pulumi-aws-kotlin/com.pulumi.aws.wafv2.kotlin/WebAclArgs

WebAclArgs

data class WebAclArgs(val captchaConfig: Output<WebAclCaptchaConfigArgs>? = null, val customResponseBodies: Output<List<WebAclCustomResponseBodyArgs>>? = null, val defaultAction: Output<WebAclDefaultActionArgs>? = null, val description: Output<String>? = null, val name: Output<String>? = null, val rules: Output<List<WebAclRuleArgs>>? = null, val scope: Output<String>? = null, val tags: Output<Map<String, String>>? = null, val tokenDomains: Output<List<String>>? = null, val visibilityConfig: Output<WebAclVisibilityConfigArgs>? = null) : ConvertibleToJava<WebAclArgs>

Creates a WAFv2 Web ACL resource.

Note: In field_to_match blocks, e.g., in byte_match_statement, the body block includes an optional argument oversize_handling. AWS indicates this argument will be required starting February 2023. To avoid configurations breaking when that change happens, treat the oversize_handling argument as required as soon as possible.

Example Usage

This resource is based on aws.wafv2.RuleGroup, check the documentation of the aws.wafv2.RuleGroup resource to see examples of the various available statements.

Managed Rule

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new WebAcl("example", WebAclArgs.builder()
            .defaultAction(WebAclDefaultActionArgs.builder()
                .allow()
                .build())
            .description("Example of a managed rule.")
            .rules(WebAclRuleArgs.builder()
                .name("rule-1")
                .overrideAction(WebAclRuleOverrideActionArgs.builder()
                    .count()
                    .build())
                .priority(1)
                .statement(WebAclRuleStatementArgs.builder()
                    .managedRuleGroupStatement(WebAclRuleStatementManagedRuleGroupStatementArgs.builder()
                        .name("AWSManagedRulesCommonRuleSet")
                        .ruleActionOverride(
                            %!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference),
                            %!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .scopeDownStatement(WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementArgs.builder()
                            .geoMatchStatement(WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementArgs.builder()
                                .countryCodes(
                                    "US",
                                    "NL")
                                .build())
                            .build())
                        .vendorName("AWS")
                        .build())
                    .build())
                .tokenDomains(
                    "mywebsite.com",
                    "myotherwebsite.com")
                .visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
                    .cloudwatchMetricsEnabled(false)
                    .metricName("friendly-rule-metric-name")
                    .sampledRequestsEnabled(false)
                    .build())
                .build())
            .scope("REGIONAL")
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .visibilityConfig(WebAclVisibilityConfigArgs.builder()
                .cloudwatchMetricsEnabled(false)
                .metricName("friendly-metric-name")
                .sampledRequestsEnabled(false)
                .build())
            .build());
    }
}
Content copied to clipboard

Account Takeover Protection

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var atp_example = new WebAcl("atp-example", WebAclArgs.builder()
            .defaultAction(WebAclDefaultActionArgs.builder()
                .allow()
                .build())
            .description("Example of a managed ATP rule.")
            .rules(WebAclRuleArgs.builder()
                .name("atp-rule-1")
                .overrideAction(WebAclRuleOverrideActionArgs.builder()
                    .count()
                    .build())
                .priority(1)
                .statement(WebAclRuleStatementArgs.builder()
                    .managedRuleGroupStatement(WebAclRuleStatementManagedRuleGroupStatementArgs.builder()
                        .managedRuleGroupConfigs(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigArgs.builder()
                            .awsManagedRulesAtpRuleSet(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetArgs.builder()
                                .loginPath("/api/1/signin")
                                .requestInspection(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionArgs.builder()
                                    .passwordField(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordFieldArgs.builder()
                                        .identifier("/password")
                                        .build())
                                    .payloadType("JSON")
                                    .usernameField(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameFieldArgs.builder()
                                        .identifier("/email")
                                        .build())
                                    .build())
                                .responseInspection(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionArgs.builder()
                                    .statusCode(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCodeArgs.builder()
                                        .failureCodes("403")
                                        .successCodes("200")
                                        .build())
                                    .build())
                                .build())
                            .build())
                        .name("AWSManagedRulesATPRuleSet")
                        .vendorName("AWS")
                        .build())
                    .build())
                .visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
                    .cloudwatchMetricsEnabled(false)
                    .metricName("friendly-rule-metric-name")
                    .sampledRequestsEnabled(false)
                    .build())
                .build())
            .scope("CLOUDFRONT")
            .visibilityConfig(WebAclVisibilityConfigArgs.builder()
                .cloudwatchMetricsEnabled(false)
                .metricName("friendly-metric-name")
                .sampledRequestsEnabled(false)
                .build())
            .build());
    }
}
Content copied to clipboard

Rate Based

Rate-limit US and NL-based clients to 10,000 requests for every 5 minutes.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleActionBlockArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementScopeDownStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new WebAcl("example", WebAclArgs.builder()
            .defaultAction(WebAclDefaultActionArgs.builder()
                .allow()
                .build())
            .description("Example of a Cloudfront rate based statement.")
            .rules(WebAclRuleArgs.builder()
                .action(WebAclRuleActionArgs.builder()
                    .block()
                    .build())
                .name("rule-1")
                .priority(1)
                .statement(WebAclRuleStatementArgs.builder()
                    .rateBasedStatement(WebAclRuleStatementRateBasedStatementArgs.builder()
                        .aggregateKeyType("IP")
                        .limit(10000)
                        .scopeDownStatement(WebAclRuleStatementRateBasedStatementScopeDownStatementArgs.builder()
                            .geoMatchStatement(WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementArgs.builder()
                                .countryCodes(
                                    "US",
                                    "NL")
                                .build())
                            .build())
                        .build())
                    .build())
                .visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
                    .cloudwatchMetricsEnabled(false)
                    .metricName("friendly-rule-metric-name")
                    .sampledRequestsEnabled(false)
                    .build())
                .build())
            .scope("CLOUDFRONT")
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .visibilityConfig(WebAclVisibilityConfigArgs.builder()
                .cloudwatchMetricsEnabled(false)
                .metricName("friendly-metric-name")
                .sampledRequestsEnabled(false)
                .build())
            .build());
    }
}
Content copied to clipboard

Rule Group Reference

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.RuleGroup;
import com.pulumi.aws.wafv2.RuleGroupArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionCountArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupVisibilityConfigArgs;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionBlockArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRuleGroupReferenceStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(10)
            .scope("REGIONAL")
            .rules(
                RuleGroupRuleArgs.builder()
                    .name("rule-1")
                    .priority(1)
                    .action(RuleGroupRuleActionArgs.builder()
                        .count()
                        .build())
                    .statement(RuleGroupRuleStatementArgs.builder()
                        .geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
                            .countryCodes("NL")
                            .build())
                        .build())
                    .visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
                        .cloudwatchMetricsEnabled(false)
                        .metricName("friendly-rule-metric-name")
                        .sampledRequestsEnabled(false)
                        .build())
                    .build(),
                RuleGroupRuleArgs.builder()
                    .name("rule-to-exclude-a")
                    .priority(10)
                    .action(RuleGroupRuleActionArgs.builder()
                        .allow()
                        .build())
                    .statement(RuleGroupRuleStatementArgs.builder()
                        .geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
                            .countryCodes("US")
                            .build())
                        .build())
                    .visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
                        .cloudwatchMetricsEnabled(false)
                        .metricName("friendly-rule-metric-name")
                        .sampledRequestsEnabled(false)
                        .build())
                    .build(),
                RuleGroupRuleArgs.builder()
                    .name("rule-to-exclude-b")
                    .priority(15)
                    .action(RuleGroupRuleActionArgs.builder()
                        .allow()
                        .build())
                    .statement(RuleGroupRuleStatementArgs.builder()
                        .geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
                            .countryCodes("GB")
                            .build())
                        .build())
                    .visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
                        .cloudwatchMetricsEnabled(false)
                        .metricName("friendly-rule-metric-name")
                        .sampledRequestsEnabled(false)
                        .build())
                    .build())
            .visibilityConfig(RuleGroupVisibilityConfigArgs.builder()
                .cloudwatchMetricsEnabled(false)
                .metricName("friendly-metric-name")
                .sampledRequestsEnabled(false)
                .build())
            .build());
        var test = new WebAcl("test", WebAclArgs.builder()
            .scope("REGIONAL")
            .defaultAction(WebAclDefaultActionArgs.builder()
                .block()
                .build())
            .rules(WebAclRuleArgs.builder()
                .name("rule-1")
                .priority(1)
                .overrideAction(WebAclRuleOverrideActionArgs.builder()
                    .count()
                    .build())
                .statement(WebAclRuleStatementArgs.builder()
                    .ruleGroupReferenceStatement(WebAclRuleStatementRuleGroupReferenceStatementArgs.builder()
                        .arn(example.arn())
                        .excludedRules(
                            WebAclRuleStatementRuleGroupReferenceStatementExcludedRuleArgs.builder()
                                .name("rule-to-exclude-b")
                                .build(),
                            WebAclRuleStatementRuleGroupReferenceStatementExcludedRuleArgs.builder()
                                .name("rule-to-exclude-a")
                                .build())
                        .build())
                    .build())
                .visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
                    .cloudwatchMetricsEnabled(false)
                    .metricName("friendly-rule-metric-name")
                    .sampledRequestsEnabled(false)
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .visibilityConfig(WebAclVisibilityConfigArgs.builder()
                .cloudwatchMetricsEnabled(false)
                .metricName("friendly-metric-name")
                .sampledRequestsEnabled(false)
                .build())
            .build());
    }
}
Content copied to clipboard

Import

WAFv2 Web ACLs can be imported using ID/Name/Scope e.g.,

$ pulumi import aws:wafv2/webAcl:WebAcl example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL
Content copied to clipboard

Constructors

Link copied to clipboard
fun WebAclArgs(captchaConfig: Output<WebAclCaptchaConfigArgs>? = null, customResponseBodies: Output<List<WebAclCustomResponseBodyArgs>>? = null, defaultAction: Output<WebAclDefaultActionArgs>? = null, description: Output<String>? = null, name: Output<String>? = null, rules: Output<List<WebAclRuleArgs>>? = null, scope: Output<String>? = null, tags: Output<Map<String, String>>? = null, tokenDomains: Output<List<String>>? = null, visibilityConfig: Output<WebAclVisibilityConfigArgs>? = null)

Functions

Link copied to clipboard
open override fun toJava(): WebAclArgs

Properties

Link copied to clipboard
val captchaConfig: Output<WebAclCaptchaConfigArgs>? = null

Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details.

Link copied to clipboard
val customResponseBodies: Output<List<WebAclCustomResponseBodyArgs>>? = null

Defines custom response bodies that can be referenced by custom_response actions. See custom_response_body below for details.

Link copied to clipboard
val defaultAction: Output<WebAclDefaultActionArgs>? = null

Action to perform if none of the rules contained in the WebACL match. See default_ action below for details.

Link copied to clipboard
val description: Output<String>? = null

Friendly description of the WebACL.

Link copied to clipboard
val name: Output<String>? = null

Friendly name of the WebACL.

Link copied to clipboard
val rules: Output<List<WebAclRuleArgs>>? = null

Rule blocks used to identify the web requests that you want to allow, block, or count. See rule below for details.

Link copied to clipboard
val scope: Output<String>? = null

Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.

Link copied to clipboard
val tags: Output<Map<String, String>>? = null

Map of key-value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Link copied to clipboard
val tokenDomains: Output<List<String>>? = null

Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.

Link copied to clipboard
val visibilityConfig: Output<WebAclVisibilityConfigArgs>? = null

Defines and enables Amazon CloudWatch metrics and web request sample collection. See visibility_config below for details.