oci_waas_waas_policy

This resource provides the Waas Policy resource in Oracle Cloud Infrastructure Web Application Acceleration and Security service.

Creates a new Web Application Acceleration and Security (WAAS) policy in the specified compartment. A WAAS policy must be established before creating Web Application Firewall (WAF) rules. To use WAF rules, your web application's origin servers must be defined in the WaasPolicy schema.

A domain name must be specified when creating a WAAS policy. The domain name should be different from the origins specified in your WaasPolicy. Once the domain name is entered and stored, it cannot be changed.

Use the record data returned in the cname field of the WaasPolicy object to create a CNAME record in your DNS configuration that will direct your domain's traffic through the WAF.

For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.

You must specify a display name and domain for the WAAS policy. The display name does not have to be unique and can be changed. The domain name should be different from every origin specified in WaasPolicy.

All Oracle Cloud Infrastructure resources, including WAAS policies, receive a unique, Oracle-assigned ID called an Oracle Cloud Identifier (OCID). When a resource is created, you can find its OCID in the response. You can also retrieve a resource's OCID by using a list API operation for that resource type, or by viewing the resource in the Console. For more information, see Resource Identifiers.

Note: After sending the POST request, the new object's state will temporarily be CREATING. Ensure that the resource's state has changed to ACTIVE before use.

Example Usage

resource "oci_waas_waas_policy" "test_waas_policy" {
    #Required
    compartment_id = var.compartment_id
    domain = var.waas_policy_domain

    #Optional
    additional_domains = var.waas_policy_additional_domains
    defined_tags = {"Operations.CostCenter"= "42"}
    display_name = var.waas_policy_display_name
    freeform_tags = {"Department"= "Finance"}
    origin_groups {

        #Optional
        origins = var.waas_policy_origin_groups_origins
    }
    origins {
        #Required
        uri = var.waas_policy_origins_uri

        #Optional
        custom_headers {
            #Required
            name = var.waas_policy_origins_custom_headers_name
            value = var.waas_policy_origins_custom_headers_value
        }
        http_port = var.waas_policy_origins_http_port
        https_port = var.waas_policy_origins_https_port
    }
    policy_config {

        #Optional
        certificate_id = oci_waas_certificate.test_certificate.id
        cipher_group = var.waas_policy_policy_config_cipher_group
        client_address_header = var.waas_policy_policy_config_client_address_header
        health_checks {

            #Optional
            expected_response_code_group = var.waas_policy_policy_config_health_checks_expected_response_code_group
            expected_response_text = var.waas_policy_policy_config_health_checks_expected_response_text
            headers = var.waas_policy_policy_config_health_checks_headers
            healthy_threshold = var.waas_policy_policy_config_health_checks_healthy_threshold
            interval_in_seconds = var.waas_policy_policy_config_health_checks_interval_in_seconds
            is_enabled = var.waas_policy_policy_config_health_checks_is_enabled
            is_response_text_check_enabled = var.waas_policy_policy_config_health_checks_is_response_text_check_enabled
            method = var.waas_policy_policy_config_health_checks_method
            path = var.waas_policy_policy_config_health_checks_path
            timeout_in_seconds = var.waas_policy_policy_config_health_checks_timeout_in_seconds
            unhealthy_threshold = var.waas_policy_policy_config_health_checks_unhealthy_threshold
        }
        is_behind_cdn = var.waas_policy_policy_config_is_behind_cdn
        is_cache_control_respected = var.waas_policy_policy_config_is_cache_control_respected
        is_https_enabled = var.waas_policy_policy_config_is_https_enabled
        is_https_forced = var.waas_policy_policy_config_is_https_forced
        is_origin_compression_enabled = var.waas_policy_policy_config_is_origin_compression_enabled
        is_response_buffering_enabled = var.waas_policy_policy_config_is_response_buffering_enabled
        is_sni_enabled = var.waas_policy_policy_config_is_sni_enabled
        load_balancing_method {
            #Required
            method = var.waas_policy_policy_config_load_balancing_method_method

            #Optional
            domain = var.waas_policy_policy_config_load_balancing_method_domain
            expiration_time_in_seconds = var.waas_policy_policy_config_load_balancing_method_expiration_time_in_seconds
            name = var.waas_policy_policy_config_load_balancing_method_name
        }
        tls_protocols = var.waas_policy_policy_config_tls_protocols
        websocket_path_prefixes = var.waas_policy_policy_config_websocket_path_prefixes
    }
    waf_config {

        #Optional
        access_rules {
            #Required
            action = var.waas_policy_waf_config_access_rules_action
            criteria {
                #Required
                condition = var.waas_policy_waf_config_access_rules_criteria_condition
                value = var.waas_policy_waf_config_access_rules_criteria_value

                #Optional
                is_case_sensitive = var.waas_policy_waf_config_access_rules_criteria_is_case_sensitive
            }
            name = var.waas_policy_waf_config_access_rules_name

            #Optional
            block_action = var.waas_policy_waf_config_access_rules_block_action
            block_error_page_code = var.waas_policy_waf_config_access_rules_block_error_page_code
            block_error_page_description = var.waas_policy_waf_config_access_rules_block_error_page_description
            block_error_page_message = var.waas_policy_waf_config_access_rules_block_error_page_message
            block_response_code = var.waas_policy_waf_config_access_rules_block_response_code
            bypass_challenges = var.waas_policy_waf_config_access_rules_bypass_challenges
            captcha_footer = var.waas_policy_waf_config_access_rules_captcha_footer
            captcha_header = var.waas_policy_waf_config_access_rules_captcha_header
            captcha_submit_label = var.waas_policy_waf_config_access_rules_captcha_submit_label
            captcha_title = var.waas_policy_waf_config_access_rules_captcha_title
            redirect_response_code = var.waas_policy_waf_config_access_rules_redirect_response_code
            redirect_url = var.waas_policy_waf_config_access_rules_redirect_url
            response_header_manipulation {
                #Required
                action = var.waas_policy_waf_config_access_rules_response_header_manipulation_action
                header = var.waas_policy_waf_config_access_rules_response_header_manipulation_header

                #Optional
                value = var.waas_policy_waf_config_access_rules_response_header_manipulation_value
            }
        }
        address_rate_limiting {
            #Required
            is_enabled = var.waas_policy_waf_config_address_rate_limiting_is_enabled

            #Optional
            allowed_rate_per_address = var.waas_policy_waf_config_address_rate_limiting_allowed_rate_per_address
            block_response_code = var.waas_policy_waf_config_address_rate_limiting_block_response_code
            max_delayed_count_per_address = var.waas_policy_waf_config_address_rate_limiting_max_delayed_count_per_address
        }
        caching_rules {
            #Required
            action = var.waas_policy_waf_config_caching_rules_action
            criteria {
                #Required
                condition = var.waas_policy_waf_config_caching_rules_criteria_condition
                value = var.waas_policy_waf_config_caching_rules_criteria_value
            }
            name = var.waas_policy_waf_config_caching_rules_name

            #Optional
            caching_duration = var.waas_policy_waf_config_caching_rules_caching_duration
            client_caching_duration = var.waas_policy_waf_config_caching_rules_client_caching_duration
            is_client_caching_enabled = var.waas_policy_waf_config_caching_rules_is_client_caching_enabled
            key = var.waas_policy_waf_config_caching_rules_key
        }
        captchas {
            #Required
            failure_message = var.waas_policy_waf_config_captchas_failure_message
            session_expiration_in_seconds = var.waas_policy_waf_config_captchas_session_expiration_in_seconds
            submit_label = var.waas_policy_waf_config_captchas_submit_label
            title = var.waas_policy_waf_config_captchas_title
            url = var.waas_policy_waf_config_captchas_url

            #Optional
            footer_text = var.waas_policy_waf_config_captchas_footer_text
            header_text = var.waas_policy_waf_config_captchas_header_text
        }
        custom_protection_rules {

            #Optional
            action = var.waas_policy_waf_config_custom_protection_rules_action
            exclusions {

                #Optional
                exclusions = var.waas_policy_waf_config_custom_protection_rules_exclusions_exclusions
                target = var.waas_policy_waf_config_custom_protection_rules_exclusions_target
            }
            id = var.waas_policy_waf_config_custom_protection_rules_id
        }
        device_fingerprint_challenge {
            #Required
            is_enabled = var.waas_policy_waf_config_device_fingerprint_challenge_is_enabled

            #Optional
            action = var.waas_policy_waf_config_device_fingerprint_challenge_action
            action_expiration_in_seconds = var.waas_policy_waf_config_device_fingerprint_challenge_action_expiration_in_seconds
            challenge_settings {

                #Optional
                block_action = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_block_action
                block_error_page_code = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_block_error_page_code
                block_error_page_description = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_block_error_page_description
                block_error_page_message = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_block_error_page_message
                block_response_code = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_block_response_code
                captcha_footer = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_captcha_footer
                captcha_header = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_captcha_header
                captcha_submit_label = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_captcha_submit_label
                captcha_title = var.waas_policy_waf_config_device_fingerprint_challenge_challenge_settings_captcha_title
            }
            failure_threshold = var.waas_policy_waf_config_device_fingerprint_challenge_failure_threshold
            failure_threshold_expiration_in_seconds = var.waas_policy_waf_config_device_fingerprint_challenge_failure_threshold_expiration_in_seconds
            max_address_count = var.waas_policy_waf_config_device_fingerprint_challenge_max_address_count
            max_address_count_expiration_in_seconds = var.waas_policy_waf_config_device_fingerprint_challenge_max_address_count_expiration_in_seconds
        }
        human_interaction_challenge {
            #Required
            is_enabled = var.waas_policy_waf_config_human_interaction_challenge_is_enabled

            #Optional
            action = var.waas_policy_waf_config_human_interaction_challenge_action
            action_expiration_in_seconds = var.waas_policy_waf_config_human_interaction_challenge_action_expiration_in_seconds
            challenge_settings {

                #Optional
                block_action = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_block_action
                block_error_page_code = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_block_error_page_code
                block_error_page_description = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_block_error_page_description
                block_error_page_message = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_block_error_page_message
                block_response_code = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_block_response_code
                captcha_footer = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_captcha_footer
                captcha_header = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_captcha_header
                captcha_submit_label = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_captcha_submit_label
                captcha_title = var.waas_policy_waf_config_human_interaction_challenge_challenge_settings_captcha_title
            }
            failure_threshold = var.waas_policy_waf_config_human_interaction_challenge_failure_threshold
            failure_threshold_expiration_in_seconds = var.waas_policy_waf_config_human_interaction_challenge_failure_threshold_expiration_in_seconds
            interaction_threshold = var.waas_policy_waf_config_human_interaction_challenge_interaction_threshold
            is_nat_enabled = var.waas_policy_waf_config_human_interaction_challenge_is_nat_enabled
            recording_period_in_seconds = var.waas_policy_waf_config_human_interaction_challenge_recording_period_in_seconds
            set_http_header {
                #Required
                name = var.waas_policy_waf_config_human_interaction_challenge_set_http_header_name
                value = var.waas_policy_waf_config_human_interaction_challenge_set_http_header_value
            }
        }
        js_challenge {
            #Required
            is_enabled = var.waas_policy_waf_config_js_challenge_is_enabled

            #Optional
            action = var.waas_policy_waf_config_js_challenge_action
            action_expiration_in_seconds = var.waas_policy_waf_config_js_challenge_action_expiration_in_seconds
            are_redirects_challenged = var.waas_policy_waf_config_js_challenge_are_redirects_challenged
            challenge_settings {

                #Optional
                block_action = var.waas_policy_waf_config_js_challenge_challenge_settings_block_action
                block_error_page_code = var.waas_policy_waf_config_js_challenge_challenge_settings_block_error_page_code
                block_error_page_description = var.waas_policy_waf_config_js_challenge_challenge_settings_block_error_page_description
                block_error_page_message = var.waas_policy_waf_config_js_challenge_challenge_settings_block_error_page_message
                block_response_code = var.waas_policy_waf_config_js_challenge_challenge_settings_block_response_code
                captcha_footer = var.waas_policy_waf_config_js_challenge_challenge_settings_captcha_footer
                captcha_header = var.waas_policy_waf_config_js_challenge_challenge_settings_captcha_header
                captcha_submit_label = var.waas_policy_waf_config_js_challenge_challenge_settings_captcha_submit_label
                captcha_title = var.waas_policy_waf_config_js_challenge_challenge_settings_captcha_title
            }
            criteria {
                #Required
                condition = var.waas_policy_waf_config_js_challenge_criteria_condition
                value = var.waas_policy_waf_config_js_challenge_criteria_value

                #Optional
                is_case_sensitive = var.waas_policy_waf_config_js_challenge_criteria_is_case_sensitive
            }
            failure_threshold = var.waas_policy_waf_config_js_challenge_failure_threshold
            is_nat_enabled = var.waas_policy_waf_config_js_challenge_is_nat_enabled
            set_http_header {
                #Required
                name = var.waas_policy_waf_config_js_challenge_set_http_header_name
                value = var.waas_policy_waf_config_js_challenge_set_http_header_value
            }
        }
        origin = var.waas_policy_waf_config_origin
        origin_groups = var.waas_policy_waf_config_origin_groups
        protection_settings {

            #Optional
            allowed_http_methods = var.waas_policy_waf_config_protection_settings_allowed_http_methods
            block_action = var.waas_policy_waf_config_protection_settings_block_action
            block_error_page_code = var.waas_policy_waf_config_protection_settings_block_error_page_code
            block_error_page_description = var.waas_policy_waf_config_protection_settings_block_error_page_description
            block_error_page_message = var.waas_policy_waf_config_protection_settings_block_error_page_message
            block_response_code = var.waas_policy_waf_config_protection_settings_block_response_code
            is_response_inspected = var.waas_policy_waf_config_protection_settings_is_response_inspected
            max_argument_count = var.waas_policy_waf_config_protection_settings_max_argument_count
            max_name_length_per_argument = var.waas_policy_waf_config_protection_settings_max_name_length_per_argument
            max_response_size_in_ki_b = var.waas_policy_waf_config_protection_settings_max_response_size_in_ki_b
            max_total_name_length_of_arguments = var.waas_policy_waf_config_protection_settings_max_total_name_length_of_arguments
            media_types = var.waas_policy_waf_config_protection_settings_media_types
            recommendations_period_in_days = var.waas_policy_waf_config_protection_settings_recommendations_period_in_days
        }
        whitelists {
            #Required
            name = var.waas_policy_waf_config_whitelists_name

            #Optional
            address_lists = var.waas_policy_waf_config_whitelists_address_lists
            addresses = var.waas_policy_waf_config_whitelists_addresses
        }
    }
}

Argument Reference

The following arguments are supported:

  • failure_threshold - (Optional) (Updatable) The number of failed requests before taking action. If unspecified, defaults to 10.
  • is_enabled - (Required) (Updatable) Enables or disables the JavaScript challenge Web Application Firewall feature.
  • is_nat_enabled - (Optional) (Updatable) When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses.
  • set_http_header - (Optional) (Updatable) Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
  • origin - (Optional) (Updatable) The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in Origins. Required when creating the WafConfig resource, but is not required upon updating the configuration.
  • origin_groups - (Optional) (Updatable) The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the origins field of a UpdateWaasPolicy request.
  • protection_settings - (Optional) (Updatable) The settings applied to protection rules.

  • whitelists - (Optional) (Updatable) A list of IP addresses that bypass the Web Application Firewall.

* IMPORTANT * Any change to a property that does not support update will force the destruction and recreation of the resource with the new property values.
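As an added example that is not part of the provider documentation, the check below runs over the `change.after` object that `terraform show -json` emits for a planned `oci_waas_waas_policy` and flags violations of the constraints stated on this page (the domain must differ from every origin; `set_http_header` only applies when the challenge action is DETECT) together with a few hardening expectations. Attribute names follow the resource schema above; the TLS protocol enum names, the treatment of an absent challenge action as DETECT, and the sample plan fragment are assumptions constructed for this example.

```python
import ipaddress

# Assumed OCI WAAS tls_protocols enum names for the two legacy protocol versions.
LEGACY_TLS = {"TLS_V1", "TLS_V1_1"}


def _first(blocks):
    """Nested HCL blocks are rendered as lists in plan JSON; return the first or {}."""
    return (blocks or [{}])[0]


def waas_policy_findings(after: dict) -> list[str]:
    """Return human-readable problems for one planned oci_waas_waas_policy."""
    findings = []
    domain = after.get("domain", "")
    origins = after.get("origins") or []
    # Docs: the policy domain must differ from every origin it fronts.
    if domain in {o.get("uri") for o in origins}:
        findings.append(f"domain {domain!r} is also listed as an origin")

    policy = _first(after.get("policy_config"))
    if not policy.get("is_https_forced"):
        findings.append("policy_config.is_https_forced is not true; plaintext HTTP is served")
    legacy = LEGACY_TLS & set(policy.get("tls_protocols") or [])
    if legacy:
        findings.append(f"legacy TLS versions enabled: {sorted(legacy)}")

    waf = _first(after.get("waf_config"))
    # Docs: set_http_header is only applied when the action is DETECT, so a
    # challenge that blocks and also configures a header is a misconfiguration.
    # An absent action is treated as DETECT here (assumption).
    for challenge in ("js_challenge", "human_interaction_challenge"):
        block = _first(waf.get(challenge))
        if block.get("set_http_header") and block.get("action", "DETECT") != "DETECT":
            findings.append(f"{challenge}.set_http_header is ignored unless action is DETECT")

    # Whitelists bypass the WAF entirely: reject IPv4 ranges broader than a /24.
    for wl in waf.get("whitelists") or []:
        for addr in wl.get("addresses") or []:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                findings.append(f"whitelist {wl.get('name')!r}: {addr!r} is not an IP or CIDR")
                continue
            if net.version == 4 and net.prefixlen < 24:
                findings.append(f"whitelist {wl.get('name')!r}: {addr} bypasses the WAF for >256 hosts")
    return findings


# Constructed sample mirroring the shape of change.after for this resource.
SAMPLE_AFTER = {
    "display_name": "example-policy",
    "domain": "www.example.com",
    "origins": [{"uri": "www.example.com", "https_port": 443}],
    "policy_config": [{"is_https_forced": False, "tls_protocols": ["TLS_V1_1", "TLS_V1_2"]}],
    "waf_config": [{
        "js_challenge": [{"is_enabled": True, "action": "BLOCK",
                          "set_http_header": [{"name": "X-WAF-Challenge", "value": "failed"}]}],
        "whitelists": [{"name": "office", "addresses": ["203.0.113.0/24", "10.0.0.0/8"]}],
    }],
}

if __name__ == "__main__":
    for finding in waas_policy_findings(SAMPLE_AFTER):
        print("FINDING:", finding)
```

Run it against `terraform show -json plan.out | jq '.resource_changes[] | select(.type=="oci_waas_waas_policy") | .change.after'` in CI to fail a pipeline before a weakened policy is applied.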

Attributes Reference

The following attributes are exported:

  • failure_threshold - The number of failed requests before taking action. If unspecified, defaults to 10.
  • is_enabled - Enables or disables the JavaScript challenge Web Application Firewall feature.
  • is_nat_enabled - When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses.
  • set_http_header - Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
  • origin - The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in Origins. Required when creating the WafConfig resource, but not on update.
  • origin_groups - The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the origins field of a UpdateWaasPolicy request.
  • protection_settings - The settings to apply to protection rules.

  • whitelists - A list of IP addresses that bypass the Web Application Firewall.
Timeouts

The timeouts block allows you to specify timeouts for certain operations:

  • create - (Defaults to 2 hours), when creating the Waas Policy
  • update - (Defaults to 2 hours), when updating the Waas Policy
  • delete - (Defaults to 2 hours), when destroying the Waas Policy

Import

WaasPolicies can be imported using the id, e.g.

$ terraform import oci_waas_waas_policy.test_waas_policy "id"