     domain @abc.example.com@.
+--
+-- -   Names that use a domain wildcard, which you indicate with an initial
+--     \'@.@\'. For example,@.example.com@ matches @example.com@ and
+--     matches all subdomains of @example.com@, such as @abc.example.com@
+--     and @www.example.com@.
+rulesSourceList_targets :: Lens.Lens' RulesSourceList [Prelude.Text]
+rulesSourceList_targets = Lens.lens (\RulesSourceList' {targets} -> targets) (\s@RulesSourceList' {} a -> s {targets = a} :: RulesSourceList) Prelude.. Lens.coerced
+
+-- | The protocols you want to inspect. Specify @TLS_SNI@ for @HTTPS@.
+-- Specify @HTTP_HOST@ for @HTTP@. You can specify either or both.
+rulesSourceList_targetTypes :: Lens.Lens' RulesSourceList [TargetType]
+rulesSourceList_targetTypes = Lens.lens (\RulesSourceList' {targetTypes} -> targetTypes) (\s@RulesSourceList' {} a -> s {targetTypes = a} :: RulesSourceList) Prelude.. Lens.coerced
+
+-- | Whether you want to allow or deny access to the domains in your target
+-- list.
+rulesSourceList_generatedRulesType :: Lens.Lens' RulesSourceList GeneratedRulesType
+rulesSourceList_generatedRulesType = Lens.lens (\RulesSourceList' {generatedRulesType} -> generatedRulesType) (\s@RulesSourceList' {} a -> s {generatedRulesType = a} :: RulesSourceList)
+
+instance Data.FromJSON RulesSourceList where
+  parseJSON =
+    Data.withObject
+      "RulesSourceList"
+      ( \x ->
+          RulesSourceList'
+            Prelude.<$> (x Data..:? "Targets" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "TargetTypes" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..: "GeneratedRulesType")
+      )
+
+instance Prelude.Hashable RulesSourceList where
+  hashWithSalt _salt RulesSourceList' {..} =
+    _salt
+      `Prelude.hashWithSalt` targets
+      `Prelude.hashWithSalt` targetTypes
+      `Prelude.hashWithSalt` generatedRulesType
+
+instance Prelude.NFData RulesSourceList where
+  rnf RulesSourceList' {..} =
+    Prelude.rnf targets
+      `Prelude.seq` Prelude.rnf targetTypes
+      `Prelude.seq` Prelude.rnf generatedRulesType
+
+instance Data.ToJSON RulesSourceList where
+  toJSON RulesSourceList' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("Targets" Data..= targets),
+            Prelude.Just ("TargetTypes" Data..= targetTypes),
+            Prelude.Just
+              ("GeneratedRulesType" Data..= generatedRulesType)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/SourceMetadata.hs b/gen/Amazonka/NetworkFirewall/Types/SourceMetadata.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/SourceMetadata.hs
@@ -0,0 +1,110 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.SourceMetadata
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.SourceMetadata where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | High-level information about the managed rule group that your own rule
+-- group is copied from. You can use the the metadata to track version
+-- updates made to the originating rule group. You can retrieve all objects
+-- for a rule group by calling
+-- <https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html DescribeRuleGroup>.
+--
+-- /See:/ 'newSourceMetadata' smart constructor.
+data SourceMetadata = SourceMetadata'
+  { -- | The Amazon Resource Name (ARN) of the rule group that your own rule
+    -- group is copied from.
+    sourceArn :: Prelude.Maybe Prelude.Text,
+    -- | The update token of the Amazon Web Services managed rule group that your
+    -- own rule group is copied from. To determine the update token for the
+    -- managed rule group, call
+    -- <https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html#networkfirewall-DescribeRuleGroup-response-UpdateToken DescribeRuleGroup>.
+    sourceUpdateToken :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'SourceMetadata' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'sourceArn', 'sourceMetadata_sourceArn' - The Amazon Resource Name (ARN) of the rule group that your own rule
+-- group is copied from.
+--
+-- 'sourceUpdateToken', 'sourceMetadata_sourceUpdateToken' - The update token of the Amazon Web Services managed rule group that your
+-- own rule group is copied from. To determine the update token for the
+-- managed rule group, call
+-- <https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html#networkfirewall-DescribeRuleGroup-response-UpdateToken DescribeRuleGroup>.
+newSourceMetadata ::
+  SourceMetadata
+newSourceMetadata =
+  SourceMetadata'
+    { sourceArn = Prelude.Nothing,
+      sourceUpdateToken = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the rule group that your own rule
+-- group is copied from.
+sourceMetadata_sourceArn :: Lens.Lens' SourceMetadata (Prelude.Maybe Prelude.Text)
+sourceMetadata_sourceArn = Lens.lens (\SourceMetadata' {sourceArn} -> sourceArn) (\s@SourceMetadata' {} a -> s {sourceArn = a} :: SourceMetadata)
+
+-- | The update token of the Amazon Web Services managed rule group that your
+-- own rule group is copied from. To determine the update token for the
+-- managed rule group, call
+-- <https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html#networkfirewall-DescribeRuleGroup-response-UpdateToken DescribeRuleGroup>.
+sourceMetadata_sourceUpdateToken :: Lens.Lens' SourceMetadata (Prelude.Maybe Prelude.Text)
+sourceMetadata_sourceUpdateToken = Lens.lens (\SourceMetadata' {sourceUpdateToken} -> sourceUpdateToken) (\s@SourceMetadata' {} a -> s {sourceUpdateToken = a} :: SourceMetadata)
+
+instance Data.FromJSON SourceMetadata where
+  parseJSON =
+    Data.withObject
+      "SourceMetadata"
+      ( \x ->
+          SourceMetadata'
+            Prelude.<$> (x Data..:? "SourceArn")
+            Prelude.<*> (x Data..:? "SourceUpdateToken")
+      )
+
+instance Prelude.Hashable SourceMetadata where
+  hashWithSalt _salt SourceMetadata' {..} =
+    _salt
+      `Prelude.hashWithSalt` sourceArn
+      `Prelude.hashWithSalt` sourceUpdateToken
+
+instance Prelude.NFData SourceMetadata where
+  rnf SourceMetadata' {..} =
+    Prelude.rnf sourceArn
+      `Prelude.seq` Prelude.rnf sourceUpdateToken
+
+instance Data.ToJSON SourceMetadata where
+  toJSON SourceMetadata' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("SourceArn" Data..=) Prelude.<$> sourceArn,
+            ("SourceUpdateToken" Data..=)
+              Prelude.<$> sourceUpdateToken
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulAction.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulAction.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulAction.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulAction
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulAction
+  ( StatefulAction
+      ( ..,
+        StatefulAction_ALERT,
+        StatefulAction_DROP,
+        StatefulAction_PASS
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype StatefulAction = StatefulAction'
+  { fromStatefulAction ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern StatefulAction_ALERT :: StatefulAction
+pattern StatefulAction_ALERT = StatefulAction' "ALERT"
+
+pattern StatefulAction_DROP :: StatefulAction
+pattern StatefulAction_DROP = StatefulAction' "DROP"
+
+pattern StatefulAction_PASS :: StatefulAction
+pattern StatefulAction_PASS = StatefulAction' "PASS"
+
+{-# COMPLETE
+  StatefulAction_ALERT,
+  StatefulAction_DROP,
+  StatefulAction_PASS,
+  StatefulAction'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulEngineOptions.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulEngineOptions.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulEngineOptions.hs
@@ -0,0 +1,160 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulEngineOptions
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulEngineOptions where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.RuleOrder
+import Amazonka.NetworkFirewall.Types.StreamExceptionPolicy
+import qualified Amazonka.Prelude as Prelude
+
+-- | Configuration settings for the handling of the stateful rule groups in a
+-- firewall policy.
+--
+-- /See:/ 'newStatefulEngineOptions' smart constructor.
+data StatefulEngineOptions = StatefulEngineOptions'
+  { -- | Indicates how to manage the order of stateful rule evaluation for the
+    -- policy. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+    -- are provided to the rule engine as Suricata compatible strings, and
+    -- Suricata evaluates them based on certain settings. For more information,
+    -- see
+    -- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+    -- in the /Network Firewall Developer Guide/.
+    ruleOrder :: Prelude.Maybe RuleOrder,
+    -- | Configures how Network Firewall processes traffic when a network
+    -- connection breaks midstream. Network connections can break due to
+    -- disruptions in external networks or within the firewall itself.
+    --
+    -- -   @DROP@ - Network Firewall fails closed and drops all subsequent
+    --     traffic going to the firewall. This is the default behavior.
+    --
+    -- -   @CONTINUE@ - Network Firewall continues to apply rules to the
+    --     subsequent traffic without context from traffic before the break.
+    --     This impacts the behavior of rules that depend on this context. For
+    --     example, if you have a stateful rule to @drop http@ traffic, Network
+    --     Firewall won\'t match the traffic for this rule because the service
+    --     won\'t have the context from session initialization defining the
+    --     application layer protocol as HTTP. However, this behavior is rule
+    --     dependent—a TCP-layer rule using a @flow:stateless@ rule would still
+    --     match, as would the @aws:drop_strict@ default action.
+    streamExceptionPolicy :: Prelude.Maybe StreamExceptionPolicy
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatefulEngineOptions' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleOrder', 'statefulEngineOptions_ruleOrder' - Indicates how to manage the order of stateful rule evaluation for the
+-- policy. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+-- are provided to the rule engine as Suricata compatible strings, and
+-- Suricata evaluates them based on certain settings. For more information,
+-- see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+-- in the /Network Firewall Developer Guide/.
+--
+-- 'streamExceptionPolicy', 'statefulEngineOptions_streamExceptionPolicy' - Configures how Network Firewall processes traffic when a network
+-- connection breaks midstream. Network connections can break due to
+-- disruptions in external networks or within the firewall itself.
+--
+-- -   @DROP@ - Network Firewall fails closed and drops all subsequent
+--     traffic going to the firewall. This is the default behavior.
+--
+-- -   @CONTINUE@ - Network Firewall continues to apply rules to the
+--     subsequent traffic without context from traffic before the break.
+--     This impacts the behavior of rules that depend on this context. For
+--     example, if you have a stateful rule to @drop http@ traffic, Network
+--     Firewall won\'t match the traffic for this rule because the service
+--     won\'t have the context from session initialization defining the
+--     application layer protocol as HTTP. However, this behavior is rule
+--     dependent—a TCP-layer rule using a @flow:stateless@ rule would still
+--     match, as would the @aws:drop_strict@ default action.
+newStatefulEngineOptions ::
+  StatefulEngineOptions
+newStatefulEngineOptions =
+  StatefulEngineOptions'
+    { ruleOrder = Prelude.Nothing,
+      streamExceptionPolicy = Prelude.Nothing
+    }
+
+-- | Indicates how to manage the order of stateful rule evaluation for the
+-- policy. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+-- are provided to the rule engine as Suricata compatible strings, and
+-- Suricata evaluates them based on certain settings. For more information,
+-- see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+-- in the /Network Firewall Developer Guide/.
+statefulEngineOptions_ruleOrder :: Lens.Lens' StatefulEngineOptions (Prelude.Maybe RuleOrder)
+statefulEngineOptions_ruleOrder = Lens.lens (\StatefulEngineOptions' {ruleOrder} -> ruleOrder) (\s@StatefulEngineOptions' {} a -> s {ruleOrder = a} :: StatefulEngineOptions)
+
+-- | Configures how Network Firewall processes traffic when a network
+-- connection breaks midstream. Network connections can break due to
+-- disruptions in external networks or within the firewall itself.
+--
+-- -   @DROP@ - Network Firewall fails closed and drops all subsequent
+--     traffic going to the firewall. This is the default behavior.
+--
+-- -   @CONTINUE@ - Network Firewall continues to apply rules to the
+--     subsequent traffic without context from traffic before the break.
+--     This impacts the behavior of rules that depend on this context. For
+--     example, if you have a stateful rule to @drop http@ traffic, Network
+--     Firewall won\'t match the traffic for this rule because the service
+--     won\'t have the context from session initialization defining the
+--     application layer protocol as HTTP. However, this behavior is rule
+--     dependent—a TCP-layer rule using a @flow:stateless@ rule would still
+--     match, as would the @aws:drop_strict@ default action.
+statefulEngineOptions_streamExceptionPolicy :: Lens.Lens' StatefulEngineOptions (Prelude.Maybe StreamExceptionPolicy)
+statefulEngineOptions_streamExceptionPolicy = Lens.lens (\StatefulEngineOptions' {streamExceptionPolicy} -> streamExceptionPolicy) (\s@StatefulEngineOptions' {} a -> s {streamExceptionPolicy = a} :: StatefulEngineOptions)
+
+instance Data.FromJSON StatefulEngineOptions where
+  parseJSON =
+    Data.withObject
+      "StatefulEngineOptions"
+      ( \x ->
+          StatefulEngineOptions'
+            Prelude.<$> (x Data..:? "RuleOrder")
+            Prelude.<*> (x Data..:? "StreamExceptionPolicy")
+      )
+
+instance Prelude.Hashable StatefulEngineOptions where
+  hashWithSalt _salt StatefulEngineOptions' {..} =
+    _salt
+      `Prelude.hashWithSalt` ruleOrder
+      `Prelude.hashWithSalt` streamExceptionPolicy
+
+instance Prelude.NFData StatefulEngineOptions where
+  rnf StatefulEngineOptions' {..} =
+    Prelude.rnf ruleOrder
+      `Prelude.seq` Prelude.rnf streamExceptionPolicy
+
+instance Data.ToJSON StatefulEngineOptions where
+  toJSON StatefulEngineOptions' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("RuleOrder" Data..=) Prelude.<$> ruleOrder,
+            ("StreamExceptionPolicy" Data..=)
+              Prelude.<$> streamExceptionPolicy
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRule.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRule.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRule.hs
@@ -0,0 +1,183 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRule
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRule where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.Header
+import Amazonka.NetworkFirewall.Types.RuleOption
+import Amazonka.NetworkFirewall.Types.StatefulAction
+import qualified Amazonka.Prelude as Prelude
+
+-- | A single Suricata rules specification, for use in a stateful rule group.
+-- Use this option to specify a simple Suricata rule with protocol, source
+-- and destination, ports, direction, and rule options. For information
+-- about the Suricata @Rules@ format, see
+-- <https://suricata.readthedocs.io/rules/intro.html# Rules Format>.
+--
+-- /See:/ 'newStatefulRule' smart constructor.
+data StatefulRule = StatefulRule'
+  { -- | Defines what Network Firewall should do with the packets in a traffic
+    -- flow when the flow matches the stateful rule criteria. For all actions,
+    -- Network Firewall performs the specified action and discontinues stateful
+    -- inspection of the traffic flow.
+    --
+    -- The actions for a stateful rule are defined as follows:
+    --
+    -- -   __PASS__ - Permits the packets to go to the intended destination.
+    --
+    -- -   __DROP__ - Blocks the packets from going to the intended destination
+    --     and sends an alert log message, if alert logging is configured in
+    --     the Firewall LoggingConfiguration.
+    --
+    -- -   __ALERT__ - Permits the packets to go to the intended destination
+    --     and sends an alert log message, if alert logging is configured in
+    --     the Firewall LoggingConfiguration.
+    --
+    --     You can use this action to test a rule that you intend to use to
+    --     drop traffic. You can enable the rule with @ALERT@ action, verify in
+    --     the logs that the rule is filtering as you want, then change the
+    --     action to @DROP@.
+    action :: StatefulAction,
+    -- | The stateful inspection criteria for this rule, used to inspect traffic
+    -- flows.
+    header :: Header,
+    -- | Additional options for the rule. These are the Suricata @RuleOptions@
+    -- settings.
+    ruleOptions :: [RuleOption]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatefulRule' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'action', 'statefulRule_action' - Defines what Network Firewall should do with the packets in a traffic
+-- flow when the flow matches the stateful rule criteria. For all actions,
+-- Network Firewall performs the specified action and discontinues stateful
+-- inspection of the traffic flow.
+--
+-- The actions for a stateful rule are defined as follows:
+--
+-- -   __PASS__ - Permits the packets to go to the intended destination.
+--
+-- -   __DROP__ - Blocks the packets from going to the intended destination
+--     and sends an alert log message, if alert logging is configured in
+--     the Firewall LoggingConfiguration.
+--
+-- -   __ALERT__ - Permits the packets to go to the intended destination
+--     and sends an alert log message, if alert logging is configured in
+--     the Firewall LoggingConfiguration.
+--
+--     You can use this action to test a rule that you intend to use to
+--     drop traffic. You can enable the rule with @ALERT@ action, verify in
+--     the logs that the rule is filtering as you want, then change the
+--     action to @DROP@.
+--
+-- 'header', 'statefulRule_header' - The stateful inspection criteria for this rule, used to inspect traffic
+-- flows.
+--
+-- 'ruleOptions', 'statefulRule_ruleOptions' - Additional options for the rule. These are the Suricata @RuleOptions@
+-- settings.
+newStatefulRule ::
+  -- | 'action'
+  StatefulAction ->
+  -- | 'header'
+  Header ->
+  StatefulRule
+newStatefulRule pAction_ pHeader_ =
+  StatefulRule'
+    { action = pAction_,
+      header = pHeader_,
+      ruleOptions = Prelude.mempty
+    }
+
+-- | Defines what Network Firewall should do with the packets in a traffic
+-- flow when the flow matches the stateful rule criteria. For all actions,
+-- Network Firewall performs the specified action and discontinues stateful
+-- inspection of the traffic flow.
+--
+-- The actions for a stateful rule are defined as follows:
+--
+-- -   __PASS__ - Permits the packets to go to the intended destination.
+--
+-- -   __DROP__ - Blocks the packets from going to the intended destination
+--     and sends an alert log message, if alert logging is configured in
+--     the Firewall LoggingConfiguration.
+--
+-- -   __ALERT__ - Permits the packets to go to the intended destination
+--     and sends an alert log message, if alert logging is configured in
+--     the Firewall LoggingConfiguration.
+--
+--     You can use this action to test a rule that you intend to use to
+--     drop traffic. You can enable the rule with @ALERT@ action, verify in
+--     the logs that the rule is filtering as you want, then change the
+--     action to @DROP@.
+statefulRule_action :: Lens.Lens' StatefulRule StatefulAction
+statefulRule_action = Lens.lens (\StatefulRule' {action} -> action) (\s@StatefulRule' {} a -> s {action = a} :: StatefulRule)
+
+-- | The stateful inspection criteria for this rule, used to inspect traffic
+-- flows.
+statefulRule_header :: Lens.Lens' StatefulRule Header
+statefulRule_header = Lens.lens (\StatefulRule' {header} -> header) (\s@StatefulRule' {} a -> s {header = a} :: StatefulRule)
+
+-- | Additional options for the rule. These are the Suricata @RuleOptions@
+-- settings.
+statefulRule_ruleOptions :: Lens.Lens' StatefulRule [RuleOption]
+statefulRule_ruleOptions = Lens.lens (\StatefulRule' {ruleOptions} -> ruleOptions) (\s@StatefulRule' {} a -> s {ruleOptions = a} :: StatefulRule) Prelude.. Lens.coerced
+
+instance Data.FromJSON StatefulRule where
+  parseJSON =
+    Data.withObject
+      "StatefulRule"
+      ( \x ->
+          StatefulRule'
+            Prelude.<$> (x Data..: "Action")
+            Prelude.<*> (x Data..: "Header")
+            Prelude.<*> (x Data..:? "RuleOptions" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable StatefulRule where
+  hashWithSalt _salt StatefulRule' {..} =
+    _salt
+      `Prelude.hashWithSalt` action
+      `Prelude.hashWithSalt` header
+      `Prelude.hashWithSalt` ruleOptions
+
+instance Prelude.NFData StatefulRule where
+  rnf StatefulRule' {..} =
+    Prelude.rnf action
+      `Prelude.seq` Prelude.rnf header
+      `Prelude.seq` Prelude.rnf ruleOptions
+
+instance Data.ToJSON StatefulRule where
+  toJSON StatefulRule' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("Action" Data..= action),
+            Prelude.Just ("Header" Data..= header),
+            Prelude.Just ("RuleOptions" Data..= ruleOptions)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRuleDirection.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleDirection.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleDirection.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRuleDirection
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRuleDirection
+  ( StatefulRuleDirection
+      ( ..,
+        StatefulRuleDirection_ANY,
+        StatefulRuleDirection_FORWARD
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype StatefulRuleDirection = StatefulRuleDirection'
+  { fromStatefulRuleDirection ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern StatefulRuleDirection_ANY :: StatefulRuleDirection
+pattern StatefulRuleDirection_ANY = StatefulRuleDirection' "ANY"
+
+pattern StatefulRuleDirection_FORWARD :: StatefulRuleDirection
+pattern StatefulRuleDirection_FORWARD = StatefulRuleDirection' "FORWARD"
+
+{-# COMPLETE
+  StatefulRuleDirection_ANY,
+  StatefulRuleDirection_FORWARD,
+  StatefulRuleDirection'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupOverride.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupOverride.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupOverride.hs
@@ -0,0 +1,84 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.OverrideAction
+import qualified Amazonka.Prelude as Prelude
+
+-- | The setting that allows the policy owner to change the behavior of the
+-- rule group within a policy.
+--
+-- /See:/ 'newStatefulRuleGroupOverride' smart constructor.
+data StatefulRuleGroupOverride = StatefulRuleGroupOverride'
+  { -- | The action that changes the rule group from @DROP@ to @ALERT@. This only
+    -- applies to managed rule groups.
+    action :: Prelude.Maybe OverrideAction
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatefulRuleGroupOverride' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'action', 'statefulRuleGroupOverride_action' - The action that changes the rule group from @DROP@ to @ALERT@. This only
+-- applies to managed rule groups.
+newStatefulRuleGroupOverride ::
+  StatefulRuleGroupOverride
+newStatefulRuleGroupOverride =
+  StatefulRuleGroupOverride'
+    { action =
+        Prelude.Nothing
+    }
+
+-- | The action that changes the rule group from @DROP@ to @ALERT@. This only
+-- applies to managed rule groups.
+statefulRuleGroupOverride_action :: Lens.Lens' StatefulRuleGroupOverride (Prelude.Maybe OverrideAction)
+statefulRuleGroupOverride_action = Lens.lens (\StatefulRuleGroupOverride' {action} -> action) (\s@StatefulRuleGroupOverride' {} a -> s {action = a} :: StatefulRuleGroupOverride)
+
+instance Data.FromJSON StatefulRuleGroupOverride where
+  parseJSON =
+    Data.withObject
+      "StatefulRuleGroupOverride"
+      ( \x ->
+          StatefulRuleGroupOverride'
+            Prelude.<$> (x Data..:? "Action")
+      )
+
+instance Prelude.Hashable StatefulRuleGroupOverride where
+  hashWithSalt _salt StatefulRuleGroupOverride' {..} =
+    _salt `Prelude.hashWithSalt` action
+
+instance Prelude.NFData StatefulRuleGroupOverride where
+  rnf StatefulRuleGroupOverride' {..} =
+    Prelude.rnf action
+
+instance Data.ToJSON StatefulRuleGroupOverride where
+  toJSON StatefulRuleGroupOverride' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [("Action" Data..=) Prelude.<$> action]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupReference.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupReference.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleGroupReference.hs
@@ -0,0 +1,147 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRuleGroupReference where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.StatefulRuleGroupOverride
+import qualified Amazonka.Prelude as Prelude
+
+-- | Identifier for a single stateful rule group, used in a firewall policy
+-- to refer to a rule group.
+--
+-- /See:/ 'newStatefulRuleGroupReference' smart constructor.
+data StatefulRuleGroupReference = StatefulRuleGroupReference'
+  { -- | The action that allows the policy owner to override the behavior of the
+    -- rule group within a policy.
+    override :: Prelude.Maybe StatefulRuleGroupOverride,
+    -- | An integer setting that indicates the order in which to run the stateful
+    -- rule groups in a single FirewallPolicy. This setting only applies to
+    -- firewall policies that specify the @STRICT_ORDER@ rule order in the
+    -- stateful engine options settings.
+    --
+    -- Network Firewall evalutes each stateful rule group against a packet
+    -- starting with the group that has the lowest priority setting. You must
+    -- ensure that the priority settings are unique within each policy.
+    --
+    -- You can change the priority settings of your rule groups at any time. To
+    -- make it easier to insert rule groups later, number them so there\'s a
+    -- wide range in between, for example use 100, 200, and so on.
+    priority :: Prelude.Maybe Prelude.Natural,
+    -- | The Amazon Resource Name (ARN) of the stateful rule group.
+    resourceArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatefulRuleGroupReference' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'override', 'statefulRuleGroupReference_override' - The action that allows the policy owner to override the behavior of the
+-- rule group within a policy.
+--
+-- 'priority', 'statefulRuleGroupReference_priority' - An integer setting that indicates the order in which to run the stateful
+-- rule groups in a single FirewallPolicy. This setting only applies to
+-- firewall policies that specify the @STRICT_ORDER@ rule order in the
+-- stateful engine options settings.
+--
+-- Network Firewall evalutes each stateful rule group against a packet
+-- starting with the group that has the lowest priority setting. You must
+-- ensure that the priority settings are unique within each policy.
+--
+-- You can change the priority settings of your rule groups at any time. To
+-- make it easier to insert rule groups later, number them so there\'s a
+-- wide range in between, for example use 100, 200, and so on.
+--
+-- 'resourceArn', 'statefulRuleGroupReference_resourceArn' - The Amazon Resource Name (ARN) of the stateful rule group.
+newStatefulRuleGroupReference ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  StatefulRuleGroupReference
+newStatefulRuleGroupReference pResourceArn_ =
+  StatefulRuleGroupReference'
+    { override =
+        Prelude.Nothing,
+      priority = Prelude.Nothing,
+      resourceArn = pResourceArn_
+    }
+
+-- | The action that allows the policy owner to override the behavior of the
+-- rule group within a policy.
+statefulRuleGroupReference_override :: Lens.Lens' StatefulRuleGroupReference (Prelude.Maybe StatefulRuleGroupOverride)
+statefulRuleGroupReference_override = Lens.lens (\StatefulRuleGroupReference' {override} -> override) (\s@StatefulRuleGroupReference' {} a -> s {override = a} :: StatefulRuleGroupReference)
+
+-- | An integer setting that indicates the order in which to run the stateful
+-- rule groups in a single FirewallPolicy. This setting only applies to
+-- firewall policies that specify the @STRICT_ORDER@ rule order in the
+-- stateful engine options settings.
+--
+-- Network Firewall evalutes each stateful rule group against a packet
+-- starting with the group that has the lowest priority setting. You must
+-- ensure that the priority settings are unique within each policy.
+--
+-- You can change the priority settings of your rule groups at any time. To
+-- make it easier to insert rule groups later, number them so there\'s a
+-- wide range in between, for example use 100, 200, and so on.
+statefulRuleGroupReference_priority :: Lens.Lens' StatefulRuleGroupReference (Prelude.Maybe Prelude.Natural)
+statefulRuleGroupReference_priority = Lens.lens (\StatefulRuleGroupReference' {priority} -> priority) (\s@StatefulRuleGroupReference' {} a -> s {priority = a} :: StatefulRuleGroupReference)
+
+-- | The Amazon Resource Name (ARN) of the stateful rule group.
+statefulRuleGroupReference_resourceArn :: Lens.Lens' StatefulRuleGroupReference Prelude.Text
+statefulRuleGroupReference_resourceArn = Lens.lens (\StatefulRuleGroupReference' {resourceArn} -> resourceArn) (\s@StatefulRuleGroupReference' {} a -> s {resourceArn = a} :: StatefulRuleGroupReference)
+
+instance Data.FromJSON StatefulRuleGroupReference where
+  parseJSON =
+    Data.withObject
+      "StatefulRuleGroupReference"
+      ( \x ->
+          StatefulRuleGroupReference'
+            Prelude.<$> (x Data..:? "Override")
+            Prelude.<*> (x Data..:? "Priority")
+            Prelude.<*> (x Data..: "ResourceArn")
+      )
+
+instance Prelude.Hashable StatefulRuleGroupReference where
+  hashWithSalt _salt StatefulRuleGroupReference' {..} =
+    _salt
+      `Prelude.hashWithSalt` override
+      `Prelude.hashWithSalt` priority
+      `Prelude.hashWithSalt` resourceArn
+
+instance Prelude.NFData StatefulRuleGroupReference where
+  rnf StatefulRuleGroupReference' {..} =
+    Prelude.rnf override
+      `Prelude.seq` Prelude.rnf priority
+      `Prelude.seq` Prelude.rnf resourceArn
+
+instance Data.ToJSON StatefulRuleGroupReference where
+  toJSON StatefulRuleGroupReference' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Override" Data..=) Prelude.<$> override,
+            ("Priority" Data..=) Prelude.<$> priority,
+            Prelude.Just ("ResourceArn" Data..= resourceArn)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRuleOptions.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleOptions.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleOptions.hs
@@ -0,0 +1,95 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRuleOptions
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRuleOptions where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.RuleOrder
+import qualified Amazonka.Prelude as Prelude
+
+-- | Additional options governing how Network Firewall handles the rule
+-- group. You can only use these for stateful rule groups.
+--
+-- /See:/ 'newStatefulRuleOptions' smart constructor.
+data StatefulRuleOptions = StatefulRuleOptions'
+  { -- | Indicates how to manage the order of the rule evaluation for the rule
+    -- group. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+    -- are provided to the rule engine as Suricata compatible strings, and
+    -- Suricata evaluates them based on certain settings. For more information,
+    -- see
+    -- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+    -- in the /Network Firewall Developer Guide/.
+    ruleOrder :: Prelude.Maybe RuleOrder
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatefulRuleOptions' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleOrder', 'statefulRuleOptions_ruleOrder' - Indicates how to manage the order of the rule evaluation for the rule
+-- group. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+-- are provided to the rule engine as Suricata compatible strings, and
+-- Suricata evaluates them based on certain settings. For more information,
+-- see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+-- in the /Network Firewall Developer Guide/.
+newStatefulRuleOptions ::
+  StatefulRuleOptions
+newStatefulRuleOptions =
+  StatefulRuleOptions' {ruleOrder = Prelude.Nothing}
+
+-- | Indicates how to manage the order of the rule evaluation for the rule
+-- group. @DEFAULT_ACTION_ORDER@ is the default behavior. Stateful rules
+-- are provided to the rule engine as Suricata compatible strings, and
+-- Suricata evaluates them based on certain settings. For more information,
+-- see
+-- <https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html Evaluation order for stateful rules>
+-- in the /Network Firewall Developer Guide/.
+statefulRuleOptions_ruleOrder :: Lens.Lens' StatefulRuleOptions (Prelude.Maybe RuleOrder)
+statefulRuleOptions_ruleOrder = Lens.lens (\StatefulRuleOptions' {ruleOrder} -> ruleOrder) (\s@StatefulRuleOptions' {} a -> s {ruleOrder = a} :: StatefulRuleOptions)
+
+instance Data.FromJSON StatefulRuleOptions where
+  parseJSON =
+    Data.withObject
+      "StatefulRuleOptions"
+      ( \x ->
+          StatefulRuleOptions'
+            Prelude.<$> (x Data..:? "RuleOrder")
+      )
+
+instance Prelude.Hashable StatefulRuleOptions where
+  hashWithSalt _salt StatefulRuleOptions' {..} =
+    _salt `Prelude.hashWithSalt` ruleOrder
+
+instance Prelude.NFData StatefulRuleOptions where
+  rnf StatefulRuleOptions' {..} = Prelude.rnf ruleOrder
+
+instance Data.ToJSON StatefulRuleOptions where
+  toJSON StatefulRuleOptions' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [("RuleOrder" Data..=) Prelude.<$> ruleOrder]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatefulRuleProtocol.hs b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleProtocol.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatefulRuleProtocol.hs
@@ -0,0 +1,156 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatefulRuleProtocol
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatefulRuleProtocol
+  ( StatefulRuleProtocol
+      ( ..,
+        StatefulRuleProtocol_DCERPC,
+        StatefulRuleProtocol_DHCP,
+        StatefulRuleProtocol_DNS,
+        StatefulRuleProtocol_FTP,
+        StatefulRuleProtocol_HTTP,
+        StatefulRuleProtocol_ICMP,
+        StatefulRuleProtocol_IKEV2,
+        StatefulRuleProtocol_IMAP,
+        StatefulRuleProtocol_IP,
+        StatefulRuleProtocol_KRB5,
+        StatefulRuleProtocol_MSN,
+        StatefulRuleProtocol_NTP,
+        StatefulRuleProtocol_SMB,
+        StatefulRuleProtocol_SMTP,
+        StatefulRuleProtocol_SSH,
+        StatefulRuleProtocol_TCP,
+        StatefulRuleProtocol_TFTP,
+        StatefulRuleProtocol_TLS,
+        StatefulRuleProtocol_UDP
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype StatefulRuleProtocol = StatefulRuleProtocol'
+  { fromStatefulRuleProtocol ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern StatefulRuleProtocol_DCERPC :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_DCERPC = StatefulRuleProtocol' "DCERPC"
+
+pattern StatefulRuleProtocol_DHCP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_DHCP = StatefulRuleProtocol' "DHCP"
+
+pattern StatefulRuleProtocol_DNS :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_DNS = StatefulRuleProtocol' "DNS"
+
+pattern StatefulRuleProtocol_FTP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_FTP = StatefulRuleProtocol' "FTP"
+
+pattern StatefulRuleProtocol_HTTP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_HTTP = StatefulRuleProtocol' "HTTP"
+
+pattern StatefulRuleProtocol_ICMP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_ICMP = StatefulRuleProtocol' "ICMP"
+
+pattern StatefulRuleProtocol_IKEV2 :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_IKEV2 = StatefulRuleProtocol' "IKEV2"
+
+pattern StatefulRuleProtocol_IMAP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_IMAP = StatefulRuleProtocol' "IMAP"
+
+pattern StatefulRuleProtocol_IP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_IP = StatefulRuleProtocol' "IP"
+
+pattern StatefulRuleProtocol_KRB5 :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_KRB5 = StatefulRuleProtocol' "KRB5"
+
+pattern StatefulRuleProtocol_MSN :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_MSN = StatefulRuleProtocol' "MSN"
+
+pattern StatefulRuleProtocol_NTP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_NTP = StatefulRuleProtocol' "NTP"
+
+pattern StatefulRuleProtocol_SMB :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_SMB = StatefulRuleProtocol' "SMB"
+
+pattern StatefulRuleProtocol_SMTP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_SMTP = StatefulRuleProtocol' "SMTP"
+
+pattern StatefulRuleProtocol_SSH :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_SSH = StatefulRuleProtocol' "SSH"
+
+pattern StatefulRuleProtocol_TCP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_TCP = StatefulRuleProtocol' "TCP"
+
+pattern StatefulRuleProtocol_TFTP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_TFTP = StatefulRuleProtocol' "TFTP"
+
+pattern StatefulRuleProtocol_TLS :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_TLS = StatefulRuleProtocol' "TLS"
+
+pattern StatefulRuleProtocol_UDP :: StatefulRuleProtocol
+pattern StatefulRuleProtocol_UDP = StatefulRuleProtocol' "UDP"
+
+{-# COMPLETE
+  StatefulRuleProtocol_DCERPC,
+  StatefulRuleProtocol_DHCP,
+  StatefulRuleProtocol_DNS,
+  StatefulRuleProtocol_FTP,
+  StatefulRuleProtocol_HTTP,
+  StatefulRuleProtocol_ICMP,
+  StatefulRuleProtocol_IKEV2,
+  StatefulRuleProtocol_IMAP,
+  StatefulRuleProtocol_IP,
+  StatefulRuleProtocol_KRB5,
+  StatefulRuleProtocol_MSN,
+  StatefulRuleProtocol_NTP,
+  StatefulRuleProtocol_SMB,
+  StatefulRuleProtocol_SMTP,
+  StatefulRuleProtocol_SSH,
+  StatefulRuleProtocol_TCP,
+  StatefulRuleProtocol_TFTP,
+  StatefulRuleProtocol_TLS,
+  StatefulRuleProtocol_UDP,
+  StatefulRuleProtocol'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatelessRule.hs b/gen/Amazonka/NetworkFirewall/Types/StatelessRule.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatelessRule.hs
@@ -0,0 +1,147 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatelessRule
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatelessRule where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.RuleDefinition
+import qualified Amazonka.Prelude as Prelude
+
+-- | A single stateless rule. This is used in StatelessRulesAndCustomActions.
+--
+-- /See:/ 'newStatelessRule' smart constructor.
+data StatelessRule = StatelessRule'
+  { -- | Defines the stateless 5-tuple packet inspection criteria and the action
+    -- to take on a packet that matches the criteria.
+    ruleDefinition :: RuleDefinition,
+    -- | Indicates the order in which to run this rule relative to all of the
+    -- rules that are defined for a stateless rule group. Network Firewall
+    -- evaluates the rules in a rule group starting with the lowest priority
+    -- setting. You must ensure that the priority settings are unique for the
+    -- rule group.
+    --
+    -- Each stateless rule group uses exactly one
+    -- @StatelessRulesAndCustomActions@ object, and each
+    -- @StatelessRulesAndCustomActions@ contains exactly one @StatelessRules@
+    -- object. To ensure unique priority settings for your rule groups, set
+    -- unique priorities for the stateless rules that you define inside any
+    -- single @StatelessRules@ object.
+    --
+    -- You can change the priority settings of your rules at any time. To make
+    -- it easier to insert rules later, number them so there\'s a wide range in
+    -- between, for example use 100, 200, and so on.
+    priority :: Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatelessRule' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'ruleDefinition', 'statelessRule_ruleDefinition' - Defines the stateless 5-tuple packet inspection criteria and the action
+-- to take on a packet that matches the criteria.
+--
+-- 'priority', 'statelessRule_priority' - Indicates the order in which to run this rule relative to all of the
+-- rules that are defined for a stateless rule group. Network Firewall
+-- evaluates the rules in a rule group starting with the lowest priority
+-- setting. You must ensure that the priority settings are unique for the
+-- rule group.
+--
+-- Each stateless rule group uses exactly one
+-- @StatelessRulesAndCustomActions@ object, and each
+-- @StatelessRulesAndCustomActions@ contains exactly one @StatelessRules@
+-- object. To ensure unique priority settings for your rule groups, set
+-- unique priorities for the stateless rules that you define inside any
+-- single @StatelessRules@ object.
+--
+-- You can change the priority settings of your rules at any time. To make
+-- it easier to insert rules later, number them so there\'s a wide range in
+-- between, for example use 100, 200, and so on.
+newStatelessRule ::
+  -- | 'ruleDefinition'
+  RuleDefinition ->
+  -- | 'priority'
+  Prelude.Natural ->
+  StatelessRule
+newStatelessRule pRuleDefinition_ pPriority_ =
+  StatelessRule'
+    { ruleDefinition = pRuleDefinition_,
+      priority = pPriority_
+    }
+
+-- | Defines the stateless 5-tuple packet inspection criteria and the action
+-- to take on a packet that matches the criteria.
+statelessRule_ruleDefinition :: Lens.Lens' StatelessRule RuleDefinition
+statelessRule_ruleDefinition = Lens.lens (\StatelessRule' {ruleDefinition} -> ruleDefinition) (\s@StatelessRule' {} a -> s {ruleDefinition = a} :: StatelessRule)
+
+-- | Indicates the order in which to run this rule relative to all of the
+-- rules that are defined for a stateless rule group. Network Firewall
+-- evaluates the rules in a rule group starting with the lowest priority
+-- setting. You must ensure that the priority settings are unique for the
+-- rule group.
+--
+-- Each stateless rule group uses exactly one
+-- @StatelessRulesAndCustomActions@ object, and each
+-- @StatelessRulesAndCustomActions@ contains exactly one @StatelessRules@
+-- object. To ensure unique priority settings for your rule groups, set
+-- unique priorities for the stateless rules that you define inside any
+-- single @StatelessRules@ object.
+--
+-- You can change the priority settings of your rules at any time. To make
+-- it easier to insert rules later, number them so there\'s a wide range in
+-- between, for example use 100, 200, and so on.
+statelessRule_priority :: Lens.Lens' StatelessRule Prelude.Natural
+statelessRule_priority = Lens.lens (\StatelessRule' {priority} -> priority) (\s@StatelessRule' {} a -> s {priority = a} :: StatelessRule)
+
+instance Data.FromJSON StatelessRule where
+  parseJSON =
+    Data.withObject
+      "StatelessRule"
+      ( \x ->
+          StatelessRule'
+            Prelude.<$> (x Data..: "RuleDefinition")
+            Prelude.<*> (x Data..: "Priority")
+      )
+
+instance Prelude.Hashable StatelessRule where
+  hashWithSalt _salt StatelessRule' {..} =
+    _salt
+      `Prelude.hashWithSalt` ruleDefinition
+      `Prelude.hashWithSalt` priority
+
+instance Prelude.NFData StatelessRule where
+  rnf StatelessRule' {..} =
+    Prelude.rnf ruleDefinition
+      `Prelude.seq` Prelude.rnf priority
+
+instance Data.ToJSON StatelessRule where
+  toJSON StatelessRule' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just
+              ("RuleDefinition" Data..= ruleDefinition),
+            Prelude.Just ("Priority" Data..= priority)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatelessRuleGroupReference.hs b/gen/Amazonka/NetworkFirewall/Types/StatelessRuleGroupReference.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatelessRuleGroupReference.hs
@@ -0,0 +1,113 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatelessRuleGroupReference where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | Identifier for a single stateless rule group, used in a firewall policy
+-- to refer to the rule group.
+--
+-- /See:/ 'newStatelessRuleGroupReference' smart constructor.
+data StatelessRuleGroupReference = StatelessRuleGroupReference'
+  { -- | The Amazon Resource Name (ARN) of the stateless rule group.
+    resourceArn :: Prelude.Text,
+    -- | An integer setting that indicates the order in which to run the
+    -- stateless rule groups in a single FirewallPolicy. Network Firewall
+    -- applies each stateless rule group to a packet starting with the group
+    -- that has the lowest priority setting. You must ensure that the priority
+    -- settings are unique within each policy.
+    priority :: Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatelessRuleGroupReference' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'statelessRuleGroupReference_resourceArn' - The Amazon Resource Name (ARN) of the stateless rule group.
+--
+-- 'priority', 'statelessRuleGroupReference_priority' - An integer setting that indicates the order in which to run the
+-- stateless rule groups in a single FirewallPolicy. Network Firewall
+-- applies each stateless rule group to a packet starting with the group
+-- that has the lowest priority setting. You must ensure that the priority
+-- settings are unique within each policy.
+newStatelessRuleGroupReference ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  -- | 'priority'
+  Prelude.Natural ->
+  StatelessRuleGroupReference
+newStatelessRuleGroupReference
+  pResourceArn_
+  pPriority_ =
+    StatelessRuleGroupReference'
+      { resourceArn =
+          pResourceArn_,
+        priority = pPriority_
+      }
+
+-- | The Amazon Resource Name (ARN) of the stateless rule group.
+statelessRuleGroupReference_resourceArn :: Lens.Lens' StatelessRuleGroupReference Prelude.Text
+statelessRuleGroupReference_resourceArn = Lens.lens (\StatelessRuleGroupReference' {resourceArn} -> resourceArn) (\s@StatelessRuleGroupReference' {} a -> s {resourceArn = a} :: StatelessRuleGroupReference)
+
+-- | An integer setting that indicates the order in which to run the
+-- stateless rule groups in a single FirewallPolicy. Network Firewall
+-- applies each stateless rule group to a packet starting with the group
+-- that has the lowest priority setting. You must ensure that the priority
+-- settings are unique within each policy.
+statelessRuleGroupReference_priority :: Lens.Lens' StatelessRuleGroupReference Prelude.Natural
+statelessRuleGroupReference_priority = Lens.lens (\StatelessRuleGroupReference' {priority} -> priority) (\s@StatelessRuleGroupReference' {} a -> s {priority = a} :: StatelessRuleGroupReference)
+
+instance Data.FromJSON StatelessRuleGroupReference where
+  parseJSON =
+    Data.withObject
+      "StatelessRuleGroupReference"
+      ( \x ->
+          StatelessRuleGroupReference'
+            Prelude.<$> (x Data..: "ResourceArn")
+            Prelude.<*> (x Data..: "Priority")
+      )
+
+instance Prelude.Hashable StatelessRuleGroupReference where
+  hashWithSalt _salt StatelessRuleGroupReference' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` priority
+
+instance Prelude.NFData StatelessRuleGroupReference where
+  rnf StatelessRuleGroupReference' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf priority
+
+instance Data.ToJSON StatelessRuleGroupReference where
+  toJSON StatelessRuleGroupReference' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("ResourceArn" Data..= resourceArn),
+            Prelude.Just ("Priority" Data..= priority)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StatelessRulesAndCustomActions.hs b/gen/Amazonka/NetworkFirewall/Types/StatelessRulesAndCustomActions.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StatelessRulesAndCustomActions.hs
@@ -0,0 +1,121 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StatelessRulesAndCustomActions where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.CustomAction
+import Amazonka.NetworkFirewall.Types.StatelessRule
+import qualified Amazonka.Prelude as Prelude
+
+-- | Stateless inspection criteria. Each stateless rule group uses exactly
+-- one of these data types to define its stateless rules.
+--
+-- /See:/ 'newStatelessRulesAndCustomActions' smart constructor.
+data StatelessRulesAndCustomActions = StatelessRulesAndCustomActions'
+  { -- | Defines an array of individual custom action definitions that are
+    -- available for use by the stateless rules in this
+    -- @StatelessRulesAndCustomActions@ specification. You name each custom
+    -- action that you define, and then you can use it by name in your
+    -- StatelessRule RuleDefinition @Actions@ specification.
+    customActions :: Prelude.Maybe [CustomAction],
+    -- | Defines the set of stateless rules for use in a stateless rule group.
+    statelessRules :: [StatelessRule]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'StatelessRulesAndCustomActions' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'customActions', 'statelessRulesAndCustomActions_customActions' - Defines an array of individual custom action definitions that are
+-- available for use by the stateless rules in this
+-- @StatelessRulesAndCustomActions@ specification. You name each custom
+-- action that you define, and then you can use it by name in your
+-- StatelessRule RuleDefinition @Actions@ specification.
+--
+-- 'statelessRules', 'statelessRulesAndCustomActions_statelessRules' - Defines the set of stateless rules for use in a stateless rule group.
+newStatelessRulesAndCustomActions ::
+  StatelessRulesAndCustomActions
+newStatelessRulesAndCustomActions =
+  StatelessRulesAndCustomActions'
+    { customActions =
+        Prelude.Nothing,
+      statelessRules = Prelude.mempty
+    }
+
+-- | Defines an array of individual custom action definitions that are
+-- available for use by the stateless rules in this
+-- @StatelessRulesAndCustomActions@ specification. You name each custom
+-- action that you define, and then you can use it by name in your
+-- StatelessRule RuleDefinition @Actions@ specification.
+statelessRulesAndCustomActions_customActions :: Lens.Lens' StatelessRulesAndCustomActions (Prelude.Maybe [CustomAction])
+statelessRulesAndCustomActions_customActions = Lens.lens (\StatelessRulesAndCustomActions' {customActions} -> customActions) (\s@StatelessRulesAndCustomActions' {} a -> s {customActions = a} :: StatelessRulesAndCustomActions) Prelude.. Lens.mapping Lens.coerced
+
+-- | Defines the set of stateless rules for use in a stateless rule group.
+statelessRulesAndCustomActions_statelessRules :: Lens.Lens' StatelessRulesAndCustomActions [StatelessRule]
+statelessRulesAndCustomActions_statelessRules = Lens.lens (\StatelessRulesAndCustomActions' {statelessRules} -> statelessRules) (\s@StatelessRulesAndCustomActions' {} a -> s {statelessRules = a} :: StatelessRulesAndCustomActions) Prelude.. Lens.coerced
+
+instance Data.FromJSON StatelessRulesAndCustomActions where
+  parseJSON =
+    Data.withObject
+      "StatelessRulesAndCustomActions"
+      ( \x ->
+          StatelessRulesAndCustomActions'
+            Prelude.<$> (x Data..:? "CustomActions" Data..!= Prelude.mempty)
+            Prelude.<*> ( x
+                            Data..:? "StatelessRules"
+                            Data..!= Prelude.mempty
+                        )
+      )
+
+instance
+  Prelude.Hashable
+    StatelessRulesAndCustomActions
+  where
+  hashWithSalt
+    _salt
+    StatelessRulesAndCustomActions' {..} =
+      _salt
+        `Prelude.hashWithSalt` customActions
+        `Prelude.hashWithSalt` statelessRules
+
+instance
+  Prelude.NFData
+    StatelessRulesAndCustomActions
+  where
+  rnf StatelessRulesAndCustomActions' {..} =
+    Prelude.rnf customActions
+      `Prelude.seq` Prelude.rnf statelessRules
+
+instance Data.ToJSON StatelessRulesAndCustomActions where
+  toJSON StatelessRulesAndCustomActions' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("CustomActions" Data..=) Prelude.<$> customActions,
+            Prelude.Just
+              ("StatelessRules" Data..= statelessRules)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/StreamExceptionPolicy.hs b/gen/Amazonka/NetworkFirewall/Types/StreamExceptionPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/StreamExceptionPolicy.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.StreamExceptionPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.StreamExceptionPolicy
+  ( StreamExceptionPolicy
+      ( ..,
+        StreamExceptionPolicy_CONTINUE,
+        StreamExceptionPolicy_DROP
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype StreamExceptionPolicy = StreamExceptionPolicy'
+  { fromStreamExceptionPolicy ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern StreamExceptionPolicy_CONTINUE :: StreamExceptionPolicy
+pattern StreamExceptionPolicy_CONTINUE = StreamExceptionPolicy' "CONTINUE"
+
+pattern StreamExceptionPolicy_DROP :: StreamExceptionPolicy
+pattern StreamExceptionPolicy_DROP = StreamExceptionPolicy' "DROP"
+
+{-# COMPLETE
+  StreamExceptionPolicy_CONTINUE,
+  StreamExceptionPolicy_DROP,
+  StreamExceptionPolicy'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/SubnetMapping.hs b/gen/Amazonka/NetworkFirewall/Types/SubnetMapping.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/SubnetMapping.hs
@@ -0,0 +1,79 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.SubnetMapping
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.SubnetMapping where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | The ID for a subnet that you want to associate with the firewall. This
+-- is used with CreateFirewall and AssociateSubnets. Network Firewall
+-- creates an instance of the associated firewall in each subnet that you
+-- specify, to filter traffic in the subnet\'s Availability Zone.
+--
+-- /See:/ 'newSubnetMapping' smart constructor.
+data SubnetMapping = SubnetMapping'
+  { -- | The unique identifier for the subnet.
+    subnetId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'SubnetMapping' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'subnetId', 'subnetMapping_subnetId' - The unique identifier for the subnet.
+newSubnetMapping ::
+  -- | 'subnetId'
+  Prelude.Text ->
+  SubnetMapping
+newSubnetMapping pSubnetId_ =
+  SubnetMapping' {subnetId = pSubnetId_}
+
+-- | The unique identifier for the subnet.
+subnetMapping_subnetId :: Lens.Lens' SubnetMapping Prelude.Text
+subnetMapping_subnetId = Lens.lens (\SubnetMapping' {subnetId} -> subnetId) (\s@SubnetMapping' {} a -> s {subnetId = a} :: SubnetMapping)
+
+instance Data.FromJSON SubnetMapping where
+  parseJSON =
+    Data.withObject
+      "SubnetMapping"
+      ( \x ->
+          SubnetMapping' Prelude.<$> (x Data..: "SubnetId")
+      )
+
+instance Prelude.Hashable SubnetMapping where
+  hashWithSalt _salt SubnetMapping' {..} =
+    _salt `Prelude.hashWithSalt` subnetId
+
+instance Prelude.NFData SubnetMapping where
+  rnf SubnetMapping' {..} = Prelude.rnf subnetId
+
+instance Data.ToJSON SubnetMapping where
+  toJSON SubnetMapping' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("SubnetId" Data..= subnetId)]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/SyncState.hs b/gen/Amazonka/NetworkFirewall/Types/SyncState.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/SyncState.hs
@@ -0,0 +1,124 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.SyncState
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.SyncState where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.Attachment
+import Amazonka.NetworkFirewall.Types.PerObjectStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | The status of the firewall endpoint and firewall policy configuration
+-- for a single VPC subnet.
+--
+-- For each VPC subnet that you associate with a firewall, Network Firewall
+-- does the following:
+--
+-- -   Instantiates a firewall endpoint in the subnet, ready to take
+--     traffic.
+--
+-- -   Configures the endpoint with the current firewall policy settings,
+--     to provide the filtering behavior for the endpoint.
+--
+-- When you update a firewall, for example to add a subnet association or
+-- change a rule group in the firewall policy, the affected sync states
+-- reflect out-of-sync or not ready status until the changes are complete.
+--
+-- /See:/ 'newSyncState' smart constructor.
+data SyncState = SyncState'
+  { -- | The attachment status of the firewall\'s association with a single VPC
+    -- subnet. For each configured subnet, Network Firewall creates the
+    -- attachment by instantiating the firewall endpoint in the subnet so that
+    -- it\'s ready to take traffic. This is part of the FirewallStatus.
+    attachment :: Prelude.Maybe Attachment,
+    -- | The configuration status of the firewall endpoint in a single VPC
+    -- subnet. Network Firewall provides each endpoint with the rules that are
+    -- configured in the firewall policy. Each time you add a subnet or modify
+    -- the associated firewall policy, Network Firewall synchronizes the rules
+    -- in the endpoint, so it can properly filter network traffic. This is part
+    -- of the FirewallStatus.
+    config :: Prelude.Maybe (Prelude.HashMap Prelude.Text PerObjectStatus)
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'SyncState' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'attachment', 'syncState_attachment' - The attachment status of the firewall\'s association with a single VPC
+-- subnet. For each configured subnet, Network Firewall creates the
+-- attachment by instantiating the firewall endpoint in the subnet so that
+-- it\'s ready to take traffic. This is part of the FirewallStatus.
+--
+-- 'config', 'syncState_config' - The configuration status of the firewall endpoint in a single VPC
+-- subnet. Network Firewall provides each endpoint with the rules that are
+-- configured in the firewall policy. Each time you add a subnet or modify
+-- the associated firewall policy, Network Firewall synchronizes the rules
+-- in the endpoint, so it can properly filter network traffic. This is part
+-- of the FirewallStatus.
+newSyncState ::
+  SyncState
+newSyncState =
+  SyncState'
+    { attachment = Prelude.Nothing,
+      config = Prelude.Nothing
+    }
+
+-- | The attachment status of the firewall\'s association with a single VPC
+-- subnet. For each configured subnet, Network Firewall creates the
+-- attachment by instantiating the firewall endpoint in the subnet so that
+-- it\'s ready to take traffic. This is part of the FirewallStatus.
+syncState_attachment :: Lens.Lens' SyncState (Prelude.Maybe Attachment)
+syncState_attachment = Lens.lens (\SyncState' {attachment} -> attachment) (\s@SyncState' {} a -> s {attachment = a} :: SyncState)
+
+-- | The configuration status of the firewall endpoint in a single VPC
+-- subnet. Network Firewall provides each endpoint with the rules that are
+-- configured in the firewall policy. Each time you add a subnet or modify
+-- the associated firewall policy, Network Firewall synchronizes the rules
+-- in the endpoint, so it can properly filter network traffic. This is part
+-- of the FirewallStatus.
+syncState_config :: Lens.Lens' SyncState (Prelude.Maybe (Prelude.HashMap Prelude.Text PerObjectStatus))
+syncState_config = Lens.lens (\SyncState' {config} -> config) (\s@SyncState' {} a -> s {config = a} :: SyncState) Prelude.. Lens.mapping Lens.coerced
+
+instance Data.FromJSON SyncState where
+  parseJSON =
+    Data.withObject
+      "SyncState"
+      ( \x ->
+          SyncState'
+            Prelude.<$> (x Data..:? "Attachment")
+            Prelude.<*> (x Data..:? "Config" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable SyncState where
+  hashWithSalt _salt SyncState' {..} =
+    _salt
+      `Prelude.hashWithSalt` attachment
+      `Prelude.hashWithSalt` config
+
+instance Prelude.NFData SyncState where
+  rnf SyncState' {..} =
+    Prelude.rnf attachment
+      `Prelude.seq` Prelude.rnf config
diff --git a/gen/Amazonka/NetworkFirewall/Types/TCPFlag.hs b/gen/Amazonka/NetworkFirewall/Types/TCPFlag.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/TCPFlag.hs
@@ -0,0 +1,98 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.TCPFlag
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.TCPFlag
+  ( TCPFlag
+      ( ..,
+        TCPFlag_ACK,
+        TCPFlag_CWR,
+        TCPFlag_ECE,
+        TCPFlag_FIN,
+        TCPFlag_PSH,
+        TCPFlag_RST,
+        TCPFlag_SYN,
+        TCPFlag_URG
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype TCPFlag = TCPFlag' {fromTCPFlag :: Data.Text}
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern TCPFlag_ACK :: TCPFlag
+pattern TCPFlag_ACK = TCPFlag' "ACK"
+
+pattern TCPFlag_CWR :: TCPFlag
+pattern TCPFlag_CWR = TCPFlag' "CWR"
+
+pattern TCPFlag_ECE :: TCPFlag
+pattern TCPFlag_ECE = TCPFlag' "ECE"
+
+pattern TCPFlag_FIN :: TCPFlag
+pattern TCPFlag_FIN = TCPFlag' "FIN"
+
+pattern TCPFlag_PSH :: TCPFlag
+pattern TCPFlag_PSH = TCPFlag' "PSH"
+
+pattern TCPFlag_RST :: TCPFlag
+pattern TCPFlag_RST = TCPFlag' "RST"
+
+pattern TCPFlag_SYN :: TCPFlag
+pattern TCPFlag_SYN = TCPFlag' "SYN"
+
+pattern TCPFlag_URG :: TCPFlag
+pattern TCPFlag_URG = TCPFlag' "URG"
+
+{-# COMPLETE
+  TCPFlag_ACK,
+  TCPFlag_CWR,
+  TCPFlag_ECE,
+  TCPFlag_FIN,
+  TCPFlag_PSH,
+  TCPFlag_RST,
+  TCPFlag_SYN,
+  TCPFlag_URG,
+  TCPFlag'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/Types/TCPFlagField.hs b/gen/Amazonka/NetworkFirewall/Types/TCPFlagField.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/TCPFlagField.hs
@@ -0,0 +1,133 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.TCPFlagField
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.TCPFlagField where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types.TCPFlag
+import qualified Amazonka.Prelude as Prelude
+
+-- | TCP flags and masks to inspect packets for, used in stateless rules
+-- MatchAttributes settings.
+--
+-- /See:/ 'newTCPFlagField' smart constructor.
+data TCPFlagField = TCPFlagField'
+  { -- | The set of flags to consider in the inspection. To inspect all flags in
+    -- the valid values list, leave this with no setting.
+    masks :: Prelude.Maybe [TCPFlag],
+    -- | Used in conjunction with the @Masks@ setting to define the flags that
+    -- must be set and flags that must not be set in order for the packet to
+    -- match. This setting can only specify values that are also specified in
+    -- the @Masks@ setting.
+    --
+    -- For the flags that are specified in the masks setting, the following
+    -- must be true for the packet to match:
+    --
+    -- -   The ones that are set in this flags setting must be set in the
+    --     packet.
+    --
+    -- -   The ones that are not set in this flags setting must also not be set
+    --     in the packet.
+    flags :: [TCPFlag]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TCPFlagField' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'masks', 'tCPFlagField_masks' - The set of flags to consider in the inspection. To inspect all flags in
+-- the valid values list, leave this with no setting.
+--
+-- 'flags', 'tCPFlagField_flags' - Used in conjunction with the @Masks@ setting to define the flags that
+-- must be set and flags that must not be set in order for the packet to
+-- match. This setting can only specify values that are also specified in
+-- the @Masks@ setting.
+--
+-- For the flags that are specified in the masks setting, the following
+-- must be true for the packet to match:
+--
+-- -   The ones that are set in this flags setting must be set in the
+--     packet.
+--
+-- -   The ones that are not set in this flags setting must also not be set
+--     in the packet.
+newTCPFlagField ::
+  TCPFlagField
+newTCPFlagField =
+  TCPFlagField'
+    { masks = Prelude.Nothing,
+      flags = Prelude.mempty
+    }
+
+-- | The set of flags to consider in the inspection. To inspect all flags in
+-- the valid values list, leave this with no setting.
+tCPFlagField_masks :: Lens.Lens' TCPFlagField (Prelude.Maybe [TCPFlag])
+tCPFlagField_masks = Lens.lens (\TCPFlagField' {masks} -> masks) (\s@TCPFlagField' {} a -> s {masks = a} :: TCPFlagField) Prelude.. Lens.mapping Lens.coerced
+
+-- | Used in conjunction with the @Masks@ setting to define the flags that
+-- must be set and flags that must not be set in order for the packet to
+-- match. This setting can only specify values that are also specified in
+-- the @Masks@ setting.
+--
+-- For the flags that are specified in the masks setting, the following
+-- must be true for the packet to match:
+--
+-- -   The ones that are set in this flags setting must be set in the
+--     packet.
+--
+-- -   The ones that are not set in this flags setting must also not be set
+--     in the packet.
+tCPFlagField_flags :: Lens.Lens' TCPFlagField [TCPFlag]
+tCPFlagField_flags = Lens.lens (\TCPFlagField' {flags} -> flags) (\s@TCPFlagField' {} a -> s {flags = a} :: TCPFlagField) Prelude.. Lens.coerced
+
+instance Data.FromJSON TCPFlagField where
+  parseJSON =
+    Data.withObject
+      "TCPFlagField"
+      ( \x ->
+          TCPFlagField'
+            Prelude.<$> (x Data..:? "Masks" Data..!= Prelude.mempty)
+            Prelude.<*> (x Data..:? "Flags" Data..!= Prelude.mempty)
+      )
+
+instance Prelude.Hashable TCPFlagField where
+  hashWithSalt _salt TCPFlagField' {..} =
+    _salt
+      `Prelude.hashWithSalt` masks
+      `Prelude.hashWithSalt` flags
+
+instance Prelude.NFData TCPFlagField where
+  rnf TCPFlagField' {..} =
+    Prelude.rnf masks `Prelude.seq` Prelude.rnf flags
+
+instance Data.ToJSON TCPFlagField where
+  toJSON TCPFlagField' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Masks" Data..=) Prelude.<$> masks,
+            Prelude.Just ("Flags" Data..= flags)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/Tag.hs b/gen/Amazonka/NetworkFirewall/Types/Tag.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/Tag.hs
@@ -0,0 +1,110 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.Tag
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.Tag where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A key:value pair associated with an Amazon Web Services resource. The
+-- key:value pair can be anything you define. Typically, the tag key
+-- represents a category (such as \"environment\") and the tag value
+-- represents a specific value within that category (such as \"test,\"
+-- \"development,\" or \"production\"). You can add up to 50 tags to each
+-- Amazon Web Services resource.
+--
+-- /See:/ 'newTag' smart constructor.
+data Tag = Tag'
+  { -- | The part of the key:value pair that defines a tag. You can use a tag key
+    -- to describe a category of information, such as \"customer.\" Tag keys
+    -- are case-sensitive.
+    key :: Prelude.Text,
+    -- | The part of the key:value pair that defines a tag. You can use a tag
+    -- value to describe a specific value within a category, such as
+    -- \"companyA\" or \"companyB.\" Tag values are case-sensitive.
+    value :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Tag' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'key', 'tag_key' - The part of the key:value pair that defines a tag. You can use a tag key
+-- to describe a category of information, such as \"customer.\" Tag keys
+-- are case-sensitive.
+--
+-- 'value', 'tag_value' - The part of the key:value pair that defines a tag. You can use a tag
+-- value to describe a specific value within a category, such as
+-- \"companyA\" or \"companyB.\" Tag values are case-sensitive.
+newTag ::
+  -- | 'key'
+  Prelude.Text ->
+  -- | 'value'
+  Prelude.Text ->
+  Tag
+newTag pKey_ pValue_ =
+  Tag' {key = pKey_, value = pValue_}
+
+-- | The part of the key:value pair that defines a tag. You can use a tag key
+-- to describe a category of information, such as \"customer.\" Tag keys
+-- are case-sensitive.
+tag_key :: Lens.Lens' Tag Prelude.Text
+tag_key = Lens.lens (\Tag' {key} -> key) (\s@Tag' {} a -> s {key = a} :: Tag)
+
+-- | The part of the key:value pair that defines a tag. You can use a tag
+-- value to describe a specific value within a category, such as
+-- \"companyA\" or \"companyB.\" Tag values are case-sensitive.
+tag_value :: Lens.Lens' Tag Prelude.Text
+tag_value = Lens.lens (\Tag' {value} -> value) (\s@Tag' {} a -> s {value = a} :: Tag)
+
+instance Data.FromJSON Tag where
+  parseJSON =
+    Data.withObject
+      "Tag"
+      ( \x ->
+          Tag'
+            Prelude.<$> (x Data..: "Key")
+            Prelude.<*> (x Data..: "Value")
+      )
+
+instance Prelude.Hashable Tag where
+  hashWithSalt _salt Tag' {..} =
+    _salt
+      `Prelude.hashWithSalt` key
+      `Prelude.hashWithSalt` value
+
+instance Prelude.NFData Tag where
+  rnf Tag' {..} =
+    Prelude.rnf key `Prelude.seq` Prelude.rnf value
+
+instance Data.ToJSON Tag where
+  toJSON Tag' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("Key" Data..= key),
+            Prelude.Just ("Value" Data..= value)
+          ]
+      )
diff --git a/gen/Amazonka/NetworkFirewall/Types/TargetType.hs b/gen/Amazonka/NetworkFirewall/Types/TargetType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Types/TargetType.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Types.TargetType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Types.TargetType
+  ( TargetType
+      ( ..,
+        TargetType_HTTP_HOST,
+        TargetType_TLS_SNI
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype TargetType = TargetType'
+  { fromTargetType ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern TargetType_HTTP_HOST :: TargetType
+pattern TargetType_HTTP_HOST = TargetType' "HTTP_HOST"
+
+pattern TargetType_TLS_SNI :: TargetType
+pattern TargetType_TLS_SNI = TargetType' "TLS_SNI"
+
+{-# COMPLETE
+  TargetType_HTTP_HOST,
+  TargetType_TLS_SNI,
+  TargetType'
+  #-}
diff --git a/gen/Amazonka/NetworkFirewall/UntagResource.hs b/gen/Amazonka/NetworkFirewall/UntagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UntagResource.hs
@@ -0,0 +1,180 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UntagResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Removes the tags with the specified keys from the specified resource.
+-- Tags are key:value pairs that you can use to categorize and manage your
+-- resources, for purposes like billing. For example, you might set the tag
+-- key to \"customer\" and the value to the customer name or ID. You can
+-- specify one or more tags to add to each Amazon Web Services resource, up
+-- to 50 tags for a resource.
+--
+-- You can manage tags for the Amazon Web Services resources that you
+-- manage through Network Firewall: firewalls, firewall policies, and rule
+-- groups.
+module Amazonka.NetworkFirewall.UntagResource
+  ( -- * Creating a Request
+    UntagResource (..),
+    newUntagResource,
+
+    -- * Request Lenses
+    untagResource_resourceArn,
+    untagResource_tagKeys,
+
+    -- * Destructuring the Response
+    UntagResourceResponse (..),
+    newUntagResourceResponse,
+
+    -- * Response Lenses
+    untagResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUntagResource' smart constructor.
+data UntagResource = UntagResource'
+  { -- | The Amazon Resource Name (ARN) of the resource.
+    resourceArn :: Prelude.Text,
+    tagKeys :: Prelude.NonEmpty Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UntagResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'untagResource_resourceArn' - The Amazon Resource Name (ARN) of the resource.
+--
+-- 'tagKeys', 'untagResource_tagKeys' -
+newUntagResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  -- | 'tagKeys'
+  Prelude.NonEmpty Prelude.Text ->
+  UntagResource
+newUntagResource pResourceArn_ pTagKeys_ =
+  UntagResource'
+    { resourceArn = pResourceArn_,
+      tagKeys = Lens.coerced Lens.# pTagKeys_
+    }
+
+-- | The Amazon Resource Name (ARN) of the resource.
+untagResource_resourceArn :: Lens.Lens' UntagResource Prelude.Text
+untagResource_resourceArn = Lens.lens (\UntagResource' {resourceArn} -> resourceArn) (\s@UntagResource' {} a -> s {resourceArn = a} :: UntagResource)
+
+untagResource_tagKeys :: Lens.Lens' UntagResource (Prelude.NonEmpty Prelude.Text)
+untagResource_tagKeys = Lens.lens (\UntagResource' {tagKeys} -> tagKeys) (\s@UntagResource' {} a -> s {tagKeys = a} :: UntagResource) Prelude.. Lens.coerced
+
+instance Core.AWSRequest UntagResource where
+  type
+    AWSResponse UntagResource =
+      UntagResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          UntagResourceResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable UntagResource where
+  hashWithSalt _salt UntagResource' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` tagKeys
+
+instance Prelude.NFData UntagResource where
+  rnf UntagResource' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf tagKeys
+
+instance Data.ToHeaders UntagResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UntagResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UntagResource where
+  toJSON UntagResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("ResourceArn" Data..= resourceArn),
+            Prelude.Just ("TagKeys" Data..= tagKeys)
+          ]
+      )
+
+instance Data.ToPath UntagResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UntagResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUntagResourceResponse' smart constructor.
+data UntagResourceResponse = UntagResourceResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UntagResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'untagResourceResponse_httpStatus' - The response's http status code.
+newUntagResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UntagResourceResponse
+newUntagResourceResponse pHttpStatus_ =
+  UntagResourceResponse' {httpStatus = pHttpStatus_}
+
+-- | The response's http status code.
+untagResourceResponse_httpStatus :: Lens.Lens' UntagResourceResponse Prelude.Int
+untagResourceResponse_httpStatus = Lens.lens (\UntagResourceResponse' {httpStatus} -> httpStatus) (\s@UntagResourceResponse' {} a -> s {httpStatus = a} :: UntagResourceResponse)
+
+instance Prelude.NFData UntagResourceResponse where
+  rnf UntagResourceResponse' {..} =
+    Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateFirewallDeleteProtection.hs b/gen/Amazonka/NetworkFirewall/UpdateFirewallDeleteProtection.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateFirewallDeleteProtection.hs
@@ -0,0 +1,409 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateFirewallDeleteProtection
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Modifies the flag, @DeleteProtection@, which indicates whether it is
+-- possible to delete the firewall. If the flag is set to @TRUE@, the
+-- firewall is protected against deletion. This setting helps protect
+-- against accidentally deleting a firewall that\'s in use.
+module Amazonka.NetworkFirewall.UpdateFirewallDeleteProtection
+  ( -- * Creating a Request
+    UpdateFirewallDeleteProtection (..),
+    newUpdateFirewallDeleteProtection,
+
+    -- * Request Lenses
+    updateFirewallDeleteProtection_firewallArn,
+    updateFirewallDeleteProtection_firewallName,
+    updateFirewallDeleteProtection_updateToken,
+    updateFirewallDeleteProtection_deleteProtection,
+
+    -- * Destructuring the Response
+    UpdateFirewallDeleteProtectionResponse (..),
+    newUpdateFirewallDeleteProtectionResponse,
+
+    -- * Response Lenses
+    updateFirewallDeleteProtectionResponse_deleteProtection,
+    updateFirewallDeleteProtectionResponse_firewallArn,
+    updateFirewallDeleteProtectionResponse_firewallName,
+    updateFirewallDeleteProtectionResponse_updateToken,
+    updateFirewallDeleteProtectionResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateFirewallDeleteProtection' smart constructor.
+data UpdateFirewallDeleteProtection = UpdateFirewallDeleteProtection'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | A flag indicating whether it is possible to delete the firewall. A
+    -- setting of @TRUE@ indicates that the firewall is protected against
+    -- deletion. Use this setting to protect against accidentally deleting a
+    -- firewall that is in use. When you create a firewall, the operation
+    -- initializes this flag to @TRUE@.
+    deleteProtection :: Prelude.Bool
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallDeleteProtection' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateFirewallDeleteProtection_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'updateFirewallDeleteProtection_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'updateFirewallDeleteProtection_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'deleteProtection', 'updateFirewallDeleteProtection_deleteProtection' - A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+newUpdateFirewallDeleteProtection ::
+  -- | 'deleteProtection'
+  Prelude.Bool ->
+  UpdateFirewallDeleteProtection
+newUpdateFirewallDeleteProtection pDeleteProtection_ =
+  UpdateFirewallDeleteProtection'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      deleteProtection = pDeleteProtection_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallDeleteProtection_firewallArn :: Lens.Lens' UpdateFirewallDeleteProtection (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtection_firewallArn = Lens.lens (\UpdateFirewallDeleteProtection' {firewallArn} -> firewallArn) (\s@UpdateFirewallDeleteProtection' {} a -> s {firewallArn = a} :: UpdateFirewallDeleteProtection)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallDeleteProtection_firewallName :: Lens.Lens' UpdateFirewallDeleteProtection (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtection_firewallName = Lens.lens (\UpdateFirewallDeleteProtection' {firewallName} -> firewallName) (\s@UpdateFirewallDeleteProtection' {} a -> s {firewallName = a} :: UpdateFirewallDeleteProtection)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallDeleteProtection_updateToken :: Lens.Lens' UpdateFirewallDeleteProtection (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtection_updateToken = Lens.lens (\UpdateFirewallDeleteProtection' {updateToken} -> updateToken) (\s@UpdateFirewallDeleteProtection' {} a -> s {updateToken = a} :: UpdateFirewallDeleteProtection)
+
+-- | A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+updateFirewallDeleteProtection_deleteProtection :: Lens.Lens' UpdateFirewallDeleteProtection Prelude.Bool
+updateFirewallDeleteProtection_deleteProtection = Lens.lens (\UpdateFirewallDeleteProtection' {deleteProtection} -> deleteProtection) (\s@UpdateFirewallDeleteProtection' {} a -> s {deleteProtection = a} :: UpdateFirewallDeleteProtection)
+
+instance
+  Core.AWSRequest
+    UpdateFirewallDeleteProtection
+  where
+  type
+    AWSResponse UpdateFirewallDeleteProtection =
+      UpdateFirewallDeleteProtectionResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateFirewallDeleteProtectionResponse'
+            Prelude.<$> (x Data..?> "DeleteProtection")
+            Prelude.<*> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance
+  Prelude.Hashable
+    UpdateFirewallDeleteProtection
+  where
+  hashWithSalt
+    _salt
+    UpdateFirewallDeleteProtection' {..} =
+      _salt
+        `Prelude.hashWithSalt` firewallArn
+        `Prelude.hashWithSalt` firewallName
+        `Prelude.hashWithSalt` updateToken
+        `Prelude.hashWithSalt` deleteProtection
+
+instance
+  Prelude.NFData
+    UpdateFirewallDeleteProtection
+  where
+  rnf UpdateFirewallDeleteProtection' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf deleteProtection
+
+instance
+  Data.ToHeaders
+    UpdateFirewallDeleteProtection
+  where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateFirewallDeleteProtection" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateFirewallDeleteProtection where
+  toJSON UpdateFirewallDeleteProtection' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just
+              ("DeleteProtection" Data..= deleteProtection)
+          ]
+      )
+
+instance Data.ToPath UpdateFirewallDeleteProtection where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateFirewallDeleteProtection where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateFirewallDeleteProtectionResponse' smart constructor.
+data UpdateFirewallDeleteProtectionResponse = UpdateFirewallDeleteProtectionResponse'
+  { -- | A flag indicating whether it is possible to delete the firewall. A
+    -- setting of @TRUE@ indicates that the firewall is protected against
+    -- deletion. Use this setting to protect against accidentally deleting a
+    -- firewall that is in use. When you create a firewall, the operation
+    -- initializes this flag to @TRUE@.
+    deleteProtection :: Prelude.Maybe Prelude.Bool,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallDeleteProtectionResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'deleteProtection', 'updateFirewallDeleteProtectionResponse_deleteProtection' - A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+--
+-- 'firewallArn', 'updateFirewallDeleteProtectionResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateFirewallDeleteProtectionResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'updateToken', 'updateFirewallDeleteProtectionResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'updateFirewallDeleteProtectionResponse_httpStatus' - The response's http status code.
+newUpdateFirewallDeleteProtectionResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateFirewallDeleteProtectionResponse
+newUpdateFirewallDeleteProtectionResponse
+  pHttpStatus_ =
+    UpdateFirewallDeleteProtectionResponse'
+      { deleteProtection =
+          Prelude.Nothing,
+        firewallArn = Prelude.Nothing,
+        firewallName = Prelude.Nothing,
+        updateToken = Prelude.Nothing,
+        httpStatus = pHttpStatus_
+      }
+
+-- | A flag indicating whether it is possible to delete the firewall. A
+-- setting of @TRUE@ indicates that the firewall is protected against
+-- deletion. Use this setting to protect against accidentally deleting a
+-- firewall that is in use. When you create a firewall, the operation
+-- initializes this flag to @TRUE@.
+updateFirewallDeleteProtectionResponse_deleteProtection :: Lens.Lens' UpdateFirewallDeleteProtectionResponse (Prelude.Maybe Prelude.Bool)
+updateFirewallDeleteProtectionResponse_deleteProtection = Lens.lens (\UpdateFirewallDeleteProtectionResponse' {deleteProtection} -> deleteProtection) (\s@UpdateFirewallDeleteProtectionResponse' {} a -> s {deleteProtection = a} :: UpdateFirewallDeleteProtectionResponse)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateFirewallDeleteProtectionResponse_firewallArn :: Lens.Lens' UpdateFirewallDeleteProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtectionResponse_firewallArn = Lens.lens (\UpdateFirewallDeleteProtectionResponse' {firewallArn} -> firewallArn) (\s@UpdateFirewallDeleteProtectionResponse' {} a -> s {firewallArn = a} :: UpdateFirewallDeleteProtectionResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateFirewallDeleteProtectionResponse_firewallName :: Lens.Lens' UpdateFirewallDeleteProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtectionResponse_firewallName = Lens.lens (\UpdateFirewallDeleteProtectionResponse' {firewallName} -> firewallName) (\s@UpdateFirewallDeleteProtectionResponse' {} a -> s {firewallName = a} :: UpdateFirewallDeleteProtectionResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallDeleteProtectionResponse_updateToken :: Lens.Lens' UpdateFirewallDeleteProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDeleteProtectionResponse_updateToken = Lens.lens (\UpdateFirewallDeleteProtectionResponse' {updateToken} -> updateToken) (\s@UpdateFirewallDeleteProtectionResponse' {} a -> s {updateToken = a} :: UpdateFirewallDeleteProtectionResponse)
+
+-- | The response's http status code.
+updateFirewallDeleteProtectionResponse_httpStatus :: Lens.Lens' UpdateFirewallDeleteProtectionResponse Prelude.Int
+updateFirewallDeleteProtectionResponse_httpStatus = Lens.lens (\UpdateFirewallDeleteProtectionResponse' {httpStatus} -> httpStatus) (\s@UpdateFirewallDeleteProtectionResponse' {} a -> s {httpStatus = a} :: UpdateFirewallDeleteProtectionResponse)
+
+instance
+  Prelude.NFData
+    UpdateFirewallDeleteProtectionResponse
+  where
+  rnf UpdateFirewallDeleteProtectionResponse' {..} =
+    Prelude.rnf deleteProtection
+      `Prelude.seq` Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateFirewallDescription.hs b/gen/Amazonka/NetworkFirewall/UpdateFirewallDescription.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateFirewallDescription.hs
@@ -0,0 +1,368 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateFirewallDescription
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Modifies the description for the specified firewall. Use the description
+-- to help you identify the firewall when you\'re working with it.
+module Amazonka.NetworkFirewall.UpdateFirewallDescription
+  ( -- * Creating a Request
+    UpdateFirewallDescription (..),
+    newUpdateFirewallDescription,
+
+    -- * Request Lenses
+    updateFirewallDescription_description,
+    updateFirewallDescription_firewallArn,
+    updateFirewallDescription_firewallName,
+    updateFirewallDescription_updateToken,
+
+    -- * Destructuring the Response
+    UpdateFirewallDescriptionResponse (..),
+    newUpdateFirewallDescriptionResponse,
+
+    -- * Response Lenses
+    updateFirewallDescriptionResponse_description,
+    updateFirewallDescriptionResponse_firewallArn,
+    updateFirewallDescriptionResponse_firewallName,
+    updateFirewallDescriptionResponse_updateToken,
+    updateFirewallDescriptionResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateFirewallDescription' smart constructor.
+data UpdateFirewallDescription = UpdateFirewallDescription'
+  { -- | The new description for the firewall. If you omit this setting, Network
+    -- Firewall removes the description for the firewall.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallDescription' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'updateFirewallDescription_description' - The new description for the firewall. If you omit this setting, Network
+-- Firewall removes the description for the firewall.
+--
+-- 'firewallArn', 'updateFirewallDescription_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'updateFirewallDescription_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'updateFirewallDescription_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+newUpdateFirewallDescription ::
+  UpdateFirewallDescription
+newUpdateFirewallDescription =
+  UpdateFirewallDescription'
+    { description =
+        Prelude.Nothing,
+      firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing
+    }
+
+-- | The new description for the firewall. If you omit this setting, Network
+-- Firewall removes the description for the firewall.
+updateFirewallDescription_description :: Lens.Lens' UpdateFirewallDescription (Prelude.Maybe Prelude.Text)
+updateFirewallDescription_description = Lens.lens (\UpdateFirewallDescription' {description} -> description) (\s@UpdateFirewallDescription' {} a -> s {description = a} :: UpdateFirewallDescription)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallDescription_firewallArn :: Lens.Lens' UpdateFirewallDescription (Prelude.Maybe Prelude.Text)
+updateFirewallDescription_firewallArn = Lens.lens (\UpdateFirewallDescription' {firewallArn} -> firewallArn) (\s@UpdateFirewallDescription' {} a -> s {firewallArn = a} :: UpdateFirewallDescription)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallDescription_firewallName :: Lens.Lens' UpdateFirewallDescription (Prelude.Maybe Prelude.Text)
+updateFirewallDescription_firewallName = Lens.lens (\UpdateFirewallDescription' {firewallName} -> firewallName) (\s@UpdateFirewallDescription' {} a -> s {firewallName = a} :: UpdateFirewallDescription)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallDescription_updateToken :: Lens.Lens' UpdateFirewallDescription (Prelude.Maybe Prelude.Text)
+updateFirewallDescription_updateToken = Lens.lens (\UpdateFirewallDescription' {updateToken} -> updateToken) (\s@UpdateFirewallDescription' {} a -> s {updateToken = a} :: UpdateFirewallDescription)
+
+instance Core.AWSRequest UpdateFirewallDescription where
+  type
+    AWSResponse UpdateFirewallDescription =
+      UpdateFirewallDescriptionResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateFirewallDescriptionResponse'
+            Prelude.<$> (x Data..?> "Description")
+            Prelude.<*> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable UpdateFirewallDescription where
+  hashWithSalt _salt UpdateFirewallDescription' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` updateToken
+
+instance Prelude.NFData UpdateFirewallDescription where
+  rnf UpdateFirewallDescription' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+
+instance Data.ToHeaders UpdateFirewallDescription where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateFirewallDescription" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateFirewallDescription where
+  toJSON UpdateFirewallDescription' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Description" Data..=) Prelude.<$> description,
+            ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken
+          ]
+      )
+
+instance Data.ToPath UpdateFirewallDescription where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateFirewallDescription where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateFirewallDescriptionResponse' smart constructor.
+data UpdateFirewallDescriptionResponse = UpdateFirewallDescriptionResponse'
+  { -- | A description of the firewall.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallDescriptionResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'updateFirewallDescriptionResponse_description' - A description of the firewall.
+--
+-- 'firewallArn', 'updateFirewallDescriptionResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateFirewallDescriptionResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'updateToken', 'updateFirewallDescriptionResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'updateFirewallDescriptionResponse_httpStatus' - The response's http status code.
+newUpdateFirewallDescriptionResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateFirewallDescriptionResponse
+newUpdateFirewallDescriptionResponse pHttpStatus_ =
+  UpdateFirewallDescriptionResponse'
+    { description =
+        Prelude.Nothing,
+      firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | A description of the firewall.
+updateFirewallDescriptionResponse_description :: Lens.Lens' UpdateFirewallDescriptionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDescriptionResponse_description = Lens.lens (\UpdateFirewallDescriptionResponse' {description} -> description) (\s@UpdateFirewallDescriptionResponse' {} a -> s {description = a} :: UpdateFirewallDescriptionResponse)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateFirewallDescriptionResponse_firewallArn :: Lens.Lens' UpdateFirewallDescriptionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDescriptionResponse_firewallArn = Lens.lens (\UpdateFirewallDescriptionResponse' {firewallArn} -> firewallArn) (\s@UpdateFirewallDescriptionResponse' {} a -> s {firewallArn = a} :: UpdateFirewallDescriptionResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateFirewallDescriptionResponse_firewallName :: Lens.Lens' UpdateFirewallDescriptionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDescriptionResponse_firewallName = Lens.lens (\UpdateFirewallDescriptionResponse' {firewallName} -> firewallName) (\s@UpdateFirewallDescriptionResponse' {} a -> s {firewallName = a} :: UpdateFirewallDescriptionResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallDescriptionResponse_updateToken :: Lens.Lens' UpdateFirewallDescriptionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallDescriptionResponse_updateToken = Lens.lens (\UpdateFirewallDescriptionResponse' {updateToken} -> updateToken) (\s@UpdateFirewallDescriptionResponse' {} a -> s {updateToken = a} :: UpdateFirewallDescriptionResponse)
+
+-- | The response's http status code.
+updateFirewallDescriptionResponse_httpStatus :: Lens.Lens' UpdateFirewallDescriptionResponse Prelude.Int
+updateFirewallDescriptionResponse_httpStatus = Lens.lens (\UpdateFirewallDescriptionResponse' {httpStatus} -> httpStatus) (\s@UpdateFirewallDescriptionResponse' {} a -> s {httpStatus = a} :: UpdateFirewallDescriptionResponse)
+
+instance
+  Prelude.NFData
+    UpdateFirewallDescriptionResponse
+  where
+  rnf UpdateFirewallDescriptionResponse' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateFirewallEncryptionConfiguration.hs b/gen/Amazonka/NetworkFirewall/UpdateFirewallEncryptionConfiguration.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateFirewallEncryptionConfiguration.hs
@@ -0,0 +1,381 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateFirewallEncryptionConfiguration
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- A complex type that contains settings for encryption of your firewall
+-- resources.
+module Amazonka.NetworkFirewall.UpdateFirewallEncryptionConfiguration
+  ( -- * Creating a Request
+    UpdateFirewallEncryptionConfiguration (..),
+    newUpdateFirewallEncryptionConfiguration,
+
+    -- * Request Lenses
+    updateFirewallEncryptionConfiguration_encryptionConfiguration,
+    updateFirewallEncryptionConfiguration_firewallArn,
+    updateFirewallEncryptionConfiguration_firewallName,
+    updateFirewallEncryptionConfiguration_updateToken,
+
+    -- * Destructuring the Response
+    UpdateFirewallEncryptionConfigurationResponse (..),
+    newUpdateFirewallEncryptionConfigurationResponse,
+
+    -- * Response Lenses
+    updateFirewallEncryptionConfigurationResponse_encryptionConfiguration,
+    updateFirewallEncryptionConfigurationResponse_firewallArn,
+    updateFirewallEncryptionConfigurationResponse_firewallName,
+    updateFirewallEncryptionConfigurationResponse_updateToken,
+    updateFirewallEncryptionConfigurationResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateFirewallEncryptionConfiguration' smart constructor.
+data UpdateFirewallEncryptionConfiguration = UpdateFirewallEncryptionConfiguration'
+  { encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallEncryptionConfiguration' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'encryptionConfiguration', 'updateFirewallEncryptionConfiguration_encryptionConfiguration' - Undocumented member.
+--
+-- 'firewallArn', 'updateFirewallEncryptionConfiguration_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateFirewallEncryptionConfiguration_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'updateToken', 'updateFirewallEncryptionConfiguration_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+newUpdateFirewallEncryptionConfiguration ::
+  UpdateFirewallEncryptionConfiguration
+newUpdateFirewallEncryptionConfiguration =
+  UpdateFirewallEncryptionConfiguration'
+    { encryptionConfiguration =
+        Prelude.Nothing,
+      firewallArn = Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      updateToken = Prelude.Nothing
+    }
+
+-- | Undocumented member.
