fastly_waf_rules

Use this data source to get the WAF rules of Fastly. The rules are a set of third-party rules from the OWASP Core Ruleset, commercial sources, and open source, in addition to Fastly-generated rules. They offer protection from injection attacks and cross-site scripting, amongst other key application-layer attacks.

Example Usage

Usage with publishers filter:

data "fastly_waf_rules" "owasp" {
  publishers = ["owasp"]
}

Usage with tags filter:

data "fastly_waf_rules" "tag" {
  tags = ["language-html", "language-jsp"]
}

Usage with exclude filter:

data "fastly_waf_rules" "owasp_with_exclusions" {
  publishers              = ["owasp"]
  exclude_modsec_rule_ids = [1010090]
}

Usage without filters:

data "fastly_waf_rules" "all" {
  # This will retrieve the entire list of rules available from the API at the time.
}

Usage with WAF configuration resource:

variable "type_status" {
  type    = map(string)
  default = {
    score     = "score"
    threshold = "log"
    strict    = "log"
  }
}

resource "fastly_service_vcl" "demo" {
  name = "demofastly"

  domain {
    name    = "example.com"
    comment = "demo"
  }

  backend {
    address = "127.0.0.1"
    name    = "origin1"
    port    = 80
  }

  condition {
    name      = "WAF_Prefetch"
    type      = "PREFETCH"
    statement = "req.backend.is_origin"
  }

  # This condition is always false. Attaching it to the response object
  # created below prevents Fastly from returning a 403 on all of your traffic.
  condition {
    name      = "WAF_always_false"
    statement = "false"
    type      = "REQUEST"
  }

  response_object {
    name              = "WAF_Response"
    status            = "403"
    response          = "Forbidden"
    content_type      = "text/html"
    content           = "<html><body>Forbidden</body></html>"
    request_condition = "WAF_always_false"
  }

  waf {
    prefetch_condition = "WAF_Prefetch"
    response_object    = "WAF_Response"
  }

  force_destroy = true
}

data "fastly_waf_rules" "owasp" {
  publishers = ["owasp"]
}

resource "fastly_service_waf_configuration" "waf" {
  waf_id                         = fastly_service_vcl.demo.waf[0].waf_id
  http_violation_score_threshold = 100

  dynamic "rule" {
    for_each = data.fastly_waf_rules.owasp.rules
    content {
      modsec_rule_id = rule.value.modsec_rule_id
      revision       = rule.value.latest_revision_number
      status         = lookup(var.type_status, rule.value.type, "log")
    }
  }
}
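
A staged rollout of the configuration above, as an added example that is not part of the provider documentation: threshold and strict rules run in log mode while tuning and switch to block through one variable, and an output lists any rule types that fall through to the `lookup` default. `var.waf_enforce` and all `example_` names are assumptions; the block reuses `fastly_service_vcl.demo` and would take the place of the `fastly_service_waf_configuration.waf` resource.

```hcl
# Added example, not from the provider documentation.
# var.waf_enforce and every "example_" name are assumptions.
variable "waf_enforce" {
  type    = bool
  default = false # keep false while tuning, set to true to enforce
}

data "fastly_waf_rules" "example_owasp" {
  publishers              = ["owasp"]
  exclude_modsec_rule_ids = [1010090]
}

locals {
  example_rules = data.fastly_waf_rules.example_owasp.rules

  # threshold and strict rules log during tuning and block once enforced.
  example_status = {
    score     = "score"
    threshold = var.waf_enforce ? "block" : "log"
    strict    = var.waf_enforce ? "block" : "log"
  }

  # Rule types returned by the API that the map does not cover; these
  # silently fall back to "log" in the lookup() below.
  example_unmapped_types = distinct([
    for r in local.example_rules : r.type
    if !contains(keys(local.example_status), r.type)
  ])
}

resource "fastly_service_waf_configuration" "example_waf" {
  waf_id                         = fastly_service_vcl.demo.waf[0].waf_id
  http_violation_score_threshold = 100

  dynamic "rule" {
    for_each = local.example_rules
    content {
      modsec_rule_id = rule.value.modsec_rule_id
      revision       = rule.value.latest_revision_number
      status         = lookup(local.example_status, rule.value.type, "log")
    }
  }
}

output "example_unmapped_rule_types" {
  value = local.example_unmapped_types
}
```

A non-empty `example_unmapped_rule_types` output means some rules are only logging even after `waf_enforce` is set to true.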

Argument Reference

Attribute Reference

The rules block supports:

Schema

Optional

Read-Only

Nested Schema for rules

Read-Only: