Web
data class WebAclArgs(val captchaConfig: Output<WebAclCaptchaConfigArgs>? = null, val customResponseBodies: Output<List<WebAclCustomResponseBodyArgs>>? = null, val defaultAction: Output<WebAclDefaultActionArgs>? = null, val description: Output<String>? = null, val name: Output<String>? = null, val rules: Output<List<WebAclRuleArgs>>? = null, val scope: Output<String>? = null, val tags: Output<Map<String, String>>? = null, val tokenDomains: Output<List<String>>? = null, val visibilityConfig: Output<WebAclVisibilityConfigArgs>? = null) : ConvertibleToJava<WebAclArgs>
Creates a WAFv2 Web ACL resource.
Note: In
field_to_matchblocks, e.g., inbyte_match_statement, thebodyblock includes an optional argumentoversize_handling. AWS indicates this argument will be required starting February 2023. To avoid configurations breaking when that change happens, treat theoversize_handlingargument as required as soon as possible.
Example Usage
This resource is based on aws.wafv2.RuleGroup, check the documentation of the aws.wafv2.RuleGroup resource to see examples of the various available statements.
Managed Rule
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.defaultAction(WebAclDefaultActionArgs.builder()
.allow()
.build())
.description("Example of a managed rule.")
.rules(WebAclRuleArgs.builder()
.name("rule-1")
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.count()
.build())
.priority(1)
.statement(WebAclRuleStatementArgs.builder()
.managedRuleGroupStatement(WebAclRuleStatementManagedRuleGroupStatementArgs.builder()
.name("AWSManagedRulesCommonRuleSet")
.ruleActionOverride(
%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference),
%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.scopeDownStatement(WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementArgs.builder()
.geoMatchStatement(WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementArgs.builder()
.countryCodes(
"US",
"NL")
.build())
.build())
.vendorName("AWS")
.build())
.build())
.tokenDomains(
"mywebsite.com",
"myotherwebsite.com")
.visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build())
.scope("REGIONAL")
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.visibilityConfig(WebAclVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-metric-name")
.sampledRequestsEnabled(false)
.build())
.build());
}
}Content copied to clipboard
Account Takeover Protection
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var atp_example = new WebAcl("atp-example", WebAclArgs.builder()
.defaultAction(WebAclDefaultActionArgs.builder()
.allow()
.build())
.description("Example of a managed ATP rule.")
.rules(WebAclRuleArgs.builder()
.name("atp-rule-1")
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.count()
.build())
.priority(1)
.statement(WebAclRuleStatementArgs.builder()
.managedRuleGroupStatement(WebAclRuleStatementManagedRuleGroupStatementArgs.builder()
.managedRuleGroupConfigs(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigArgs.builder()
.awsManagedRulesAtpRuleSet(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetArgs.builder()
.loginPath("/api/1/signin")
.requestInspection(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionArgs.builder()
.passwordField(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordFieldArgs.builder()
.identifier("/password")
.build())
.payloadType("JSON")
.usernameField(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameFieldArgs.builder()
.identifier("/email")
.build())
.build())
.responseInspection(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionArgs.builder()
.statusCode(WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCodeArgs.builder()
.failureCodes("403")
.successCodes("200")
.build())
.build())
.build())
.build())
.name("AWSManagedRulesATPRuleSet")
.vendorName("AWS")
.build())
.build())
.visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build())
.scope("CLOUDFRONT")
.visibilityConfig(WebAclVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-metric-name")
.sampledRequestsEnabled(false)
.build())
.build());
}
}Content copied to clipboard
Rate Based
Rate-limit US and NL-based clients to 10,000 requests for every 5 minutes.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleActionBlockArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementScopeDownStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.defaultAction(WebAclDefaultActionArgs.builder()
.allow()
.build())
.description("Example of a Cloudfront rate based statement.")
.rules(WebAclRuleArgs.builder()
.action(WebAclRuleActionArgs.builder()
.block()
.build())
.name("rule-1")
.priority(1)
.statement(WebAclRuleStatementArgs.builder()
.rateBasedStatement(WebAclRuleStatementRateBasedStatementArgs.builder()
.aggregateKeyType("IP")
.limit(10000)
.scopeDownStatement(WebAclRuleStatementRateBasedStatementScopeDownStatementArgs.builder()
.geoMatchStatement(WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementArgs.builder()
.countryCodes(
"US",
"NL")
.build())
.build())
.build())
.build())
.visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build())
.scope("CLOUDFRONT")
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.visibilityConfig(WebAclVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-metric-name")
.sampledRequestsEnabled(false)
.build())
.build());
}
}Content copied to clipboard
Rule Group Reference
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.RuleGroup;
import com.pulumi.aws.wafv2.RuleGroupArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionCountArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleStatementGeoMatchStatementArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupRuleActionAllowArgs;
import com.pulumi.aws.wafv2.inputs.RuleGroupVisibilityConfigArgs;
import com.pulumi.aws.wafv2.WebAcl;
import com.pulumi.aws.wafv2.WebAclArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionBlockArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionCountArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementRuleGroupReferenceStatementArgs;
import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(10)
.scope("REGIONAL")
.rules(
RuleGroupRuleArgs.builder()
.name("rule-1")
.priority(1)
.action(RuleGroupRuleActionArgs.builder()
.count()
.build())
.statement(RuleGroupRuleStatementArgs.builder()
.geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
.countryCodes("NL")
.build())
.build())
.visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build(),
RuleGroupRuleArgs.builder()
.name("rule-to-exclude-a")
.priority(10)
.action(RuleGroupRuleActionArgs.builder()
.allow()
.build())
.statement(RuleGroupRuleStatementArgs.builder()
.geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
.countryCodes("US")
.build())
.build())
.visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build(),
RuleGroupRuleArgs.builder()
.name("rule-to-exclude-b")
.priority(15)
.action(RuleGroupRuleActionArgs.builder()
.allow()
.build())
.statement(RuleGroupRuleStatementArgs.builder()
.geoMatchStatement(RuleGroupRuleStatementGeoMatchStatementArgs.builder()
.countryCodes("GB")
.build())
.build())
.visibilityConfig(RuleGroupRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build())
.visibilityConfig(RuleGroupVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-metric-name")
.sampledRequestsEnabled(false)
.build())
.build());
var test = new WebAcl("test", WebAclArgs.builder()
.scope("REGIONAL")
.defaultAction(WebAclDefaultActionArgs.builder()
.block()
.build())
.rules(WebAclRuleArgs.builder()
.name("rule-1")
.priority(1)
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.count()
.build())
.statement(WebAclRuleStatementArgs.builder()
.ruleGroupReferenceStatement(WebAclRuleStatementRuleGroupReferenceStatementArgs.builder()
.arn(example.arn())
.excludedRules(
WebAclRuleStatementRuleGroupReferenceStatementExcludedRuleArgs.builder()
.name("rule-to-exclude-b")
.build(),
WebAclRuleStatementRuleGroupReferenceStatementExcludedRuleArgs.builder()
.name("rule-to-exclude-a")
.build())
.build())
.build())
.visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-rule-metric-name")
.sampledRequestsEnabled(false)
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.visibilityConfig(WebAclVisibilityConfigArgs.builder()
.cloudwatchMetricsEnabled(false)
.metricName("friendly-metric-name")
.sampledRequestsEnabled(false)
.build())
.build());
}
}Content copied to clipboard
Import
WAFv2 Web ACLs can be imported using ID/Name/Scope e.g.,
$ pulumi import aws:wafv2/webAcl:WebAcl example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONALContent copied to clipboard
Constructors
Link copied to clipboard
constructor(captchaConfig: Output<WebAclCaptchaConfigArgs>? = null, customResponseBodies: Output<List<WebAclCustomResponseBodyArgs>>? = null, defaultAction: Output<WebAclDefaultActionArgs>? = null, description: Output<String>? = null, name: Output<String>? = null, rules: Output<List<WebAclRuleArgs>>? = null, scope: Output<String>? = null, tags: Output<Map<String, String>>? = null, tokenDomains: Output<List<String>>? = null, visibilityConfig: Output<WebAclVisibilityConfigArgs>? = null)
Properties
Link copied to clipboard
Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details.
Link copied to clipboard
Defines custom response bodies that can be referenced by custom_response actions. See custom_response_body below for details.
Link copied to clipboard
Action to perform if none of the rules contained in the WebACL match. See default_ action below for details.
Link copied to clipboard
Friendly description of the WebACL.
Link copied to clipboard
Rule blocks used to identify the web requests that you want to allow, block, or count. See rule below for details.
Link copied to clipboard
Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
Link copied to clipboard
Defines and enables Amazon CloudWatch metrics and web request sample collection. See visibility_config below for details.