Try AWS Native preview for resources not in the classic version.
aws.waf.WebAcl
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Provides a WAF Web ACL Resource
Example Usage
This example blocks requests coming from
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var ipset = new Aws.Waf.IpSet("ipset", new()
{
IpSetDescriptors = new[]
{
new Aws.Waf.Inputs.IpSetIpSetDescriptorArgs
{
Type = "IPV4",
Value = "192.0.7.0/24",
},
},
});
var wafrule = new Aws.Waf.Rule("wafrule", new()
{
MetricName = "tfWAFRule",
Predicates = new[]
{
new Aws.Waf.Inputs.RulePredicateArgs
{
DataId = ipset.Id,
Negated = false,
Type = "IPMatch",
},
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
ipset,
},
});
var wafAcl = new Aws.Waf.WebAcl("wafAcl", new()
{
MetricName = "tfWebACL",
DefaultAction = new Aws.Waf.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
Rules = new[]
{
new Aws.Waf.Inputs.WebAclRuleArgs
{
Action = new Aws.Waf.Inputs.WebAclRuleActionArgs
{
Type = "BLOCK",
},
Priority = 1,
RuleId = wafrule.Id,
Type = "REGULAR",
},
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
ipset,
wafrule,
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/waf"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ipset, err := waf.NewIpSet(ctx, "ipset", &waf.IpSetArgs{
IpSetDescriptors: waf.IpSetIpSetDescriptorArray{
&waf.IpSetIpSetDescriptorArgs{
Type: pulumi.String("IPV4"),
Value: pulumi.String("192.0.7.0/24"),
},
},
})
if err != nil {
return err
}
wafrule, err := waf.NewRule(ctx, "wafrule", &waf.RuleArgs{
MetricName: pulumi.String("tfWAFRule"),
Predicates: waf.RulePredicateArray{
&waf.RulePredicateArgs{
DataId: ipset.ID(),
Negated: pulumi.Bool(false),
Type: pulumi.String("IPMatch"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
ipset,
}))
if err != nil {
return err
}
_, err = waf.NewWebAcl(ctx, "wafAcl", &waf.WebAclArgs{
MetricName: pulumi.String("tfWebACL"),
DefaultAction: &waf.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
Rules: waf.WebAclRuleArray{
&waf.WebAclRuleArgs{
Action: &waf.WebAclRuleActionArgs{
Type: pulumi.String("BLOCK"),
},
Priority: pulumi.Int(1),
RuleId: wafrule.ID(),
Type: pulumi.String("REGULAR"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
ipset,
wafrule,
}))
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.waf.IpSet;
import com.pulumi.aws.waf.IpSetArgs;
import com.pulumi.aws.waf.inputs.IpSetIpSetDescriptorArgs;
import com.pulumi.aws.waf.Rule;
import com.pulumi.aws.waf.RuleArgs;
import com.pulumi.aws.waf.inputs.RulePredicateArgs;
import com.pulumi.aws.waf.WebAcl;
import com.pulumi.aws.waf.WebAclArgs;
import com.pulumi.aws.waf.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.waf.inputs.WebAclRuleArgs;
import com.pulumi.aws.waf.inputs.WebAclRuleActionArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var ipset = new IpSet("ipset", IpSetArgs.builder()
.ipSetDescriptors(IpSetIpSetDescriptorArgs.builder()
.type("IPV4")
.value("192.0.7.0/24")
.build())
.build());
var wafrule = new Rule("wafrule", RuleArgs.builder()
.metricName("tfWAFRule")
.predicates(RulePredicateArgs.builder()
.dataId(ipset.id())
.negated(false)
.type("IPMatch")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(ipset)
.build());
var wafAcl = new WebAcl("wafAcl", WebAclArgs.builder()
.metricName("tfWebACL")
.defaultAction(WebAclDefaultActionArgs.builder()
.type("ALLOW")
.build())
.rules(WebAclRuleArgs.builder()
.action(WebAclRuleActionArgs.builder()
.type("BLOCK")
.build())
.priority(1)
.ruleId(wafrule.id())
.type("REGULAR")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(
ipset,
wafrule)
.build());
}
}
import pulumi
import pulumi_aws as aws
ipset = aws.waf.IpSet("ipset", ip_set_descriptors=[aws.waf.IpSetIpSetDescriptorArgs(
type="IPV4",
value="192.0.7.0/24",
)])
wafrule = aws.waf.Rule("wafrule",
metric_name="tfWAFRule",
predicates=[aws.waf.RulePredicateArgs(
data_id=ipset.id,
negated=False,
type="IPMatch",
)],
opts=pulumi.ResourceOptions(depends_on=[ipset]))
waf_acl = aws.waf.WebAcl("wafAcl",
metric_name="tfWebACL",
default_action=aws.waf.WebAclDefaultActionArgs(
type="ALLOW",
),
rules=[aws.waf.WebAclRuleArgs(
action=aws.waf.WebAclRuleActionArgs(
type="BLOCK",
),
priority=1,
rule_id=wafrule.id,
type="REGULAR",
)],
opts=pulumi.ResourceOptions(depends_on=[
ipset,
wafrule,
]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ipset = new aws.waf.IpSet("ipset", {ipSetDescriptors: [{
type: "IPV4",
value: "192.0.7.0/24",
}]});
const wafrule = new aws.waf.Rule("wafrule", {
metricName: "tfWAFRule",
predicates: [{
dataId: ipset.id,
negated: false,
type: "IPMatch",
}],
}, {
dependsOn: [ipset],
});
const wafAcl = new aws.waf.WebAcl("wafAcl", {
metricName: "tfWebACL",
defaultAction: {
type: "ALLOW",
},
rules: [{
action: {
type: "BLOCK",
},
priority: 1,
ruleId: wafrule.id,
type: "REGULAR",
}],
}, {
dependsOn: [
ipset,
wafrule,
],
});
resources:
ipset:
type: aws:waf:IpSet
properties:
ipSetDescriptors:
- type: IPV4
value: 192.0.7.0/24
wafrule:
type: aws:waf:Rule
properties:
metricName: tfWAFRule
predicates:
- dataId: ${ipset.id}
negated: false
type: IPMatch
options:
dependson:
- ${ipset}
wafAcl:
type: aws:waf:WebAcl
properties:
metricName: tfWebACL
defaultAction:
type: ALLOW
rules:
- action:
type: BLOCK
priority: 1
ruleId: ${wafrule.id}
type: REGULAR
options:
dependson:
- ${ipset}
- ${wafrule}
Logging
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Waf.WebAcl("example", new()
{
LoggingConfiguration = new Aws.Waf.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = aws_kinesis_firehose_delivery_stream.Example.Arn,
RedactedFields = new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatches = new[]
{
new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Type = "URI",
},
new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Data = "referer",
Type = "HEADER",
},
},
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/waf"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := waf.NewWebAcl(ctx, "example", &waf.WebAclArgs{
LoggingConfiguration: &waf.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.Any(aws_kinesis_firehose_delivery_stream.Example.Arn),
RedactedFields: &waf.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatches: waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Type: pulumi.String("URI"),
},
&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Data: pulumi.String("referer"),
Type: pulumi.String("HEADER"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.waf.WebAcl;
import com.pulumi.aws.waf.WebAclArgs;
import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationRedactedFieldsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
.logDestination(aws_kinesis_firehose_delivery_stream.example().arn())
.redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
.fieldToMatches(
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.type("URI")
.build(),
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.data("referer")
.type("HEADER")
.build())
.build())
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example = aws.waf.WebAcl("example", logging_configuration=aws.waf.WebAclLoggingConfigurationArgs(
log_destination=aws_kinesis_firehose_delivery_stream["example"]["arn"],
redacted_fields=aws.waf.WebAclLoggingConfigurationRedactedFieldsArgs(
field_to_matches=[
aws.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs(
type="URI",
),
aws.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs(
data="referer",
type="HEADER",
),
],
),
))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.waf.WebAcl("example", {loggingConfiguration: {
logDestination: aws_kinesis_firehose_delivery_stream.example.arn,
redactedFields: {
fieldToMatches: [
{
type: "URI",
},
{
data: "referer",
type: "HEADER",
},
],
},
}});
resources:
example:
type: aws:waf:WebAcl
properties:
loggingConfiguration:
logDestination: ${aws_kinesis_firehose_delivery_stream.example.arn}
redactedFields:
fieldToMatches:
- type: URI
- data: referer
type: HEADER
Create WebAcl Resource
new WebAcl(name: string, args: WebAclArgs, opts?: CustomResourceOptions);
@overload
def WebAcl(resource_name: str,
opts: Optional[ResourceOptions] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
metric_name: Optional[str] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None)
@overload
def WebAcl(resource_name: str,
args: WebAclArgs,
opts: Optional[ResourceOptions] = None)
func NewWebAcl(ctx *Context, name string, args WebAclArgs, opts ...ResourceOption) (*WebAcl, error)
public WebAcl(string name, WebAclArgs args, CustomResourceOptions? opts = null)
public WebAcl(String name, WebAclArgs args)
public WebAcl(String name, WebAclArgs args, CustomResourceOptions options)
type: aws:waf:WebAcl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
WebAcl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The WebAcl resource accepts the following input properties:
- Default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Name string
The name or description of the web ACL.
- Rules
List<Web
Acl Rule Args> Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Dictionary<string, string>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Name string
The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- map[string]string
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name String The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- name String
The name or description of the web ACL.
- rules
List<Web
Acl Rule Args> Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String,String>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- name string
The name or description of the web ACL.
- rules
Web
Acl Rule Args[] Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- {[key: string]: string}
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- default_
action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric_
name str The name or description for the Amazon CloudWatch metric of this web ACL.
