1. Packages
  2. AWS Classic
  3. API Docs
  4. waf
  5. WebAcl

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.30.0 published on Thursday, Apr 11, 2024 by Pulumi

aws.waf.WebAcl

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.30.0 published on Thursday, Apr 11, 2024 by Pulumi

    Provides a WAF Web ACL Resource

    Example Usage

    This example blocks requests coming from 192.0.7.0/24 and allows everything else.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const ipset = new aws.waf.IpSet("ipset", {
        name: "tfIPSet",
        ipSetDescriptors: [{
            type: "IPV4",
            value: "192.0.7.0/24",
        }],
    });
    const wafrule = new aws.waf.Rule("wafrule", {
        name: "tfWAFRule",
        metricName: "tfWAFRule",
        predicates: [{
            dataId: ipset.id,
            negated: false,
            type: "IPMatch",
        }],
    }, {
        dependsOn: [ipset],
    });
    const wafAcl = new aws.waf.WebAcl("waf_acl", {
        name: "tfWebACL",
        metricName: "tfWebACL",
        defaultAction: {
            type: "ALLOW",
        },
        rules: [{
            action: {
                type: "BLOCK",
            },
            priority: 1,
            ruleId: wafrule.id,
            type: "REGULAR",
        }],
    }, {
        dependsOn: [
            ipset,
            wafrule,
        ],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    ipset = aws.waf.IpSet("ipset",
        name="tfIPSet",
        ip_set_descriptors=[aws.waf.IpSetIpSetDescriptorArgs(
            type="IPV4",
            value="192.0.7.0/24",
        )])
    wafrule = aws.waf.Rule("wafrule",
        name="tfWAFRule",
        metric_name="tfWAFRule",
        predicates=[aws.waf.RulePredicateArgs(
            data_id=ipset.id,
            negated=False,
            type="IPMatch",
        )],
        opts=pulumi.ResourceOptions(depends_on=[ipset]))
    waf_acl = aws.waf.WebAcl("waf_acl",
        name="tfWebACL",
        metric_name="tfWebACL",
        default_action=aws.waf.WebAclDefaultActionArgs(
            type="ALLOW",
        ),
        rules=[aws.waf.WebAclRuleArgs(
            action=aws.waf.WebAclRuleActionArgs(
                type="BLOCK",
            ),
            priority=1,
            rule_id=wafrule.id,
            type="REGULAR",
        )],
        opts=pulumi.ResourceOptions(depends_on=[
                ipset,
                wafrule,
            ]))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/waf"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		ipset, err := waf.NewIpSet(ctx, "ipset", &waf.IpSetArgs{
    			Name: pulumi.String("tfIPSet"),
    			IpSetDescriptors: waf.IpSetIpSetDescriptorArray{
    				&waf.IpSetIpSetDescriptorArgs{
    					Type:  pulumi.String("IPV4"),
    					Value: pulumi.String("192.0.7.0/24"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		wafrule, err := waf.NewRule(ctx, "wafrule", &waf.RuleArgs{
    			Name:       pulumi.String("tfWAFRule"),
    			MetricName: pulumi.String("tfWAFRule"),
    			Predicates: waf.RulePredicateArray{
    				&waf.RulePredicateArgs{
    					DataId:  ipset.ID(),
    					Negated: pulumi.Bool(false),
    					Type:    pulumi.String("IPMatch"),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			ipset,
    		}))
    		if err != nil {
    			return err
    		}
    		_, err = waf.NewWebAcl(ctx, "waf_acl", &waf.WebAclArgs{
    			Name:       pulumi.String("tfWebACL"),
    			MetricName: pulumi.String("tfWebACL"),
    			DefaultAction: &waf.WebAclDefaultActionArgs{
    				Type: pulumi.String("ALLOW"),
    			},
    			Rules: waf.WebAclRuleArray{
    				&waf.WebAclRuleArgs{
    					Action: &waf.WebAclRuleActionArgs{
    						Type: pulumi.String("BLOCK"),
    					},
    					Priority: pulumi.Int(1),
    					RuleId:   wafrule.ID(),
    					Type:     pulumi.String("REGULAR"),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			ipset,
    			wafrule,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var ipset = new Aws.Waf.IpSet("ipset", new()
        {
            Name = "tfIPSet",
            IpSetDescriptors = new[]
            {
                new Aws.Waf.Inputs.IpSetIpSetDescriptorArgs
                {
                    Type = "IPV4",
                    Value = "192.0.7.0/24",
                },
            },
        });
    
