1. Docs
  2. Reference
  3. API
  4. pulumi_aws
  5. waf

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

waf

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.waf.AwaitableGetIpsetResult(id=None, name=None)
class pulumi_aws.waf.AwaitableGetRateBasedRuleResult(id=None, name=None)
class pulumi_aws.waf.AwaitableGetRuleResult(id=None, name=None)
class pulumi_aws.waf.AwaitableGetWebAclResult(id=None, name=None)
class pulumi_aws.waf.ByteMatchSet(resource_name, opts=None, byte_match_tuples=None, name=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Byte Match Set Resource

import pulumi
import pulumi_aws as aws

byte_set = aws.waf.ByteMatchSet("byteSet", byte_match_tuples=[{
    "fieldToMatch": {
        "data": "referer",
        "type": "HEADER",
    },
    "positionalConstraint": "CONTAINS",
    "targetString": "badrefer1",
    "textTransformation": "NONE",
}])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • byte_match_tuples (pulumi.Input[list]) – Specifies the bytes (typically a string that corresponds with ASCII characters) that you want to search for in web requests, the location in requests that you want to search, and other settings.

  • name (pulumi.Input[str]) – The name or description of the Byte Match Set.

The byte_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • positionalConstraint (pulumi.Input[str]) - Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want to search. e.g. CONTAINS, CONTAINS_WORD or EXACTLY. See docs for all supported values.

  • targetString (pulumi.Input[str]) - The value that you want to search for. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

byte_match_tuples: pulumi.Output[list] = None

Specifies the bytes (typically a string that corresponds with ASCII characters) that you want to search for in web requests, the location in requests that you want to search, and other settings.

  • fieldToMatch (dict) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (str) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (str) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • positionalConstraint (str) - Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want to search. e.g. CONTAINS, CONTAINS_WORD or EXACTLY. See docs for all supported values.

  • targetString (str) - The value that you want to search for. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (str) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

name: pulumi.Output[str] = None

The name or description of the Byte Match Set.

static get(resource_name, id, opts=None, byte_match_tuples=None, name=None)

Get an existing ByteMatchSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • byte_match_tuples (pulumi.Input[list]) – Specifies the bytes (typically a string that corresponds with ASCII characters) that you want to search for in web requests, the location in requests that you want to search, and other settings.

  • name (pulumi.Input[str]) – The name or description of the Byte Match Set.

The byte_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • positionalConstraint (pulumi.Input[str]) - Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want to search. e.g. CONTAINS, CONTAINS_WORD or EXACTLY. See docs for all supported values.

  • targetString (pulumi.Input[str]) - The value that you want to search for. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.GeoMatchSet(resource_name, opts=None, geo_match_constraints=None, name=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Geo Match Set Resource

import pulumi
import pulumi_aws as aws

geo_match_set = aws.waf.GeoMatchSet("geoMatchSet", geo_match_constraints=[
    {
        "type": "Country",
        "value": "US",
    },
    {
        "type": "Country",
        "value": "CA",
    },
])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • geo_match_constraints (pulumi.Input[list]) – The GeoMatchConstraint objects which contain the country that you want AWS WAF to search for.

  • name (pulumi.Input[str]) – The name or description of the GeoMatchSet.

The geo_match_constraints object supports the following:

  • type (pulumi.Input[str]) - The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

  • value (pulumi.Input[str]) - The country that you want AWS WAF to search for. This is the two-letter country code, e.g. US, CA, RU, CN, etc. See docs for all supported values.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

geo_match_constraints: pulumi.Output[list] = None

The GeoMatchConstraint objects which contain the country that you want AWS WAF to search for.

  • type (str) - The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

  • value (str) - The country that you want AWS WAF to search for. This is the two-letter country code, e.g. US, CA, RU, CN, etc. See docs for all supported values.

name: pulumi.Output[str] = None

The name or description of the GeoMatchSet.

static get(resource_name, id, opts=None, arn=None, geo_match_constraints=None, name=None)

Get an existing GeoMatchSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • geo_match_constraints (pulumi.Input[list]) – The GeoMatchConstraint objects which contain the country that you want AWS WAF to search for.

  • name (pulumi.Input[str]) – The name or description of the GeoMatchSet.

The geo_match_constraints object supports the following:

  • type (pulumi.Input[str]) - The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

  • value (pulumi.Input[str]) - The country that you want AWS WAF to search for. This is the two-letter country code, e.g. US, CA, RU, CN, etc. See docs for all supported values.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.GetIpsetResult(id=None, name=None)

A collection of values returned by getIpset.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.waf.GetRateBasedRuleResult(id=None, name=None)

A collection of values returned by getRateBasedRule.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.waf.GetRuleResult(id=None, name=None)

A collection of values returned by getRule.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.waf.GetWebAclResult(id=None, name=None)

A collection of values returned by getWebAcl.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.waf.IpSet(resource_name, opts=None, ip_set_descriptors=None, name=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF IPSet Resource

import pulumi
import pulumi_aws as aws

ipset = aws.waf.IpSet("ipset", ip_set_descriptors=[
    {
        "type": "IPV4",
        "value": "192.0.7.0/24",
    },
    {
        "type": "IPV4",
        "value": "10.16.16.0/16",
    },
])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ip_set_descriptors (pulumi.Input[list]) – One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR format) from which web requests originate.

  • name (pulumi.Input[str]) – The name or description of the IPSet.

The ip_set_descriptors object supports the following:

  • type (pulumi.Input[str]) - Type of the IP address - IPV4 or IPV6.

  • value (pulumi.Input[str]) - An IPv4 or IPv6 address specified via CIDR notation. e.g. 192.0.2.44/32 or 1111:0000:0000:0000:0000:0000:0000:0000/64

arn: pulumi.Output[str] = None

The ARN of the WAF IPSet.

ip_set_descriptors: pulumi.Output[list] = None

One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR format) from which web requests originate.

  • type (str) - Type of the IP address - IPV4 or IPV6.

  • value (str) - An IPv4 or IPv6 address specified via CIDR notation. e.g. 192.0.2.44/32 or 1111:0000:0000:0000:0000:0000:0000:0000/64

name: pulumi.Output[str] = None

The name or description of the IPSet.

static get(resource_name, id, opts=None, arn=None, ip_set_descriptors=None, name=None)

Get an existing IpSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN of the WAF IPSet.

  • ip_set_descriptors (pulumi.Input[list]) – One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR format) from which web requests originate.

  • name (pulumi.Input[str]) – The name or description of the IPSet.

The ip_set_descriptors object supports the following:

  • type (pulumi.Input[str]) - Type of the IP address - IPV4 or IPV6.

  • value (pulumi.Input[str]) - An IPv4 or IPv6 address specified via CIDR notation. e.g. 192.0.2.44/32 or 1111:0000:0000:0000:0000:0000:0000:0000/64

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.RateBasedRule(resource_name, opts=None, metric_name=None, name=None, predicates=None, rate_key=None, rate_limit=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Rate Based Rule Resource

import pulumi
import pulumi_aws as aws

ipset = aws.waf.IpSet("ipset", ip_set_descriptors=[{
    "type": "IPV4",
    "value": "192.0.7.0/24",
}])
wafrule = aws.waf.RateBasedRule("wafrule",
    metric_name="tfWAFRule",
    predicates=[{
        "dataId": ipset.id,
        "negated": False,
        "type": "IPMatch",
    }],
    rate_key="IP",
    rate_limit=100)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this rule.

  • name (pulumi.Input[str]) – The name or description of the rule.

  • predicates (pulumi.Input[list]) – The objects to include in a rule (documented below).

  • rate_key (pulumi.Input[str]) – Valid value is IP.

  • rate_limit (pulumi.Input[float]) – The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The predicates object supports the following:

  • dataId (pulumi.Input[str]) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (pulumi.Input[bool]) - Set this to false if you want to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (pulumi.Input[str]) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

metric_name: pulumi.Output[str] = None

The name or description for the Amazon CloudWatch metric of this rule.

name: pulumi.Output[str] = None

The name or description of the rule.

predicates: pulumi.Output[list] = None

The objects to include in a rule (documented below).

  • dataId (str) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (bool) - Set this to false if you want to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (str) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

rate_key: pulumi.Output[str] = None

Valid value is IP.

rate_limit: pulumi.Output[float] = None

The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.

tags: pulumi.Output[dict] = None

Key-value map of resource tags

static get(resource_name, id, opts=None, arn=None, metric_name=None, name=None, predicates=None, rate_key=None, rate_limit=None, tags=None)

Get an existing RateBasedRule resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this rule.

  • name (pulumi.Input[str]) – The name or description of the rule.

  • predicates (pulumi.Input[list]) – The objects to include in a rule (documented below).

  • rate_key (pulumi.Input[str]) – Valid value is IP.

  • rate_limit (pulumi.Input[float]) – The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The predicates object supports the following:

  • dataId (pulumi.Input[str]) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (pulumi.Input[bool]) - Set this to false if you want to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (pulumi.Input[str]) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.RegexMatchSet(resource_name, opts=None, name=None, regex_match_tuples=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Regex Match Set Resource

import pulumi
import pulumi_aws as aws

example_regex_pattern_set = aws.waf.RegexPatternSet("exampleRegexPatternSet", regex_pattern_strings=[
    "one",
    "two",
])
example_regex_match_set = aws.waf.RegexMatchSet("exampleRegexMatchSet", regex_match_tuples=[{
    "fieldToMatch": {
        "data": "User-Agent",
        "type": "HEADER",
    },
    "regexPatternSetId": example_regex_pattern_set.id,
    "textTransformation": "NONE",
}])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the Regex Match Set.

  • regex_match_tuples (pulumi.Input[list]) – The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.

The regex_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • regexPatternSetId (pulumi.Input[str]) - The ID of a WAF Regex Pattern Set.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

name: pulumi.Output[str] = None

The name or description of the Regex Match Set.

regex_match_tuples: pulumi.Output[list] = None

The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.

  • fieldToMatch (dict) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (str) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (str) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • regexPatternSetId (str) - The ID of a WAF Regex Pattern Set.

  • textTransformation (str) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

static get(resource_name, id, opts=None, arn=None, name=None, regex_match_tuples=None)

Get an existing RegexMatchSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • name (pulumi.Input[str]) – The name or description of the Regex Match Set.

  • regex_match_tuples (pulumi.Input[list]) – The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.

The regex_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - The part of a web request that you want to search, such as a specified header or a query string.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • regexPatternSetId (pulumi.Input[str]) - The ID of a WAF Regex Pattern Set.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.RegexPatternSet(resource_name, opts=None, name=None, regex_pattern_strings=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Regex Pattern Set Resource

import pulumi
import pulumi_aws as aws

example = aws.waf.RegexPatternSet("example", regex_pattern_strings=[
    "one",
    "two",
])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the Regex Pattern Set.

  • regex_pattern_strings (pulumi.Input[list]) – A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

name: pulumi.Output[str] = None

The name or description of the Regex Pattern Set.

regex_pattern_strings: pulumi.Output[list] = None

A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.

static get(resource_name, id, opts=None, arn=None, name=None, regex_pattern_strings=None)

Get an existing RegexPatternSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • name (pulumi.Input[str]) – The name or description of the Regex Pattern Set.

  • regex_pattern_strings (pulumi.Input[list]) – A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.Rule(resource_name, opts=None, metric_name=None, name=None, predicates=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Rule Resource

import pulumi
import pulumi_aws as aws

ipset = aws.waf.IpSet("ipset", ip_set_descriptors=[{
    "type": "IPV4",
    "value": "192.0.7.0/24",
}])
wafrule = aws.waf.Rule("wafrule",
    metric_name="tfWAFRule",
    predicates=[{
        "dataId": ipset.id,
        "negated": False,
        "type": "IPMatch",
    }])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can’t contain whitespace.

  • name (pulumi.Input[str]) – The name or description of the rule.

  • predicates (pulumi.Input[list]) – The objects to include in a rule (documented below).

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The predicates object supports the following:

  • dataId (pulumi.Input[str]) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (pulumi.Input[bool]) - Set this to false if you want to allow, block, or count requests based on the settings in the specified waf_byte_match_set, waf_ipset, waf.SizeConstraintSet, waf.SqlInjectionMatchSet or waf.XssMatchSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (pulumi.Input[str]) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

arn: pulumi.Output[str] = None

The ARN of the WAF rule.

metric_name: pulumi.Output[str] = None

The name or description for the Amazon CloudWatch metric of this rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can’t contain whitespace.

name: pulumi.Output[str] = None

The name or description of the rule.

predicates: pulumi.Output[list] = None

The objects to include in a rule (documented below).

  • dataId (str) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (bool) - Set this to false if you want to allow, block, or count requests based on the settings in the specified waf_byte_match_set, waf_ipset, waf.SizeConstraintSet, waf.SqlInjectionMatchSet or waf.XssMatchSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (str) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

tags: pulumi.Output[dict] = None

Key-value map of resource tags

static get(resource_name, id, opts=None, arn=None, metric_name=None, name=None, predicates=None, tags=None)

Get an existing Rule resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN of the WAF rule.

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can’t contain whitespace.

  • name (pulumi.Input[str]) – The name or description of the rule.

  • predicates (pulumi.Input[list]) – The objects to include in a rule (documented below).

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The predicates object supports the following:

  • dataId (pulumi.Input[str]) - A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.

  • negated (pulumi.Input[bool]) - Set this to false if you want to allow, block, or count requests based on the settings in the specified waf_byte_match_set, waf_ipset, waf.SizeConstraintSet, waf.SqlInjectionMatchSet or waf.XssMatchSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address. If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

  • type (pulumi.Input[str]) - The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.RuleGroup(resource_name, opts=None, activated_rules=None, metric_name=None, name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Rule Group Resource

import pulumi
import pulumi_aws as aws

example_rule = aws.waf.Rule("exampleRule", metric_name="example")
example_rule_group = aws.waf.RuleGroup("exampleRuleGroup",
    activated_rules=[{
        "action": {
            "type": "COUNT",
        },
        "priority": 50,
        "rule_id": example_rule.id,
    }],
    metric_name="example")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • activated_rules (pulumi.Input[list]) – A list of activated rules, see below

  • metric_name (pulumi.Input[str]) – A friendly name for the metrics from the rule group

  • name (pulumi.Input[str]) – A friendly name of the rule group

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The activated_rules object supports the following:

  • action (pulumi.Input[dict]) - Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

  • priority (pulumi.Input[float]) - Specifies the order in which the rules are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (pulumi.Input[str]) - The ID of a waf_rule

  • type (pulumi.Input[str]) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

activated_rules: pulumi.Output[list] = None

A list of activated rules, see below

  • action (dict) - Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.

    • type (str) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

  • priority (float) - Specifies the order in which the rules are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (str) - The ID of a waf_rule

  • type (str) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

arn: pulumi.Output[str] = None

The ARN of the WAF rule group.

metric_name: pulumi.Output[str] = None

A friendly name for the metrics from the rule group

name: pulumi.Output[str] = None

A friendly name of the rule group

tags: pulumi.Output[dict] = None

Key-value map of resource tags

static get(resource_name, id, opts=None, activated_rules=None, arn=None, metric_name=None, name=None, tags=None)

Get an existing RuleGroup resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • activated_rules (pulumi.Input[list]) – A list of activated rules, see below

  • arn (pulumi.Input[str]) – The ARN of the WAF rule group.

  • metric_name (pulumi.Input[str]) – A friendly name for the metrics from the rule group

  • name (pulumi.Input[str]) – A friendly name of the rule group

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The activated_rules object supports the following:

  • action (pulumi.Input[dict]) - Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

  • priority (pulumi.Input[float]) - Specifies the order in which the rules are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (pulumi.Input[str]) - The ID of a waf_rule

  • type (pulumi.Input[str]) - The rule type, either REGULAR, RATE_BASED, or GROUP. Defaults to REGULAR.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.SizeConstraintSet(resource_name, opts=None, name=None, size_constraints=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Size Constraint Set Resource

import pulumi
import pulumi_aws as aws

size_constraint_set = aws.waf.SizeConstraintSet("sizeConstraintSet", size_constraints=[{
    "comparison_operator": "EQ",
    "fieldToMatch": {
        "type": "BODY",
    },
    "size": "4096",
    "textTransformation": "NONE",
}])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the Size Constraint Set.

  • size_constraints (pulumi.Input[list]) – Specifies the parts of web requests that you want to inspect the size of.

The size_constraints object supports the following:

  • comparison_operator (pulumi.Input[str]) - The type of comparison you want to perform. e.g. EQ, NE, LT, GT. See docs for all supported values.

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for the size constraint.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • size (pulumi.Input[float]) - The size in bytes that you want to compare against the size of the specified field_to_match. Valid values are between 0 - 21474836480 bytes (0 - 20 GB).

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values. Note: if you choose BODY as type, you must choose NONE because CloudFront forwards only the first 8192 bytes for inspection.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

name: pulumi.Output[str] = None

The name or description of the Size Constraint Set.

size_constraints: pulumi.Output[list] = None

Specifies the parts of web requests that you want to inspect the size of.

  • comparison_operator (str) - The type of comparison you want to perform. e.g. EQ, NE, LT, GT. See docs for all supported values.

  • fieldToMatch (dict) - Specifies where in a web request to look for the size constraint.

    • data (str) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (str) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • size (float) - The size in bytes that you want to compare against the size of the specified field_to_match. Valid values are between 0 - 21474836480 bytes (0 - 20 GB).

  • textTransformation (str) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values. Note: if you choose BODY as type, you must choose NONE because CloudFront forwards only the first 8192 bytes for inspection.

static get(resource_name, id, opts=None, arn=None, name=None, size_constraints=None)

Get an existing SizeConstraintSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • name (pulumi.Input[str]) – The name or description of the Size Constraint Set.

  • size_constraints (pulumi.Input[list]) – Specifies the parts of web requests that you want to inspect the size of.

The size_constraints object supports the following:

  • comparison_operator (pulumi.Input[str]) - The type of comparison you want to perform. e.g. EQ, NE, LT, GT. See docs for all supported values.

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for the size constraint.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • size (pulumi.Input[float]) - The size in bytes that you want to compare against the size of the specified field_to_match. Valid values are between 0 - 21474836480 bytes (0 - 20 GB).

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values. Note: if you choose BODY as type, you must choose NONE because CloudFront forwards only the first 8192 bytes for inspection.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.SqlInjectionMatchSet(resource_name, opts=None, name=None, sql_injection_match_tuples=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF SQL Injection Match Set Resource

import pulumi
import pulumi_aws as aws

sql_injection_match_set = aws.waf.SqlInjectionMatchSet("sqlInjectionMatchSet", sql_injection_match_tuples=[{
    "fieldToMatch": {
        "type": "QUERY_STRING",
    },
    "textTransformation": "URL_DECODE",
}])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the SQL Injection Match Set.

  • sql_injection_match_tuples (pulumi.Input[list]) – The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.

The sql_injection_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for snippets of malicious SQL code.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

name: pulumi.Output[str] = None

The name or description of the SQL Injection Match Set.

sql_injection_match_tuples: pulumi.Output[list] = None

The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.

  • fieldToMatch (dict) - Specifies where in a web request to look for snippets of malicious SQL code.

    • data (str) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (str) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (str) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

static get(resource_name, id, opts=None, name=None, sql_injection_match_tuples=None)

Get an existing SqlInjectionMatchSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the SQL Injection Match Set.

  • sql_injection_match_tuples (pulumi.Input[list]) – The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.

The sql_injection_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for snippets of malicious SQL code.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.WebAcl(resource_name, opts=None, default_action=None, logging_configuration=None, metric_name=None, name=None, rules=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF Web ACL Resource

import pulumi
import pulumi_aws as aws

ipset = aws.waf.IpSet("ipset", ip_set_descriptors=[{
    "type": "IPV4",
    "value": "192.0.7.0/24",
}])
wafrule = aws.waf.Rule("wafrule",
    metric_name="tfWAFRule",
    predicates=[{
        "dataId": ipset.id,
        "negated": False,
        "type": "IPMatch",
    }])
waf_acl = aws.waf.WebAcl("wafAcl",
    default_action={
        "type": "ALLOW",
    },
    metric_name="tfWebACL",
    rules=[{
        "action": {
            "type": "BLOCK",
        },
        "priority": 1,
        "rule_id": wafrule.id,
        "type": "REGULAR",
    }])

import pulumi
import pulumi_aws as aws

example = aws.waf.WebAcl("example", logging_configuration={
    "log_destination": aws_kinesis_firehose_delivery_stream["example"]["arn"],
    "redactedFields": {
        "fieldToMatch": [
            {
                "type": "URI",
            },
            {
                "data": "referer",
                "type": "HEADER",
            },
        ],
    },
})
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • default_action (pulumi.Input[dict]) – Configuration block with action that you want AWS WAF to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL. Detailed below.

  • logging_configuration (pulumi.Input[dict]) – Configuration block to enable WAF logging. Detailed below.

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this web ACL.

  • name (pulumi.Input[str]) – The name or description of the web ACL.

  • rules (pulumi.Input[list]) – Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The default_action object supports the following:

  • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

The logging_configuration object supports the following:

  • log_destination (pulumi.Input[str]) - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream

  • redactedFields (pulumi.Input[dict]) - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

    • fieldToMatches (pulumi.Input[list]) - Set of configuration blocks for fields to redact. Detailed below.

      • data (pulumi.Input[str]) - When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.

      • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

The rules object supports the following:

  • action (pulumi.Input[dict]) - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • overrideAction (pulumi.Input[dict]) - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • priority (pulumi.Input[float]) - Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (pulumi.Input[str]) - ID of the associated WAF (Global) rule (e.g. waf.Rule). WAF (Regional) rules cannot be used.

  • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

arn: pulumi.Output[str] = None

The ARN of the WAF WebACL.

default_action: pulumi.Output[dict] = None

Configuration block with action that you want AWS WAF to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL. Detailed below.

  • type (str) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

logging_configuration: pulumi.Output[dict] = None

Configuration block to enable WAF logging. Detailed below.

  • log_destination (str) - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream

  • redactedFields (dict) - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

    • fieldToMatches (list) - Set of configuration blocks for fields to redact. Detailed below.

      • data (str) - When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.

      • type (str) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

metric_name: pulumi.Output[str] = None

The name or description for the Amazon CloudWatch metric of this web ACL.

name: pulumi.Output[str] = None

The name or description of the web ACL.

rules: pulumi.Output[list] = None

Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.

  • action (dict) - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.

    • type (str) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • overrideAction (dict) - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.

    • type (str) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • priority (float) - Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (str) - ID of the associated WAF (Global) rule (e.g. waf.Rule). WAF (Regional) rules cannot be used.

  • type (str) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

tags: pulumi.Output[dict] = None

Key-value map of resource tags

static get(resource_name, id, opts=None, arn=None, default_action=None, logging_configuration=None, metric_name=None, name=None, rules=None, tags=None)

Get an existing WebAcl resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN of the WAF WebACL.

  • default_action (pulumi.Input[dict]) – Configuration block with action that you want AWS WAF to take when a request doesn’t match the criteria in any of the rules that are associated with the web ACL. Detailed below.

  • logging_configuration (pulumi.Input[dict]) – Configuration block to enable WAF logging. Detailed below.

  • metric_name (pulumi.Input[str]) – The name or description for the Amazon CloudWatch metric of this web ACL.

  • name (pulumi.Input[str]) – The name or description of the web ACL.

  • rules (pulumi.Input[list]) – Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.

  • tags (pulumi.Input[dict]) – Key-value map of resource tags

The default_action object supports the following:

  • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

The logging_configuration object supports the following:

  • log_destination (pulumi.Input[str]) - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream

  • redactedFields (pulumi.Input[dict]) - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

    • fieldToMatches (pulumi.Input[list]) - Set of configuration blocks for fields to redact. Detailed below.

      • data (pulumi.Input[str]) - When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.

      • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

The rules object supports the following:

  • action (pulumi.Input[dict]) - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • overrideAction (pulumi.Input[dict]) - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.

    • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

  • priority (pulumi.Input[float]) - Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.

  • rule_id (pulumi.Input[str]) - ID of the associated WAF (Global) rule (e.g. waf.Rule). WAF (Regional) rules cannot be used.

  • type (pulumi.Input[str]) - The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.waf.XssMatchSet(resource_name, opts=None, name=None, xss_match_tuples=None, __props__=None, __name__=None, __opts__=None)

Provides a WAF XSS Match Set Resource

import pulumi
import pulumi_aws as aws

xss_match_set = aws.waf.XssMatchSet("xssMatchSet", xss_match_tuples=[
    {
        "fieldToMatch": {
            "type": "URI",
        },
        "textTransformation": "NONE",
    },
    {
        "fieldToMatch": {
            "type": "QUERY_STRING",
        },
        "textTransformation": "NONE",
    },
])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name or description of the SizeConstraintSet.

  • xss_match_tuples (pulumi.Input[list]) – The parts of web requests that you want to inspect for cross-site scripting attacks.

The xss_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for cross-site scripting attacks.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN)

name: pulumi.Output[str] = None

The name or description of the SizeConstraintSet.

xss_match_tuples: pulumi.Output[list] = None

The parts of web requests that you want to inspect for cross-site scripting attacks.

  • fieldToMatch (dict) - Specifies where in a web request to look for cross-site scripting attacks.

    • data (str) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (str) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (str) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

static get(resource_name, id, opts=None, arn=None, name=None, xss_match_tuples=None)

Get an existing XssMatchSet resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN)

  • name (pulumi.Input[str]) – The name or description of the SizeConstraintSet.

  • xss_match_tuples (pulumi.Input[list]) – The parts of web requests that you want to inspect for cross-site scripting attacks.

The xss_match_tuples object supports the following:

  • fieldToMatch (pulumi.Input[dict]) - Specifies where in a web request to look for cross-site scripting attacks.

    • data (pulumi.Input[str]) - When type is HEADER, enter the name of the header that you want to search, e.g. User-Agent or Referer. If type is any other value, omit this field.

    • type (pulumi.Input[str]) - The part of the web request that you want AWS WAF to search for a specified string. e.g. HEADER, METHOD or BODY. See docs for all supported values.

  • textTransformation (pulumi.Input[str]) - Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match. e.g. CMD_LINE, HTML_ENTITY_DECODE or NONE. See docs for all supported values.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.waf.get_ipset(name=None, opts=None)

waf.IpSet Retrieves a WAF IP Set Resource Id.

import pulumi
import pulumi_aws as aws

example = aws.waf.get_ipset(name="tfWAFIPSet")
Parameters

name (str) – The name of the WAF IP set.

pulumi_aws.waf.get_rate_based_rule(name=None, opts=None)

waf.RateBasedRule Retrieves a WAF Rate Based Rule Resource Id.

import pulumi
import pulumi_aws as aws

example = aws.waf.get_rate_based_rule(name="tfWAFRateBasedRule")
Parameters

name (str) – The name of the WAF rate based rule.

pulumi_aws.waf.get_rule(name=None, opts=None)

waf.Rule Retrieves a WAF Rule Resource Id.

import pulumi
import pulumi_aws as aws

example = aws.waf.get_rule(name="tfWAFRule")
Parameters

name (str) – The name of the WAF rule.

pulumi_aws.waf.get_web_acl(name=None, opts=None)

waf.WebAcl Retrieves a WAF Web ACL Resource Id.

import pulumi
import pulumi_aws as aws

example = aws.waf.get_web_acl(name="tfWAFWebACL")
Parameters

name (str) – The name of the WAF Web ACL.