Resource: awsWafWebAcl
Provides a WAF Web ACL Resource
Example Usage
This example blocks requests coming from 192.0.7.0/24 and allows everything else.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// These statements run inside a TerraformStack constructor, where `this` is the stack.
// IP set listing the address range to block.
const awsWafIpsetIpset = new aws.wafIpset.WafIpset(this, "ipset", {
  ipSetDescriptors: [
    {
      type: "IPV4",
      value: "192.0.7.0/24",
    },
  ],
  name: "tfIPSet",
});
// Rule that matches requests whose source address is in the IP set.
const awsWafRuleWafrule = new aws.wafRule.WafRule(this, "wafrule", {
  // dependsOn takes construct references; the dataId reference below already implies this dependency.
  dependsOn: [awsWafIpsetIpset],
  metricName: "tfWAFRule",
  name: "tfWAFRule",
  predicates: [
    {
      dataId: awsWafIpsetIpset.id,
      negated: false,
      type: "IPMatch",
    },
  ],
});
// Web ACL: BLOCK requests that match the rule, ALLOW everything else.
new aws.wafWebAcl.WafWebAcl(this, "waf_acl", {
  defaultAction: {
    type: "ALLOW",
  },
  dependsOn: [awsWafIpsetIpset, awsWafRuleWafrule],
  metricName: "tfWebACL",
  name: "tfWebACL",
  rules: [
    {
      action: {
        type: "BLOCK",
      },
      priority: 1,
      ruleId: awsWafRuleWafrule.id,
      type: "REGULAR",
    },
  ],
});
Logging
~> NOTE: The Kinesis Firehose Delivery Stream name must begin with aws-waf-logs- and the stream must be located in the us-east-1 region. See the AWS WAF Developer Guide for more information about enabling WAF logging.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// Runs inside a TerraformStack constructor. The required defaultAction, metricName and name
// arguments are omitted here for brevity; see the example above.
// The delivery stream is not defined in this snippet: the string below is the HCL address of an
// aws_kinesis_firehose_delivery_stream named "example". In a real stack, reference the
// KinesisFirehoseDeliveryStream construct's arn attribute instead of an interpolation string.
new aws.wafWebAcl.WafWebAcl(this, "example", {
  loggingConfiguration: {
    logDestination: "${aws_kinesis_firehose_delivery_stream.example.arn}",
    // Keep the request URI and the Referer header out of the delivered logs.
    redactedFields: {
      fieldToMatch: [
        {
          type: "URI",
        },
        {
          data: "referer",
          type: "HEADER",
        },
      ],
    },
  },
});
Argument Reference
The following arguments are supported:
defaultAction - (Required) Configuration block with the action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules associated with the web ACL. Detailed below.
metricName - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
name - (Required) The name or description of the web ACL.
rules - (Optional) Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
loggingConfiguration - (Optional) Configuration block to enable WAF logging. Detailed below.
tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
defaultAction Configuration Block
type - (Required) Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules, e.g., ALLOW or BLOCK.
loggingConfiguration Configuration Block
logDestination - (Required) Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Stream that receives the logs.
redactedFields - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
redactedFields Configuration Block
fieldToMatch - (Required) Set of configuration blocks for fields to redact. Detailed below.
fieldToMatch Configuration Block
-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.
data - (Optional) When the value of type is HEADER, enter the name of the header that you want AWS WAF to redact, for example, User-Agent or Referer. If the value of type is any other value, omit data.
type - (Required) The part of the web request that you want AWS WAF to redact, e.g., HEADER, METHOD or URI.
rules Configuration Block
See docs for all details and supported values.
action - (Optional) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
  type - (Required) Valid values are: BLOCK, ALLOW, or COUNT.
overrideAction - (Optional) Override the action that a rule group requests CloudFront or AWS WAF to take when a web request matches the conditions in the rule. Only used if type is GROUP.
  type - (Required) Valid values are: NONE or COUNT.
priority - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value. The value must be unique within the web ACL.
ruleId - (Required) ID of the associated WAF (Global) rule (e.g., the id of an aws.wafRule.WafRule resource). WAF (Regional) rules cannot be used.
type - (Optional) The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type to RATE_BASED. If you add a GROUP rule, you need to set type to GROUP.
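The constraints in the rules block (unique priorities, action only for REGULAR and RATE_BASED rules, overrideAction only for GROUP rules) and the logging note's requirements on the Firehose delivery stream (us-east-1, name beginning with aws-waf-logs-) only surface as errors at apply time. The TypeScript below is an added example, not part of the provider documentation or the provider's code: it lints a plain-object description of a Web ACL before synthesis. The WebAclSpec shape, the function names, the sample rule IDs and the ARNs are constructed for illustration; the alphanumeric metricName rule is an AWS API constraint assumed here, not something this page states.

```typescript
// Added example: pre-synth lint for an AWS WAF (Classic) Web ACL definition.
// Not provider code; the spec shape and the sample values below are constructed.

type WafAction = "ALLOW" | "BLOCK" | "COUNT";
type WafOverride = "NONE" | "COUNT";
type WafRuleType = "REGULAR" | "RATE_BASED" | "GROUP";

interface WebAclRule {
  priority: number;
  ruleId: string;
  type?: WafRuleType;                      // omitted => REGULAR
  action?: { type: WafAction };            // REGULAR and RATE_BASED rules only
  overrideAction?: { type: WafOverride };  // GROUP rules only
}

interface WebAclSpec {
  name: string;
  metricName: string;
  defaultAction: { type: WafAction };
  rules: WebAclRule[];
  logDestination?: string;                 // Kinesis Firehose delivery stream ARN
}

const ACTIONS = new Set<string>(["ALLOW", "BLOCK", "COUNT"]);
const OVERRIDES = new Set<string>(["NONE", "COUNT"]);

function effectiveType(rule: WebAclRule): WafRuleType {
  return rule.type ?? "REGULAR";
}

// The logging note: the stream must be in us-east-1 and its name must start with aws-waf-logs-.
function lintLogDestination(arn: string): string[] {
  const m = /^arn:aws[a-z-]*:firehose:([a-z0-9-]+):\d{12}:deliverystream\/(.+)$/.exec(arn);
  if (m === null) return [`logDestination is not a Firehose delivery stream ARN: ${arn}`];
  const problems: string[] = [];
  const region = m[1];
  const name = m[2];
  if (region !== "us-east-1") problems.push(`delivery stream must be in us-east-1, got ${region}`);
  if (!name.startsWith("aws-waf-logs-")) problems.push(`delivery stream name must begin with aws-waf-logs-, got ${name}`);
  return problems;
}

function lintWebAcl(spec: WebAclSpec): string[] {
  const problems: string[] = [];
  if (!ACTIONS.has(spec.defaultAction.type)) {
    problems.push(`defaultAction.type must be ALLOW, BLOCK or COUNT, got ${spec.defaultAction.type}`);
  }
  // AWS API constraint (assumed here, not stated on this page): 1-128 alphanumeric characters.
  if (!/^[A-Za-z0-9]{1,128}$/.test(spec.metricName)) {
    problems.push(`metricName must be 1-128 alphanumeric characters, got "${spec.metricName}"`);
  }
  const seen = new Map<number, string>();
  for (const r of spec.rules) {
    const prev = seen.get(r.priority);
    if (prev !== undefined) problems.push(`priority ${r.priority} used by both ${prev} and ${r.ruleId}`);
    seen.set(r.priority, r.ruleId);
    if (effectiveType(r) === "GROUP") {
      if (!r.overrideAction || !OVERRIDES.has(r.overrideAction.type)) {
        problems.push(`${r.ruleId}: GROUP rules need overrideAction.type of NONE or COUNT`);
      }
      if (r.action) problems.push(`${r.ruleId}: action is not used when type is GROUP`);
    } else {
      if (!r.action || !ACTIONS.has(r.action.type)) {
        problems.push(`${r.ruleId}: ${effectiveType(r)} rules need action.type of ALLOW, BLOCK or COUNT`);
      }
      if (r.overrideAction) problems.push(`${r.ruleId}: overrideAction is only used when type is GROUP`);
    }
  }
  if (spec.logDestination !== undefined) problems.push(...lintLogDestination(spec.logDestination));
  return problems;
}

// Rules are evaluated lowest priority first; defaultAction applies only when no rule matches.
function evaluationOrder(spec: WebAclSpec): string[] {
  return [...spec.rules].sort((a, b) => a.priority - b.priority).map((r) => r.ruleId);
}

// Constructed sample: the page's IP-block rule plus a rate-based rule in COUNT mode and logging.
const sampleAcl: WebAclSpec = {
  name: "tfWebACL",
  metricName: "tfWebACL",
  defaultAction: { type: "ALLOW" },
  rules: [
    { priority: 2, ruleId: "rate-limit", type: "RATE_BASED", action: { type: "COUNT" } },
    { priority: 1, ruleId: "ip-block", action: { type: "BLOCK" } },
  ],
  logDestination: "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-example",
};

// Constructed sample carrying the mistakes the lint is meant to catch.
const badAcl: WebAclSpec = {
  name: "tfWebACL",
  metricName: "tf-WebACL",
  defaultAction: { type: "ALLOW" },
  rules: [
    { priority: 1, ruleId: "ip-block", action: { type: "BLOCK" } },
    { priority: 1, ruleId: "managed-group", type: "GROUP", action: { type: "COUNT" } },
    { priority: 2, ruleId: "rate-limit", type: "RATE_BASED", overrideAction: { type: "NONE" } },
  ],
  logDestination: "arn:aws:firehose:eu-west-1:123456789012:deliverystream/waf-logs",
};

console.log(lintWebAcl(sampleAcl));      // []
console.log(evaluationOrder(sampleAcl)); // [ 'ip-block', 'rate-limit' ]
console.log(lintWebAcl(badAcl));         // eight problems
```

Run it with ts-node before cdktf synth; the badAcl sample reports the duplicate priority, the GROUP rule carrying an action, the RATE_BASED rule carrying an overrideAction and lacking an action, the hyphenated metric name, and the Firehose stream in the wrong region with the wrong name prefix.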
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id - The ID of the WAF WebACL.
arn - The ARN of the WAF WebACL.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
WAF Web ACL can be imported using the id, e.g.,