        var wafrule = new Aws.Waf.Rule("wafrule", new()
        {
            Name = "tfWAFRule",
            MetricName = "tfWAFRule",
            Predicates = new[]
            {
                new Aws.Waf.Inputs.RulePredicateArgs
                {
                    DataId = ipset.Id,
                    Negated = false,
                    Type = "IPMatch",
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                ipset, 
            },
        });
    
        var wafAcl = new Aws.Waf.WebAcl("waf_acl", new()
        {
            Name = "tfWebACL",
            MetricName = "tfWebACL",
            DefaultAction = new Aws.Waf.Inputs.WebAclDefaultActionArgs
            {
                Type = "ALLOW",
            },
            Rules = new[]
            {
                new Aws.Waf.Inputs.WebAclRuleArgs
                {
                    Action = new Aws.Waf.Inputs.WebAclRuleActionArgs
                    {
                        Type = "BLOCK",
                    },
                    Priority = 1,
                    RuleId = wafrule.Id,
                    Type = "REGULAR",
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                ipset, 
                wafrule, 
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.waf.IpSet;
    import com.pulumi.aws.waf.IpSetArgs;
    import com.pulumi.aws.waf.inputs.IpSetIpSetDescriptorArgs;
    import com.pulumi.aws.waf.Rule;
    import com.pulumi.aws.waf.RuleArgs;
    import com.pulumi.aws.waf.inputs.RulePredicateArgs;
    import com.pulumi.aws.waf.WebAcl;
    import com.pulumi.aws.waf.WebAclArgs;
    import com.pulumi.aws.waf.inputs.WebAclDefaultActionArgs;
    import com.pulumi.aws.waf.inputs.WebAclRuleArgs;
    import com.pulumi.aws.waf.inputs.WebAclRuleActionArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var ipset = new IpSet("ipset", IpSetArgs.builder()        
                .name("tfIPSet")
                .ipSetDescriptors(IpSetIpSetDescriptorArgs.builder()
                    .type("IPV4")
                    .value("192.0.7.0/24")
                    .build())
                .build());
    
            var wafrule = new Rule("wafrule", RuleArgs.builder()        
                .name("tfWAFRule")
                .metricName("tfWAFRule")
                .predicates(RulePredicateArgs.builder()
                    .dataId(ipset.id())
                    .negated(false)
                    .type("IPMatch")
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(ipset)
                    .build());
    
            var wafAcl = new WebAcl("wafAcl", WebAclArgs.builder()        
                .name("tfWebACL")
                .metricName("tfWebACL")
                .defaultAction(WebAclDefaultActionArgs.builder()
                    .type("ALLOW")
                    .build())
                .rules(WebAclRuleArgs.builder()
                    .action(WebAclRuleActionArgs.builder()
                        .type("BLOCK")
                        .build())
                    .priority(1)
                    .ruleId(wafrule.id())
                    .type("REGULAR")
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(                
                        ipset,
                        wafrule)
                    .build());
    
        }
    }
    
    resources:
      ipset:
        type: aws:waf:IpSet
        properties:
          name: tfIPSet
          ipSetDescriptors:
            - type: IPV4
              value: 192.0.7.0/24
      wafrule:
        type: aws:waf:Rule
        properties:
          name: tfWAFRule
          metricName: tfWAFRule
          predicates:
            - dataId: ${ipset.id}
              negated: false
              type: IPMatch
        options:
          dependson:
            - ${ipset}
      wafAcl:
        type: aws:waf:WebAcl
        name: waf_acl
        properties:
          name: tfWebACL
          metricName: tfWebACL
          defaultAction:
            type: ALLOW
          rules:
            - action:
                type: BLOCK
              priority: 1
              ruleId: ${wafrule.id}
              type: REGULAR
        options:
          dependson:
            - ${ipset}
            - ${wafrule}
    

    Logging

    NOTE: The Kinesis Firehose Delivery Stream name must begin with aws-waf-logs- and be located in us-east-1 region. See the AWS WAF Developer Guide for more information about enabling WAF logging.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.waf.WebAcl("example", {loggingConfiguration: {
        logDestination: exampleAwsKinesisFirehoseDeliveryStream.arn,
        redactedFields: {
            fieldToMatches: [
                {
                    type: "URI",
                },
                {
                    data: "referer",
                    type: "HEADER",
                },
            ],
        },
    }});
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.waf.WebAcl("example", logging_configuration=aws.waf.WebAclLoggingConfigurationArgs(
        log_destination=example_aws_kinesis_firehose_delivery_stream["arn"],
        redacted_fields=aws.waf.WebAclLoggingConfigurationRedactedFieldsArgs(
            field_to_matches=[
                aws.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs(
                    type="URI",
                ),
                aws.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs(
                    data="referer",
                    type="HEADER",
                ),
            ],
        ),
    ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/waf"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := waf.NewWebAcl(ctx, "example", &waf.WebAclArgs{
    			LoggingConfiguration: &waf.WebAclLoggingConfigurationArgs{
    				LogDestination: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Arn),
    				RedactedFields: &waf.WebAclLoggingConfigurationRedactedFieldsArgs{
    					FieldToMatches: waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
    						&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
    							Type: pulumi.String("URI"),
    						},
    						&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
    							Data: pulumi.String("referer"),
    							Type: pulumi.String("HEADER"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Waf.WebAcl("example", new()
        {
            LoggingConfiguration = new Aws.Waf.Inputs.WebAclLoggingConfigurationArgs
            {
                LogDestination = exampleAwsKinesisFirehoseDeliveryStream.Arn,
                RedactedFields = new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
                {
                    FieldToMatches = new[]
                    {
                        new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
                        {
                            Type = "URI",
                        },
                        new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
                        {
                            Data = "referer",
                            Type = "HEADER",
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.waf.WebAcl;
    import com.pulumi.aws.waf.WebAclArgs;
    import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationArgs;
    import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationRedactedFieldsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new WebAcl("example", WebAclArgs.builder()        
                .loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
                    .logDestination(exampleAwsKinesisFirehoseDeliveryStream.arn())
                    .redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
                        .fieldToMatches(                    
                            WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
                                .type("URI")
                                .build(),
                            WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
                                .data("referer")
                                .type("HEADER")
                                .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:waf:WebAcl
        properties:
          loggingConfiguration:
            logDestination: ${exampleAwsKinesisFirehoseDeliveryStream.arn}
            redactedFields:
              fieldToMatches:
                - type: URI
                - data: referer
                  type: HEADER
    

    Create WebAcl Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new WebAcl(name: string, args: WebAclArgs, opts?: CustomResourceOptions);
    @overload
    def WebAcl(resource_name: str,
               args: WebAclArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def WebAcl(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               default_action: Optional[WebAclDefaultActionArgs] = None,
               metric_name: Optional[str] = None,
               logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
               name: Optional[str] = None,
               rules: Optional[Sequence[WebAclRuleArgs]] = None,
               tags: Optional[Mapping[str, str]] = None)
    func NewWebAcl(ctx *Context, name string, args WebAclArgs, opts ...ResourceOption) (*WebAcl, error)
    public WebAcl(string name, WebAclArgs args, CustomResourceOptions? opts = null)
    public WebAcl(String name, WebAclArgs args)
    public WebAcl(String name, WebAclArgs args, CustomResourceOptions options)
    
    type: aws:waf:WebAcl
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args WebAclArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args WebAclArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args WebAclArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args WebAclArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args WebAclArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var webAclResource = new Aws.Waf.WebAcl("webAclResource", new()
    {
        DefaultAction = new Aws.Waf.Inputs.WebAclDefaultActionArgs
        {
            Type = "string",
        },
        MetricName = "string",
        LoggingConfiguration = new Aws.Waf.Inputs.WebAclLoggingConfigurationArgs
        {
            LogDestination = "string",
            RedactedFields = new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
            {
                FieldToMatches = new[]
                {
                    new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
                    {
                        Type = "string",
                        Data = "string",
                    },
                },
            },
        },
        Name = "string",
        Rules = new[]
        {
            new Aws.Waf.Inputs.WebAclRuleArgs
            {
                Priority = 0,
                RuleId = "string",
                Action = new Aws.Waf.Inputs.WebAclRuleActionArgs
                {
                    Type = "string",
                },
                OverrideAction = new Aws.Waf.Inputs.WebAclRuleOverrideActionArgs
                {
                    Type = "string",
                },
                Type = "string",
            },
        },
        Tags = 
        {
            { "string", "string" },
        },
    });
    
    example, err := waf.NewWebAcl(ctx, "webAclResource", &waf.WebAclArgs{
    	DefaultAction: &waf.WebAclDefaultActionArgs{
    		Type: pulumi.String("string"),
    	},
    	MetricName: pulumi.String("string"),
    	LoggingConfiguration: &waf.WebAclLoggingConfigurationArgs{
    		LogDestination: pulumi.String("string"),
    		RedactedFields: &waf.WebAclLoggingConfigurationRedactedFieldsArgs{
    			FieldToMatches: waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
    				&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
    					Type: pulumi.String("string"),
    					Data: pulumi.String("string"),
    				},
    			},
    		},
    	},
    	Name: pulumi.String("string"),
    	Rules: waf.WebAclRuleArray{
    		&waf.WebAclRuleArgs{
    			Priority: pulumi.Int(0),
    			RuleId:   pulumi.String("string"),
    			Action: &waf.WebAclRuleActionArgs{
    				Type: pulumi.String("string"),
    			},
    			OverrideAction: &waf.WebAclRuleOverrideActionArgs{
    				Type: pulumi.String("string"),
    			},
    			Type: pulumi.String("string"),
    		},
    	},
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var webAclResource = new WebAcl("webAclResource", WebAclArgs.builder()        
        .defaultAction(WebAclDefaultActionArgs.builder()
            .type("string")
            .build())
        .metricName("string")
        .loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
            .logDestination("string")
            .redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
                .fieldToMatches(WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
                    .type("string")
                    .data("string")
                    .build())
                .build())
            .build())
        .name("string")
        .rules(WebAclRuleArgs.builder()
            .priority(0)
            .ruleId("string")
            .action(WebAclRuleActionArgs.builder()
                .type("string")
                .build())
            .overrideAction(WebAclRuleOverrideActionArgs.builder()
                .type("string")
                .build())
            .type("string")
            .build())
        .tags(Map.of("string", "string"))
        .build());
    
    web_acl_resource = aws.waf.WebAcl("webAclResource",
        default_action=aws.waf.WebAclDefaultActionArgs(
            type="string",
        ),
        metric_name="string",
        logging_configuration=aws.waf.WebAclLoggingConfigurationArgs(
            log_destination="string",
            redacted_fields=aws.waf.WebAclLoggingConfigurationRedactedFieldsArgs(
                field_to_matches=[aws.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs(
                    type="string",
                    data="string",
                )],
            ),
        ),
        name="string",
        rules=[aws.waf.WebAclRuleArgs(
            priority=0,
            rule_id="string",
            action=aws.waf.WebAclRuleActionArgs(
                type="string",
            ),
            override_action=aws.waf.WebAclRuleOverrideActionArgs(
                type="string",
            ),
            type="string",
        )],
        tags={
            "string": "string",
        })
    
    const webAclResource = new aws.waf.WebAcl("webAclResource", {
        defaultAction: {
            type: "string",
        },
        metricName: "string",
        loggingConfiguration: {
            logDestination: "string",
            redactedFields: {
                fieldToMatches: [{
                    type: "string",
                    data: "string",
                }],
            },
        },
        name: "string",
        rules: [{
            priority: 0,
            ruleId: "string",
            action: {
                type: "string",
            },
            overrideAction: {
                type: "string",
            },
            type: "string",
        }],
        tags: {
            string: "string",
        },
    });
    
    type: aws:waf:WebAcl
    properties:
        defaultAction:
            type: string
        loggingConfiguration:
            logDestination: string
            redactedFields:
                fieldToMatches:
                    - data: string
                      type: string
        metricName: string
        name: string
        rules:
            - action:
                type: string
              overrideAction:
                type: string
              priority: 0
              ruleId: string
              type: string
        tags:
            string: string
    

