Creates a WAFv2 Rule Group resource.
resource "aws_wafv2_rule_group" "example" {
name = "example-rule"
scope = "REGIONAL"
capacity = 2
rule {
name = "rule-1"
priority = 1
action {
allow {}
}
statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
resource "aws_wafv2_ip_set" "test" {
name = "test"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = ["1.1.1.1/32", "2.2.2.2/32"]
}
resource "aws_wafv2_regex_pattern_set" "test" {
name = "test"
scope = "REGIONAL"
regular_expression {
regex_string = "one"
}
}
resource "aws_wafv2_rule_group" "example" {
name = "complex-example"
description = "An rule group containing all statements"
scope = "REGIONAL"
capacity = 500
rule {
name = "rule-1"
priority = 1
action {
block {}
}
statement {
not_statement {
statement {
and_statement {
statement {
geo_match_statement {
country_codes = ["US"]
}
}
statement {
byte_match_statement {
positional_constraint = "CONTAINS"
search_string = "word"
field_to_match {
all_query_arguments {}
}
text_transformation {
priority = 5
type = "CMD_LINE"
}
text_transformation {
priority = 2
type = "LOWERCASE"
}
}
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "rule-1"
sampled_requests_enabled = false
}
}
rule {
name = "rule-2"
priority = 2
action {
count {}
}
statement {
or_statement {
statement {
regex_match_statement {
regex_string = "[a-z]([a-z0-9_-]*[a-z0-9])?"
field_to_match {
single_header {
name = "user-agent"
}
}
text_transformation {
priority = 6
type = "NONE"
}
}
}
statement {
sqli_match_statement {
field_to_match {
body {}
}
text_transformation {
priority = 5
type = "URL_DECODE"
}
text_transformation {
priority = 4
type = "HTML_ENTITY_DECODE"
}
text_transformation {
priority = 3
type = "COMPRESS_WHITE_SPACE"
}
}
}
statement {
xss_match_statement {
field_to_match {
method {}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "rule-2"
sampled_requests_enabled = false
}
captcha_config {
immunity_time_property {
immunity_time = 240
}
}
}
rule {
name = "rule-3"
priority = 3
action {
block {}
}
statement {
size_constraint_statement {
comparison_operator = "GT"
size = 100
field_to_match {
single_query_argument {
name = "username"
}
}
text_transformation {
priority = 5
type = "NONE"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "rule-3"
sampled_requests_enabled = false
}
}
rule {
name = "rule-4"
priority = 4
action {
block {}
}
statement {
or_statement {
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.test.arn
}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.test.arn
field_to_match {
single_header {
name = "referer"
}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "rule-4"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
captcha_config {
immunity_time_property {
immunity_time = 120
}
}
tags = {
Name = "example-and-statement"
Code = "123456"
}
}
This resource supports the following arguments:
capacity
- (Required, Forces new resource) The web ACL capacity units (WCUs) required for this rule group. See here for general information and here for capacity specific information.custom_response_body
- (Optional) Defines custom response bodies that can be referenced by custom_response
actions. See Custom Response Body below for details.description
- (Optional) A friendly description of the rule group.name
- (Required, Forces new resource) A friendly name of the rule group.rule
- (Optional) The rule blocks used to identify the web requests that you want to allow
, block
, or count
. See Rules below for details.scope
- (Required, Forces new resource) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT
or REGIONAL
. To work with CloudFront, you must also specify the region us-east-1
(N. Virginia) on the AWS provider.tags
- (Optional) An array of key:value pairs to associate with the resource. If configured with a provider default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.visibility_config
- (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.Each custom_response_body
block supports the following arguments:
key
- (Required) A unique key identifying the custom response body. This is referenced by the custom_response_body_key
argument in the Custom Response block.content
- (Required) The payload of the custom response.content_type
- (Required) The type of content in the payload that you are defining in the content
argument. Valid values are TEXT_PLAIN
, TEXT_HTML
, or APPLICATION_JSON
.Each rule
supports the following arguments:
action
- (Required) The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the aws_wafv2_web_acl
level can override the rule action setting. See Action below for details.captcha_config
- (Optional) Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details.name
- (Required, Forces new resource) A friendly name of the rule.priority
- (Required) If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the rules
in order based on the value of priority
. AWS WAF processes rules with lower priority first.rule_label
- (Optional) Labels to apply to web requests that match the rule match statement. See Rule Label below for details.statement
- (Required) The AWS WAF processing statement for the rule, for example byte_match_statement
or geo_match_statement
. See Statement below for details.visibility_config
- (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.The action
block supports the following arguments:
allow
- (Optional) Instructs AWS WAF to allow the web request. See Allow below for details.block
- (Optional) Instructs AWS WAF to block the web request. See Block below for details.captcha
- (Optional) Instructs AWS WAF to run a CAPTCHA
check against the web request. See Captcha below for details.challenge
- (Optional) Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See Challenge below for details.count
- (Optional) Instructs AWS WAF to count the web request and allow it. See Count below for details.The allow
block supports the following arguments:
custom_request_handling
- (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.The block
block supports the following arguments:
custom_response
- (Optional) Defines a custom response for the web request. See Custom Response below for details.The captcha
block supports the following arguments:
custom_request_handling
- (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.The challenge
block supports the following arguments:
custom_request_handling
- (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.The count
block supports the following arguments:
custom_request_handling
- (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.The custom_request_handling
block supports the following arguments:
insert_header
- (Required) The insert_header
blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.The custom_response
block supports the following arguments:
custom_response_body_key
- (Optional) References the response body that you want AWS WAF to return to the web request client. This must reference a key
defined in a custom_response_body
block of this resource.response_code
- (Required) The HTTP status code to return to the client.response_header
- (Optional) The response_header
blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details.Each block supports the following arguments. Duplicate header names are not allowed:
name
- The name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, AWS WAF inserts the header x-amzn-waf-sample
.value
- The value of the custom header.Each block supports the following arguments:
name
- The label string.The processing guidance for a Rule, used by AWS WAF to determine whether a web request matches the rule. See the documentation for more information.
The statement
block supports the following arguments:
and_statement
- (Optional) A logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details.byte_match_statement
- (Optional) A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details.geo_match_statement
- (Optional) A rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details.label_match_statement
- (Optional) A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details.ip_set_reference_statement
- (Optional) A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details.not_statement
- (Optional) A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details.or_statement
- (Optional) A logical rule statement used to combine other rule statements with OR logic. See OR Statement below for details.rate_based_statement
- (Optional) A rate-based rule tracks the rate of requests for each originating IP address
, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute
time span. This statement can not be nested. See Rate Based Statement below for details.regex_match_statement
- (Optional) A rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details.regex_pattern_set_reference_statement
- (Optional) A rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details.size_constraint_statement
- (Optional) A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See Size Constraint Statement below for more details.sqli_match_statement
- (Optional) An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details.xss_match_statement
- (Optional) A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details.A logical rule statement used to combine other rule statements with AND
logic. You provide more than one statement
within the and_statement
.
The and_statement
block supports the following arguments:
statement
- (Required) The statements to combine with AND
logic. You can use any statements that can be nested. See Statement above for details.The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters.
The byte_match_statement
block supports the following arguments:
field_to_match
- (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.positional_constraint
- (Required) The area within the portion of a web request that you want AWS WAF to search for search_string
. Valid values include the following: EXACTLY
, STARTS_WITH
, ENDS_WITH
, CONTAINS
, CONTAINS_WORD
. See the AWS documentation for more information.search_string
- (Required) A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field_to_match
. The maximum length of the value is 50 bytes.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.The geo_match_statement
block supports the following arguments:
country_codes
- (Required) An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the ISO 3166
international standard. See the documentation for valid values.forwarded_ip_config
- (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details.The label_match_statement
block supports the following arguments:
scope
- (Required) Specify whether you want to match using the label name or just the namespace. Valid values are LABEL
or NAMESPACE
.key
- (Required) The string to match against.A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an aws_wafv2_ip_set
that specifies the addresses you want to detect, then use the ARN
of that set in this statement.
The ip_set_reference_statement
block supports the following arguments:
arn
- (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references.ip_set_forwarded_ip_config
- (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details.A logical rule statement used to negate the results of another rule statement. You provide one statement
within the not_statement
.
The not_statement
block supports the following arguments:
statement
- (Required) The statement to negate. You can use any statement that can be nested. See Statement above for details.A logical rule statement used to combine other rule statements with OR
logic. You provide more than one statement
within the or_statement
.
The or_statement
block supports the following arguments:
statement
- (Required) The statements to combine with OR
logic. You can use any statements that can be nested. See Statement above for details.A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests. See the documentation for more information.
You can't nest a rate_based_statement
, for example for use inside a not_statement
or or_statement
. It can only be referenced as a top-level
statement within a rule
.
The rate_based_statement
block supports the following arguments:
aggregate_key_type
- (Optional) Setting that indicates how to aggregate the request counts. Valid values include: CONSTANT
, CUSTOM_KEYS
, FORWARDED_IP
or IP
. Default: IP
.custom_key
- (Optional) Aggregate the request counts using one or more web request components as the aggregate keys. See custom_key
below for details.evaluation_window_sec
- (Optional) The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are 60
, 120
, 300
, and 600
. Defaults to 300
(5 minutes).
