WebAcl
Provides a WAF Regional Web ACL Resource for use with Application Load Balancer.
Example Usage
Regular Rule
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var ipset = new Aws.WafRegional.IpSet("ipset", new Aws.WafRegional.IpSetArgs
{
IpSetDescriptors =
{
new Aws.WafRegional.Inputs.IpSetIpSetDescriptorArgs
{
Type = "IPV4",
Value = "192.0.7.0/24",
},
},
});
var wafrule = new Aws.WafRegional.Rule("wafrule", new Aws.WafRegional.RuleArgs
{
MetricName = "tfWAFRule",
Predicates =
{
new Aws.WafRegional.Inputs.RulePredicateArgs
{
DataId = ipset.Id,
Negated = false,
Type = "IPMatch",
},
},
});
var wafacl = new Aws.WafRegional.WebAcl("wafacl", new Aws.WafRegional.WebAclArgs
{
DefaultAction = new Aws.WafRegional.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
MetricName = "tfWebACL",
Rules =
{
new Aws.WafRegional.Inputs.WebAclRuleArgs
{
Action = new Aws.WafRegional.Inputs.WebAclRuleActionArgs
{
Type = "BLOCK",
},
Priority = 1,
RuleId = wafrule.Id,
Type = "REGULAR",
},
},
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ipset, err := wafregional.NewIpSet(ctx, "ipset", &wafregional.IpSetArgs{
IpSetDescriptors: wafregional.IpSetIpSetDescriptorArray{
&wafregional.IpSetIpSetDescriptorArgs{
Type: pulumi.String("IPV4"),
Value: pulumi.String("192.0.7.0/24"),
},
},
})
if err != nil {
return err
}
wafrule, err := wafregional.NewRule(ctx, "wafrule", &wafregional.RuleArgs{
MetricName: pulumi.String("tfWAFRule"),
Predicates: wafregional.RulePredicateArray{
&wafregional.RulePredicateArgs{
DataId: ipset.ID(),
Negated: pulumi.Bool(false),
Type: pulumi.String("IPMatch"),
},
},
})
if err != nil {
return err
}
_, err = wafregional.NewWebAcl(ctx, "wafacl", &wafregional.WebAclArgs{
DefaultAction: &wafregional.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
MetricName: pulumi.String("tfWebACL"),
Rules: wafregional.WebAclRuleArray{
&wafregional.WebAclRuleArgs{
Action: &wafregional.WebAclRuleActionArgs{
Type: pulumi.String("BLOCK"),
},
Priority: pulumi.Int(1),
RuleId: wafrule.ID(),
Type: pulumi.String("REGULAR"),
},
},
})
if err != nil {
return err
}
return nil
})
}import pulumi
import pulumi_aws as aws
ipset = aws.wafregional.IpSet("ipset", ip_set_descriptors=[{
"type": "IPV4",
"value": "192.0.7.0/24",
}])
wafrule = aws.wafregional.Rule("wafrule",
metric_name="tfWAFRule",
predicates=[{
"dataId": ipset.id,
"negated": False,
"type": "IPMatch",
}])
wafacl = aws.wafregional.WebAcl("wafacl",
default_action={
"type": "ALLOW",
},
metric_name="tfWebACL",
rules=[{
"action": {
"type": "BLOCK",
},
"priority": 1,
"rule_id": wafrule.id,
"type": "REGULAR",
}])import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ipset = new aws.wafregional.IpSet("ipset", {
ipSetDescriptors: [{
type: "IPV4",
value: "192.0.7.0/24",
}],
});
const wafrule = new aws.wafregional.Rule("wafrule", {
metricName: "tfWAFRule",
predicates: [{
dataId: ipset.id,
negated: false,
type: "IPMatch",
}],
});
const wafacl = new aws.wafregional.WebAcl("wafacl", {
defaultAction: {
type: "ALLOW",
},
metricName: "tfWebACL",
rules: [{
action: {
type: "BLOCK",
},
priority: 1,
ruleId: wafrule.id,
type: "REGULAR",
}],
});Group Rule
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var example = new Aws.WafRegional.WebAcl("example", new Aws.WafRegional.WebAclArgs
{
DefaultAction = new Aws.WafRegional.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
MetricName = "example",
Rules =
{
new Aws.WafRegional.Inputs.WebAclRuleArgs
{
OverrideAction = new Aws.WafRegional.Inputs.WebAclRuleOverrideActionArgs
{
Type = "NONE",
},
Priority = 1,
RuleId = aws_wafregional_rule_group.Example.Id,
Type = "GROUP",
},
},
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := wafregional.NewWebAcl(ctx, "example", &wafregional.WebAclArgs{
DefaultAction: &wafregional.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
MetricName: pulumi.String("example"),
Rules: wafregional.WebAclRuleArray{
&wafregional.WebAclRuleArgs{
OverrideAction: &wafregional.WebAclRuleOverrideActionArgs{
Type: pulumi.String("NONE"),
},
Priority: pulumi.Int(1),
RuleId: pulumi.String(aws_wafregional_rule_group.Example.Id),
Type: pulumi.String("GROUP"),