    WebAcl Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The WebAcl resource accepts the following input properties:

    DefaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    MetricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    LoggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    Name string
    The name or description of the web ACL.
    Rules List<WebAclRule>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    Tags Dictionary<string, string>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    DefaultAction WebAclDefaultActionArgs
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    MetricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    LoggingConfiguration WebAclLoggingConfigurationArgs
    Configuration block to enable WAF logging. Detailed below.
    Name string
    The name or description of the web ACL.
    Rules []WebAclRuleArgs
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    Tags map[string]string
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    defaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    metricName String
    The name or description for the Amazon CloudWatch metric of this web ACL.
    loggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    name String
    The name or description of the web ACL.
    rules List<WebAclRule>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Map<String,String>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    defaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    metricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    loggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    name string
    The name or description of the web ACL.
    rules WebAclRule[]
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags {[key: string]: string}
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    default_action WebAclDefaultActionArgs
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    metric_name str
    The name or description for the Amazon CloudWatch metric of this web ACL.
    logging_configuration WebAclLoggingConfigurationArgs
    Configuration block to enable WAF logging. Detailed below.
    name str
    The name or description of the web ACL.
    rules Sequence[WebAclRuleArgs]
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Mapping[str, str]
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    defaultAction Property Map
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    metricName String
    The name or description for the Amazon CloudWatch metric of this web ACL.
    loggingConfiguration Property Map
    Configuration block to enable WAF logging. Detailed below.
    name String
    The name or description of the web ACL.
    rules List<Property Map>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Map<String>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the WebAcl resource produces the following output properties:

    Arn string
    The ARN of the WAF WebACL.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Arn string
    The ARN of the WAF WebACL.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The ARN of the WAF WebACL.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn string
    The ARN of the WAF WebACL.
    id string
    The provider-assigned unique ID for this managed resource.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn str
    The ARN of the WAF WebACL.
    id str
    The provider-assigned unique ID for this managed resource.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The ARN of the WAF WebACL.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Look up Existing WebAcl Resource

    Get an existing WebAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: WebAclState, opts?: CustomResourceOptions): WebAcl
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            default_action: Optional[WebAclDefaultActionArgs] = None,
            logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
            metric_name: Optional[str] = None,
            name: Optional[str] = None,
            rules: Optional[Sequence[WebAclRuleArgs]] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None) -> WebAcl
    func GetWebAcl(ctx *Context, name string, id IDInput, state *WebAclState, opts ...ResourceOption) (*WebAcl, error)
    public static WebAcl Get(string name, Input<string> id, WebAclState? state, CustomResourceOptions? opts = null)
    public static WebAcl get(String name, Output<String> id, WebAclState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The ARN of the WAF WebACL.
    DefaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    LoggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    MetricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    Name string
    The name or description of the web ACL.
    Rules List<WebAclRule>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    Tags Dictionary<string, string>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Arn string
    The ARN of the WAF WebACL.
    DefaultAction WebAclDefaultActionArgs
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    LoggingConfiguration WebAclLoggingConfigurationArgs
    Configuration block to enable WAF logging. Detailed below.
    MetricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    Name string
    The name or description of the web ACL.
    Rules []WebAclRuleArgs
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    Tags map[string]string
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The ARN of the WAF WebACL.
    defaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    loggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    metricName String
    The name or description for the Amazon CloudWatch metric of this web ACL.
    name String
    The name or description of the web ACL.
    rules List<WebAclRule>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Map<String,String>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn string
    The ARN of the WAF WebACL.
    defaultAction WebAclDefaultAction
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    loggingConfiguration WebAclLoggingConfiguration
    Configuration block to enable WAF logging. Detailed below.
    metricName string
    The name or description for the Amazon CloudWatch metric of this web ACL.
    name string
    The name or description of the web ACL.
    rules WebAclRule[]
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags {[key: string]: string}
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn str
    The ARN of the WAF WebACL.
    default_action WebAclDefaultActionArgs
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    logging_configuration WebAclLoggingConfigurationArgs
    Configuration block to enable WAF logging. Detailed below.
    metric_name str
    The name or description for the Amazon CloudWatch metric of this web ACL.
    name str
    The name or description of the web ACL.
    rules Sequence[WebAclRuleArgs]
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Mapping[str, str]
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The ARN of the WAF WebACL.
    defaultAction Property Map
    Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
    loggingConfiguration Property Map
    Configuration block to enable WAF logging. Detailed below.
    metricName String
    The name or description for the Amazon CloudWatch metric of this web ACL.
    name String
    The name or description of the web ACL.
    rules List<Property Map>
    Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
    tags Map<String>
    Key-value map of resource tags. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Supporting Types

    WebAclDefaultAction, WebAclDefaultActionArgs

    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type str
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK

    WebAclLoggingConfiguration, WebAclLoggingConfigurationArgs

    LogDestination string
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    RedactedFields WebAclLoggingConfigurationRedactedFields
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
    LogDestination string
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    RedactedFields WebAclLoggingConfigurationRedactedFields
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
    logDestination String
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    redactedFields WebAclLoggingConfigurationRedactedFields
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
    logDestination string
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    redactedFields WebAclLoggingConfigurationRedactedFields
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
    log_destination str
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    redacted_fields WebAclLoggingConfigurationRedactedFields
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
    logDestination String
    Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
    redactedFields Property Map
    Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

    WebAclLoggingConfigurationRedactedFields, WebAclLoggingConfigurationRedactedFieldsArgs

    FieldToMatches List<WebAclLoggingConfigurationRedactedFieldsFieldToMatch>
    Set of configuration blocks for fields to redact. Detailed below.
    FieldToMatches []WebAclLoggingConfigurationRedactedFieldsFieldToMatch
    Set of configuration blocks for fields to redact. Detailed below.
    fieldToMatches List<WebAclLoggingConfigurationRedactedFieldsFieldToMatch>
    Set of configuration blocks for fields to redact. Detailed below.
    fieldToMatches WebAclLoggingConfigurationRedactedFieldsFieldToMatch[]
    Set of configuration blocks for fields to redact. Detailed below.
    field_to_matches Sequence[WebAclLoggingConfigurationRedactedFieldsFieldToMatch]
    Set of configuration blocks for fields to redact. Detailed below.
    fieldToMatches List<Property Map>
    Set of configuration blocks for fields to redact. Detailed below.

    WebAclLoggingConfigurationRedactedFieldsFieldToMatch, WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs

    Type string
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    Data string
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
    Type string
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    Data string
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
    type String
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    data String
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
    type string
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    data string
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
    type str
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    data str
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
    type String
    The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
    data String
    When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.

    WebAclRule, WebAclRuleArgs

    Priority int
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    RuleId string
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    Action WebAclRuleAction
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    OverrideAction WebAclRuleOverrideAction
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    Type string
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
    Priority int
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    RuleId string
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    Action WebAclRuleAction
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    OverrideAction WebAclRuleOverrideAction
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    Type string
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
    priority Integer
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    ruleId String
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    action WebAclRuleAction
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    overrideAction WebAclRuleOverrideAction
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    type String
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
    priority number
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    ruleId string
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    action WebAclRuleAction
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    overrideAction WebAclRuleOverrideAction
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    type string
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
    priority int
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    rule_id str
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    action WebAclRuleAction
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    override_action WebAclRuleOverrideAction
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    type str
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
    priority Number
    Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
    ruleId String
    ID of the associated WAF (Global) rule (e.g., aws.waf.Rule). WAF (Regional) rules cannot be used.
    action Property Map
    The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
    overrideAction Property Map
    Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
    type String
    The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.

    WebAclRuleAction, WebAclRuleActionArgs

    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type str
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK

    WebAclRuleOverrideAction, WebAclRuleOverrideActionArgs

    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    Type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type string
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type str
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK
    type String
    Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules. e.g., ALLOW or BLOCK

    Import

    Using pulumi import, import WAF Web ACL using the id. For example:

    $ pulumi import aws:waf/webAcl:WebAcl main 0c8e583e-18f3-4c13-9e2a-67c4805d2f94
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.30.0 published on Thursday, Apr 11, 2024 by Pulumi