aws::wafv2-rule-group¶

Creates a rule group.

Example¶

aws::wafv2-rule-group rule-group-example
    name: "rule-group-example"
    description: "rule-group-example-desc"
    scope: "REGIONAL"

    rule
        name: "rule-group-example-rule-1"
        priority: 0
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-1"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            xss-match-statement
                field-to-match
                    name: "header-field"
                    match-type: "SINGLE_HEADER"
                end

                text-transformation
                    priority: 0
                    type: "NONE"
                end
            end
        end
    end

    rule
        name: "rule-group-example-rule-2"
        priority: 1
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-2"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            byte-match-statement
                field-to-match
                    name: "header-field"
                    match-type: "SINGLE_HEADER"
                end

                positional-constraint: "EXACTLY"

                text-transformation
                    priority: 0
                    type: "NONE"
                end

                search-string: "something"
            end
        end
    end

    rule
        name: "rule-group-example-rule-3"
        priority: 2
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-3"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            size-constraint-statement
                field-to-match
                    match-type: "BODY"
                end

                comparison-operator: "EQ"

                text-transformation
                    priority: 0
                    type: "COMPRESS_WHITE_SPACE"
                end

                text-transformation
                    priority: 1
                    type: "HTML_ENTITY_DECODE"
                end

                size: 3
            end
        end
    end

    rule
        name: "rule-group-example-rule-4"
        priority: 3
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-4"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            and-statement
                statement
                    ip-set-reference-statement
                        ip-set: $(aws::wafv2-ip-set ip-set-example-ipv4)
                    end
                end

                statement
                    regex-pattern-set-reference-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end

                        regex-pattern-set: $(aws::wafv2-regex-pattern-set regex-pattern-set-example)
                    end
                end

                statement
                    sqli-match-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end
                    end
                end
            end
        end
    end

    rule
        name: "rule-group-example-rule-5"
        priority: 4
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-5"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            or-statement
                statement
                    geo-match-statement
                        country-codes: [
                            "IN"
                        ]
                    end
                end

                statement
                    sqli-match-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end
                    end
                end
            end
        end
    end

    visibility-config
        metric-name: "rule-group-example-metric"
        cloud-watch-metrics-enabled: false
        sampled-requests-enabled: false
    end
end

Attributes¶

Attribute	Description
scope	The scope where the resource is going to be created. Resources can only use and associate with other similar scoped resources. Valid values are `CLOUDFRONT` or `REGIONAL`. (Required)
tags map	The tags associated with the resources.
name	Name of the rule group. (Required)
description	Description of the rule group.
capacity	The total WCU capacity for the rule group. If not provided will be auto calculated based on the conditions provided by the rule configuration.
rule set subresource	A set of rule configurations that contains the conditions. Maximum allowed items are `10`. (Required) name The name of the rule. (Required) priority The priority of the rule. The priority assigned needs to be ordered in increasing order starting from 0. (Required) visibility-config The visibility configuration for the rule. (Required) action The action to perform if the rule passes. Cannot be set if `override-action` is set. Valid values are `ALLOW`, `BLOCK` or `COUNT`. override-action The override action to perform if the rule passes. Cannot be set if `action` is set. Valid values are `NONE` or `COUNT`. statement subresource The statement configuration having the individual conditions. and-statement subresource And statement configuration. statement set The set of statement resource associated with the AND statement. (Required) not-statement subresource Not statement configuration. statement The statement resource associated with the NOT statement. (Required) or-statement subresource Or statement configuration. statement set The set of statement resource associated with the OR statement. Minimum required items are `2`. (Required) byte-match-statement subresource Byte Match statement configuration. field-to-match subresource The field setting to match the condition. (Required) match-type The field match type. Valid values are `SINGLE_HEADER`, `SINGLE_QUERY_ARGUMENT`, `ALL_QUERY_ARGUMENTS`, `BODY`, `QUERY_STRING`, `METHOD` or `URI_PATH`. (Required) name The name of the field to match. Only required if `match-type` set to `SINGLE_HEADER` or `SINGLE_QUERY_ARGUMENT`. positional-constraint The positional search type for the search string. Valid values are `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS` or `CONTAINS_WORD`. (Required) text-transformation set subresource Text transformation configuration on the data provided before doing the check. Maximum allowed items are `3`. priority The priority of the text transformation. (Required) type The type of the text transformation. Valid values are `NONE`, `COMPRESS_WHITE_SPACE`, `HTML_ENTITY_DECODE`, `LOWERCASE`, `CMD_LINE` or `URL_DECODE`. (Required) search-string The search string you want aws to search for in the request. (Required) geo-match-statement subresource Geo statement configuration. country-codes set A set of 2 character country codes based on ISO 3166 on which to filter the request. (Required) ip-set-reference-statement subresource IP set reference statement configuration. ip-set The ip set resource to associate with. (Required) regex-pattern-set-reference-statement subresource Regex pattern reference statement configuration. size-constraint-statement subresource Size constraint statement configuration. field-to-match subresource The field setting to match the condition. (Required) match-type The field match type. Valid values are `SINGLE_HEADER`, `SINGLE_QUERY_ARGUMENT`, `ALL_QUERY_ARGUMENTS`, `BODY`, `QUERY_STRING`, `METHOD` or `URI_PATH`. (Required) name The name of the field to match. Only required if `match-type` set to `SINGLE_HEADER` or `SINGLE_QUERY_ARGUMENT`. comparison-operator The comparison operator for the size specified. Valid values are `EQ`, `NE`, `LE`, `LT`, `GE` or `GT`. (Required) text-transformation set subresource Text transformation configuration on the data provided before doing the check. Maximum allowed items are `3`. priority The priority of the text transformation. (Required) type The type of the text transformation. Valid values are `NONE`, `COMPRESS_WHITE_SPACE`, `HTML_ENTITY_DECODE`, `LOWERCASE`, `CMD_LINE` or `URL_DECODE`. (Required) size The size in byte for the constraint to work on. (Required) sqli-match-statement subresource Sql Injection statement configuration. xss-match-statement subresource Xss match statement configuration. field-to-match subresource The field setting to match the condition. (Required) match-type The field match type. Valid values are `SINGLE_HEADER`, `SINGLE_QUERY_ARGUMENT`, `ALL_QUERY_ARGUMENTS`, `BODY`, `QUERY_STRING`, `METHOD` or `URI_PATH`. (Required) name The name of the field to match. Only required if `match-type` set to `SINGLE_HEADER` or `SINGLE_QUERY_ARGUMENT`. text-transformation set subresource Text transformation configuration on the data provided before doing the check. Maximum allowed items are `3`. priority The priority of the text transformation. (Required) type The type of the text transformation. Valid values are `NONE`, `COMPRESS_WHITE_SPACE`, `HTML_ENTITY_DECODE`, `LOWERCASE`, `CMD_LINE` or `URL_DECODE`. (Required) rate-based-statement subresource Rate based statement configuration. aggregate-key-type The aggregate key type for the rate based statement. Defaults to `IP`. Currently the only supported value is `IP`. limit The rate limit for the rate based statement. Minimum allowed value is `100`. (Required) scope-down-statement The statement resource associated with the rate based statement. managed-rule-group-statement subresource Managed rule group statement configuration. excluded-rules set A set of rule names to be excluded that are part of the associated managed rule group. name The name of the managed rule group. (Required) vendor-name The vendor name of the managed rule group. (Required) rule-group-reference-statement subresource Rule group reference statement configuration. rule-group A rule group resource to reference with. (Required) excluded-rules set A set of rule names to be excluded that are part of the referenced rule group resource.
visibility-config subresource	The visibility configuration for the rule group. (Required) metric-name The name of the cloud watch metric. (Required) cloud-watch-metrics-enabled Enable cloud watch metrics when set to `true`. Defaults to `false`. sampled-requests-enabled Enable cloud watch metric sample request when set to `true`. Defaults to `false`.
policy	The policy document. A policy path or policy string is allowed.

Outputs¶

Attribute	Description
arn	The arn of the rule group.
id	The id of the rule group.