aws::wafv2-web-acl

Creates a web acl.

Example

aws::wafv2-web-acl web-acl-example
    name: "web-acl-example"
    description: "web-acl-example-desc"
    scope: "REGIONAL"
    default-action: "BLOCK"

    visibility-config
        metric-name: "web-acl-example"
        cloud-watch-metrics-enabled: false
        sampled-requests-enabled: false
    end

    rule
        name: "web-acl-example-rule-1"
        priority: 0
        override-action: "COUNT"

        visibility-config
            metric-name: "web-acl-example-rule-1"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            rule-group-reference-statement
                rule-group: $(aws::wafv2-rule-group rule-group-example)
            end
        end
    end

    rule
        name: "web-acl-example-rule-2"
        priority: 1
        override-action: "COUNT"

        visibility-config
            metric-name: "web-acl-example-rule-2"
            cloud-watch-metrics-enabled: false
            sampled-requests-enabled: false
        end

        statement
            managed-rule-group-statement
                name: "AWSManagedRulesAnonymousIpList"
                vendor-name: "AWS"
            end
        end
    end
end
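
The following is an added example, not part of the original Gyro documentation. It shows rules that carry their own statement and therefore set action instead of override-action: a rate-based rule keyed on the forwarded IP and an XSS rule on the request body. It is assembled from the attributes listed under Attributes and follows the block syntax of the example above; the resource names, metric names and limit value are constructed.

```gyro
# Constructed example: uses only attributes documented on this page.
aws::wafv2-web-acl web-acl-rate-limit-example
    name: "web-acl-rate-limit-example"
    description: "rate limit per client and block XSS in request bodies"
    scope: "REGIONAL"
    default-action: "ALLOW"

    visibility-config
        metric-name: "web-acl-rate-limit-example"
        cloud-watch-metrics-enabled: true
        sampled-requests-enabled: true
    end

    # Rule with its own statement: set action, not override-action.
    rule
        name: "rate-limit-per-forwarded-ip"
        priority: 0
        action: "BLOCK"

        visibility-config
            metric-name: "rate-limit-per-forwarded-ip"
            cloud-watch-metrics-enabled: true
            sampled-requests-enabled: true
        end

        statement
            rate-based-statement
                aggregate-key-type: "FORWARDED_IP"
                limit: 1000

                # X-Forwarded-For can be supplied by the client; key on it only
                # when a trusted proxy in front of the resource sets it.
                # NO_MATCH: requests with a missing or invalid header are not
                # counted by this rule.
                forwarded-ip-config
                    header-name: "X-Forwarded-For"
                    fallback-behavior: "NO_MATCH"
                end
            end
        end
    end

    rule
        name: "block-xss-in-body"
        priority: 1
        action: "BLOCK"

        visibility-config
            metric-name: "block-xss-in-body"
            cloud-watch-metrics-enabled: true
            sampled-requests-enabled: true
        end

        statement
            xss-match-statement
                field-to-match
                    match-type: "BODY"

                    # MATCH applies the rule action to bodies larger than
                    # AWS WAF can inspect; CONTINUE would evaluate only the
                    # inspected portion.
                    body
                        oversize-handling: "MATCH"
                    end
                end

                # Transformations run in priority order before the check.
                text-transformation
                    priority: 0
                    type: "URL_DECODE"
                end

                text-transformation
                    priority: 1
                    type: "HTML_ENTITY_DECODE"
                end
            end
        end
    end
end
```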

Attributes

Attribute Description
scope The scope where the resource is going to be created. Resources can only be used and associated with other resources of the same scope. Valid values are CLOUDFRONT or REGIONAL. (Required)

tags map The tags associated with the resources.
name The name of the web acl. (Required)
description The description of the web acl.
default-action The default action when no rules match. Valid values are ALLOW or BLOCK. (Required)
rule set subresource

A set of rules having the request filters for the web acl. Maximum allowed items are 10. (Required)

name
The name of the rule. (Required)
priority
The priority of the rule. The priority assigned needs to be ordered in increasing order starting from 0. (Required)
visibility-config
The visibility configuration for the rule. (Required)
action
The action to perform if the rule passes. Cannot be set if override-action is set. Valid values are ALLOW, BLOCK, COUNT, CAPTCHA or CHALLENGE.
override-action
The override action to perform if the rule passes. Cannot be set if action is set. Valid values are NONE or COUNT.
statement subresource

The statement configuration having the individual conditions.

and-statement subresource

And statement configuration.

statement set
The set of statement resources associated with the AND statement. (Required)
not-statement subresource

Not statement configuration.

statement
The statement resource associated with the NOT statement. (Required)
or-statement subresource

Or statement configuration.

statement set
The set of statement resources associated with the OR statement. Minimum required items are 2. (Required)
byte-match-statement subresource

Byte Match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-cookies is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-cookies is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the header order. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
positional-constraint
The positional search type for the search string. Valid values are EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS or CONTAINS_WORD. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
search-string
The search string you want AWS WAF to search for in the request. (Required)
geo-match-statement subresource

Geo statement configuration.

country-codes set
A set of 2 character country codes based on ISO 3166 on which to filter the request. (Required)
ip-set-reference-statement subresource

IP set reference statement configuration.

ip-set
The ip set resource to associate with. (Required)
ip-set-forwarded-ip-config subresource

The forwarded IP configuration for the ip set.

header-name
The name of the header to use for the forwarded IP. (Required)
fallback-behavior
The fallback behavior for the forwarded IP. Valid values are MATCH or NO_MATCH. (Required)
position
The position of the forwarded IP. Valid values are FIRST, LAST or ANY. (Required)
regex-pattern-set-reference-statement subresource
Regex pattern reference statement configuration.
regex-match-statement subresource

Regex match statement configuration.

regex-string
The regex pattern to match the condition. (Required)
field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-cookies is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-cookies is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the header order. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
size-constraint-statement subresource

Size constraint statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-cookies is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-cookies is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the header order. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
comparison-operator
The comparison operator for the size specified. Valid values are EQ, NE, LE, LT, GE or GT. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
size
The size in bytes for the constraint to work on. (Required)
sqli-match-statement subresource
SQL injection match statement configuration.
xss-match-statement subresource

XSS match statement configuration.

field-to-match subresource

The field setting to match the condition. (Required)

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-cookies is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-cookies is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the header order. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
text-transformation set subresource

Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
label-match-statement subresource

Label match statement configuration.

scope
The part of the web request that you want AWS WAF to inspect. Valid values are LABEL or NAMESPACE. (Required)
key
The value that you want AWS WAF to search for. (Required)
rate-based-statement subresource

Rate based statement configuration.

aggregate-key-type
The aggregate key type for the rate based statement. Defaults to IP. Valid values are IP, FORWARDED_IP, CONSTANT or CUSTOM_KEYS.
limit
The rate limit for the rate based statement. Minimum allowed value is 100. (Required)
scope-down-statement
The statement resource associated with the rate based statement.
custom-keys set subresource

The list of custom key configs for the rate based statement. Maximum allowed items are 5.

header subresource

The header to use for the rate limit.

name
The name of the header to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the header before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
cookie subresource

The cookie to use for the rate limit.

name
The name of the cookie to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the cookie before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
query-string subresource

The query string to use for the rate limit.

text-transformation set subresource

The text transformations to apply to the query string before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
query-argument subresource

The query argument to use for the rate limit.

name
The name of the query argument to use for the rate limit.
text-transformation set subresource

The text transformations to apply to the query argument before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
http-method subresource
The HTTP method to use for the rate limit.
ip subresource
The IP to use for the rate limit.
label-namespace subresource

The label namespace to use for the rate limit.

namespace
The namespace to use for the rate limit. Must be a string of 1 to 1024 characters that ends with a colon (:). The string can contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), underscore (_), and colon (:). The string cannot start with a colon (:). Valid values satisfy the regex: [^(?!:)(?:[A-Za-z0-9_-]+:){1,1023}$].
uri-path subresource

The URI path to use for the rate limit.

text-transformation set subresource

The text transformations to apply to the URI path before using it for the rate limit.

priority
The priority of the text transformation. (Required)
type
The type of the text transformation. Valid values are NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI or UTF8_TO_UNICODE. (Required)
forwarded-ip subresource
The forwarded IP to use for the rate limit.
forwarded-ip-config subresource

The forwarded IP configuration for the rate based statement.

fallback-behavior
The fallback behavior for the rate limit. Valid values are MATCH or NO_MATCH. (Required)
header-name
The name of the HTTP header to be used for the IP address. (Required)
evaluation-window
The evaluation window in seconds for the rate based statement. Defaults to 300. Valid values are 60.0, 120.0, 300.0 or 600.0.
managed-rule-group-statement subresource

Managed rule group statement configuration.

excluded-rules set
A set of rule names to be excluded that are part of the associated managed rule group.
name
The name of the managed rule group. (Required)
vendor-name
The vendor name of the managed rule group. (Required)
rule-group-reference-statement subresource

Rule group reference statement configuration.

rule-group
The rule group resource to reference. (Required)
excluded-rules set
A set of rule names to be excluded that are part of the referenced rule group resource.
custom-request-handling subresource

The custom request handling configuration for the rule.

insert-headers map
A list of custom request handling actions to be inserted into the request header. (Required)
captcha-config subresource

The captcha configuration for the rule.

immunity-time
The time in seconds that the client should be immune to captcha after failing the challenge. Minimum allowed value is 60. (Required)
challenge-config subresource

The challenge configuration for the rule.

immunity-time
The time in seconds that the client should be immune to challenge after failing the challenge. Minimum allowed value is 300. (Required)
custom-response subresource

The custom response configuration for the rule.

custom-response-body-key
The custom response body key.
response-code
The HTTP status code to define custom set of rules. (Required)
response-headers map
A list of custom response headers.
action-labels set
The action labels for the rule. The string containing the label name and optional prefix and namespaces.
visibility-config subresource

The visibility config for the web acl. (Required)

metric-name
The name of the CloudWatch metric. (Required)
cloud-watch-metrics-enabled
Enable CloudWatch metrics when set to true. Defaults to false.
sampled-requests-enabled
Enable CloudWatch metric request sampling when set to true. Defaults to false.
load-balancers set A set of Application Load Balancers that will be associated with the web acl.
logging-configuration subresource

The logging configuration for the web acl.

redacted-field set subresource

The set of field match settings to redact from the logs.

match-type
The field match type. Valid values are SINGLE_HEADER, SINGLE_QUERY_ARGUMENT, ALL_QUERY_ARGUMENTS, BODY, QUERY_STRING, METHOD, URI_PATH, HEADERS, COOKIES, HEADER_ORDER, JSON_BODY or JA3_FINGERPRINT. (Required)
name
The name of the field to match. Only required if match-type set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT.
body subresource

The body to match.

oversize-handling
The oversize handling for the body. Valid values are MATCH, NO_MATCH or CONTINUE. (Required)
headers subresource

The headers to match.

match-pattern subresource

The match pattern for the headers. (Required)

all
When set to true, the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
excluded-headers list
The list of headers to exclude from the pattern. Cannot be set if any of all or included-headers is set.
included-headers list
The list of headers to include in the pattern. Cannot be set if any of all or excluded-headers is set.
match-scope
The match scope for the headers. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the headers. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
cookies subresource

The cookies to match.

match-pattern subresource

The match pattern for the cookies. (Required)

all
When set to true, the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
excluded-cookies list
The list of cookies to exclude from the pattern. Cannot be set if any of all or included-cookies is set.
included-cookies list
The list of cookies to include in the pattern. Cannot be set if any of all or excluded-cookies is set.
match-scope
The match scope for the cookies. Valid values are ALL, KEY or VALUE. (Required)
oversize-handling
The oversize handling for the cookies. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
header-order subresource

The header order to match.

oversize-handling
The oversize handling for the header order. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
json-body subresource

The JSON body to match.

match-pattern subresource

The match pattern for the body. (Required)

all
When set to true, the pattern will match all paths. Cannot be set if included-paths is set.
include-paths list
The list of paths to include in the pattern. Cannot be set if all is set.
match-scope
The match scope for the body. Valid values are ALL, KEY or VALUE. (Required)
invalid-fallback-behavior
The invalid fallback behavior for the body. Valid values are MATCH, NO_MATCH or EVALUATE_AS_STRING.
oversize-handling
The oversize handling for the body. Valid values are CONTINUE, MATCH or NO_MATCH. (Required)
ja3-fingerprint subresource

The JA3 fingerprint to match.

fallback-behavior
The fallback behavior for the JA3 fingerprint. Valid values are MATCH or NO_MATCH. (Required)
log-destination-configs set
A set of ARNs of the AWS Kinesis Data Firehose delivery streams to associate with the web acl.
custom-response-body set subresource

A set of custom response bodies for the web acl.

name
The custom response body name. (Required)
content
The custom response body content. (Required)

Outputs

Attribute Description
id The id of the web acl.
arn The arn of the web acl.
capacity The total capacity based on the associated rules of the web acl.