- logging_
configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- name str
The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Mapping[str, str]
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action Property Map Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name String The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration Property Map Configuration block to enable WAF logging. Detailed below.
- name String
The name or description of the web ACL.
- rules List<Property Map>
Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the WebAcl resource produces the following output properties:
Look up Existing WebAcl Resource
Get an existing WebAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WebAclState, opts?: CustomResourceOptions): WebAcl
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
metric_name: Optional[str] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> WebAcl
func GetWebAcl(ctx *Context, name string, id IDInput, state *WebAclState, opts ...ResourceOption) (*WebAcl, error)
public static WebAcl Get(string name, Input<string> id, WebAclState? state, CustomResourceOptions? opts = null)
public static WebAcl get(String name, Output<String> id, WebAclState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
The ARN of the WAF WebACL.
- Default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
The name or description of the web ACL.
- Rules
List<Web
Acl Rule Args> Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Dictionary<string, string>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- Arn string
The ARN of the WAF WebACL.
- Default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- Metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- map[string]string
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- map[string]string
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
The ARN of the WAF WebACL.
- default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- metric
Name String The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
The name or description of the web ACL.
- rules
List<Web
Acl Rule Args> Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String,String>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String,String>
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn string
The ARN of the WAF WebACL.
- default
Action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- metric
Name string The name or description for the Amazon CloudWatch metric of this web ACL.
- name string
The name or description of the web ACL.
- rules
Web
Acl Rule Args[] Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- {[key: string]: string}
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn str
The ARN of the WAF WebACL.
- default_
action WebAcl Default Action Args Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging_
configuration WebAcl Logging Configuration Args Configuration block to enable WAF logging. Detailed below.
- metric_
name str The name or description for the Amazon CloudWatch metric of this web ACL.
- name str
The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Mapping[str, str]
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
The ARN of the WAF WebACL.
- default
Action Property Map Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration Property Map Configuration block to enable WAF logging. Detailed below.
- metric
Name String The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
The name or description of the web ACL.
- rules List<Property Map>
Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String>
Key-value map of resource tags. .If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String>
A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
Supporting Types
WebAclDefaultAction
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type str
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
WebAclLoggingConfiguration
- Log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- Log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination string Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log_
destination str Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted_
fields WebAcl Logging Configuration Redacted Fields Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields Property Map Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
WebAclLoggingConfigurationRedactedFields
- Field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> Set of configuration blocks for fields to redact. Detailed below.
- Field
To []WebMatches Acl Logging Configuration Redacted Fields Field To Match Set of configuration blocks for fields to redact. Detailed below.
- field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> Set of configuration blocks for fields to redact. Detailed below.
- field
To WebMatches Acl Logging Configuration Redacted Fields Field To Match[] Set of configuration blocks for fields to redact. Detailed below.
- field_
to_ Sequence[Webmatches Acl Logging Configuration Redacted Fields Field To Match] Set of configuration blocks for fields to redact. Detailed below.
- field
To List<Property Map>Matches Set of configuration blocks for fields to redact. Detailed below.
WebAclLoggingConfigurationRedactedFieldsFieldToMatch
- Type string
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- Data string
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
- Type string
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- Data string
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
- type String
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- data String
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
- type string
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- data string
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
- type str
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- data str
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
- type String
The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADER
orMETHOD
- data String
When the value of
type
isHEADER
, enter the name of the header that you want the WAF to search, for example,User-Agent
orReferer
. If the value oftype
is any other value, omitdata
.
WebAclRule
- Priority int
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- Action
Web
Acl Rule Action The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- Override
Action WebAcl Rule Override Action Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- Type string
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
- Priority int
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- Action
Web
Acl Rule Action The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- Override
Action WebAcl Rule Override Action Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- Type string
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
- priority Integer
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- action
Web
Acl Rule Action The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- override
Action WebAcl Rule Override Action Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- type String
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
- priority number
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id string ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- action
Web
Acl Rule Action The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- override
Action WebAcl Rule Override Action Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- type string
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
- priority int
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule_
id str ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- action
Web
Acl Rule Action The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- override_
action WebAcl Rule Override Action Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- type str
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
- priority Number
Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule
). WAF (Regional) rules cannot be used.- action Property Map
The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
type
isGROUP
.- override
Action Property Map Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
type
isGROUP
.- type String
The rule type, either
REGULAR
, as defined by Rule,RATE_BASED
, as defined by RateBasedRule, orGROUP
, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settype
asRATE_BASED
. If you add a GROUP rule, you need to settype
asGROUP
.
WebAclRuleAction
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type str
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
WebAclRuleOverrideAction
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- Type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type string
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type str
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
- type String
Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules
. e.g.,ALLOW
orBLOCK
Import
WAF Web ACL can be imported using the id
, e.g.,
$ pulumi import aws:waf/webAcl:WebAcl main 0c8e583e-18f3-4c13-9e2a-67c4805d2f94
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
aws
Terraform Provider.
Try AWS Native preview for resources not in the classic version.