Resource: awsWafv2RuleGroup

Creates a WAFv2 Rule Group resource.

Example Usage

Simple

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafv2RuleGroup.Wafv2RuleGroup(this, "example", {
  capacity: 2,
  name: "example-rule",
  rule: [
    {
      action: {
        allow: {},
      },
      name: "rule-1",
      priority: 1,
      statement: {
        geoMatchStatement: {
          countryCodes: ["US", "NL"],
        },
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "friendly-rule-metric-name",
        sampledRequestsEnabled: false,
      },
    },
  ],
  scope: "REGIONAL",
  visibilityConfig: {
    cloudwatchMetricsEnabled: false,
    metricName: "friendly-metric-name",
    sampledRequestsEnabled: false,
  },
});

Complex

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsWafv2IpSetTest = new aws.wafv2IpSet.Wafv2IpSet(this, "test", {
  addresses: ["1.1.1.1/32", "2.2.2.2/32"],
  ipAddressVersion: "IPV4",
  name: "test",
  scope: "REGIONAL",
});
const awsWafv2RegexPatternSetTest =
  new aws.wafv2RegexPatternSet.Wafv2RegexPatternSet(this, "test_1", {
    name: "test",
    regularExpression: [
      {
        regexString: "one",
      },
    ],
    scope: "REGIONAL",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2RegexPatternSetTest.overrideLogicalId("test");
new aws.wafv2RuleGroup.Wafv2RuleGroup(this, "example", {
  capacity: 500,
  description: "An rule group containing all statements",
  name: "complex-example",
  rule: [
    {
      action: {
        block: {},
      },
      name: "rule-1",
      priority: 1,
      statement: {
        notStatement: {
          statement: [
            {
              andStatement: {
                statement: [
                  {
                    geoMatchStatement: {
                      countryCodes: ["US"],
                    },
                  },
                  {
                    byteMatchStatement: {
                      fieldToMatch: {
                        allQueryArguments: {},
                      },
                      positionalConstraint: "CONTAINS",
                      searchString: "word",
                      textTransformation: [
                        {
                          priority: 5,
                          type: "CMD_LINE",
                        },
                        {
                          priority: 2,
                          type: "LOWERCASE",
                        },
                      ],
                    },
                  },
                ],
              },
            },
          ],
        },
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "rule-1",
        sampledRequestsEnabled: false,
      },
    },
    {
      action: {
        count: {},
      },
      name: "rule-2",
      priority: 2,
      statement: {
        orStatement: {
          statement: [
            {
              regexMatchStatement: {
                fieldToMatch: {
                  singleHeader: {
                    name: "user-agent",
                  },
                },
                regexString: "[a-z]([a-z0-9_-]*[a-z0-9])?",
                textTransformation: [
                  {
                    priority: 6,
                    type: "NONE",
                  },
                ],
              },
            },
            {
              sqliMatchStatement: {
                fieldToMatch: {
                  body: {},
                },
                textTransformation: [
                  {
                    priority: 5,
                    type: "URL_DECODE",
                  },
                  {
                    priority: 4,
                    type: "HTML_ENTITY_DECODE",
                  },
                  {
                    priority: 3,
                    type: "COMPRESS_WHITE_SPACE",
                  },
                ],
              },
            },
            {
              xssMatchStatement: {
                fieldToMatch: {
                  method: {},
                },
                textTransformation: [
                  {
                    priority: 2,
                    type: "NONE",
                  },
                ],
              },
            },
          ],
        },
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "rule-2",
        sampledRequestsEnabled: false,
      },
    },
    {
      action: {
        block: {},
      },
      name: "rule-3",
      priority: 3,
      statement: {
        sizeConstraintStatement: {
          comparisonOperator: "GT",
          fieldToMatch: {
            singleQueryArgument: {
              name: "username",
            },
          },
          size: 100,
          textTransformation: [
            {
              priority: 5,
              type: "NONE",
            },
          ],
        },
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "rule-3",
        sampledRequestsEnabled: false,
      },
    },
    {
      action: {
        block: {},
      },
      name: "rule-4",
      priority: 4,
      statement: {
        orStatement: {
          statement: [
            {
              ipSetReferenceStatement: {
                arn: awsWafv2IpSetTest.arn,
              },
            },
            {
              regexPatternSetReferenceStatement: {
                arn: awsWafv2RegexPatternSetTest.arn,
                fieldToMatch: {
                  singleHeader: {
                    name: "referer",
                  },
                },
                textTransformation: [
                  {
                    priority: 2,
                    type: "NONE",
                  },
                ],
              },
            },
          ],
        },
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "rule-4",
        sampledRequestsEnabled: false,
      },
    },
  ],
  scope: "REGIONAL",
  tags: {
    Code: "123456",
    Name: "example-and-statement",
  },
  visibilityConfig: {
    cloudwatchMetricsEnabled: false,
    metricName: "friendly-metric-name",
    sampledRequestsEnabled: false,
  },
});

Argument Reference

The following arguments are supported:

capacity - (Required, Forces new resource) The web ACL capacity units (WCUs) required for this rule group. See here for general information and here for capacity specific information.
customResponseBody - (Optional) Defines custom response bodies that can be referenced by customResponse actions. See Custom Response Body below for details.
description - (Optional) A friendly description of the rule group.
name - (Required, Forces new resource) A friendly name of the rule group.
rule - (Optional) The rule blocks used to identify the web requests that you want to allow, block, or count. See Rules below for details.
scope - (Required, Forces new resource) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are cloudfront or regional. To work with CloudFront, you must also specify the region usEast1 (N. Virginia) on the AWS provider.
tags - (Optional) An array of key:value pairs to associate with the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
visibilityConfig - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.

Custom Response Body

Each customResponseBody block supports the following arguments:

key - (Required) A unique key identifying the custom response body. This is referenced by the customResponseBodyKey argument in the Custom Response block.
content - (Required) The payload of the custom response.
contentType - (Required) The type of content in the payload that you are defining in the content argument. Valid values are TEXT_PLAIN, TEXT_HTML, or APPLICATION_JSON.

Rules

Each rule supports the following arguments:

action - (Required) The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the awsWafv2WebAcl level can override the rule action setting. See Action below for details.
name - (Required, Forces new resource) A friendly name of the rule.
priority - (Required) If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the rules in order based on the value of priority. AWS WAF processes rules with lower priority first.
ruleLabel - (Optional) Labels to apply to web requests that match the rule match statement. See Rule Label below for details.
statement - (Required) The AWS WAF processing statement for the rule, for example byteMatchStatement or geoMatchStatement. See Statement below for details.
visibilityConfig - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.

Action

The action block supports the following arguments:

\~> NOTE: One of allow, block, or count, is required when specifying an action.

allow - (Optional) Instructs AWS WAF to allow the web request. See Allow below for details.
block - (Optional) Instructs AWS WAF to block the web request. See Block below for details.
captcha - (Optional) Instructs AWS WAF to run a captcha check against the web request. See Captcha below for details.
count - (Optional) Instructs AWS WAF to count the web request and allow it. See Count below for details.

Allow

The allow block supports the following arguments:

customRequestHandling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Block

The block block supports the following arguments:

customResponse - (Optional) Defines a custom response for the web request. See Custom Response below for details.

Captcha

The captcha block supports the following arguments:

customRequestHandling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Count

The count block supports the following arguments:

customRequestHandling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Custom Request Handling

The customRequestHandling block supports the following arguments:

insertHeader - (Required) The insertHeader blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.

Custom Response

The customResponse block supports the following arguments:

customResponseBodyKey - (Optional) References the response body that you want AWS WAF to return to the web request client. This must reference a key defined in a customResponseBody block of this resource.
responseCode - (Required) The HTTP status code to return to the client.
responseHeader - (Optional) The responseHeader blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details.

Custom HTTP Header

Each block supports the following arguments. Duplicate header names are not allowed:

name - The name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name xAmznWaf, to avoid confusion with the headers that are already in the request. For example, for the header name sample, AWS WAF inserts the header xAmznWafSample.
value - The value of the custom header.

Rule Label

Each block supports the following arguments:

name - The label string.

Statement

The processing guidance for a Rule, used by AWS WAF to determine whether a web request matches the rule. See the documentation for more information.

-> NOTE: Although the statement block is recursive, currently only 3 levels are supported.

The statement block supports the following arguments:

andStatement - (Optional) A logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details.
byteMatchStatement - (Optional) A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details.
geoMatchStatement - (Optional) A rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details.
labelMatchStatement - (Optional) A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details.
ipSetReferenceStatement - (Optional) A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details.
notStatement - (Optional) A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details.
orStatement - (Optional) A logical rule statement used to combine other rule statements with OR logic. See OR Statement below for details.
rateBasedStatement - (Optional) A rate-based rule tracks the rate of requests for each originating ipAddress, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5Minute time span. This statement can not be nested. See Rate Based Statement below for details.
regexMatchStatement - (Optional) A rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details.
regexPatternSetReferenceStatement - (Optional) A rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details.
sizeConstraintStatement - (Optional) A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See Size Constraint Statement below for more details.
sqliMatchStatement - (Optional) An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details.
xssMatchStatement - (Optional) A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details.

AND Statement

A logical rule statement used to combine other rule statements with and logic. You provide more than one statement within the andStatement.

The andStatement block supports the following arguments:

statement - (Required) The statements to combine with and logic. You can use any statements that can be nested. See Statement above for details.

Byte Match Statement

The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters.

The byteMatchStatement block supports the following arguments:

fieldToMatch - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
positionalConstraint - (Required) The area within the portion of a web request that you want AWS WAF to search for searchString. Valid values include the following: exactly, STARTS_WITH, ENDS_WITH, contains, CONTAINS_WORD. See the AWS documentation for more information.
searchString - (Required) A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in fieldToMatch. The maximum length of the value is 50 bytes.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

GEO Match Statement

The geoMatchStatement block supports the following arguments:

countryCodes - (Required) An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the iso3166 international standard. See the documentation for valid values.
forwardedIpConfig - (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details.

Label Match Statement

The labelMatchStatement block supports the following arguments:

scope - (Required) Specify whether you want to match using the label name or just the namespace. Valid values are label or namespace.
key - (Required) The string to match against.

IP Set Reference Statement

A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an awsWafv2IpSet that specifies the addresses you want to detect, then use the arn of that set in this statement.

The ipSetReferenceStatement block supports the following arguments:

arn - (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references.
ipSetForwardedIpConfig - (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details.

NOT Statement

A logical rule statement used to negate the results of another rule statement. You provide one statement within the notStatement.

The notStatement block supports the following arguments:

statement - (Required) The statement to negate. You can use any statement that can be nested. See Statement above for details.

OR Statement

A logical rule statement used to combine other rule statements with or logic. You provide more than one statement within the orStatement.

The orStatement block supports the following arguments:

statement - (Required) The statements to combine with or logic. You can use any statements that can be nested. See Statement above for details.

Rate Based Statement

A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests. See the documentation for more information.

You can't nest a rateBasedStatement, for example for use inside a notStatement or orStatement. It can only be referenced as a topLevel statement within a rule.

The rateBasedStatement block supports the following arguments:

aggregateKeyType - (Optional) Setting that indicates how to aggregate the request counts. Valid values include: FORWARDED_IP or ip. Default: ip.
forwardedIpConfig - (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If aggregateKeyType is set to FORWARDED_IP, this block is required. See Forwarded IP Config below for details.
limit - (Required) The limit on requests per 5-minute period for a single originating IP address.
scopeDownStatement - (Optional) An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details.

Regex Match Statement

A rule statement used to search web request components for a match against a single regular expression.

The regexMatchStatement block supports the following arguments:

regexString - (Required) The string representing the regular expression. Minimum of 1 and maximum of 512 characters.
fieldToMatch - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Regex Pattern Set Reference Statement

A rule statement used to search web request components for matches with regular expressions. To use this, create a awsWafv2RegexPatternSet that specifies the expressions that you want to detect, then use the arn of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.

The regexPatternSetReferenceStatement block supports the following arguments:

arn - (Required) The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
fieldToMatch - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Size Constraint Statement

A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component. AWS WAFv2 inspects up to the first 8192 bytes (8 KB) of a request body, and when inspecting the request URI Path, the slash / in the URI counts as one character.

The sizeConstraintStatement block supports the following arguments:

comparisonOperator - (Required) The operator to use to compare the request part to the size setting. Valid values include: eq, ne, le, lt, ge, or gt.
fieldToMatch - (Optional) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
size - (Required) The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

SQL Injection Match Statement

An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code.

The sqliMatchStatement block supports the following arguments:

fieldToMatch - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

XSS Match Statement

The XSS match statement provides the location in requests that you want AWS WAF to search and text transformations to use on the search area before AWS WAF searches for character sequences that are likely to be malicious strings.

The xssMatchStatement block supports the following arguments:

fieldToMatch - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
textTransformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Field to Match

The part of a web request that you want AWS WAF to inspect. Include the single fieldToMatch type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in fieldToMatch for each rule statement that requires it. To inspect more than one component of a web request, create a separate rule statement for each component. See the documentation for more details.

