Use this data source to get Fastly's WAF rules: a set of third-party rules from the OWASP Core Ruleset, commercial sources, and open source, in addition to Fastly-generated rules. They offer protection from injection attacks and cross-site scripting, amongst other key application-layer attacks.
Usage with publishers filter:

```hcl
data "fastly_waf_rules" "owasp" {
  publishers = ["owasp"]
}
```
Usage with tags filter:

```hcl
data "fastly_waf_rules" "tag" {
  tags = ["language-html", "language-jsp"]
}
```
Usage with exclude filter:

```hcl
data "fastly_waf_rules" "owasp_with_exclusions" {
  publishers              = ["owasp"]
  exclude_modsec_rule_ids = [1010090]
}
```
Usage without filters:

```hcl
data "fastly_waf_rules" "all" {
  # This will retrieve the entire list of rules available from the API at the time.
}
```
Usage with WAF configuration resource:

```hcl
variable "type_status" {
  type = map(string)
  default = {
    score     = "score"
    threshold = "log"
    strict    = "log"
  }
}

resource "fastly_service_vcl" "demo" {
  name = "demofastly"

  domain {
    name    = "example.com"
    comment = "demo"
  }

  backend {
    address = "127.0.0.1"
    name    = "origin1"
    port    = 80
  }

  condition {
    name      = "WAF_Prefetch"
    type      = "PREFETCH"
    statement = "req.backend.is_origin"
  }

  # This condition will always be false;
  # adding it to the response object created below
  # prevents Fastly from returning a 403 on all of your traffic.
  condition {
    name      = "WAF_always_false"
    statement = "false"
    type      = "REQUEST"
  }

  response_object {
    name              = "WAF_Response"
    status            = "403"
    response          = "Forbidden"
    content_type      = "text/html"
    content           = "<html><body>Forbidden</body></html>"
    request_condition = "WAF_always_false"
  }

  waf {
    prefetch_condition = "WAF_Prefetch"
    response_object    = "WAF_Response"
  }

  force_destroy = true
}

data "fastly_waf_rules" "owasp" {
  publishers = ["owasp"]
}

resource "fastly_service_waf_configuration" "waf" {
  waf_id                         = fastly_service_vcl.demo.waf[0].waf_id
  http_violation_score_threshold = 100

  dynamic "rule" {
    for_each = data.fastly_waf_rules.owasp.rules
    content {
      modsec_rule_id = rule.value.modsec_rule_id
      revision       = rule.value.latest_revision_number
      status         = lookup(var.type_status, rule.value.type, "log")
    }
  }
}
```
Argument Reference:

- `publishers` - Inclusion filter by WAF rule's publishers.
- `tags` - Inclusion filter by WAF rule's tags.
- `exclude_modsec_rule_ids` - Exclusion filter by WAF rule's ModSecurity ID.

Attributes Reference:

- `rules` - The Web Application Firewall's rules result set.

The `rules` block supports:

- `modsec_rule_id` - The rule's ModSecurity ID.
- `latest_revision_number` - The rule's latest revision.
- `type` - The rule's type.

Schema

Optional:

- `exclude_modsec_rule_ids` (List of Number) A list of ModSecurity rule IDs to be excluded from the data set.
- `modsec_rule_ids` (List of Number) A list of ModSecurity rule IDs to be used as filters for the data set.
- `publishers` (List of String) A list of publishers to be used as filters for the data set.
- `tags` (List of String) A list of tags to be used as filters for the data set.

Read-Only:

- `id` (String) The ID of this resource.
- `rules` (List of Object) The list of rules that results from any given combination of filters. (see below for nested schema)

Nested Schema for `rules`

Read-Only:

- `latest_revision_number` (Number)
- `modsec_rule_id` (Number)
- `type` (String)