+updateFirewallEncryptionConfiguration_encryptionConfiguration :: Lens.Lens' UpdateFirewallEncryptionConfiguration (Prelude.Maybe EncryptionConfiguration)
+updateFirewallEncryptionConfiguration_encryptionConfiguration = Lens.lens (\UpdateFirewallEncryptionConfiguration' {encryptionConfiguration} -> encryptionConfiguration) (\s@UpdateFirewallEncryptionConfiguration' {} a -> s {encryptionConfiguration = a} :: UpdateFirewallEncryptionConfiguration)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateFirewallEncryptionConfiguration_firewallArn :: Lens.Lens' UpdateFirewallEncryptionConfiguration (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfiguration_firewallArn = Lens.lens (\UpdateFirewallEncryptionConfiguration' {firewallArn} -> firewallArn) (\s@UpdateFirewallEncryptionConfiguration' {} a -> s {firewallArn = a} :: UpdateFirewallEncryptionConfiguration)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateFirewallEncryptionConfiguration_firewallName :: Lens.Lens' UpdateFirewallEncryptionConfiguration (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfiguration_firewallName = Lens.lens (\UpdateFirewallEncryptionConfiguration' {firewallName} -> firewallName) (\s@UpdateFirewallEncryptionConfiguration' {} a -> s {firewallName = a} :: UpdateFirewallEncryptionConfiguration)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallEncryptionConfiguration_updateToken :: Lens.Lens' UpdateFirewallEncryptionConfiguration (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfiguration_updateToken = Lens.lens (\UpdateFirewallEncryptionConfiguration' {updateToken} -> updateToken) (\s@UpdateFirewallEncryptionConfiguration' {} a -> s {updateToken = a} :: UpdateFirewallEncryptionConfiguration)
+
+instance
+  Core.AWSRequest
+    UpdateFirewallEncryptionConfiguration
+  where
+  type
+    AWSResponse
+      UpdateFirewallEncryptionConfiguration =
+      UpdateFirewallEncryptionConfigurationResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateFirewallEncryptionConfigurationResponse'
+            Prelude.<$> (x Data..?> "EncryptionConfiguration")
+            Prelude.<*> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance
+  Prelude.Hashable
+    UpdateFirewallEncryptionConfiguration
+  where
+  hashWithSalt
+    _salt
+    UpdateFirewallEncryptionConfiguration' {..} =
+      _salt
+        `Prelude.hashWithSalt` encryptionConfiguration
+        `Prelude.hashWithSalt` firewallArn
+        `Prelude.hashWithSalt` firewallName
+        `Prelude.hashWithSalt` updateToken
+
+instance
+  Prelude.NFData
+    UpdateFirewallEncryptionConfiguration
+  where
+  rnf UpdateFirewallEncryptionConfiguration' {..} =
+    Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+
+instance
+  Data.ToHeaders
+    UpdateFirewallEncryptionConfiguration
+  where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateFirewallEncryptionConfiguration" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance
+  Data.ToJSON
+    UpdateFirewallEncryptionConfiguration
+  where
+  toJSON UpdateFirewallEncryptionConfiguration' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken
+          ]
+      )
+
+instance
+  Data.ToPath
+    UpdateFirewallEncryptionConfiguration
+  where
+  toPath = Prelude.const "/"
+
+instance
+  Data.ToQuery
+    UpdateFirewallEncryptionConfiguration
+  where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateFirewallEncryptionConfigurationResponse' smart constructor.
+data UpdateFirewallEncryptionConfigurationResponse = UpdateFirewallEncryptionConfigurationResponse'
+  { encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallEncryptionConfigurationResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'encryptionConfiguration', 'updateFirewallEncryptionConfigurationResponse_encryptionConfiguration' - Undocumented member.
+--
+-- 'firewallArn', 'updateFirewallEncryptionConfigurationResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateFirewallEncryptionConfigurationResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'updateToken', 'updateFirewallEncryptionConfigurationResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'updateFirewallEncryptionConfigurationResponse_httpStatus' - The response's http status code.
+newUpdateFirewallEncryptionConfigurationResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateFirewallEncryptionConfigurationResponse
+newUpdateFirewallEncryptionConfigurationResponse
+  pHttpStatus_ =
+    UpdateFirewallEncryptionConfigurationResponse'
+      { encryptionConfiguration =
+          Prelude.Nothing,
+        firewallArn =
+          Prelude.Nothing,
+        firewallName =
+          Prelude.Nothing,
+        updateToken =
+          Prelude.Nothing,
+        httpStatus = pHttpStatus_
+      }
+
+-- | Undocumented member.
+updateFirewallEncryptionConfigurationResponse_encryptionConfiguration :: Lens.Lens' UpdateFirewallEncryptionConfigurationResponse (Prelude.Maybe EncryptionConfiguration)
+updateFirewallEncryptionConfigurationResponse_encryptionConfiguration = Lens.lens (\UpdateFirewallEncryptionConfigurationResponse' {encryptionConfiguration} -> encryptionConfiguration) (\s@UpdateFirewallEncryptionConfigurationResponse' {} a -> s {encryptionConfiguration = a} :: UpdateFirewallEncryptionConfigurationResponse)
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateFirewallEncryptionConfigurationResponse_firewallArn :: Lens.Lens' UpdateFirewallEncryptionConfigurationResponse (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfigurationResponse_firewallArn = Lens.lens (\UpdateFirewallEncryptionConfigurationResponse' {firewallArn} -> firewallArn) (\s@UpdateFirewallEncryptionConfigurationResponse' {} a -> s {firewallArn = a} :: UpdateFirewallEncryptionConfigurationResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateFirewallEncryptionConfigurationResponse_firewallName :: Lens.Lens' UpdateFirewallEncryptionConfigurationResponse (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfigurationResponse_firewallName = Lens.lens (\UpdateFirewallEncryptionConfigurationResponse' {firewallName} -> firewallName) (\s@UpdateFirewallEncryptionConfigurationResponse' {} a -> s {firewallName = a} :: UpdateFirewallEncryptionConfigurationResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallEncryptionConfigurationResponse_updateToken :: Lens.Lens' UpdateFirewallEncryptionConfigurationResponse (Prelude.Maybe Prelude.Text)
+updateFirewallEncryptionConfigurationResponse_updateToken = Lens.lens (\UpdateFirewallEncryptionConfigurationResponse' {updateToken} -> updateToken) (\s@UpdateFirewallEncryptionConfigurationResponse' {} a -> s {updateToken = a} :: UpdateFirewallEncryptionConfigurationResponse)
+
+-- | The response's http status code.
+updateFirewallEncryptionConfigurationResponse_httpStatus :: Lens.Lens' UpdateFirewallEncryptionConfigurationResponse Prelude.Int
+updateFirewallEncryptionConfigurationResponse_httpStatus = Lens.lens (\UpdateFirewallEncryptionConfigurationResponse' {httpStatus} -> httpStatus) (\s@UpdateFirewallEncryptionConfigurationResponse' {} a -> s {httpStatus = a} :: UpdateFirewallEncryptionConfigurationResponse)
+
+instance
+  Prelude.NFData
+    UpdateFirewallEncryptionConfigurationResponse
+  where
+  rnf
+    UpdateFirewallEncryptionConfigurationResponse' {..} =
+      Prelude.rnf encryptionConfiguration
+        `Prelude.seq` Prelude.rnf firewallArn
+        `Prelude.seq` Prelude.rnf firewallName
+        `Prelude.seq` Prelude.rnf updateToken
+        `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicy.hs b/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicy.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicy.hs
@@ -0,0 +1,400 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateFirewallPolicy
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Updates the properties of the specified firewall policy.
+module Amazonka.NetworkFirewall.UpdateFirewallPolicy
+  ( -- * Creating a Request
+    UpdateFirewallPolicy (..),
+    newUpdateFirewallPolicy,
+
+    -- * Request Lenses
+    updateFirewallPolicy_description,
+    updateFirewallPolicy_dryRun,
+    updateFirewallPolicy_encryptionConfiguration,
+    updateFirewallPolicy_firewallPolicyArn,
+    updateFirewallPolicy_firewallPolicyName,
+    updateFirewallPolicy_updateToken,
+    updateFirewallPolicy_firewallPolicy,
+
+    -- * Destructuring the Response
+    UpdateFirewallPolicyResponse (..),
+    newUpdateFirewallPolicyResponse,
+
+    -- * Response Lenses
+    updateFirewallPolicyResponse_httpStatus,
+    updateFirewallPolicyResponse_updateToken,
+    updateFirewallPolicyResponse_firewallPolicyResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateFirewallPolicy' smart constructor.
+data UpdateFirewallPolicy = UpdateFirewallPolicy'
+  { -- | A description of the firewall policy.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether you want Network Firewall to just check the validity
+    -- of the request, rather than run the request.
+    --
+    -- If set to @TRUE@, Network Firewall checks whether the request can run
+    -- successfully, but doesn\'t actually make the requested changes. The call
+    -- returns the value that the request would return if you ran it with dry
+    -- run set to @FALSE@, but doesn\'t make additions or changes to your
+    -- resources. This option allows you to make sure that you have the
+    -- required permissions to run the request and that your request parameters
+    -- are valid.
+    --
+    -- If set to @FALSE@, Network Firewall makes the requested changes to your
+    -- resources.
+    dryRun :: Prelude.Maybe Prelude.Bool,
+    -- | A complex type that contains settings for encryption of your firewall
+    -- policy resources.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | The Amazon Resource Name (ARN) of the firewall policy.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall policy. You can\'t change the name
+    -- of a firewall policy after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallPolicyName :: Prelude.Maybe Prelude.Text,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the firewall policy. The token marks the state
+    -- of the policy resource at the time of the request.
+    --
+    -- To make changes to the policy, you provide the token in your request.
+    -- Network Firewall uses the token to ensure that the policy hasn\'t
+    -- changed since you last retrieved it. If it has changed, the operation
+    -- fails with an @InvalidTokenException@. If this happens, retrieve the
+    -- firewall policy again to get a current copy of it with current token.
+    -- Reapply your changes as needed, then try the operation again using the
+    -- new token.
+    updateToken :: Prelude.Text,
+    -- | The updated firewall policy to use for the firewall.
+    firewallPolicy :: FirewallPolicy
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallPolicy' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'updateFirewallPolicy_description' - A description of the firewall policy.
+--
+-- 'dryRun', 'updateFirewallPolicy_dryRun' - Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+--
+-- 'encryptionConfiguration', 'updateFirewallPolicy_encryptionConfiguration' - A complex type that contains settings for encryption of your firewall
+-- policy resources.
+--
+-- 'firewallPolicyArn', 'updateFirewallPolicy_firewallPolicyArn' - The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallPolicyName', 'updateFirewallPolicy_firewallPolicyName' - The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'updateFirewallPolicy_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+--
+-- 'firewallPolicy', 'updateFirewallPolicy_firewallPolicy' - The updated firewall policy to use for the firewall.
+newUpdateFirewallPolicy ::
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'firewallPolicy'
+  FirewallPolicy ->
+  UpdateFirewallPolicy
+newUpdateFirewallPolicy
+  pUpdateToken_
+  pFirewallPolicy_ =
+    UpdateFirewallPolicy'
+      { description =
+          Prelude.Nothing,
+        dryRun = Prelude.Nothing,
+        encryptionConfiguration = Prelude.Nothing,
+        firewallPolicyArn = Prelude.Nothing,
+        firewallPolicyName = Prelude.Nothing,
+        updateToken = pUpdateToken_,
+        firewallPolicy = pFirewallPolicy_
+      }
+
+-- | A description of the firewall policy.
+updateFirewallPolicy_description :: Lens.Lens' UpdateFirewallPolicy (Prelude.Maybe Prelude.Text)
+updateFirewallPolicy_description = Lens.lens (\UpdateFirewallPolicy' {description} -> description) (\s@UpdateFirewallPolicy' {} a -> s {description = a} :: UpdateFirewallPolicy)
+
+-- | Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+updateFirewallPolicy_dryRun :: Lens.Lens' UpdateFirewallPolicy (Prelude.Maybe Prelude.Bool)
+updateFirewallPolicy_dryRun = Lens.lens (\UpdateFirewallPolicy' {dryRun} -> dryRun) (\s@UpdateFirewallPolicy' {} a -> s {dryRun = a} :: UpdateFirewallPolicy)
+
+-- | A complex type that contains settings for encryption of your firewall
+-- policy resources.
+updateFirewallPolicy_encryptionConfiguration :: Lens.Lens' UpdateFirewallPolicy (Prelude.Maybe EncryptionConfiguration)
+updateFirewallPolicy_encryptionConfiguration = Lens.lens (\UpdateFirewallPolicy' {encryptionConfiguration} -> encryptionConfiguration) (\s@UpdateFirewallPolicy' {} a -> s {encryptionConfiguration = a} :: UpdateFirewallPolicy)
+
+-- | The Amazon Resource Name (ARN) of the firewall policy.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallPolicy_firewallPolicyArn :: Lens.Lens' UpdateFirewallPolicy (Prelude.Maybe Prelude.Text)
+updateFirewallPolicy_firewallPolicyArn = Lens.lens (\UpdateFirewallPolicy' {firewallPolicyArn} -> firewallPolicyArn) (\s@UpdateFirewallPolicy' {} a -> s {firewallPolicyArn = a} :: UpdateFirewallPolicy)
+
+-- | The descriptive name of the firewall policy. You can\'t change the name
+-- of a firewall policy after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallPolicy_firewallPolicyName :: Lens.Lens' UpdateFirewallPolicy (Prelude.Maybe Prelude.Text)
+updateFirewallPolicy_firewallPolicyName = Lens.lens (\UpdateFirewallPolicy' {firewallPolicyName} -> firewallPolicyName) (\s@UpdateFirewallPolicy' {} a -> s {firewallPolicyName = a} :: UpdateFirewallPolicy)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+updateFirewallPolicy_updateToken :: Lens.Lens' UpdateFirewallPolicy Prelude.Text
+updateFirewallPolicy_updateToken = Lens.lens (\UpdateFirewallPolicy' {updateToken} -> updateToken) (\s@UpdateFirewallPolicy' {} a -> s {updateToken = a} :: UpdateFirewallPolicy)
+
+-- | The updated firewall policy to use for the firewall.
+updateFirewallPolicy_firewallPolicy :: Lens.Lens' UpdateFirewallPolicy FirewallPolicy
+updateFirewallPolicy_firewallPolicy = Lens.lens (\UpdateFirewallPolicy' {firewallPolicy} -> firewallPolicy) (\s@UpdateFirewallPolicy' {} a -> s {firewallPolicy = a} :: UpdateFirewallPolicy)
+
+instance Core.AWSRequest UpdateFirewallPolicy where
+  type
+    AWSResponse UpdateFirewallPolicy =
+      UpdateFirewallPolicyResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateFirewallPolicyResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "FirewallPolicyResponse")
+      )
+
+instance Prelude.Hashable UpdateFirewallPolicy where
+  hashWithSalt _salt UpdateFirewallPolicy' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` dryRun
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` firewallPolicyArn
+      `Prelude.hashWithSalt` firewallPolicyName
+      `Prelude.hashWithSalt` updateToken
+      `Prelude.hashWithSalt` firewallPolicy
+
+instance Prelude.NFData UpdateFirewallPolicy where
+  rnf UpdateFirewallPolicy' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf dryRun
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf firewallPolicyArn
+      `Prelude.seq` Prelude.rnf firewallPolicyName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicy
+
+instance Data.ToHeaders UpdateFirewallPolicy where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateFirewallPolicy" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateFirewallPolicy where
+  toJSON UpdateFirewallPolicy' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Description" Data..=) Prelude.<$> description,
+            ("DryRun" Data..=) Prelude.<$> dryRun,
+            ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("FirewallPolicyArn" Data..=)
+              Prelude.<$> firewallPolicyArn,
+            ("FirewallPolicyName" Data..=)
+              Prelude.<$> firewallPolicyName,
+            Prelude.Just ("UpdateToken" Data..= updateToken),
+            Prelude.Just
+              ("FirewallPolicy" Data..= firewallPolicy)
+          ]
+      )
+
+instance Data.ToPath UpdateFirewallPolicy where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateFirewallPolicy where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateFirewallPolicyResponse' smart constructor.
+data UpdateFirewallPolicyResponse = UpdateFirewallPolicyResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the firewall policy. The token marks the state
+    -- of the policy resource at the time of the request.
+    --
+    -- To make changes to the policy, you provide the token in your request.
+    -- Network Firewall uses the token to ensure that the policy hasn\'t
+    -- changed since you last retrieved it. If it has changed, the operation
+    -- fails with an @InvalidTokenException@. If this happens, retrieve the
+    -- firewall policy again to get a current copy of it with current token.
+    -- Reapply your changes as needed, then try the operation again using the
+    -- new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a firewall policy. This, along with the
+    -- FirewallPolicy, define the policy. You can retrieve all objects for a
+    -- firewall policy by calling DescribeFirewallPolicy.
+    firewallPolicyResponse :: FirewallPolicyResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallPolicyResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'updateFirewallPolicyResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'updateFirewallPolicyResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+--
+-- 'firewallPolicyResponse', 'updateFirewallPolicyResponse_firewallPolicyResponse' - The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+newUpdateFirewallPolicyResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'firewallPolicyResponse'
+  FirewallPolicyResponse ->
+  UpdateFirewallPolicyResponse
+newUpdateFirewallPolicyResponse
+  pHttpStatus_
+  pUpdateToken_
+  pFirewallPolicyResponse_ =
+    UpdateFirewallPolicyResponse'
+      { httpStatus =
+          pHttpStatus_,
+        updateToken = pUpdateToken_,
+        firewallPolicyResponse =
+          pFirewallPolicyResponse_
+      }
+
+-- | The response's http status code.
+updateFirewallPolicyResponse_httpStatus :: Lens.Lens' UpdateFirewallPolicyResponse Prelude.Int
+updateFirewallPolicyResponse_httpStatus = Lens.lens (\UpdateFirewallPolicyResponse' {httpStatus} -> httpStatus) (\s@UpdateFirewallPolicyResponse' {} a -> s {httpStatus = a} :: UpdateFirewallPolicyResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the firewall policy. The token marks the state
+-- of the policy resource at the time of the request.
+--
+-- To make changes to the policy, you provide the token in your request.
+-- Network Firewall uses the token to ensure that the policy hasn\'t
+-- changed since you last retrieved it. If it has changed, the operation
+-- fails with an @InvalidTokenException@. If this happens, retrieve the
+-- firewall policy again to get a current copy of it with current token.
+-- Reapply your changes as needed, then try the operation again using the
+-- new token.
+updateFirewallPolicyResponse_updateToken :: Lens.Lens' UpdateFirewallPolicyResponse Prelude.Text
+updateFirewallPolicyResponse_updateToken = Lens.lens (\UpdateFirewallPolicyResponse' {updateToken} -> updateToken) (\s@UpdateFirewallPolicyResponse' {} a -> s {updateToken = a} :: UpdateFirewallPolicyResponse)
+
+-- | The high-level properties of a firewall policy. This, along with the
+-- FirewallPolicy, define the policy. You can retrieve all objects for a
+-- firewall policy by calling DescribeFirewallPolicy.
+updateFirewallPolicyResponse_firewallPolicyResponse :: Lens.Lens' UpdateFirewallPolicyResponse FirewallPolicyResponse
+updateFirewallPolicyResponse_firewallPolicyResponse = Lens.lens (\UpdateFirewallPolicyResponse' {firewallPolicyResponse} -> firewallPolicyResponse) (\s@UpdateFirewallPolicyResponse' {} a -> s {firewallPolicyResponse = a} :: UpdateFirewallPolicyResponse)
+
+instance Prelude.NFData UpdateFirewallPolicyResponse where
+  rnf UpdateFirewallPolicyResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicyResponse
diff --git a/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicyChangeProtection.hs b/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicyChangeProtection.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateFirewallPolicyChangeProtection.hs
@@ -0,0 +1,424 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateFirewallPolicyChangeProtection
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Modifies the flag, @ChangeProtection@, which indicates whether it is
+-- possible to change the firewall. If the flag is set to @TRUE@, the
+-- firewall is protected from changes. This setting helps protect against
+-- accidentally changing a firewall that\'s in use.
+module Amazonka.NetworkFirewall.UpdateFirewallPolicyChangeProtection
+  ( -- * Creating a Request
+    UpdateFirewallPolicyChangeProtection (..),
+    newUpdateFirewallPolicyChangeProtection,
+
+    -- * Request Lenses
+    updateFirewallPolicyChangeProtection_firewallArn,
+    updateFirewallPolicyChangeProtection_firewallName,
+    updateFirewallPolicyChangeProtection_updateToken,
+    updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection,
+
+    -- * Destructuring the Response
+    UpdateFirewallPolicyChangeProtectionResponse (..),
+    newUpdateFirewallPolicyChangeProtectionResponse,
+
+    -- * Response Lenses
+    updateFirewallPolicyChangeProtectionResponse_firewallArn,
+    updateFirewallPolicyChangeProtectionResponse_firewallName,
+    updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection,
+    updateFirewallPolicyChangeProtectionResponse_updateToken,
+    updateFirewallPolicyChangeProtectionResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateFirewallPolicyChangeProtection' smart constructor.
+data UpdateFirewallPolicyChangeProtection = UpdateFirewallPolicyChangeProtection'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | A setting indicating whether the firewall is protected against a change
+    -- to the firewall policy association. Use this setting to protect against
+    -- accidentally modifying the firewall policy for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    firewallPolicyChangeProtection :: Prelude.Bool
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallPolicyChangeProtection' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateFirewallPolicyChangeProtection_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'updateFirewallPolicyChangeProtection_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'updateFirewallPolicyChangeProtection_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'firewallPolicyChangeProtection', 'updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection' - A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+newUpdateFirewallPolicyChangeProtection ::
+  -- | 'firewallPolicyChangeProtection'
+  Prelude.Bool ->
+  UpdateFirewallPolicyChangeProtection
+newUpdateFirewallPolicyChangeProtection
+  pFirewallPolicyChangeProtection_ =
+    UpdateFirewallPolicyChangeProtection'
+      { firewallArn =
+          Prelude.Nothing,
+        firewallName = Prelude.Nothing,
+        updateToken = Prelude.Nothing,
+        firewallPolicyChangeProtection =
+          pFirewallPolicyChangeProtection_
+      }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallPolicyChangeProtection_firewallArn :: Lens.Lens' UpdateFirewallPolicyChangeProtection (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtection_firewallArn = Lens.lens (\UpdateFirewallPolicyChangeProtection' {firewallArn} -> firewallArn) (\s@UpdateFirewallPolicyChangeProtection' {} a -> s {firewallArn = a} :: UpdateFirewallPolicyChangeProtection)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateFirewallPolicyChangeProtection_firewallName :: Lens.Lens' UpdateFirewallPolicyChangeProtection (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtection_firewallName = Lens.lens (\UpdateFirewallPolicyChangeProtection' {firewallName} -> firewallName) (\s@UpdateFirewallPolicyChangeProtection' {} a -> s {firewallName = a} :: UpdateFirewallPolicyChangeProtection)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallPolicyChangeProtection_updateToken :: Lens.Lens' UpdateFirewallPolicyChangeProtection (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtection_updateToken = Lens.lens (\UpdateFirewallPolicyChangeProtection' {updateToken} -> updateToken) (\s@UpdateFirewallPolicyChangeProtection' {} a -> s {updateToken = a} :: UpdateFirewallPolicyChangeProtection)
+
+-- | A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection :: Lens.Lens' UpdateFirewallPolicyChangeProtection Prelude.Bool
+updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection = Lens.lens (\UpdateFirewallPolicyChangeProtection' {firewallPolicyChangeProtection} -> firewallPolicyChangeProtection) (\s@UpdateFirewallPolicyChangeProtection' {} a -> s {firewallPolicyChangeProtection = a} :: UpdateFirewallPolicyChangeProtection)
+
+instance
+  Core.AWSRequest
+    UpdateFirewallPolicyChangeProtection
+  where
+  type
+    AWSResponse UpdateFirewallPolicyChangeProtection =
+      UpdateFirewallPolicyChangeProtectionResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateFirewallPolicyChangeProtectionResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "FirewallPolicyChangeProtection")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance
+  Prelude.Hashable
+    UpdateFirewallPolicyChangeProtection
+  where
+  hashWithSalt
+    _salt
+    UpdateFirewallPolicyChangeProtection' {..} =
+      _salt
+        `Prelude.hashWithSalt` firewallArn
+        `Prelude.hashWithSalt` firewallName
+        `Prelude.hashWithSalt` updateToken
+        `Prelude.hashWithSalt` firewallPolicyChangeProtection
+
+instance
+  Prelude.NFData
+    UpdateFirewallPolicyChangeProtection
+  where
+  rnf UpdateFirewallPolicyChangeProtection' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf firewallPolicyChangeProtection
+
+instance
+  Data.ToHeaders
+    UpdateFirewallPolicyChangeProtection
+  where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateFirewallPolicyChangeProtection" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance
+  Data.ToJSON
+    UpdateFirewallPolicyChangeProtection
+  where
+  toJSON UpdateFirewallPolicyChangeProtection' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just
+              ( "FirewallPolicyChangeProtection"
+                  Data..= firewallPolicyChangeProtection
+              )
+          ]
+      )
+
+instance
+  Data.ToPath
+    UpdateFirewallPolicyChangeProtection
+  where
+  toPath = Prelude.const "/"
+
+instance
+  Data.ToQuery
+    UpdateFirewallPolicyChangeProtection
+  where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateFirewallPolicyChangeProtectionResponse' smart constructor.
+data UpdateFirewallPolicyChangeProtectionResponse = UpdateFirewallPolicyChangeProtectionResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | A setting indicating whether the firewall is protected against a change
+    -- to the firewall policy association. Use this setting to protect against
+    -- accidentally modifying the firewall policy for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    firewallPolicyChangeProtection :: Prelude.Maybe Prelude.Bool,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateFirewallPolicyChangeProtectionResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateFirewallPolicyChangeProtectionResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateFirewallPolicyChangeProtectionResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'firewallPolicyChangeProtection', 'updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection' - A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'updateToken', 'updateFirewallPolicyChangeProtectionResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'updateFirewallPolicyChangeProtectionResponse_httpStatus' - The response's http status code.
+newUpdateFirewallPolicyChangeProtectionResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateFirewallPolicyChangeProtectionResponse
+newUpdateFirewallPolicyChangeProtectionResponse
+  pHttpStatus_ =
+    UpdateFirewallPolicyChangeProtectionResponse'
+      { firewallArn =
+          Prelude.Nothing,
+        firewallName =
+          Prelude.Nothing,
+        firewallPolicyChangeProtection =
+          Prelude.Nothing,
+        updateToken = Prelude.Nothing,
+        httpStatus = pHttpStatus_
+      }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateFirewallPolicyChangeProtectionResponse_firewallArn :: Lens.Lens' UpdateFirewallPolicyChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtectionResponse_firewallArn = Lens.lens (\UpdateFirewallPolicyChangeProtectionResponse' {firewallArn} -> firewallArn) (\s@UpdateFirewallPolicyChangeProtectionResponse' {} a -> s {firewallArn = a} :: UpdateFirewallPolicyChangeProtectionResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateFirewallPolicyChangeProtectionResponse_firewallName :: Lens.Lens' UpdateFirewallPolicyChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtectionResponse_firewallName = Lens.lens (\UpdateFirewallPolicyChangeProtectionResponse' {firewallName} -> firewallName) (\s@UpdateFirewallPolicyChangeProtectionResponse' {} a -> s {firewallName = a} :: UpdateFirewallPolicyChangeProtectionResponse)
+
+-- | A setting indicating whether the firewall is protected against a change
+-- to the firewall policy association. Use this setting to protect against
+-- accidentally modifying the firewall policy for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection :: Lens.Lens' UpdateFirewallPolicyChangeProtectionResponse (Prelude.Maybe Prelude.Bool)
+updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection = Lens.lens (\UpdateFirewallPolicyChangeProtectionResponse' {firewallPolicyChangeProtection} -> firewallPolicyChangeProtection) (\s@UpdateFirewallPolicyChangeProtectionResponse' {} a -> s {firewallPolicyChangeProtection = a} :: UpdateFirewallPolicyChangeProtectionResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateFirewallPolicyChangeProtectionResponse_updateToken :: Lens.Lens' UpdateFirewallPolicyChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateFirewallPolicyChangeProtectionResponse_updateToken = Lens.lens (\UpdateFirewallPolicyChangeProtectionResponse' {updateToken} -> updateToken) (\s@UpdateFirewallPolicyChangeProtectionResponse' {} a -> s {updateToken = a} :: UpdateFirewallPolicyChangeProtectionResponse)
+
+-- | The response's http status code.
+updateFirewallPolicyChangeProtectionResponse_httpStatus :: Lens.Lens' UpdateFirewallPolicyChangeProtectionResponse Prelude.Int
+updateFirewallPolicyChangeProtectionResponse_httpStatus = Lens.lens (\UpdateFirewallPolicyChangeProtectionResponse' {httpStatus} -> httpStatus) (\s@UpdateFirewallPolicyChangeProtectionResponse' {} a -> s {httpStatus = a} :: UpdateFirewallPolicyChangeProtectionResponse)
+
+instance
+  Prelude.NFData
+    UpdateFirewallPolicyChangeProtectionResponse
+  where
+  rnf UpdateFirewallPolicyChangeProtectionResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf firewallPolicyChangeProtection
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateLoggingConfiguration.hs b/gen/Amazonka/NetworkFirewall/UpdateLoggingConfiguration.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateLoggingConfiguration.hs
@@ -0,0 +1,269 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateLoggingConfiguration
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Sets the logging configuration for the specified firewall.
+--
+-- To change the logging configuration, retrieve the LoggingConfiguration
+-- by calling DescribeLoggingConfiguration, then change it and provide the
+-- modified object to this update call. You must change the logging
+-- configuration one LogDestinationConfig at a time inside the retrieved
+-- LoggingConfiguration object.
+--
+-- You can perform only one of the following actions in any call to
+-- @UpdateLoggingConfiguration@:
+--
+-- -   Create a new log destination object by adding a single
+--     @LogDestinationConfig@ array element to @LogDestinationConfigs@.
+--
+-- -   Delete a log destination object by removing a single
+--     @LogDestinationConfig@ array element from @LogDestinationConfigs@.
+--
+-- -   Change the @LogDestination@ setting in a single
+--     @LogDestinationConfig@ array element.
+--
+-- You can\'t change the @LogDestinationType@ or @LogType@ in a
+-- @LogDestinationConfig@. To change these settings, delete the existing
+-- @LogDestinationConfig@ object and create a new one, using two separate
+-- calls to this update operation.
+module Amazonka.NetworkFirewall.UpdateLoggingConfiguration
+  ( -- * Creating a Request
+    UpdateLoggingConfiguration (..),
+    newUpdateLoggingConfiguration,
+
+    -- * Request Lenses
+    updateLoggingConfiguration_firewallArn,
+    updateLoggingConfiguration_firewallName,
+    updateLoggingConfiguration_loggingConfiguration,
+
+    -- * Destructuring the Response
+    UpdateLoggingConfigurationResponse (..),
+    newUpdateLoggingConfigurationResponse,
+
+    -- * Response Lenses
+    updateLoggingConfigurationResponse_firewallArn,
+    updateLoggingConfigurationResponse_firewallName,
+    updateLoggingConfigurationResponse_loggingConfiguration,
+    updateLoggingConfigurationResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateLoggingConfiguration' smart constructor.
+data UpdateLoggingConfiguration = UpdateLoggingConfiguration'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | Defines how Network Firewall performs logging for a firewall. If you
+    -- omit this setting, Network Firewall disables logging for the firewall.
+    loggingConfiguration :: Prelude.Maybe LoggingConfiguration
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateLoggingConfiguration' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateLoggingConfiguration_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'updateLoggingConfiguration_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'loggingConfiguration', 'updateLoggingConfiguration_loggingConfiguration' - Defines how Network Firewall performs logging for a firewall. If you
+-- omit this setting, Network Firewall disables logging for the firewall.
+newUpdateLoggingConfiguration ::
+  UpdateLoggingConfiguration
+newUpdateLoggingConfiguration =
+  UpdateLoggingConfiguration'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      loggingConfiguration = Prelude.Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateLoggingConfiguration_firewallArn :: Lens.Lens' UpdateLoggingConfiguration (Prelude.Maybe Prelude.Text)
+updateLoggingConfiguration_firewallArn = Lens.lens (\UpdateLoggingConfiguration' {firewallArn} -> firewallArn) (\s@UpdateLoggingConfiguration' {} a -> s {firewallArn = a} :: UpdateLoggingConfiguration)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateLoggingConfiguration_firewallName :: Lens.Lens' UpdateLoggingConfiguration (Prelude.Maybe Prelude.Text)
+updateLoggingConfiguration_firewallName = Lens.lens (\UpdateLoggingConfiguration' {firewallName} -> firewallName) (\s@UpdateLoggingConfiguration' {} a -> s {firewallName = a} :: UpdateLoggingConfiguration)
+
+-- | Defines how Network Firewall performs logging for a firewall. If you
+-- omit this setting, Network Firewall disables logging for the firewall.
+updateLoggingConfiguration_loggingConfiguration :: Lens.Lens' UpdateLoggingConfiguration (Prelude.Maybe LoggingConfiguration)
+updateLoggingConfiguration_loggingConfiguration = Lens.lens (\UpdateLoggingConfiguration' {loggingConfiguration} -> loggingConfiguration) (\s@UpdateLoggingConfiguration' {} a -> s {loggingConfiguration = a} :: UpdateLoggingConfiguration)
+
+instance Core.AWSRequest UpdateLoggingConfiguration where
+  type
+    AWSResponse UpdateLoggingConfiguration =
+      UpdateLoggingConfigurationResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateLoggingConfigurationResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "LoggingConfiguration")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable UpdateLoggingConfiguration where
+  hashWithSalt _salt UpdateLoggingConfiguration' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` loggingConfiguration
+
+instance Prelude.NFData UpdateLoggingConfiguration where
+  rnf UpdateLoggingConfiguration' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf loggingConfiguration
+
+instance Data.ToHeaders UpdateLoggingConfiguration where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateLoggingConfiguration" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateLoggingConfiguration where
+  toJSON UpdateLoggingConfiguration' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("LoggingConfiguration" Data..=)
+              Prelude.<$> loggingConfiguration
+          ]
+      )
+
+instance Data.ToPath UpdateLoggingConfiguration where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateLoggingConfiguration where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateLoggingConfigurationResponse' smart constructor.
+data UpdateLoggingConfigurationResponse = UpdateLoggingConfigurationResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    loggingConfiguration :: Prelude.Maybe LoggingConfiguration,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateLoggingConfigurationResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateLoggingConfigurationResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateLoggingConfigurationResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'loggingConfiguration', 'updateLoggingConfigurationResponse_loggingConfiguration' - Undocumented member.
+--
+-- 'httpStatus', 'updateLoggingConfigurationResponse_httpStatus' - The response's http status code.
+newUpdateLoggingConfigurationResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateLoggingConfigurationResponse
+newUpdateLoggingConfigurationResponse pHttpStatus_ =
+  UpdateLoggingConfigurationResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      loggingConfiguration = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateLoggingConfigurationResponse_firewallArn :: Lens.Lens' UpdateLoggingConfigurationResponse (Prelude.Maybe Prelude.Text)
+updateLoggingConfigurationResponse_firewallArn = Lens.lens (\UpdateLoggingConfigurationResponse' {firewallArn} -> firewallArn) (\s@UpdateLoggingConfigurationResponse' {} a -> s {firewallArn = a} :: UpdateLoggingConfigurationResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateLoggingConfigurationResponse_firewallName :: Lens.Lens' UpdateLoggingConfigurationResponse (Prelude.Maybe Prelude.Text)
+updateLoggingConfigurationResponse_firewallName = Lens.lens (\UpdateLoggingConfigurationResponse' {firewallName} -> firewallName) (\s@UpdateLoggingConfigurationResponse' {} a -> s {firewallName = a} :: UpdateLoggingConfigurationResponse)
+
+-- | Undocumented member.
+updateLoggingConfigurationResponse_loggingConfiguration :: Lens.Lens' UpdateLoggingConfigurationResponse (Prelude.Maybe LoggingConfiguration)
+updateLoggingConfigurationResponse_loggingConfiguration = Lens.lens (\UpdateLoggingConfigurationResponse' {loggingConfiguration} -> loggingConfiguration) (\s@UpdateLoggingConfigurationResponse' {} a -> s {loggingConfiguration = a} :: UpdateLoggingConfigurationResponse)
+
+-- | The response's http status code.
+updateLoggingConfigurationResponse_httpStatus :: Lens.Lens' UpdateLoggingConfigurationResponse Prelude.Int
+updateLoggingConfigurationResponse_httpStatus = Lens.lens (\UpdateLoggingConfigurationResponse' {httpStatus} -> httpStatus) (\s@UpdateLoggingConfigurationResponse' {} a -> s {httpStatus = a} :: UpdateLoggingConfigurationResponse)
+
+instance
+  Prelude.NFData
+    UpdateLoggingConfigurationResponse
+  where
+  rnf UpdateLoggingConfigurationResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf loggingConfiguration
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/UpdateRuleGroup.hs b/gen/Amazonka/NetworkFirewall/UpdateRuleGroup.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateRuleGroup.hs
@@ -0,0 +1,496 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateRuleGroup
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Updates the rule settings for the specified rule group. You use a rule
+-- group by reference in one or more firewall policies. When you modify a
+-- rule group, you modify all firewall policies that use the rule group.
+--
+-- To update a rule group, first call DescribeRuleGroup to retrieve the
+-- current RuleGroup object, update the object as needed, and then provide
+-- the updated object to this call.
+module Amazonka.NetworkFirewall.UpdateRuleGroup
+  ( -- * Creating a Request
+    UpdateRuleGroup (..),
+    newUpdateRuleGroup,
+
+    -- * Request Lenses
+    updateRuleGroup_description,
+    updateRuleGroup_dryRun,
+    updateRuleGroup_encryptionConfiguration,
+    updateRuleGroup_ruleGroup,
+    updateRuleGroup_ruleGroupArn,
+    updateRuleGroup_ruleGroupName,
+    updateRuleGroup_rules,
+    updateRuleGroup_sourceMetadata,
+    updateRuleGroup_type,
+    updateRuleGroup_updateToken,
+
+    -- * Destructuring the Response
+    UpdateRuleGroupResponse (..),
+    newUpdateRuleGroupResponse,
+
+    -- * Response Lenses
+    updateRuleGroupResponse_httpStatus,
+    updateRuleGroupResponse_updateToken,
+    updateRuleGroupResponse_ruleGroupResponse,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateRuleGroup' smart constructor.
+data UpdateRuleGroup = UpdateRuleGroup'
+  { -- | A description of the rule group.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | Indicates whether you want Network Firewall to just check the validity
+    -- of the request, rather than run the request.
+    --
+    -- If set to @TRUE@, Network Firewall checks whether the request can run
+    -- successfully, but doesn\'t actually make the requested changes. The call
+    -- returns the value that the request would return if you ran it with dry
+    -- run set to @FALSE@, but doesn\'t make additions or changes to your
+    -- resources. This option allows you to make sure that you have the
+    -- required permissions to run the request and that your request parameters
+    -- are valid.
+    --
+    -- If set to @FALSE@, Network Firewall makes the requested changes to your
+    -- resources.
+    dryRun :: Prelude.Maybe Prelude.Bool,
+    -- | A complex type that contains settings for encryption of your rule group
+    -- resources.
+    encryptionConfiguration :: Prelude.Maybe EncryptionConfiguration,
+    -- | An object that defines the rule group rules.
+    --
+    -- You must provide either this rule group setting or a @Rules@ setting,
+    -- but not both.
+    ruleGroup :: Prelude.Maybe RuleGroup,
+    -- | The Amazon Resource Name (ARN) of the rule group.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the rule group. You can\'t change the name of a
+    -- rule group after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    ruleGroupName :: Prelude.Maybe Prelude.Text,
+    -- | A string containing stateful rule group rules specifications in Suricata
+    -- flat format, with one rule per line. Use this to import your existing
+    -- Suricata compatible rule groups.
+    --
+    -- You must provide either this rules setting or a populated @RuleGroup@
+    -- setting, but not both.
+    --
+    -- You can provide your rule group specification in Suricata flat format
+    -- through this setting when you create or update your rule group. The call
+    -- response returns a RuleGroup object that Network Firewall has populated
+    -- from your string.
+    rules :: Prelude.Maybe Prelude.Text,
+    -- | A complex type that contains metadata about the rule group that your own
+    -- rule group is copied from. You can use the metadata to keep track of
+    -- updates made to the originating rule group.
+    sourceMetadata :: Prelude.Maybe SourceMetadata,
+    -- | Indicates whether the rule group is stateless or stateful. If the rule
+    -- group is stateless, it contains stateless rules. If it is stateful, it
+    -- contains stateful rules.
+    --
+    -- This setting is required for requests that do not include the
+    -- @RuleGroupARN@.
+    type' :: Prelude.Maybe RuleGroupType,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the rule group. The token marks the state of
+    -- the rule group resource at the time of the request.
+    --
+    -- To make changes to the rule group, you provide the token in your
+    -- request. Network Firewall uses the token to ensure that the rule group
+    -- hasn\'t changed since you last retrieved it. If it has changed, the
+    -- operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the rule group again to get a current copy of it with a current
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateRuleGroup' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'updateRuleGroup_description' - A description of the rule group.
+--
+-- 'dryRun', 'updateRuleGroup_dryRun' - Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+--
+-- 'encryptionConfiguration', 'updateRuleGroup_encryptionConfiguration' - A complex type that contains settings for encryption of your rule group
+-- resources.
+--
+-- 'ruleGroup', 'updateRuleGroup_ruleGroup' - An object that defines the rule group rules.
+--
+-- You must provide either this rule group setting or a @Rules@ setting,
+-- but not both.
+--
+-- 'ruleGroupArn', 'updateRuleGroup_ruleGroupArn' - The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'ruleGroupName', 'updateRuleGroup_ruleGroupName' - The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'rules', 'updateRuleGroup_rules' - A string containing stateful rule group rules specifications in Suricata
+-- flat format, with one rule per line. Use this to import your existing
+-- Suricata compatible rule groups.
+--
+-- You must provide either this rules setting or a populated @RuleGroup@
+-- setting, but not both.
+--
+-- You can provide your rule group specification in Suricata flat format
+-- through this setting when you create or update your rule group. The call
+-- response returns a RuleGroup object that Network Firewall has populated
+-- from your string.
+--
+-- 'sourceMetadata', 'updateRuleGroup_sourceMetadata' - A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to keep track of
+-- updates made to the originating rule group.
+--
+-- 'type'', 'updateRuleGroup_type' - Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+--
+-- 'updateToken', 'updateRuleGroup_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+newUpdateRuleGroup ::
+  -- | 'updateToken'
+  Prelude.Text ->
+  UpdateRuleGroup
+newUpdateRuleGroup pUpdateToken_ =
+  UpdateRuleGroup'
+    { description = Prelude.Nothing,
+      dryRun = Prelude.Nothing,
+      encryptionConfiguration = Prelude.Nothing,
+      ruleGroup = Prelude.Nothing,
+      ruleGroupArn = Prelude.Nothing,
+      ruleGroupName = Prelude.Nothing,
+      rules = Prelude.Nothing,
+      sourceMetadata = Prelude.Nothing,
+      type' = Prelude.Nothing,
+      updateToken = pUpdateToken_
+    }
+
+-- | A description of the rule group.
+updateRuleGroup_description :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe Prelude.Text)
+updateRuleGroup_description = Lens.lens (\UpdateRuleGroup' {description} -> description) (\s@UpdateRuleGroup' {} a -> s {description = a} :: UpdateRuleGroup)
+
+-- | Indicates whether you want Network Firewall to just check the validity
+-- of the request, rather than run the request.
+--
+-- If set to @TRUE@, Network Firewall checks whether the request can run
+-- successfully, but doesn\'t actually make the requested changes. The call
+-- returns the value that the request would return if you ran it with dry
+-- run set to @FALSE@, but doesn\'t make additions or changes to your
+-- resources. This option allows you to make sure that you have the
+-- required permissions to run the request and that your request parameters
+-- are valid.
+--
+-- If set to @FALSE@, Network Firewall makes the requested changes to your
+-- resources.
+updateRuleGroup_dryRun :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe Prelude.Bool)
+updateRuleGroup_dryRun = Lens.lens (\UpdateRuleGroup' {dryRun} -> dryRun) (\s@UpdateRuleGroup' {} a -> s {dryRun = a} :: UpdateRuleGroup)
+
+-- | A complex type that contains settings for encryption of your rule group
+-- resources.
+updateRuleGroup_encryptionConfiguration :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe EncryptionConfiguration)
+updateRuleGroup_encryptionConfiguration = Lens.lens (\UpdateRuleGroup' {encryptionConfiguration} -> encryptionConfiguration) (\s@UpdateRuleGroup' {} a -> s {encryptionConfiguration = a} :: UpdateRuleGroup)
+
+-- | An object that defines the rule group rules.
+--
+-- You must provide either this rule group setting or a @Rules@ setting,
+-- but not both.
+updateRuleGroup_ruleGroup :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe RuleGroup)
+updateRuleGroup_ruleGroup = Lens.lens (\UpdateRuleGroup' {ruleGroup} -> ruleGroup) (\s@UpdateRuleGroup' {} a -> s {ruleGroup = a} :: UpdateRuleGroup)
+
+-- | The Amazon Resource Name (ARN) of the rule group.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateRuleGroup_ruleGroupArn :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe Prelude.Text)
+updateRuleGroup_ruleGroupArn = Lens.lens (\UpdateRuleGroup' {ruleGroupArn} -> ruleGroupArn) (\s@UpdateRuleGroup' {} a -> s {ruleGroupArn = a} :: UpdateRuleGroup)
+
+-- | The descriptive name of the rule group. You can\'t change the name of a
+-- rule group after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateRuleGroup_ruleGroupName :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe Prelude.Text)
+updateRuleGroup_ruleGroupName = Lens.lens (\UpdateRuleGroup' {ruleGroupName} -> ruleGroupName) (\s@UpdateRuleGroup' {} a -> s {ruleGroupName = a} :: UpdateRuleGroup)
+
+-- | A string containing stateful rule group rules specifications in Suricata
+-- flat format, with one rule per line. Use this to import your existing
+-- Suricata compatible rule groups.
+--
+-- You must provide either this rules setting or a populated @RuleGroup@
+-- setting, but not both.
+--
+-- You can provide your rule group specification in Suricata flat format
+-- through this setting when you create or update your rule group. The call
+-- response returns a RuleGroup object that Network Firewall has populated
+-- from your string.
+updateRuleGroup_rules :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe Prelude.Text)
+updateRuleGroup_rules = Lens.lens (\UpdateRuleGroup' {rules} -> rules) (\s@UpdateRuleGroup' {} a -> s {rules = a} :: UpdateRuleGroup)
+
+-- | A complex type that contains metadata about the rule group that your own
+-- rule group is copied from. You can use the metadata to keep track of
+-- updates made to the originating rule group.
+updateRuleGroup_sourceMetadata :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe SourceMetadata)
+updateRuleGroup_sourceMetadata = Lens.lens (\UpdateRuleGroup' {sourceMetadata} -> sourceMetadata) (\s@UpdateRuleGroup' {} a -> s {sourceMetadata = a} :: UpdateRuleGroup)
+
+-- | Indicates whether the rule group is stateless or stateful. If the rule
+-- group is stateless, it contains stateless rules. If it is stateful, it
+-- contains stateful rules.
+--
+-- This setting is required for requests that do not include the
+-- @RuleGroupARN@.
+updateRuleGroup_type :: Lens.Lens' UpdateRuleGroup (Prelude.Maybe RuleGroupType)
+updateRuleGroup_type = Lens.lens (\UpdateRuleGroup' {type'} -> type') (\s@UpdateRuleGroup' {} a -> s {type' = a} :: UpdateRuleGroup)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateRuleGroup_updateToken :: Lens.Lens' UpdateRuleGroup Prelude.Text
+updateRuleGroup_updateToken = Lens.lens (\UpdateRuleGroup' {updateToken} -> updateToken) (\s@UpdateRuleGroup' {} a -> s {updateToken = a} :: UpdateRuleGroup)
+
+instance Core.AWSRequest UpdateRuleGroup where
+  type
+    AWSResponse UpdateRuleGroup =
+      UpdateRuleGroupResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateRuleGroupResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..:> "UpdateToken")
+            Prelude.<*> (x Data..:> "RuleGroupResponse")
+      )
+
+instance Prelude.Hashable UpdateRuleGroup where
+  hashWithSalt _salt UpdateRuleGroup' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` dryRun
+      `Prelude.hashWithSalt` encryptionConfiguration
+      `Prelude.hashWithSalt` ruleGroup
+      `Prelude.hashWithSalt` ruleGroupArn
+      `Prelude.hashWithSalt` ruleGroupName
+      `Prelude.hashWithSalt` rules
+      `Prelude.hashWithSalt` sourceMetadata
+      `Prelude.hashWithSalt` type'
+      `Prelude.hashWithSalt` updateToken
+
+instance Prelude.NFData UpdateRuleGroup where
+  rnf UpdateRuleGroup' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf dryRun
+      `Prelude.seq` Prelude.rnf encryptionConfiguration
+      `Prelude.seq` Prelude.rnf ruleGroup
+      `Prelude.seq` Prelude.rnf ruleGroupArn
+      `Prelude.seq` Prelude.rnf ruleGroupName
+      `Prelude.seq` Prelude.rnf rules
+      `Prelude.seq` Prelude.rnf sourceMetadata
+      `Prelude.seq` Prelude.rnf type'
+      `Prelude.seq` Prelude.rnf updateToken
+
+instance Data.ToHeaders UpdateRuleGroup where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateRuleGroup" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateRuleGroup where
+  toJSON UpdateRuleGroup' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("Description" Data..=) Prelude.<$> description,
+            ("DryRun" Data..=) Prelude.<$> dryRun,
+            ("EncryptionConfiguration" Data..=)
+              Prelude.<$> encryptionConfiguration,
+            ("RuleGroup" Data..=) Prelude.<$> ruleGroup,
+            ("RuleGroupArn" Data..=) Prelude.<$> ruleGroupArn,
+            ("RuleGroupName" Data..=) Prelude.<$> ruleGroupName,
+            ("Rules" Data..=) Prelude.<$> rules,
+            ("SourceMetadata" Data..=)
+              Prelude.<$> sourceMetadata,
+            ("Type" Data..=) Prelude.<$> type',
+            Prelude.Just ("UpdateToken" Data..= updateToken)
+          ]
+      )
+
+instance Data.ToPath UpdateRuleGroup where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateRuleGroup where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateRuleGroupResponse' smart constructor.
+data UpdateRuleGroupResponse = UpdateRuleGroupResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | A token used for optimistic locking. Network Firewall returns a token to
+    -- your requests that access the rule group. The token marks the state of
+    -- the rule group resource at the time of the request.
+    --
+    -- To make changes to the rule group, you provide the token in your
+    -- request. Network Firewall uses the token to ensure that the rule group
+    -- hasn\'t changed since you last retrieved it. If it has changed, the
+    -- operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the rule group again to get a current copy of it with a current
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Text,
+    -- | The high-level properties of a rule group. This, along with the
+    -- RuleGroup, define the rule group. You can retrieve all objects for a
+    -- rule group by calling DescribeRuleGroup.
+    ruleGroupResponse :: RuleGroupResponse
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateRuleGroupResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'updateRuleGroupResponse_httpStatus' - The response's http status code.
+--
+-- 'updateToken', 'updateRuleGroupResponse_updateToken' - A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'ruleGroupResponse', 'updateRuleGroupResponse_ruleGroupResponse' - The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+newUpdateRuleGroupResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'updateToken'
+  Prelude.Text ->
+  -- | 'ruleGroupResponse'
+  RuleGroupResponse ->
+  UpdateRuleGroupResponse
+newUpdateRuleGroupResponse
+  pHttpStatus_
+  pUpdateToken_
+  pRuleGroupResponse_ =
+    UpdateRuleGroupResponse'
+      { httpStatus = pHttpStatus_,
+        updateToken = pUpdateToken_,
+        ruleGroupResponse = pRuleGroupResponse_
+      }
+
+-- | The response's http status code.
+updateRuleGroupResponse_httpStatus :: Lens.Lens' UpdateRuleGroupResponse Prelude.Int
+updateRuleGroupResponse_httpStatus = Lens.lens (\UpdateRuleGroupResponse' {httpStatus} -> httpStatus) (\s@UpdateRuleGroupResponse' {} a -> s {httpStatus = a} :: UpdateRuleGroupResponse)
+
+-- | A token used for optimistic locking. Network Firewall returns a token to
+-- your requests that access the rule group. The token marks the state of
+-- the rule group resource at the time of the request.
+--
+-- To make changes to the rule group, you provide the token in your
+-- request. Network Firewall uses the token to ensure that the rule group
+-- hasn\'t changed since you last retrieved it. If it has changed, the
+-- operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the rule group again to get a current copy of it with a current
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateRuleGroupResponse_updateToken :: Lens.Lens' UpdateRuleGroupResponse Prelude.Text
+updateRuleGroupResponse_updateToken = Lens.lens (\UpdateRuleGroupResponse' {updateToken} -> updateToken) (\s@UpdateRuleGroupResponse' {} a -> s {updateToken = a} :: UpdateRuleGroupResponse)
+
+-- | The high-level properties of a rule group. This, along with the
+-- RuleGroup, define the rule group. You can retrieve all objects for a
+-- rule group by calling DescribeRuleGroup.
+updateRuleGroupResponse_ruleGroupResponse :: Lens.Lens' UpdateRuleGroupResponse RuleGroupResponse
+updateRuleGroupResponse_ruleGroupResponse = Lens.lens (\UpdateRuleGroupResponse' {ruleGroupResponse} -> ruleGroupResponse) (\s@UpdateRuleGroupResponse' {} a -> s {ruleGroupResponse = a} :: UpdateRuleGroupResponse)
+
+instance Prelude.NFData UpdateRuleGroupResponse where
+  rnf UpdateRuleGroupResponse' {..} =
+    Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf ruleGroupResponse
diff --git a/gen/Amazonka/NetworkFirewall/UpdateSubnetChangeProtection.hs b/gen/Amazonka/NetworkFirewall/UpdateSubnetChangeProtection.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/UpdateSubnetChangeProtection.hs
@@ -0,0 +1,397 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.UpdateSubnetChangeProtection
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.UpdateSubnetChangeProtection
+  ( -- * Creating a Request
+    UpdateSubnetChangeProtection (..),
+    newUpdateSubnetChangeProtection,
+
+    -- * Request Lenses
+    updateSubnetChangeProtection_firewallArn,
+    updateSubnetChangeProtection_firewallName,
+    updateSubnetChangeProtection_updateToken,
+    updateSubnetChangeProtection_subnetChangeProtection,
+
+    -- * Destructuring the Response
+    UpdateSubnetChangeProtectionResponse (..),
+    newUpdateSubnetChangeProtectionResponse,
+
+    -- * Response Lenses
+    updateSubnetChangeProtectionResponse_firewallArn,
+    updateSubnetChangeProtectionResponse_firewallName,
+    updateSubnetChangeProtectionResponse_subnetChangeProtection,
+    updateSubnetChangeProtectionResponse_updateToken,
+    updateSubnetChangeProtectionResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUpdateSubnetChangeProtection' smart constructor.
+data UpdateSubnetChangeProtection = UpdateSubnetChangeProtection'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    --
+    -- You must specify the ARN or the name, and you can specify both.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | A setting indicating whether the firewall is protected against changes
+    -- to the subnet associations. Use this setting to protect against
+    -- accidentally modifying the subnet associations for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    subnetChangeProtection :: Prelude.Bool
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateSubnetChangeProtection' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateSubnetChangeProtection_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'firewallName', 'updateSubnetChangeProtection_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+--
+-- 'updateToken', 'updateSubnetChangeProtection_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'subnetChangeProtection', 'updateSubnetChangeProtection_subnetChangeProtection' - A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+newUpdateSubnetChangeProtection ::
+  -- | 'subnetChangeProtection'
+  Prelude.Bool ->
+  UpdateSubnetChangeProtection
+newUpdateSubnetChangeProtection
+  pSubnetChangeProtection_ =
+    UpdateSubnetChangeProtection'
+      { firewallArn =
+          Prelude.Nothing,
+        firewallName = Prelude.Nothing,
+        updateToken = Prelude.Nothing,
+        subnetChangeProtection =
+          pSubnetChangeProtection_
+      }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateSubnetChangeProtection_firewallArn :: Lens.Lens' UpdateSubnetChangeProtection (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtection_firewallArn = Lens.lens (\UpdateSubnetChangeProtection' {firewallArn} -> firewallArn) (\s@UpdateSubnetChangeProtection' {} a -> s {firewallArn = a} :: UpdateSubnetChangeProtection)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- You must specify the ARN or the name, and you can specify both.
+updateSubnetChangeProtection_firewallName :: Lens.Lens' UpdateSubnetChangeProtection (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtection_firewallName = Lens.lens (\UpdateSubnetChangeProtection' {firewallName} -> firewallName) (\s@UpdateSubnetChangeProtection' {} a -> s {firewallName = a} :: UpdateSubnetChangeProtection)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateSubnetChangeProtection_updateToken :: Lens.Lens' UpdateSubnetChangeProtection (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtection_updateToken = Lens.lens (\UpdateSubnetChangeProtection' {updateToken} -> updateToken) (\s@UpdateSubnetChangeProtection' {} a -> s {updateToken = a} :: UpdateSubnetChangeProtection)
+
+-- | A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+updateSubnetChangeProtection_subnetChangeProtection :: Lens.Lens' UpdateSubnetChangeProtection Prelude.Bool
+updateSubnetChangeProtection_subnetChangeProtection = Lens.lens (\UpdateSubnetChangeProtection' {subnetChangeProtection} -> subnetChangeProtection) (\s@UpdateSubnetChangeProtection' {} a -> s {subnetChangeProtection = a} :: UpdateSubnetChangeProtection)
+
+instance Core.AWSRequest UpdateSubnetChangeProtection where
+  type
+    AWSResponse UpdateSubnetChangeProtection =
+      UpdateSubnetChangeProtectionResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          UpdateSubnetChangeProtectionResponse'
+            Prelude.<$> (x Data..?> "FirewallArn")
+            Prelude.<*> (x Data..?> "FirewallName")
+            Prelude.<*> (x Data..?> "SubnetChangeProtection")
+            Prelude.<*> (x Data..?> "UpdateToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance
+  Prelude.Hashable
+    UpdateSubnetChangeProtection
+  where
+  hashWithSalt _salt UpdateSubnetChangeProtection' {..} =
+    _salt
+      `Prelude.hashWithSalt` firewallArn
+      `Prelude.hashWithSalt` firewallName
+      `Prelude.hashWithSalt` updateToken
+      `Prelude.hashWithSalt` subnetChangeProtection
+
+instance Prelude.NFData UpdateSubnetChangeProtection where
+  rnf UpdateSubnetChangeProtection' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf subnetChangeProtection
+
+instance Data.ToHeaders UpdateSubnetChangeProtection where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "NetworkFirewall_20201112.UpdateSubnetChangeProtection" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.0" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UpdateSubnetChangeProtection where
+  toJSON UpdateSubnetChangeProtection' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("FirewallArn" Data..=) Prelude.<$> firewallArn,
+            ("FirewallName" Data..=) Prelude.<$> firewallName,
+            ("UpdateToken" Data..=) Prelude.<$> updateToken,
+            Prelude.Just
+              ( "SubnetChangeProtection"
+                  Data..= subnetChangeProtection
+              )
+          ]
+      )
+
+instance Data.ToPath UpdateSubnetChangeProtection where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UpdateSubnetChangeProtection where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUpdateSubnetChangeProtectionResponse' smart constructor.
+data UpdateSubnetChangeProtectionResponse = UpdateSubnetChangeProtectionResponse'
+  { -- | The Amazon Resource Name (ARN) of the firewall.
+    firewallArn :: Prelude.Maybe Prelude.Text,
+    -- | The descriptive name of the firewall. You can\'t change the name of a
+    -- firewall after you create it.
+    firewallName :: Prelude.Maybe Prelude.Text,
+    -- | A setting indicating whether the firewall is protected against changes
+    -- to the subnet associations. Use this setting to protect against
+    -- accidentally modifying the subnet associations for a firewall that is in
+    -- use. When you create a firewall, the operation initializes this setting
+    -- to @TRUE@.
+    subnetChangeProtection :: Prelude.Maybe Prelude.Bool,
+    -- | An optional token that you can use for optimistic locking. Network
+    -- Firewall returns a token to your requests that access the firewall. The
+    -- token marks the state of the firewall resource at the time of the
+    -- request.
+    --
+    -- To make an unconditional change to the firewall, omit the token in your
+    -- update request. Without the token, Network Firewall performs your
+    -- updates regardless of whether the firewall has changed since you last
+    -- retrieved it.
+    --
+    -- To make a conditional change to the firewall, provide the token in your
+    -- update request. Network Firewall uses the token to ensure that the
+    -- firewall hasn\'t changed since you last retrieved it. If it has changed,
+    -- the operation fails with an @InvalidTokenException@. If this happens,
+    -- retrieve the firewall again to get a current copy of it with a new
+    -- token. Reapply your changes as needed, then try the operation again
+    -- using the new token.
+    updateToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UpdateSubnetChangeProtectionResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'firewallArn', 'updateSubnetChangeProtectionResponse_firewallArn' - The Amazon Resource Name (ARN) of the firewall.
+--
+-- 'firewallName', 'updateSubnetChangeProtectionResponse_firewallName' - The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+--
+-- 'subnetChangeProtection', 'updateSubnetChangeProtectionResponse_subnetChangeProtection' - A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+--
+-- 'updateToken', 'updateSubnetChangeProtectionResponse_updateToken' - An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+--
+-- 'httpStatus', 'updateSubnetChangeProtectionResponse_httpStatus' - The response's http status code.
+newUpdateSubnetChangeProtectionResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UpdateSubnetChangeProtectionResponse
+newUpdateSubnetChangeProtectionResponse pHttpStatus_ =
+  UpdateSubnetChangeProtectionResponse'
+    { firewallArn =
+        Prelude.Nothing,
+      firewallName = Prelude.Nothing,
+      subnetChangeProtection =
+        Prelude.Nothing,
+      updateToken = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Resource Name (ARN) of the firewall.
+updateSubnetChangeProtectionResponse_firewallArn :: Lens.Lens' UpdateSubnetChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtectionResponse_firewallArn = Lens.lens (\UpdateSubnetChangeProtectionResponse' {firewallArn} -> firewallArn) (\s@UpdateSubnetChangeProtectionResponse' {} a -> s {firewallArn = a} :: UpdateSubnetChangeProtectionResponse)
+
+-- | The descriptive name of the firewall. You can\'t change the name of a
+-- firewall after you create it.
+updateSubnetChangeProtectionResponse_firewallName :: Lens.Lens' UpdateSubnetChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtectionResponse_firewallName = Lens.lens (\UpdateSubnetChangeProtectionResponse' {firewallName} -> firewallName) (\s@UpdateSubnetChangeProtectionResponse' {} a -> s {firewallName = a} :: UpdateSubnetChangeProtectionResponse)
+
+-- | A setting indicating whether the firewall is protected against changes
+-- to the subnet associations. Use this setting to protect against
+-- accidentally modifying the subnet associations for a firewall that is in
+-- use. When you create a firewall, the operation initializes this setting
+-- to @TRUE@.
+updateSubnetChangeProtectionResponse_subnetChangeProtection :: Lens.Lens' UpdateSubnetChangeProtectionResponse (Prelude.Maybe Prelude.Bool)
+updateSubnetChangeProtectionResponse_subnetChangeProtection = Lens.lens (\UpdateSubnetChangeProtectionResponse' {subnetChangeProtection} -> subnetChangeProtection) (\s@UpdateSubnetChangeProtectionResponse' {} a -> s {subnetChangeProtection = a} :: UpdateSubnetChangeProtectionResponse)
+
+-- | An optional token that you can use for optimistic locking. Network
+-- Firewall returns a token to your requests that access the firewall. The
+-- token marks the state of the firewall resource at the time of the
+-- request.
+--
+-- To make an unconditional change to the firewall, omit the token in your
+-- update request. Without the token, Network Firewall performs your
+-- updates regardless of whether the firewall has changed since you last
+-- retrieved it.
+--
+-- To make a conditional change to the firewall, provide the token in your
+-- update request. Network Firewall uses the token to ensure that the
+-- firewall hasn\'t changed since you last retrieved it. If it has changed,
+-- the operation fails with an @InvalidTokenException@. If this happens,
+-- retrieve the firewall again to get a current copy of it with a new
+-- token. Reapply your changes as needed, then try the operation again
+-- using the new token.
+updateSubnetChangeProtectionResponse_updateToken :: Lens.Lens' UpdateSubnetChangeProtectionResponse (Prelude.Maybe Prelude.Text)
+updateSubnetChangeProtectionResponse_updateToken = Lens.lens (\UpdateSubnetChangeProtectionResponse' {updateToken} -> updateToken) (\s@UpdateSubnetChangeProtectionResponse' {} a -> s {updateToken = a} :: UpdateSubnetChangeProtectionResponse)
+
+-- | The response's http status code.
+updateSubnetChangeProtectionResponse_httpStatus :: Lens.Lens' UpdateSubnetChangeProtectionResponse Prelude.Int
+updateSubnetChangeProtectionResponse_httpStatus = Lens.lens (\UpdateSubnetChangeProtectionResponse' {httpStatus} -> httpStatus) (\s@UpdateSubnetChangeProtectionResponse' {} a -> s {httpStatus = a} :: UpdateSubnetChangeProtectionResponse)
+
+instance
+  Prelude.NFData
+    UpdateSubnetChangeProtectionResponse
+  where
+  rnf UpdateSubnetChangeProtectionResponse' {..} =
+    Prelude.rnf firewallArn
+      `Prelude.seq` Prelude.rnf firewallName
+      `Prelude.seq` Prelude.rnf subnetChangeProtection
+      `Prelude.seq` Prelude.rnf updateToken
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/NetworkFirewall/Waiters.hs b/gen/Amazonka/NetworkFirewall/Waiters.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/NetworkFirewall/Waiters.hs
@@ -0,0 +1,24 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.NetworkFirewall.Waiters
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.NetworkFirewall.Waiters where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.NetworkFirewall.Lens
+import Amazonka.NetworkFirewall.Types
+import qualified Amazonka.Prelude as Prelude
diff --git a/src/.gitkeep b/src/.gitkeep
new file mode 100644
--- /dev/null
+++ b/src/.gitkeep
diff --git a/test/Main.hs b/test/Main.hs
new file mode 100644
--- /dev/null
+++ b/test/Main.hs
@@ -0,0 +1,23 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Main
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Main (main) where
+
+import Test.Amazonka.NetworkFirewall
+import Test.Amazonka.NetworkFirewall.Internal
+import Test.Tasty
+
+main :: IO ()
+main =
+  defaultMain $
+    testGroup
+      "NetworkFirewall"
+      [ testGroup "tests" tests,
+        testGroup "fixtures" fixtures
+      ]
diff --git a/test/Test/Amazonka/Gen/NetworkFirewall.hs b/test/Test/Amazonka/Gen/NetworkFirewall.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/Gen/NetworkFirewall.hs
@@ -0,0 +1,658 @@
+{-# OPTIONS_GHC -fno-warn-orphans #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Test.Amazonka.Gen.NetworkFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.Gen.NetworkFirewall where
+
+import Amazonka.NetworkFirewall
+import qualified Data.Proxy as Proxy
+import Test.Amazonka.Fixture
+import Test.Amazonka.NetworkFirewall.Internal
+import Test.Amazonka.Prelude
+import Test.Tasty
+
+-- Auto-generated: the actual test selection needs to be manually placed into
+-- the top-level so that real test data can be incrementally added.
+--
+-- This commented snippet is what the entire set should look like:
+
+-- fixtures :: TestTree
+-- fixtures =
+--     [ testGroup "request"
+--         [ requestAssociateFirewallPolicy $
+--             newAssociateFirewallPolicy
+--
+--         , requestAssociateSubnets $
+--             newAssociateSubnets
+--
+--         , requestCreateFirewall $
+--             newCreateFirewall
+--
+--         , requestCreateFirewallPolicy $
+--             newCreateFirewallPolicy
+--
+--         , requestCreateRuleGroup $
+--             newCreateRuleGroup
+--
+--         , requestDeleteFirewall $
+--             newDeleteFirewall
+--
+--         , requestDeleteFirewallPolicy $
+--             newDeleteFirewallPolicy
+--
+--         , requestDeleteResourcePolicy $
+--             newDeleteResourcePolicy
+--
+--         , requestDeleteRuleGroup $
+--             newDeleteRuleGroup
+--
+--         , requestDescribeFirewall $
+--             newDescribeFirewall
+--
+--         , requestDescribeFirewallPolicy $
+--             newDescribeFirewallPolicy
+--
+--         , requestDescribeLoggingConfiguration $
+--             newDescribeLoggingConfiguration
+--
+--         , requestDescribeResourcePolicy $
+--             newDescribeResourcePolicy
+--
+--         , requestDescribeRuleGroup $
+--             newDescribeRuleGroup
+--
+--         , requestDescribeRuleGroupMetadata $
+--             newDescribeRuleGroupMetadata
+--
+--         , requestDisassociateSubnets $
+--             newDisassociateSubnets
+--
+--         , requestListFirewallPolicies $
+--             newListFirewallPolicies
+--
+--         , requestListFirewalls $
+--             newListFirewalls
+--
+--         , requestListRuleGroups $
+--             newListRuleGroups
+--
+--         , requestListTagsForResource $
+--             newListTagsForResource
+--
+--         , requestPutResourcePolicy $
+--             newPutResourcePolicy
+--
+--         , requestTagResource $
+--             newTagResource
+--
+--         , requestUntagResource $
+--             newUntagResource
+--
+--         , requestUpdateFirewallDeleteProtection $
+--             newUpdateFirewallDeleteProtection
+--
+--         , requestUpdateFirewallDescription $
+--             newUpdateFirewallDescription
+--
+--         , requestUpdateFirewallEncryptionConfiguration $
+--             newUpdateFirewallEncryptionConfiguration
+--
+--         , requestUpdateFirewallPolicy $
+--             newUpdateFirewallPolicy
+--
+--         , requestUpdateFirewallPolicyChangeProtection $
+--             newUpdateFirewallPolicyChangeProtection
+--
+--         , requestUpdateLoggingConfiguration $
+--             newUpdateLoggingConfiguration
+--
+--         , requestUpdateRuleGroup $
+--             newUpdateRuleGroup
+--
+--         , requestUpdateSubnetChangeProtection $
+--             newUpdateSubnetChangeProtection
+--
+--           ]
+
+--     , testGroup "response"
+--         [ responseAssociateFirewallPolicy $
+--             newAssociateFirewallPolicyResponse
+--
+--         , responseAssociateSubnets $
+--             newAssociateSubnetsResponse
+--
+--         , responseCreateFirewall $
+--             newCreateFirewallResponse
+--
+--         , responseCreateFirewallPolicy $
+--             newCreateFirewallPolicyResponse
+--
+--         , responseCreateRuleGroup $
+--             newCreateRuleGroupResponse
+--
+--         , responseDeleteFirewall $
+--             newDeleteFirewallResponse
+--
+--         , responseDeleteFirewallPolicy $
+--             newDeleteFirewallPolicyResponse
+--
+--         , responseDeleteResourcePolicy $
+--             newDeleteResourcePolicyResponse
+--
+--         , responseDeleteRuleGroup $
+--             newDeleteRuleGroupResponse
+--
+--         , responseDescribeFirewall $
+--             newDescribeFirewallResponse
+--
+--         , responseDescribeFirewallPolicy $
+--             newDescribeFirewallPolicyResponse
+--
+--         , responseDescribeLoggingConfiguration $
+--             newDescribeLoggingConfigurationResponse
+--
+--         , responseDescribeResourcePolicy $
+--             newDescribeResourcePolicyResponse
+--
+--         , responseDescribeRuleGroup $
+--             newDescribeRuleGroupResponse
+--
+--         , responseDescribeRuleGroupMetadata $
+--             newDescribeRuleGroupMetadataResponse
+--
+--         , responseDisassociateSubnets $
+--             newDisassociateSubnetsResponse
+--
+--         , responseListFirewallPolicies $
+--             newListFirewallPoliciesResponse
+--
+--         , responseListFirewalls $
+--             newListFirewallsResponse
+--
+--         , responseListRuleGroups $
+--             newListRuleGroupsResponse
+--
+--         , responseListTagsForResource $
+--             newListTagsForResourceResponse
+--
+--         , responsePutResourcePolicy $
+--             newPutResourcePolicyResponse
+--
+--         , responseTagResource $
+--             newTagResourceResponse
+--
+--         , responseUntagResource $
+--             newUntagResourceResponse
+--
+--         , responseUpdateFirewallDeleteProtection $
+--             newUpdateFirewallDeleteProtectionResponse
+--
+--         , responseUpdateFirewallDescription $
+--             newUpdateFirewallDescriptionResponse
+--
+--         , responseUpdateFirewallEncryptionConfiguration $
+--             newUpdateFirewallEncryptionConfigurationResponse
+--
+--         , responseUpdateFirewallPolicy $
+--             newUpdateFirewallPolicyResponse
+--
+--         , responseUpdateFirewallPolicyChangeProtection $
+--             newUpdateFirewallPolicyChangeProtectionResponse
+--
+--         , responseUpdateLoggingConfiguration $
+--             newUpdateLoggingConfigurationResponse
+--
+--         , responseUpdateRuleGroup $
+--             newUpdateRuleGroupResponse
+--
+--         , responseUpdateSubnetChangeProtection $
+--             newUpdateSubnetChangeProtectionResponse
+--
+--           ]
+--     ]
+
+-- Requests
+
+requestAssociateFirewallPolicy :: AssociateFirewallPolicy -> TestTree
+requestAssociateFirewallPolicy =
+  req
+    "AssociateFirewallPolicy"
+    "fixture/AssociateFirewallPolicy.yaml"
+
+requestAssociateSubnets :: AssociateSubnets -> TestTree
+requestAssociateSubnets =
+  req
+    "AssociateSubnets"
+    "fixture/AssociateSubnets.yaml"
+
+requestCreateFirewall :: CreateFirewall -> TestTree
+requestCreateFirewall =
+  req
+    "CreateFirewall"
+    "fixture/CreateFirewall.yaml"
+
+requestCreateFirewallPolicy :: CreateFirewallPolicy -> TestTree
+requestCreateFirewallPolicy =
+  req
+    "CreateFirewallPolicy"
+    "fixture/CreateFirewallPolicy.yaml"
+
+requestCreateRuleGroup :: CreateRuleGroup -> TestTree
+requestCreateRuleGroup =
+  req
+    "CreateRuleGroup"
+    "fixture/CreateRuleGroup.yaml"
+
+requestDeleteFirewall :: DeleteFirewall -> TestTree
+requestDeleteFirewall =
+  req
+    "DeleteFirewall"
+    "fixture/DeleteFirewall.yaml"
+
+requestDeleteFirewallPolicy :: DeleteFirewallPolicy -> TestTree
+requestDeleteFirewallPolicy =
+  req
+    "DeleteFirewallPolicy"
+    "fixture/DeleteFirewallPolicy.yaml"
+
+requestDeleteResourcePolicy :: DeleteResourcePolicy -> TestTree
+requestDeleteResourcePolicy =
+  req
+    "DeleteResourcePolicy"
+    "fixture/DeleteResourcePolicy.yaml"
+
+requestDeleteRuleGroup :: DeleteRuleGroup -> TestTree
+requestDeleteRuleGroup =
+  req
+    "DeleteRuleGroup"
+    "fixture/DeleteRuleGroup.yaml"
+
+requestDescribeFirewall :: DescribeFirewall -> TestTree
+requestDescribeFirewall =
+  req
+    "DescribeFirewall"
+    "fixture/DescribeFirewall.yaml"
+
+requestDescribeFirewallPolicy :: DescribeFirewallPolicy -> TestTree
+requestDescribeFirewallPolicy =
+  req
+    "DescribeFirewallPolicy"
+    "fixture/DescribeFirewallPolicy.yaml"
+
+requestDescribeLoggingConfiguration :: DescribeLoggingConfiguration -> TestTree
+requestDescribeLoggingConfiguration =
+  req
+    "DescribeLoggingConfiguration"
+    "fixture/DescribeLoggingConfiguration.yaml"
+
+requestDescribeResourcePolicy :: DescribeResourcePolicy -> TestTree
+requestDescribeResourcePolicy =
+  req
+    "DescribeResourcePolicy"
+    "fixture/DescribeResourcePolicy.yaml"
+
+requestDescribeRuleGroup :: DescribeRuleGroup -> TestTree
+requestDescribeRuleGroup =
+  req
+    "DescribeRuleGroup"
+    "fixture/DescribeRuleGroup.yaml"
+
+requestDescribeRuleGroupMetadata :: DescribeRuleGroupMetadata -> TestTree
+requestDescribeRuleGroupMetadata =
+  req
+    "DescribeRuleGroupMetadata"
+    "fixture/DescribeRuleGroupMetadata.yaml"
+
+requestDisassociateSubnets :: DisassociateSubnets -> TestTree
+requestDisassociateSubnets =
+  req
+    "DisassociateSubnets"
+    "fixture/DisassociateSubnets.yaml"
+
+requestListFirewallPolicies :: ListFirewallPolicies -> TestTree
+requestListFirewallPolicies =
+  req
+    "ListFirewallPolicies"
+    "fixture/ListFirewallPolicies.yaml"
+
+requestListFirewalls :: ListFirewalls -> TestTree
+requestListFirewalls =
+  req
+    "ListFirewalls"
+    "fixture/ListFirewalls.yaml"
+
+requestListRuleGroups :: ListRuleGroups -> TestTree
+requestListRuleGroups =
+  req
+    "ListRuleGroups"
+    "fixture/ListRuleGroups.yaml"
+
+requestListTagsForResource :: ListTagsForResource -> TestTree
+requestListTagsForResource =
+  req
+    "ListTagsForResource"
+    "fixture/ListTagsForResource.yaml"
+
+requestPutResourcePolicy :: PutResourcePolicy -> TestTree
+requestPutResourcePolicy =
+  req
+    "PutResourcePolicy"
+    "fixture/PutResourcePolicy.yaml"
+
+requestTagResource :: TagResource -> TestTree
+requestTagResource =
+  req
+    "TagResource"
+    "fixture/TagResource.yaml"
+
+requestUntagResource :: UntagResource -> TestTree
+requestUntagResource =
+  req
+    "UntagResource"
+    "fixture/UntagResource.yaml"
+
+requestUpdateFirewallDeleteProtection :: UpdateFirewallDeleteProtection -> TestTree
+requestUpdateFirewallDeleteProtection =
+  req
+    "UpdateFirewallDeleteProtection"
+    "fixture/UpdateFirewallDeleteProtection.yaml"
+
+requestUpdateFirewallDescription :: UpdateFirewallDescription -> TestTree
+requestUpdateFirewallDescription =
+  req
+    "UpdateFirewallDescription"
+    "fixture/UpdateFirewallDescription.yaml"
+
+requestUpdateFirewallEncryptionConfiguration :: UpdateFirewallEncryptionConfiguration -> TestTree
+requestUpdateFirewallEncryptionConfiguration =
+  req
+    "UpdateFirewallEncryptionConfiguration"
+    "fixture/UpdateFirewallEncryptionConfiguration.yaml"
+
+requestUpdateFirewallPolicy :: UpdateFirewallPolicy -> TestTree
+requestUpdateFirewallPolicy =
+  req
+    "UpdateFirewallPolicy"
+    "fixture/UpdateFirewallPolicy.yaml"
+
+requestUpdateFirewallPolicyChangeProtection :: UpdateFirewallPolicyChangeProtection -> TestTree
+requestUpdateFirewallPolicyChangeProtection =
+  req
+    "UpdateFirewallPolicyChangeProtection"
+    "fixture/UpdateFirewallPolicyChangeProtection.yaml"
+
+requestUpdateLoggingConfiguration :: UpdateLoggingConfiguration -> TestTree
+requestUpdateLoggingConfiguration =
+  req
+    "UpdateLoggingConfiguration"
+    "fixture/UpdateLoggingConfiguration.yaml"
+
+requestUpdateRuleGroup :: UpdateRuleGroup -> TestTree
+requestUpdateRuleGroup =
+  req
+    "UpdateRuleGroup"
+    "fixture/UpdateRuleGroup.yaml"
+
+requestUpdateSubnetChangeProtection :: UpdateSubnetChangeProtection -> TestTree
+requestUpdateSubnetChangeProtection =
+  req
+    "UpdateSubnetChangeProtection"
+    "fixture/UpdateSubnetChangeProtection.yaml"
+
+-- Responses
+
+responseAssociateFirewallPolicy :: AssociateFirewallPolicyResponse -> TestTree
+responseAssociateFirewallPolicy =
+  res
+    "AssociateFirewallPolicyResponse"
+    "fixture/AssociateFirewallPolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy AssociateFirewallPolicy)
+
+responseAssociateSubnets :: AssociateSubnetsResponse -> TestTree
+responseAssociateSubnets =
+  res
+    "AssociateSubnetsResponse"
+    "fixture/AssociateSubnetsResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy AssociateSubnets)
+
+responseCreateFirewall :: CreateFirewallResponse -> TestTree
+responseCreateFirewall =
+  res
+    "CreateFirewallResponse"
+    "fixture/CreateFirewallResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy CreateFirewall)
+
+responseCreateFirewallPolicy :: CreateFirewallPolicyResponse -> TestTree
+responseCreateFirewallPolicy =
+  res
+    "CreateFirewallPolicyResponse"
+    "fixture/CreateFirewallPolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy CreateFirewallPolicy)
+
+responseCreateRuleGroup :: CreateRuleGroupResponse -> TestTree
+responseCreateRuleGroup =
+  res
+    "CreateRuleGroupResponse"
+    "fixture/CreateRuleGroupResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy CreateRuleGroup)
+
+responseDeleteFirewall :: DeleteFirewallResponse -> TestTree
+responseDeleteFirewall =
+  res
+    "DeleteFirewallResponse"
+    "fixture/DeleteFirewallResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DeleteFirewall)
+
+responseDeleteFirewallPolicy :: DeleteFirewallPolicyResponse -> TestTree
+responseDeleteFirewallPolicy =
+  res
+    "DeleteFirewallPolicyResponse"
+    "fixture/DeleteFirewallPolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DeleteFirewallPolicy)
+
+responseDeleteResourcePolicy :: DeleteResourcePolicyResponse -> TestTree
+responseDeleteResourcePolicy =
+  res
+    "DeleteResourcePolicyResponse"
+    "fixture/DeleteResourcePolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DeleteResourcePolicy)
+
+responseDeleteRuleGroup :: DeleteRuleGroupResponse -> TestTree
+responseDeleteRuleGroup =
+  res
+    "DeleteRuleGroupResponse"
+    "fixture/DeleteRuleGroupResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DeleteRuleGroup)
+
+responseDescribeFirewall :: DescribeFirewallResponse -> TestTree
+responseDescribeFirewall =
+  res
+    "DescribeFirewallResponse"
+    "fixture/DescribeFirewallResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeFirewall)
+
+responseDescribeFirewallPolicy :: DescribeFirewallPolicyResponse -> TestTree
+responseDescribeFirewallPolicy =
+  res
+    "DescribeFirewallPolicyResponse"
+    "fixture/DescribeFirewallPolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeFirewallPolicy)
+
+responseDescribeLoggingConfiguration :: DescribeLoggingConfigurationResponse -> TestTree
+responseDescribeLoggingConfiguration =
+  res
+    "DescribeLoggingConfigurationResponse"
+    "fixture/DescribeLoggingConfigurationResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeLoggingConfiguration)
+
+responseDescribeResourcePolicy :: DescribeResourcePolicyResponse -> TestTree
+responseDescribeResourcePolicy =
+  res
+    "DescribeResourcePolicyResponse"
+    "fixture/DescribeResourcePolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeResourcePolicy)
+
+responseDescribeRuleGroup :: DescribeRuleGroupResponse -> TestTree
+responseDescribeRuleGroup =
+  res
+    "DescribeRuleGroupResponse"
+    "fixture/DescribeRuleGroupResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeRuleGroup)
+
+responseDescribeRuleGroupMetadata :: DescribeRuleGroupMetadataResponse -> TestTree
+responseDescribeRuleGroupMetadata =
+  res
+    "DescribeRuleGroupMetadataResponse"
+    "fixture/DescribeRuleGroupMetadataResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeRuleGroupMetadata)
+
+responseDisassociateSubnets :: DisassociateSubnetsResponse -> TestTree
+responseDisassociateSubnets =
+  res
+    "DisassociateSubnetsResponse"
+    "fixture/DisassociateSubnetsResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DisassociateSubnets)
+
+responseListFirewallPolicies :: ListFirewallPoliciesResponse -> TestTree
+responseListFirewallPolicies =
+  res
+    "ListFirewallPoliciesResponse"
+    "fixture/ListFirewallPoliciesResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListFirewallPolicies)
+
+responseListFirewalls :: ListFirewallsResponse -> TestTree
+responseListFirewalls =
+  res
+    "ListFirewallsResponse"
+    "fixture/ListFirewallsResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListFirewalls)
+
+responseListRuleGroups :: ListRuleGroupsResponse -> TestTree
+responseListRuleGroups =
+  res
+    "ListRuleGroupsResponse"
+    "fixture/ListRuleGroupsResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListRuleGroups)
+
+responseListTagsForResource :: ListTagsForResourceResponse -> TestTree
+responseListTagsForResource =
+  res
+    "ListTagsForResourceResponse"
+    "fixture/ListTagsForResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListTagsForResource)
+
+responsePutResourcePolicy :: PutResourcePolicyResponse -> TestTree
+responsePutResourcePolicy =
+  res
+    "PutResourcePolicyResponse"
+    "fixture/PutResourcePolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy PutResourcePolicy)
+
+responseTagResource :: TagResourceResponse -> TestTree
+responseTagResource =
+  res
+    "TagResourceResponse"
+    "fixture/TagResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy TagResource)
+
+responseUntagResource :: UntagResourceResponse -> TestTree
+responseUntagResource =
+  res
+    "UntagResourceResponse"
+    "fixture/UntagResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UntagResource)
+
+responseUpdateFirewallDeleteProtection :: UpdateFirewallDeleteProtectionResponse -> TestTree
+responseUpdateFirewallDeleteProtection =
+  res
+    "UpdateFirewallDeleteProtectionResponse"
+    "fixture/UpdateFirewallDeleteProtectionResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateFirewallDeleteProtection)
+
+responseUpdateFirewallDescription :: UpdateFirewallDescriptionResponse -> TestTree
+responseUpdateFirewallDescription =
+  res
+    "UpdateFirewallDescriptionResponse"
+    "fixture/UpdateFirewallDescriptionResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateFirewallDescription)
+
+responseUpdateFirewallEncryptionConfiguration :: UpdateFirewallEncryptionConfigurationResponse -> TestTree
+responseUpdateFirewallEncryptionConfiguration =
+  res
+    "UpdateFirewallEncryptionConfigurationResponse"
+    "fixture/UpdateFirewallEncryptionConfigurationResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateFirewallEncryptionConfiguration)
+
+responseUpdateFirewallPolicy :: UpdateFirewallPolicyResponse -> TestTree
+responseUpdateFirewallPolicy =
+  res
+    "UpdateFirewallPolicyResponse"
+    "fixture/UpdateFirewallPolicyResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateFirewallPolicy)
+
+responseUpdateFirewallPolicyChangeProtection :: UpdateFirewallPolicyChangeProtectionResponse -> TestTree
+responseUpdateFirewallPolicyChangeProtection =
+  res
+    "UpdateFirewallPolicyChangeProtectionResponse"
+    "fixture/UpdateFirewallPolicyChangeProtectionResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateFirewallPolicyChangeProtection)
+
+responseUpdateLoggingConfiguration :: UpdateLoggingConfigurationResponse -> TestTree
+responseUpdateLoggingConfiguration =
+  res
+    "UpdateLoggingConfigurationResponse"
+    "fixture/UpdateLoggingConfigurationResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateLoggingConfiguration)
+
+responseUpdateRuleGroup :: UpdateRuleGroupResponse -> TestTree
+responseUpdateRuleGroup =
+  res
+    "UpdateRuleGroupResponse"
+    "fixture/UpdateRuleGroupResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateRuleGroup)
+
+responseUpdateSubnetChangeProtection :: UpdateSubnetChangeProtectionResponse -> TestTree
+responseUpdateSubnetChangeProtection =
+  res
+    "UpdateSubnetChangeProtectionResponse"
+    "fixture/UpdateSubnetChangeProtectionResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UpdateSubnetChangeProtection)
diff --git a/test/Test/Amazonka/NetworkFirewall.hs b/test/Test/Amazonka/NetworkFirewall.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/NetworkFirewall.hs
@@ -0,0 +1,20 @@
+-- |
+-- Module      : Test.Amazonka.NetworkFirewall
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.NetworkFirewall
+  ( tests,
+    fixtures,
+  )
+where
+
+import Test.Tasty (TestTree)
+
+tests :: [TestTree]
+tests = []
+
+fixtures :: [TestTree]
+fixtures = []
diff --git a/test/Test/Amazonka/NetworkFirewall/Internal.hs b/test/Test/Amazonka/NetworkFirewall/Internal.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/NetworkFirewall/Internal.hs
@@ -0,0 +1,8 @@
+-- |
+-- Module      : Test.Amazonka.NetworkFirewall.Internal
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.NetworkFirewall.Internal where
