aws::wafv2-rule-group

Creates a rule group.

Example

aws::wafv2-rule-group rule-group-example
    name: "rule-group-example"
    description: "rule-group-example-desc"
    scope: "REGIONAL"

    rule
        name: "rule-group-example-rule-1"
        priority: 0
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-1"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            xss-match-statement
                field-to-match
                    name: "header-field"
                    match-type: "SINGLE_HEADER"
                end

                text-transformation
                    priority: 0
                    type: "NONE"
                end
            end
        end
    end

    rule
        name: "rule-group-example-rule-2"
        priority: 1
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-2"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            byte-match-statement
                field-to-match
                    name: "header-field"
                    match-type: "SINGLE_HEADER"
                end

                positional-constraint: "EXACTLY"

                text-transformation
                    priority: 0
                    type: "NONE"
                end

                search-string: "something"
            end
        end
    end

    rule
        name: "rule-group-example-rule-3"
        priority: 2
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-3"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            size-constraint-statement
                field-to-match
                    match-type: "BODY"
                end

                comparison-operator: "EQ"

                text-transformation
                    priority: 0
                    type: "COMPRESS_WHITE_SPACE"
                end

                text-transformation
                    priority: 1
                    type: "HTML_ENTITY_DECODE"
                end

                size: 3
            end
        end
    end

    rule
        name: "rule-group-example-rule-4"
        priority: 3
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-4"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            and-statement
                statement
                    ip-set-reference-statement
                        ip-set: $(aws::wafv2-ip-set ip-set-example-ipv4)
                    end
                end

                statement
                    regex-pattern-set-reference-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end

                        regex-pattern-set: $(aws::wafv2-regex-pattern-set regex-pattern-set-example)
                    end
                end

                statement
                    sqli-match-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end
                    end
                end
            end
        end
    end

    rule
        name: "rule-group-example-rule-5"
        priority: 4
        action: "BLOCK"

        visibility-config
            metric-name: "rule-group-example-rule-5"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            or-statement
                statement
                    geo-match-statement
                        country-codes: [
                            "IN"
                        ]
                    end
                end

                statement
                    sqli-match-statement
                        field-to-match
                            match-type: "BODY"
                        end

                        text-transformation
                            priority: 0
                            type: "COMPRESS_WHITE_SPACE"
                        end
                    end
                end
            end
        end
    end

    visibility-config
        metric-name: "rule-group-example-metric"
        cloud-watch-metrics-enabled: false
        sampled-requests-enabled: false
    end
end

Attributes

Attribute Description
scope

The scope where the resource is going to be created.

Resources can only use and associate with other resources of the same scope. Valid values are CLOUDFRONT or REGIONAL. (Required)

tags map The tags associated with the resources.
name Name of the rule group. (Required)
description Description of the rule group.
capacity

The total WCU capacity for the rule group.

If not provided, it is calculated automatically from the conditions in the rule configuration.

rule set subresource

A set of rule configurations that contains the conditions. Maximum allowed items are 10. (Required)

name
The name of the rule. (Required)
priority
The priority of the rule. Priorities must be assigned in increasing order, starting from 0. (Required)
visibility-config
The visibility configuration for the rule. (Required)
action
The action to perform if the rule passes. Cannot be set if override-action is set. Valid values are ALLOW, BLOCK or COUNT.
override-action
The override action to perform if the rule passes. Cannot be set if action is set. Valid values are NONE or COUNT.
statement subresource

The statement configuration that holds the individual conditions.

and-statement subresource

And statement configuration.

statement set
The set of statement resources associated with the AND statement. (Required)
not-statement subresource

Not statement configuration.

statement
The statement resource associated with the NOT statement. (Required)
or-statement subresource

Or statement configuration.

statement set
The set of statement resources associated with the OR statement. Minimum required items are 2. (Required)
byte-match-statement subresource

Byte Match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD or URI_PATH. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
positional-constraint
The positional search type for the search string. Valid values are EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS or CONTAINS_WORD. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 3.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE or URL_DECODE. (Required)
search-string
The search string you want AWS to search for in the request. (Required)
geo-match-statement subresource

Geo statement configuration.

country-codes set
A set of two-character country codes based on ISO 3166 on which to filter the request. (Required)
ip-set-reference-statement subresource

IP set reference statement configuration.

ip-set
The ip set resource to associate with. (Required)
regex-pattern-set-reference-statement subresource
Regex pattern reference statement configuration.
size-constraint-statement subresource

Size constraint statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD or URI_PATH. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
comparison-operator
The comparison operator for the size specified. Valid values are EQ, NE, LE, LT, GE or GT. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 3.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE or URL_DECODE. (Required)
size
The size in bytes for the constraint to work on. (Required)
sqli-match-statement subresource
SQL injection statement configuration.
xss-match-statement subresource

XSS match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD or URI_PATH. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 3.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE or URL_DECODE. (Required)
rate-based-statement subresource

Rate based statement configuration.

aggregate-key-type
The aggregate key type for the rate based statement. Defaults to IP. Currently the only supported value is IP.
limit
The rate limit for the rate based statement. Minimum allowed value is 100. (Required)
scope-down-statement
The statement resource associated with the rate based statement.
managed-rule-group-statement subresource

Managed rule group statement configuration.

excluded-rules set
A set of rule names to be excluded that are part of the associated managed rule group.
name
The name of the managed rule group. (Required)
vendor-name
The vendor name of the managed rule group. (Required)
rule-group-reference-statement subresource

Rule group reference statement configuration.

rule-group
The rule group resource to reference. (Required)
excluded-rules set
A set of rule names to be excluded that are part of the referenced rule group resource.
visibility-config subresource

The visibility configuration for the rule group. (Required)

metric-name
The name of the CloudWatch metric. (Required)
cloud-watch-metrics-enabled
Enable CloudWatch metrics when set to true. Defaults to false.
sampled-requests-enabled
Enable CloudWatch metric request sampling when set to true. Defaults to false.
policy The policy document. A policy path or policy string is allowed.

Outputs

Attribute Description
arn The arn of the rule group.
id The id of the rule group.
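
The limits listed under Attributes (rule count, priority ordering, action versus override-action, the OR statement minimum, the field name requirement, the text transformation maximum and the rate limit minimum) can be checked before a deployment is attempted. The following is an added example, not part of Gyro or its documentation; the dictionary layout (`rules`, `statements` and `text-transformations` as lists) and the function names are assumptions made for illustration.

```python
# Added example: lint a rule group against limits stated on this page before deploying.
# The dict layout ("rules"/"statements" lists keyed by attribute name) is an assumption.
FIELD_TYPES = {"SINGLE_HEADER", "SINGLE_QUERY_ARGUMENT", "ALL_QUERY_ARGUMENTS",
               "BODY", "QUERY_STRING", "METHOD", "URI_PATH"}

def lint_statement(stmt, path):
    """Check one {statement-type: body} dict and recurse into nested statements."""
    errs = []
    for kind, body in stmt.items():
        here = f"{path}/{kind}"
        nested = list(body.get("statements", []))
        nested += [body[k] for k in ("statement", "scope-down-statement") if k in body]
        if kind == "or-statement" and len(nested) < 2:
            errs.append(f"{here}: needs at least 2 statements")
        for i, sub in enumerate(nested):
            errs += lint_statement(sub, f"{here}[{i}]")
        ftm = body.get("field-to-match")
        if ftm is not None:
            mtype = ftm.get("match-type")
            if mtype not in FIELD_TYPES:
                errs.append(f"{here}: invalid match-type")
            elif mtype.startswith("SINGLE_") and not ftm.get("name"):
                errs.append(f"{here}: field-to-match name is required")
        if len(body.get("text-transformations", [])) > 3:
            errs.append(f"{here}: more than 3 text transformations")
        if kind == "rate-based-statement" and body.get("limit", 0) < 100:
            errs.append(f"{here}: limit below 100")
    return errs

def lint_rule_group(group):
    errs = []
    if group.get("scope") not in ("CLOUDFRONT", "REGIONAL"):
        errs.append("scope: must be CLOUDFRONT or REGIONAL")
    rules = group.get("rules", [])
    if not 1 <= len(rules) <= 10:
        errs.append("rule: 1 to 10 rules required")
    # "Increasing order starting from 0" is read here as 0, 1, 2, ... (an interpretation).
    for want, rule in enumerate(sorted(rules, key=lambda r: r.get("priority", -1))):
        name = rule.get("name", "?")
        if rule.get("priority") != want:
            errs.append(f"{name}: priority should be {want}")
        if "action" in rule and "override-action" in rule:
            errs.append(f"{name}: action and override-action are both set")
        errs += lint_statement(rule.get("statement", {}), name)
    return errs

# Constructed sample with four deliberate mistakes.
SAMPLE = {"name": "demo", "scope": "REGIONAL", "rules": [
    {"name": "r0", "priority": 0, "action": "BLOCK", "override-action": "NONE",
     "statement": {"xss-match-statement": {"field-to-match": {"match-type": "SINGLE_HEADER"}}}},
    {"name": "r1", "priority": 2, "action": "COUNT",
     "statement": {"rate-based-statement": {"limit": 50}}}]}
```

Calling `lint_rule_group(SAMPLE)` returns one message per mistake, each prefixed with the rule name and statement path.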