},
},
})
if err != nil {
return err
}
return nil
})
}import pulumi
import pulumi_aws as aws
example = aws.wafregional.WebAcl("example",
default_action={
"type": "ALLOW",
},
metric_name="example",
rules=[{
"overrideAction": {
"type": "NONE",
},
"priority": 1,
"rule_id": aws_wafregional_rule_group["example"]["id"],
"type": "GROUP",
}])import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.wafregional.WebAcl("example", {
defaultAction: {
type: "ALLOW",
},
metricName: "example",
rules: [{
overrideAction: {
type: "NONE",
},
priority: 1,
ruleId: aws_wafregional_rule_group_example.id,
type: "GROUP",
}],
});Logging
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var example = new Aws.WafRegional.WebAcl("example", new Aws.WafRegional.WebAclArgs
{
LoggingConfiguration = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = aws_kinesis_firehose_delivery_stream.Example.Arn,
RedactedFields = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatch =
{
{
{ "type", "URI" },
},
{
{ "data", "referer" },
{ "type", "HEADER" },
},
},
},
},
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := wafregional.NewWebAcl(ctx, "example", &wafregional.WebAclArgs{
LoggingConfiguration: &wafregional.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.String(aws_kinesis_firehose_delivery_stream.Example.Arn),
RedactedFields: &wafregional.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatch: pulumi.Array{
pulumi.StringMap{
"type": pulumi.String("URI"),
},
pulumi.StringMap{
"data": pulumi.String("referer"),
"type": pulumi.String("HEADER"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}import pulumi
import pulumi_aws as aws
example = aws.wafregional.WebAcl("example", logging_configuration={
"log_destination": aws_kinesis_firehose_delivery_stream["example"]["arn"],
"redactedFields": {
"fieldToMatch": [
{
"type": "URI",
},
{
"data": "referer",
"type": "HEADER",
},
],
},
})import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.wafregional.WebAcl("example", {
loggingConfiguration: {
logDestination: aws_kinesis_firehose_delivery_stream_example.arn,
redactedFields: {
fieldToMatches: [
{
type: "URI",
},
{
data: "referer",
type: "HEADER",
},
],
},
},
});Create a WebAcl Resource
new WebAcl(name: string, args: WebAclArgs, opts?: CustomResourceOptions);def WebAcl(resource_name, opts=None, default_action=None, logging_configuration=None, metric_name=None, name=None, rules=None, tags=None, __props__=None);func NewWebAcl(ctx *Context, name string, args WebAclArgs, opts ...ResourceOption) (*WebAcl, error)public WebAcl(string name, WebAclArgs args, CustomResourceOptions? opts = null)- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
WebAcl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The WebAcl resource accepts the following input properties:
- Default
Action WebAcl Default Action Args The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Name string
The name or description of the web ACL.
- Rules
List<Web
Acl Rule Args> Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dictionary<string, string>
Key-value map of resource tags
- Default
Action WebAcl Default Action The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Configuration block to enable WAF logging. Detailed below.
- Name string
The name or description of the web ACL.
- Rules
[]Web
Acl Rule Set of configuration blocks containing rules for the web ACL. Detailed below.
- map[string]string
Key-value map of resource tags
- default
Action WebAcl Default Action The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration Configuration block to enable WAF logging. Detailed below.
- name string
The name or description of the web ACL.
- rules
Web
Acl Rule[] Set of configuration blocks containing rules for the web ACL. Detailed below.
- {[key: string]: string}
Key-value map of resource tags
- default_
action Dict[WebAcl Default Action] The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- metric_
name str The name or description for the Amazon CloudWatch metric of this web ACL.
- logging_
configuration Dict[WebAcl Logging Configuration] Configuration block to enable WAF logging. Detailed below.
- name str
The name or description of the web ACL.
- rules
List[Web
Acl Rule] Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dict[str, str]
Key-value map of resource tags
Outputs
All input properties are implicitly available as output properties. Additionally, the WebAcl resource produces the following output properties:
Look up an Existing WebAcl Resource
Get an existing WebAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WebAclState, opts?: CustomResourceOptions): WebAclstatic get(resource_name, id, opts=None, arn=None, default_action=None, logging_configuration=None, metric_name=None, name=None, rules=None, tags=None, __props__=None);func GetWebAcl(ctx *Context, name string, id IDInput, state *WebAclState, opts ...ResourceOption) (*WebAcl, error)public static WebAcl Get(string name, Input<string> id, WebAclState? state, CustomResourceOptions? opts = null)- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
Amazon Resource Name (ARN) of the WAF Regional WebACL.
- Default
Action WebAcl Default Action Args The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
The name or description of the web ACL.
- Rules
List<Web
Acl Rule Args> Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dictionary<string, string>
Key-value map of resource tags
- Arn string
Amazon Resource Name (ARN) of the WAF Regional WebACL.
- Default
Action WebAcl Default Action The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- Logging
Configuration WebAcl Logging Configuration Configuration block to enable WAF logging. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
The name or description of the web ACL.
- Rules
[]Web
Acl Rule Set of configuration blocks containing rules for the web ACL. Detailed below.
- map[string]string
Key-value map of resource tags
- arn string
Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default
Action WebAcl Default Action The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- logging
Configuration WebAcl Logging Configuration Configuration block to enable WAF logging. Detailed below.
- metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- name string
The name or description of the web ACL.
- rules
Web
Acl Rule[] Set of configuration blocks containing rules for the web ACL. Detailed below.
- {[key: string]: string}
Key-value map of resource tags
- arn str
Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default_
action Dict[WebAcl Default Action] The action that you want AWS WAF Regional to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL.
- logging_
configuration Dict[WebAcl Logging Configuration] Configuration block to enable WAF logging. Detailed below.
- metric_
name str The name or description for the Amazon CloudWatch metric of this web ACL.
- name str
The name or description of the web ACL.
- rules
List[Web
Acl Rule] Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dict[str, str]
Key-value map of resource tags
Supporting Types
WebAclDefaultAction
WebAclLoggingConfiguration
- Log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields Args Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- Log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log_
destination str Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields Dict[WebAcl Logging Configuration Redacted Fields] Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
WebAclLoggingConfigurationRedactedFields
- Field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match Args> Set of configuration blocks for fields to redact. Detailed below.
- Field
To []WebMatches Acl Logging Configuration Redacted Fields Field To Match Set of configuration blocks for fields to redact. Detailed below.
- field
To WebMatches Acl Logging Configuration Redacted Fields Field To Match[] Set of configuration blocks for fields to redact. Detailed below.
- field
To List[WebMatches Acl Logging Configuration Redacted Fields Field To Match] Set of configuration blocks for fields to redact. Detailed below.
WebAclLoggingConfigurationRedactedFieldsFieldToMatch
- Type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT- Data string
When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- Type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT- Data string
When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT- data string
When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type str
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT- data str
When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
WebAclRule
- Priority int
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string ID of the associated WAF (Regional) rule (e.g.
aws.wafregional.Rule). WAF (Global) rules cannot be used.- Action
Web
Acl Rule Action Args Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below.- Override
Action WebAcl Rule Override Action Args Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below.- Type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT
- Priority int
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string ID of the associated WAF (Regional) rule (e.g.
aws.wafregional.Rule). WAF (Global) rules cannot be used.- Action
Web
Acl Rule Action Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below.- Override
Action WebAcl Rule Override Action Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below.- Type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT
- priority number
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id string ID of the associated WAF (Regional) rule (e.g.
aws.wafregional.Rule). WAF (Global) rules cannot be used.- action
Web
Acl Rule Action Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below.- override
Action WebAcl Rule Override Action Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below.- type string
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT
- priority float
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule_
id str ID of the associated WAF (Regional) rule (e.g.
aws.wafregional.Rule). WAF (Global) rules cannot be used.- action
Dict[Web
Acl Rule Action] Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below.- override
Action Dict[WebAcl Rule Override Action] Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below.- type str
Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. e.g.
ALLOW,BLOCKorCOUNT
WebAclRuleAction
WebAclRuleOverrideAction
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.