The fieldToMatch block supports the following arguments:

\~> NOTE: Only one of allQueryArguments, body, cookies, headers, jsonBody, method, queryString, singleHeader, singleQueryArgument, or uriPath can be specified. An empty configuration block {} should be used when specifying allQueryArguments, body, method, or queryString attributes.

allQueryArguments - (Optional) Inspect all query arguments.
body - (Optional) Inspect the request body, which immediately follows the request headers.
cookies - (Optional) Inspect the cookies in the web request. See Cookies below for details.
headers - (Optional) Inspect the request headers. See Headers below for details.
jsonBody - (Optional) Inspect the request body as JSON. See JSON Body for details.
method - (Optional) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
queryString - (Optional) Inspect the query string. This is the part of a URL that appears after a ? character, if any.
singleHeader - (Optional) Inspect a single header. See Single Header below for details.
singleQueryArgument - (Optional) Inspect a single query argument. See Single Query Argument below for details.
uriPath - (Optional) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, /images/dailyAdJpg.

Forwarded IP Config

The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. If the specified header isn't present in the request, AWS WAFv2 doesn't apply the rule to the web request at all. AWS WAFv2 only evaluates the first IP address found in the specified HTTP header.

The forwardedIpConfig block supports the following arguments:

fallbackBehavior - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: match or NO_MATCH.
headerName - (Required) - The name of the HTTP header to use for the IP address.

IPSet Forwarded IP Config

The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.

The ipSetForwardedIpConfig block supports the following arguments:

fallbackBehavior - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: match or NO_MATCH.
headerName - (Required) - The name of the HTTP header to use for the IP address.
position - (Required) - The position in the header to search for the IP address. Valid values include: first, last, or any. If any is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.

Headers

Inspect the request headers.

The headers block supports the following arguments:

matchPattern - (Required) The filter to use to identify the subset of headers to inspect in a web request. The matchPattern block supports only one of the following arguments:
all - An empty configuration block that is used for inspecting all headers.
includedHeaders - An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.
excludedHeaders - An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.
matchScope - (Required) The parts of the headers to inspect with the rule inspection criteria. If you specify all, AWS WAF inspects both keys and values. Valid values include the following: all, key, value.
oversizeHandling - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: continue, match, NO_MATCH. See the AWS documentation for more information.

JSON Body

The jsonBody block supports the following arguments:

invalidFallbackBehavior - (Optional) What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are EVALUATE_AS_STRING, match and NO_MATCH.
matchPattern - (Required) The patterns to look for in the JSON body. You must specify exactly one setting: either all or includedPaths. See JsonMatchPattern for details.
matchScope - (Required) The parts of the JSON to match against using the matchPattern. Valid values are all, key and value.
oversizeHandling - (Optional) What to do if the body is larger than can be inspected. Valid values are continue (default), match and NO_MATCH.

Single Header

Inspect a single header. Provide the name of the header to inspect, for example, userAgent or referer (provided as lowercase strings).

The singleHeader block supports the following arguments:

name - (Optional) The name of the query header to inspect. This setting must be provided as lower case characters.

Single Query Argument

Inspect a single query argument. Provide the name of the query argument to inspect, such as userName or salesRegion (provided as lowercase strings).

The singleQueryArgument block supports the following arguments:

name - (Optional) The name of the query header to inspect. This setting must be provided as lower case characters.

Cookies

Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the FieldToMatch specification.

The cookies block supports the following arguments:

matchPattern - (Required) The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either all, includedCookies or excludedCookies. More details: CookieMatchPattern
matchScope - (Required) The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: all, key, value
oversizeHandling - (Required) What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: continue, match, NO_MATCH

Text Transformation

The textTransformation block supports the following arguments:

priority - (Required) The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.
type - (Required) The transformation to apply, please refer to the Text Transformation documentation for more details.

Visibility Configuration

The visibilityConfig block supports the following arguments:

cloudwatchMetricsEnabled - (Required) A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see AWS WAF Metrics.
metricName - (Required, Forces new resource) A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example all and defaultAction.
sampledRequestsEnabled - (Required) A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF rule group.
arn - The ARN of the WAF rule group.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

WAFv2 Rule Group can be imported using id/name/scope e.g.,

$ terraform import aws_wafv2_rule_group.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL