aws::wafv2-web-acl

Creates a web acl.

Example

aws::wafv2-web-acl web-acl-example
    name: "web-acl-example"
    description: "web-acl-example-desc"
    scope: "REGIONAL"
    default-action: "BLOCK"

    visibility-config
        metric-name: "web-acl-example"
        cloud-watch-metrics-enabled: false
        sampled-requests-enabled: false
    end

    rule
        name: web-acl-example-rule-1
        priority: 0
        override-action: "COUNT"

        visibility-config
            metric-name: "web-acl-example-rule-1"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            rule-group-reference-statement
                rule-group: $(aws::wafv2-rule-group rule-group-example)
            end
        end
    end

    rule
        name: "web-acl-example-rule-2"
        priority: 1
        override-action: "COUNT"

        visibility-config
            metric-name: "web-acl-example-rule-2"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            managed-rule-group-statement
                name: "AWSManagedRulesAnonymousIpList"
                vendor-name: "AWS"
            end
        end
    end
end

Attributes

Attribute Description
scope

The scope where the resource is going to be created.

Resources can only use and associate with other similar scoped resources. Valid values are CLOUDFRONT or REGIONAL. (Required)

tags map The tags associated with the resources.
name The name of the web acl. (Required)
description The description of the web acl.
default-action The default action when no rules match. Valid values are ALLOW or BLOCK. (Required)
rule set subresource

A set of rules having the request filters for the web acl. (Required)

name
The name of the rule. (Required)
priority
The priority of the rule. The priority assigned needs to be ordered in increasing order starting from 0. (Required)
visibility-config
The visibility configuration for the rule. (Required)
action
The action to perform if the rule passes. Cannot be set if override-action is set. Valid values are ALLOW, BLOCK, COUNT, CAPTCHA or CHALLENGE.
override-action
The override action to perform if the rule passes. Cannot be set if action is set. Valid values are NONE or COUNT.
statement subresource

The statement configuration having the individual conditions.

and-statement subresource

And statement configuration.

statement set
The set of statement resource associated with the AND statement. (Required)
not-statement subresource

Not statement configuration.

statement
The statement resource associated with the NOT statement. (Required)
or-statement subresource

Or statement configuration.

statement set
The set of statement resource associated with the OR statement. Minimum required items are 2. (Required)
byte-match-statement subresource

Byte Match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-headers or excluded-headers is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
positional-constraint
The positional search type for the search string. Valid values are EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS or CONTAINS_WORD. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
search-string
The search string you want aws to search for in the request. (Required)
geo-match-statement subresource

Geo statement configuration.

country-codes set
A set of 2 character country codes based on ISO 3166 on which to filter the request. (Required)
ip-set-reference-statement subresource

IP set reference statement configuration.

ip-set
The ip set resource to associate with. (Required)
ip-set-forwarded-ip-config subresource

The forwarded IP configuration for the ip set.

header-name
The name of the header to use for the forwarded IP. (Required)
fallback-behavior
The fallback behavior for the forwarded IP. Valid values are MATCH or NO_MATCH. (Required)
position
The position of the forwarded IP. Valid values are FIRST, LAST or ANY. (Required)
regex-pattern-set-reference-statement subresource
Regex pattern reference statement configuration.
regex-match-statement subresource

Regex match statement configuration.

regex-string
The regex pattern to match the condition. (Required)
field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-headers or excluded-headers is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
size-constraint-statement subresource

Size constraint statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-headers or excluded-headers is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
comparison-operator
The comparison operator for the size specified. Valid values are EQ, NE, LE, LT, GE or GT. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
size
The size in byte for the constraint to work on. (Required)
sqli-match-statement subresource
Sql Injection statement configuration.
xss-match-statement subresource

Xss match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-headers or excluded-headers is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
label-match-statement subresource

Label match statement configuration.

scope
The part of the web request that you want AWS WAF to inspect. Valid values are LABEL or NAMESPACE. (Required)
key
The value that you want AWS WAF to search for. (Required)
rate-based-statement subresource

Rate based statement configuration.

aggregate-key-type
The aggregate key type for the rate based statement. Defaults to IP. Valid values are IP, FORWARDED_IP, CONSTANT or CUSTOM_KEYS.
limit
The rate limit for the rate based statement. Minimum allowed value is 100. (Required)
scope-down-statement
The statement resource associated with the rate based statement.
custom-keys set subresource

The list of custom key configs for the rate based statement. Maximum allowed items are 5.

header subresource

The header to use for the rate limit.

name
The name of the header to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the header before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
cookie subresource

The cookie to use for the rate limit.

name
The name of the cookie to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the cookie before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
query-string subresource

The query string to use for the rate limit.

text-transformation set subresource

The text transformations to apply to the query string before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
query-argument subresource

The query argument to use for the rate limit.

name
The name of the query argument to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the query argument before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
http-method subresource
The HTTP method to use for the rate limit.
ip subresource
The IP to use for the rate limit.
label-namespace subresource

The label namespace to use for the rate limit.

namespace
The namespace to use for the rate limit. Must be a string of 1 to 1024 characters and ends with a colon (:). The string can contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), underscore (_), and colon (:). The string cannot start with a colon (:). Valid values satisfy the regex: [^(?!:)(?:[A-Za-z0-9_-]+:){1,1023}$].
uri-path subresource

The URI path to use for the rate limit.

text-transformation set subresource

The text transformations to apply to the URI path before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
forwarded-ip subresource
The forwarded IP to use for the rate limit.
forwarded-ip-config subresource

The forwarded IP configuration for the rate based statement.

fallback-behavior
The fallback behavior for the rate limit. Valid values are MATCH or NO_MATCH. (Required)
header-name
The name of the HTTP header to be used for the IP address. (Required)
evaluation-window
The evaluation window in sec for the rate based statement. Defaults to 300. Valid values are 60.0, 120.0, 300.0 or ``600.0`.
managed-rule-group-statement subresource

Managed rule group statement configuration.

excluded-rules set
A set of rule names to be excluded that are part of the associated managed rule group.
name
The name of the managed rule group. (Required)
vendor-name
The vendor name of the managed rule group. (Required)
rule-group-reference-statement subresource

Rule group reference statement configuration.

rule-group
A rule group resource to reference with. (Required)
excluded-rules set
A set of rule names to be excluded that are part of the referenced rule group resource.
custom-request-handling subresource

The custom request handling configuration for the rule.

insert-headers map
A list of custom request handling actions to be inserted into the request header. (Required)
captcha-config subresource

The captcha configuration for the rule.

immunity-time
The time in seconds that the client should be immune to captcha after failing the challenge. Minimum allowed value is 60. (Required)
challenge-config subresource

The challenge configuration for the rule.

immunity-time
The time in seconds that the client should be immune to challenge after failing the challenge. Minimum allowed value is 300. (Required)
custom-response subresource

The custom response configuration for the rule.

custom-response-body-key
The custom response body key.
response-code
The HTTP status code to define custom set of rules. (Required)
response-headers map
A list of custom response headers.
action-labels set
The action labels for the rule. The string containing the label name and optional prefix and namespaces.
visibility-config subresource

The visibility config for the web acl. (Required)

metric-name
The name of the cloud watch metric. (Required)
cloud-watch-metrics-enabled
Enable cloud watch metrics when set to true. Defaults to false.
sampled-requests-enabled
Enable cloud watch metric sample request when set to true. Defaults to false.
load-balancers set A set of Application Load Balancer that will be associated with the web acl.
logging-configuration subresource

The logging configuration for the web acl.

redacted-field set subresource

The set of field match setting to take out of logging.

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-headers or excluded-headers is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
log-destination-configs set
A set of arn of AWS Kinesis Data Firehouse to associate with the web acl.
custom-response-body set subresource

A set of custom response body for the web acl.

name
The custom response body name. (Required)
content
The custom response body content. (Required)

Outputs

Attribute Description
id The id of the web acl.
arn The arn of the web acl.
capacity The total capacity based on the associated rules of the web acl.