NOTE: This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.
forwarded_ip_config
- (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If aggregate_key_type
is set to FORWARDED_IP
, this block is required. See Forwarded IP Config below for details.limit
- (Required) The limit on requests per 5-minute period for a single originating IP address.scope_down_statement
- (Optional) An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details. If aggregate_key_type
is set to CONSTANT
, this block is required.A rule statement used to search web request components for a match against a single regular expression.
The regex_match_statement
block supports the following arguments:
regex_string
- (Required) The string representing the regular expression. Note: The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See AWS WAF quotas for details.field_to_match
- (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.A rule statement used to search web request components for matches with regular expressions. To use this, create a aws_wafv2_regex_pattern_set
that specifies the expressions that you want to detect, then use the ARN
of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.
The regex_pattern_set_reference_statement
block supports the following arguments:
arn
- (Required) The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.field_to_match
- (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component. AWS WAFv2 inspects up to the first 8192 bytes (8 KB) of a request body, and when inspecting the request URI Path, the slash /
in
the URI counts as one character.
The size_constraint_statement
block supports the following arguments:
comparison_operator
- (Required) The operator to use to compare the request part to the size setting. Valid values include: EQ
, NE
, LE
, LT
, GE
, or GT
.field_to_match
- (Optional) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.size
- (Required) The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code.
The sqli_match_statement
block supports the following arguments:
field_to_match
- (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.The XSS match statement provides the location in requests that you want AWS WAF to search and text transformations to use on the search area before AWS WAF searches for character sequences that are likely to be malicious strings.
The xss_match_statement
block supports the following arguments:
field_to_match
- (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.text_transformation
- (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
At least one required.
See Text Transformation below for details.The part of a web request that you want AWS WAF to inspect. Include the single field_to_match
type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in field_to_match
for each rule statement that requires it. To inspect more than one component of a web request, create a separate rule statement for each component. See the documentation for more details.
The field_to_match
block supports the following arguments:
all_query_arguments
- (Optional) Inspect all query arguments.body
- (Optional) Inspect the request body, which immediately follows the request headers.cookies
- (Optional) Inspect the cookies in the web request. See Cookies below for details.header_order
- (Optional) Inspect the request headers. See Header Order below for details.headers
- (Optional) Inspect the request headers. See Headers below for details.json_body
- (Optional) Inspect the request body as JSON. See JSON Body for details.method
- (Optional) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.query_string
- (Optional) Inspect the query string. This is the part of a URL that appears after a ?
character, if any.single_header
- (Optional) Inspect a single header. See Single Header below for details.single_query_argument
- (Optional) Inspect a single query argument. See Single Query Argument below for details.uri_path
- (Optional) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg
.The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. If the specified header isn't present in the request, AWS WAFv2 doesn't apply the rule to the web request at all. AWS WAFv2 only evaluates the first IP address found in the specified HTTP header.
The forwarded_ip_config
block supports the following arguments:
fallback_behavior
- (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: MATCH
or NO_MATCH
.header_name
- (Required) - The name of the HTTP header to use for the IP address.The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.
The ip_set_forwarded_ip_config
block supports the following arguments:
fallback_behavior
- (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: MATCH
or NO_MATCH
.header_name
- (Required) - The name of the HTTP header to use for the IP address.position
- (Required) - The position in the header to search for the IP address. Valid values include: FIRST
, LAST
, or ANY
. If ANY
is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. AWS WAF generates the string and then uses that as the field to match component in its inspection. AWS WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
The header_order
block supports the following arguments:
oversize_handling
- (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: CONTINUE
, MATCH
, NO_MATCH
. See the AWS documentation for more information.Inspect the request headers.
The headers
block supports the following arguments:
match_pattern
- (Required) The filter to use to identify the subset of headers to inspect in a web request. The match_pattern
block supports only one of the following arguments:
all
- An empty configuration block that is used for inspecting all headers.included_headers
- An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.excluded_headers
- An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.match_scope
- (Required) The parts of the headers to inspect with the rule inspection criteria. If you specify All
, AWS WAF inspects both keys and values. Valid values include the following: ALL
, Key
, Value
.oversize_handling
- (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: CONTINUE
, MATCH
, NO_MATCH
. See the AWS documentation for more information.The json_body
block supports the following arguments:
invalid_fallback_behavior
- (Optional) What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are EVALUATE_AS_STRING
, MATCH
and NO_MATCH
.match_pattern
- (Required) The patterns to look for in the JSON body. You must specify exactly one setting: either all
or included_paths
. See JsonMatchPattern for details.match_scope
- (Required) The parts of the JSON to match against using the match_pattern
. Valid values are ALL
, KEY
and VALUE
.oversize_handling
- (Optional) What to do if the body is larger than can be inspected. Valid values are CONTINUE
(default), MATCH
and NO_MATCH
.Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
(provided as lowercase strings).
The single_header
block supports the following arguments:
name
- (Optional) The name of the query header to inspect. This setting must be provided as lower case characters.Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName
or SalesRegion
(provided as lowercase strings).
The single_query_argument
block supports the following arguments:
name
- (Optional) The name of the query header to inspect. This setting must be provided as lower case characters.Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the FieldToMatch specification.
The cookies
block supports the following arguments:
match_pattern
- (Required) The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either all
, included_cookies
or excluded_cookies
. More details: CookieMatchPatternmatch_scope
- (Required) The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: ALL
, KEY
, VALUE
oversize_handling
- (Required) What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: CONTINUE
, MATCH
, NO_MATCH
The text_transformation
block supports the following arguments:
priority
- (Required) The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.type
- (Required) The transformation to apply, please refer to the Text Transformation documentation for more details.The visibility_config
block supports the following arguments:
cloudwatch_metrics_enabled
- (Required) A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see AWS WAF Metrics.metric_name
- (Required, Forces new resource) A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example All
and Default_Action
.sampled_requests_enabled
- (Required) A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.The captcha_config
block supports the following arguments:
immunity_time_property
- (Optional) Defines custom immunity time. See Immunity Time Property below for details.The immunity_time_property
block supports the following arguments:
immunity_time
- (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.This resource exports the following attributes in addition to the arguments above:
id
- The ID of the WAF rule group.arn
- The ARN of the WAF rule group.tags_all
- A map of tags assigned to the resource, including those inherited from the provider default_tags
configuration block.custom_key
BlockAggregate the request counts using one or more web request components as the aggregate keys. With this option, you must specify the aggregate keys in the custom_keys
block. To aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate_key_type
to IP
or FORWARDED_IP
.
The custom_key
block supports the following arguments:
cookie
- (Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit cookie
below for details.forwarded_ip
- (Optional) Use the first IP address in an HTTP header as an aggregate key. See forwarded_ip
below for details.http_method
- (Optional) Use the request's HTTP method as an aggregate key. See RateLimit http_method
below for details.header
- (Optional) Use the value of a header in the request as an aggregate key. See RateLimit header
below for details.ip
- (Optional) Use the request's originating IP address as an aggregate key. See RateLimit ip
below for details.label_namespace
- (Optional) Use the specified label namespace as an aggregate key. See RateLimit label_namespace
below for details.query_argument
- (Optional) Use the specified query argument as an aggregate key. See RateLimit query_argument
below for details.query_string
- (Optional) Use the request's query string as an aggregate key. See RateLimit query_string
below for details.uri_path
- (Optional) Use the request's URI path as an aggregate key. See RateLimit uri_path
below for details.cookie
BlockUse the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.
The cookie
block supports the following arguments:
name
: The name of the cookie to use.text_transformation
: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.forwarded_ip
BlockUse the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance. When you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP
in your rate-based statement's aggregate_key_type
. With this option, you must specify the header to use in the rate-based rule's Forwarded IP Config block.
The forwarded_ip
block is configured as an empty block {}
.
http_method
BlockUse the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.
The http_method
block is configured as an empty block {}
.
header
BlockUse the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.
The header
block supports the following arguments:
name
: The name of the header to use.text_transformation
: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.ip
BlockUse the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance. When you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying IP
in your rate-based statement's aggregate_key_type
.
The ip
block is configured as an empty block {}
.
label_namespace
BlockUse the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance. This uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL. For information about label namespaces and names, see Label syntax and naming requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the WAF Developer Guide.
The label_namespace
block supports the following arguments:
namespace
: The namespace to use for aggregationquery_argument
BlockUse the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.
The query_argument
block supports the following arguments:
name
: The name of the query argument to use.text_transformation
: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.query_string
BlockUse the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.
The query_string
block supports the following arguments:
text_transformation
: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.uri_path
BlockUse the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.
The uri_path
block supports the following arguments:
text_transformation
: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.In Terraform v1.5.0 and later, use an import
block to import WAFv2 Rule Group using ID/name/scope
. For example:
import {
to = aws_wafv2_rule_group.example
id = "a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL"
}
Using terraform import
, import WAFv2 Rule Group using ID/name/scope
. For example:
% terraform import aws_wafv2_rule_group.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL