Resource: awsWafregionalWebAcl
Provides a WAF Regional Web ACL Resource for use with Application Load Balancer.
Example Usage
Regular Rule
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// Stack wrapper added so the snippet compiles as a complete cdktf stack;
// the provider region is an assumption.
export class WafRegularRuleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new aws.provider.AwsProvider(this, "aws", { region: "us-east-1" });

    // IP set holding the source ranges the rule matches (IPV4 or IPV6 descriptors)
    const awsWafregionalIpsetIpset = new aws.wafregionalIpset.WafregionalIpset(
      this,
      "ipset",
      {
        ipSetDescriptor: [
          {
            type: "IPV4",
            value: "192.0.7.0/24",
          },
        ],
        name: "tfIPSet",
      }
    );
    // Rule with a single IPMatch predicate; negated: false means "source IP is in the set"
    const awsWafregionalRuleWafrule = new aws.wafregionalRule.WafregionalRule(
      this,
      "wafrule",
      {
        metricName: "tfWAFRule",
        name: "tfWAFRule",
        predicate: [
          {
            dataId: awsWafregionalIpsetIpset.id,
            negated: false,
            type: "IPMatch",
          },
        ],
      }
    );
    // Web ACL: requests matching the rule are blocked, everything else is allowed.
    // Attach it to a load balancer with aws_wafregional_web_acl_association.
    new aws.wafregionalWebAcl.WafregionalWebAcl(this, "wafacl", {
      defaultAction: {
        type: "ALLOW",
      },
      metricName: "tfWebACL",
      name: "tfWebACL",
      rule: [
        {
          action: {
            type: "BLOCK",
          },
          priority: 1,
          ruleId: awsWafregionalRuleWafrule.id,
          type: "REGULAR",
        },
      ],
    });
  }
}
Group Rule
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// Stack wrapper and rule group declaration added so the snippet compiles as a
// complete cdktf stack; the provider region is an assumption.
export class WafGroupRuleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new aws.provider.AwsProvider(this, "aws", { region: "us-east-1" });

    // Rule group whose activated rules the web ACL evaluates (add activatedRule entries)
    const ruleGroup = new aws.wafregionalRuleGroup.WafregionalRuleGroup(this, "rulegroup", {
      metricName: "example",
      name: "example",
    });
    new aws.wafregionalWebAcl.WafregionalWebAcl(this, "example", {
      defaultAction: {
        type: "ALLOW",
      },
      metricName: "example",
      name: "example",
      rule: [
        {
          // NONE applies each group rule's own action; COUNT would only count matches
          overrideAction: {
            type: "NONE",
          },
          priority: 1,
          ruleId: ruleGroup.id,
          type: "GROUP",
        },
      ],
    });
  }
}
Logging
~> NOTE: The Kinesis Firehose Delivery Stream name must begin with aws-waf-logs- (the literal hyphenated prefix; a stream with any other name is rejected as a log destination). See the AWS WAF Developer Guide for more information about enabling WAF logging.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// Stack wrapper and the required defaultAction, metricName and name added so the
// snippet compiles as a complete cdktf stack; the provider region is an assumption.
export class WafLoggingStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new aws.provider.AwsProvider(this, "aws", { region: "us-east-1" });

    new aws.wafregionalWebAcl.WafregionalWebAcl(this, "example", {
      defaultAction: {
        type: "ALLOW",
      },
      metricName: "example",
      name: "example",
      loggingConfiguration: {
        // ARN of a Kinesis Firehose delivery stream named aws-waf-logs-*, declared
        // elsewhere in this stack with the Terraform ID "example"
        logDestination: "${aws_kinesis_firehose_delivery_stream.example.arn}",
        redactedFields: {
          // URI and the Referer header are replaced in the log; other parts of the
          // request (query string, cookies) are logged unless listed here too
          fieldToMatch: [
            { type: "URI" },
            { data: "referer", type: "HEADER" },
          ],
        },
      },
    });
  }
}
Argument Reference
The following arguments are supported:
defaultAction - (Required) The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
metricName - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
name - (Required) The name or description of the web ACL.
loggingConfiguration - (Optional) Configuration block to enable WAF logging. Detailed below.
rule - (Optional) Set of configuration blocks containing rules for the web ACL. Detailed below.
tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
defaultAction Configuration Block
type - (Required) Specifies how you want AWS WAF Regional to respond to requests that do not match any rule in the web ACL: ALLOW or BLOCK. COUNT is only meaningful inside a rule and is not accepted as the default action.
loggingConfiguration Configuration Block
logDestination - (Required) Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Stream that receives the logs. The stream name must begin with aws-waf-logs-.
redactedFields - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
redactedFields Configuration Block
fieldToMatch - (Required) Set of configuration blocks for fields to redact. Detailed below.
fieldToMatch Configuration Block
-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.
data - (Optional) When the value of type is HEADER, enter the name of the header that you want AWS WAF to redact, for example, User-Agent or Referer (header names are matched case-insensitively). If the value of type is any other value, omit data.
type - (Required) The part of the web request that you want redacted from the logs, e.g., HEADER, METHOD, QUERY_STRING or URI.
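The following is an added example, not code from the cdktf docs or the AWS provider. It applies a redactedFields list to a constructed log record shaped like a WAF Classic log entry, so the effect of the loggingConfiguration above can be seen before logs are shipped. The record, the function names (redact, headerValue, isValidWafLogStreamName) and the representation of a redacted value as the literal REDACTED are assumptions made for the example.

```typescript
// Added example: model of redactedFields applied to a WAF Classic log record.
export type FieldToMatch = { type: string; data?: string };
export type LogHeader = { name: string; value: string };
export type WafLogRecord = {
  action: string;
  httpRequest: { clientIp: string; httpMethod: string; uri: string; args: string; headers: LogHeader[] };
};

export const WAF_LOG_STREAM_PREFIX = "aws-waf-logs-";

// WAF only accepts a Firehose delivery stream whose name starts with aws-waf-logs-.
export function isValidWafLogStreamName(name: string): boolean {
  return name.startsWith(WAF_LOG_STREAM_PREFIX) && name.length > WAF_LOG_STREAM_PREFIX.length;
}

// Redacted parts are represented by the literal REDACTED; everything else is logged as-is.
export function redact(record: WafLogRecord, fields: FieldToMatch[]): WafLogRecord {
  const out: WafLogRecord = JSON.parse(JSON.stringify(record)); // never mutate the input
  for (const f of fields) {
    switch (f.type) {
      case "URI":
        out.httpRequest.uri = "REDACTED";
        break;
      case "QUERY_STRING":
        out.httpRequest.args = "REDACTED";
        break;
      case "METHOD":
        out.httpRequest.httpMethod = "REDACTED";
        break;
      case "HEADER": {
        if (!f.data) throw new Error("HEADER needs data (the header name)");
        const wanted = f.data.toLowerCase(); // header names are matched case-insensitively
        for (const h of out.httpRequest.headers) {
          if (h.name.toLowerCase() === wanted) h.value = "REDACTED";
        }
        break;
      }
      default:
        throw new Error(`unsupported fieldToMatch type ${f.type}`);
    }
  }
  return out;
}

export function headerValue(record: WafLogRecord, name: string): string | undefined {
  return record.httpRequest.headers.find((h) => h.name.toLowerCase() === name.toLowerCase())?.value;
}

// Constructed sample record (no real traffic): a password-reset request carrying a
// token in the query string and a session cookie.
export const sampleRecord: WafLogRecord = {
  action: "BLOCK",
  httpRequest: {
    clientIp: "192.0.7.77",
    httpMethod: "GET",
    uri: "/account/reset",
    args: "token=abc123",
    headers: [
      { name: "Host", value: "app.example.com" },
      { name: "Referer", value: "https://app.example.com/login" },
      { name: "Cookie", value: "session=s3cr3t" },
    ],
  },
};

// The page's configuration: URI and the Referer header are redacted, but the query
// string token and the Cookie header still reach the log unless also listed.
export const pageRedaction: FieldToMatch[] = [{ type: "URI" }, { type: "HEADER", data: "referer" }];
```

Running redact(sampleRecord, pageRedaction) leaves token=abc123 and the session cookie in the delivered record; add a QUERY_STRING entry and a HEADER entry with data set to Cookie when those carry secrets.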
rule Configuration Block
-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.
priority - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value, and the value must be unique within the web ACL. Evaluation stops at the first matching rule whose action is ALLOW or BLOCK; a matching COUNT rule only increments its metric and evaluation continues with the next rule.
ruleId - (Required) ID of the associated WAF (Regional) rule (e.g., awsWafregionalRule, awsWafregionalRateBasedRule or awsWafregionalRuleGroup). WAF (Global) rules cannot be used.
action - (Optional) Configuration block of the action that AWS WAF Regional takes when a web request matches the conditions in the rule. Not used if type is GROUP. Detailed below.
overrideAction - (Optional) Configuration block that overrides the actions of the rules inside a rule group when a web request matches one of them. Only used if type is GROUP. Detailed below.
type - (Optional) The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
action / overrideAction Configuration Block
type - (Required) Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for action are ALLOW, BLOCK or COUNT. Valid values for overrideAction are COUNT (every rule in the group only counts its matches, useful for trialling a group before enforcing it) and NONE (each rule in the group applies its own action).
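The following is an added example, not code from the cdktf docs or the AWS provider. It models how AWS WAF Classic evaluates a regional web ACL so a rule set can be checked against the ordering and action rules in the rule, action and overrideAction blocks above before it is deployed: ascending priority, COUNT continues, ALLOW and BLOCK terminate, the default action applies otherwise, and overrideAction COUNT on a GROUP turns the group's actions into counts. Predicates are simplified to IPv4 CIDR matching (the IPMatch predicate behind an IP set) and a request-rate threshold (a RATE_BASED rule); the function names (validateWebAcl, evaluate, ipMatch, rateLimit) and the constructed web ACL are assumptions made for the example.

```typescript
// Added example: a model of WAF Classic web ACL evaluation and its static constraints.
export type Request = {
  clientIp: string;
  // requests seen from clientIp in the trailing five minutes, what a RATE_BASED rule counts
  requestsFromIpLast5Min: number;
};
export type Predicate = (req: Request) => boolean;
type Member = { ruleId: string; priority: number; action: string; matches: Predicate };

export type Rule = {
  ruleId: string;
  priority: number;
  type: "REGULAR" | "RATE_BASED" | "GROUP";
  action?: { type: string };         // REGULAR and RATE_BASED rules
  overrideAction?: { type: string }; // GROUP rules only
  matches?: Predicate;               // REGULAR and RATE_BASED predicate
  groupRules?: Member[];             // GROUP only: the group's activated rules
};
export type WebAcl = { name: string; defaultAction: { type: string }; rule: Rule[] };
export type Verdict = { decision: "ALLOW" | "BLOCK"; terminatedBy: string | null; counted: string[] };

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// IPv4 CIDR matcher; negated mirrors the predicate's negated flag.
export function ipMatch(cidr: string, negated = false): Predicate {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr ? Number(bitsStr) : 32;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const network = (ipv4ToInt(net) & mask) >>> 0;
  return (req) => (((ipv4ToInt(req.clientIp) & mask) >>> 0) === network) !== negated;
}

export function rateLimit(limit: number): Predicate {
  return (req) => req.requestsFromIpLast5Min > limit;
}

// Static checks the API enforces: priorities unique, COUNT not a default action,
// action only on REGULAR/RATE_BASED rules, overrideAction only on GROUP rules.
export function validateWebAcl(acl: WebAcl): string[] {
  const problems: string[] = [];
  if (!["ALLOW", "BLOCK"].includes(acl.defaultAction.type)) {
    problems.push(`defaultAction must be ALLOW or BLOCK, got ${acl.defaultAction.type}`);
  }
  const seen = new Set<number>();
  for (const r of acl.rule) {
    if (seen.has(r.priority)) problems.push(`rule ${r.ruleId}: duplicate priority ${r.priority}`);
    seen.add(r.priority);
    if (r.type === "GROUP") {
      if (r.action) problems.push(`rule ${r.ruleId}: action is not used when type is GROUP`);
      if (!["NONE", "COUNT"].includes(r.overrideAction?.type ?? "")) {
        problems.push(`rule ${r.ruleId}: GROUP needs overrideAction NONE or COUNT`);
      }
    } else {
      if (r.overrideAction) problems.push(`rule ${r.ruleId}: overrideAction only applies to GROUP`);
      if (!["ALLOW", "BLOCK", "COUNT"].includes(r.action?.type ?? "")) {
        problems.push(`rule ${r.ruleId}: action must be ALLOW, BLOCK or COUNT`);
      }
    }
  }
  return problems;
}

export function evaluate(acl: WebAcl, req: Request): Verdict {
  const counted: string[] = [];
  // Lower priority value first. A matching rule either terminates (ALLOW/BLOCK)
  // or is counted, after which the next rule is still evaluated.
  for (const r of [...acl.rule].sort((a, b) => a.priority - b.priority)) {
    const members: Member[] = r.type === "GROUP"
      ? [...(r.groupRules ?? [])].sort((a, b) => a.priority - b.priority)
      : [{ ruleId: r.ruleId, priority: r.priority, action: r.action?.type ?? "", matches: r.matches ?? (() => false) }];
    for (const m of members) {
      if (!m.matches(req)) continue;
      // overrideAction COUNT turns every member's action into COUNT
      const action = r.type === "GROUP" && r.overrideAction?.type === "COUNT" ? "COUNT" : m.action;
      if (action === "COUNT") { counted.push(m.ruleId); continue; }
      if (action !== "ALLOW" && action !== "BLOCK") throw new Error(`rule ${m.ruleId}: bad action ${action}`);
      return { decision: action as "ALLOW" | "BLOCK", terminatedBy: m.ruleId, counted };
    }
  }
  return { decision: acl.defaultAction.type as "ALLOW" | "BLOCK", terminatedBy: null, counted };
}

export function mkReq(clientIp: string, requestsFromIpLast5Min = 0): Request {
  return { clientIp, requestsFromIpLast5Min };
}

// Constructed web ACL in the shape of the page's example: a COUNT rule on a wide range
// in front of a BLOCK rule on 192.0.7.0/24, a rate-based rule, a rule group in
// COUNT-override (trial) mode, and ALLOW as the default action.
export const exampleAcl: WebAcl = {
  name: "tfWebACL",
  defaultAction: { type: "ALLOW" },
  rule: [
    { ruleId: "netWatch", priority: 1, type: "REGULAR", action: { type: "COUNT" }, matches: ipMatch("192.0.0.0/16") },
    { ruleId: "tfWAFRule", priority: 2, type: "REGULAR", action: { type: "BLOCK" }, matches: ipMatch("192.0.7.0/24") },
    { ruleId: "rateLimit", priority: 3, type: "RATE_BASED", action: { type: "BLOCK" }, matches: rateLimit(2000) },
    { ruleId: "trialGroup", priority: 4, type: "GROUP", overrideAction: { type: "COUNT" },
      groupRules: [{ ruleId: "groupBlock", priority: 1, action: "BLOCK", matches: ipMatch("198.51.100.0/24") }] },
  ],
};
```

A request from 192.0.7.77 is counted by netWatch and then blocked by tfWAFRule; a request from 198.51.100.9 matches the group's BLOCK rule but is only counted because of the COUNT override, so the default ALLOW applies. Swapping the priorities of netWatch and tfWAFRule changes nothing here, but placing an ALLOW rule ahead of a BLOCK rule would let matching requests through, which is the ordering mistake validateWebAcl cannot catch and evaluate makes visible.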
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - Amazon Resource Name (ARN) of the WAF Regional WebACL.
id - The ID of the WAF Regional WebACL.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
WAF Regional Web ACL can be imported using the id, e.g.,