@pulumi/aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Associates a WAFv2 Rule Group (custom or managed) with a Web ACL by adding a rule that references the Rule Group. Use this resource to apply the rules defined in a Rule Group to a Web ACL without duplicating rule definitions.
 *
 * This resource supports both:
 *
 * - **Custom Rule Groups**: User-created rule groups that you manage within your AWS account
 * - **Managed Rule Groups**: Pre-configured rule groups provided by AWS or third-party vendors
 *
 * !> **Warning:** Verify the rule names in your `ruleActionOverride`s carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.
 *
 * !> **Warning:** Using this resource will cause the associated Web ACL resource to show configuration drift in the `rule` argument unless you add `lifecycle { ignoreChanges = [rule] }` to the Web ACL resource configuration. This is because this resource modifies the Web ACL's rules outside of the Web ACL resource's direct management.
 *
 * > **Note:** This resource creates a rule within the Web ACL that references the entire Rule Group. The rule group's individual rules are evaluated as a unit when requests are processed by the Web ACL.
 *
 * > **Note:** Because a silently ignored override (managed rule groups) leaves the rule group's original action in force, while `overrideAction: "count"` and `count`/`captcha` overrides deliberately relax enforcement, review the effective action of each rule after applying this resource rather than assuming the override took effect.
 *
 * ## Example Usage
 *
 * ### Custom Rule Group - Basic Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.wafv2.RuleGroup("example", {
 *     name: "example-rule-group",
 *     scope: "REGIONAL",
 *     capacity: 10,
 *     rules: [{
 *         name: "block-suspicious-requests",
 *         priority: 1,
 *         action: {
 *             block: {},
 *         },
 *         statement: {
 *             geoMatchStatement: {
 *                 countryCodes: [
 *                     "CN",
 *                     "RU",
 *                 ],
 *             },
 *         },
 *         visibilityConfig: {
 *             cloudwatchMetricsEnabled: true,
 *             metricName: "block-suspicious-requests",
 *             sampledRequestsEnabled: true,
 *         },
 *     }],
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "example-rule-group",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const exampleWebAcl = new aws.wafv2.WebAcl("example", {
 *     name: "example-web-acl",
 *     scope: "REGIONAL",
 *     defaultAction: {
 *         allow: {},
 *     },
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "example-web-acl",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
 *     ruleName: "example-rule-group-rule",
 *     priority: 100,
 *     webAclArn: exampleWebAcl.arn,
 *     ruleGroupReference: {
 *         arn: example.arn,
 *     },
 * });
 * ```
 *
 * ### Managed Rule Group - Basic Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.wafv2.WebAcl("example", {
 *     name: "example-web-acl",
 *     scope: "REGIONAL",
 *     defaultAction: {
 *         allow: {},
 *     },
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "example-web-acl",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const managedExample = new aws.wafv2.WebAclRuleGroupAssociation("managed_example", {
 *     ruleName: "aws-common-rule-set",
 *     priority: 50,
 *     webAclArn: example.arn,
 *     managedRuleGroup: {
 *         name: "AWSManagedRulesCommonRuleSet",
 *         vendorName: "AWS",
 *     },
 * });
 * ```
 *
 * ### Managed Rule Group - With Version
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const managedVersioned = new aws.wafv2.WebAclRuleGroupAssociation("managed_versioned", {
 *     ruleName: "aws-common-rule-set-versioned",
 *     priority: 60,
 *     webAclArn: example.arn,
 *     managedRuleGroup: {
 *         name: "AWSManagedRulesCommonRuleSet",
 *         vendorName: "AWS",
 *         version: "Version_1.0",
 *     },
 * });
 * ```
 *
 * ### Managed Rule Group - With Rule Action Overrides
 *
 * Both overrides below weaken the managed rule's default action (`count` records a match without blocking; `captcha` challenges instead of blocking). Use them for tuning and keep the scope to the named rules only.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const managedWithOverrides = new aws.wafv2.WebAclRuleGroupAssociation("managed_with_overrides", {
 *     ruleName: "aws-common-rule-set-with-overrides",
 *     priority: 70,
 *     webAclArn: example.arn,
 *     managedRuleGroup: {
 *         name: "AWSManagedRulesCommonRuleSet",
 *         vendorName: "AWS",
 *         ruleActionOverrides: [
 *             {
 *                 name: "GenericRFI_BODY",
 *                 actionToUse: {
 *                     count: {
 *                         customRequestHandling: {
 *                             insertHeaders: [{
 *                                 name: "X-RFI-Override",
 *                                 value: "counted",
 *                             }],
 *                         },
 *                     },
 *                 },
 *             },
 *             {
 *                 name: "SizeRestrictions_BODY",
 *                 actionToUse: {
 *                     captcha: {},
 *                 },
 *             },
 *         ],
 *     },
 * });
 * ```
 *
 * ### Custom Rule Group - With Override Action
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.wafv2.WebAclRuleGroupAssociation("example", {
 *     ruleName: "example-rule-group-rule",
 *     priority: 100,
 *     webAclArn: exampleAwsWafv2WebAcl.arn,
 *     overrideAction: "count",
 *     ruleGroupReference: {
 *         arn: exampleAwsWafv2RuleGroup.arn,
 *     },
 * });
 * ```
 *
 * ### Custom Rule Group - With Rule Action Overrides
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.wafv2.RuleGroup("example", {
 *     name: "example-rule-group",
 *     scope: "REGIONAL",
 *     capacity: 10,
 *     rules: [
 *         {
 *             name: "geo-block-rule",
 *             priority: 1,
 *             action: {
 *                 block: {},
 *             },
 *             statement: {
 *                 geoMatchStatement: {
 *                     countryCodes: [
 *                         "CN",
 *                         "RU",
 *                     ],
 *                 },
 *             },
 *             visibilityConfig: {
 *                 cloudwatchMetricsEnabled: true,
 *                 metricName: "geo-block-rule",
 *                 sampledRequestsEnabled: true,
 *             },
 *         },
 *         {
 *             name: "rate-limit-rule",
 *             priority: 2,
 *             action: {
 *                 block: {},
 *             },
 *             statement: {
 *                 rateBasedStatement: {
 *                     limit: 1000,
 *                     aggregateKeyType: "IP",
 *                 },
 *             },
 *             visibilityConfig: {
 *                 cloudwatchMetricsEnabled: true,
 *                 metricName: "rate-limit-rule",
 *                 sampledRequestsEnabled: true,
 *             },
 *         },
 *     ],
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "example-rule-group",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const exampleWebAcl = new aws.wafv2.WebAcl("example", {
 *     name: "example-web-acl",
 *     scope: "REGIONAL",
 *     defaultAction: {
 *         allow: {},
 *     },
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "example-web-acl",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
 *     ruleName: "example-rule-group-rule",
 *     priority: 100,
 *     webAclArn: exampleWebAcl.arn,
 *     ruleGroupReference: {
 *         arn: example.arn,
 *         ruleActionOverrides: [
 *             {
 *                 name: "geo-block-rule",
 *                 actionToUse: {
 *                     count: {
 *                         customRequestHandling: {
 *                             insertHeaders: [{
 *                                 name: "X-Geo-Block-Override",
 *                                 value: "counted",
 *                             }],
 *                         },
 *                     },
 *                 },
 *             },
 *             {
 *                 name: "rate-limit-rule",
 *                 actionToUse: {
 *                     captcha: {
 *                         customRequestHandling: {
 *                             insertHeaders: [{
 *                                 name: "X-Rate-Limit-Override",
 *                                 value: "captcha-required",
 *                             }],
 *                         },
 *                     },
 *                 },
 *             },
 *         ],
 *     },
 * });
 * ```
 *
 * ### Custom Rule Group - CloudFront Web ACL
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const cloudfrontExample = new aws.wafv2.RuleGroup("cloudfront_example", {
 *     name: "cloudfront-rule-group",
 *     scope: "CLOUDFRONT",
 *     capacity: 10,
 *     rules: [{
 *         name: "rate-limit",
 *         priority: 1,
 *         action: {
 *             block: {},
 *         },
 *         statement: {
 *             rateBasedStatement: {
 *                 limit: 2000,
 *                 aggregateKeyType: "IP",
 *             },
 *         },
 *         visibilityConfig: {
 *             cloudwatchMetricsEnabled: true,
 *             metricName: "rate-limit",
 *             sampledRequestsEnabled: true,
 *         },
 *     }],
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "cloudfront-rule-group",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const cloudfrontExampleWebAcl = new aws.wafv2.WebAcl("cloudfront_example", {
 *     name: "cloudfront-web-acl",
 *     scope: "CLOUDFRONT",
 *     defaultAction: {
 *         allow: {},
 *     },
 *     visibilityConfig: {
 *         cloudwatchMetricsEnabled: true,
 *         metricName: "cloudfront-web-acl",
 *         sampledRequestsEnabled: true,
 *     },
 * });
 * const cloudfrontExampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("cloudfront_example", {
 *     ruleName: "cloudfront-rule-group-rule",
 *     priority: 50,
 *     webAclArn: cloudfrontExampleWebAcl.arn,
 *     ruleGroupReference: {
 *         arn: cloudfrontExample.arn,
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import WAFv2 web ACL custom rule group associations using `WebACLARN,RuleGroupARN,RuleName`. For example:
 *
 * ```sh
 * $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/example-rule-group/87654321-4321-4321-4321-210987654321,example-rule-group-rule"
 * ```
 *
 * Using `pulumi import`, import WAFv2 web ACL managed rule group associations using `WebACLARN,VendorName:RuleGroupName[:Version],RuleName`. For example:
 *
 * ```sh
 * $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation managed_example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,AWS:AWSManagedRulesCommonRuleSet,aws-common-rule-set"
 * ```
 */
export declare class WebAclRuleGroupAssociation extends pulumi.CustomResource {
    /**
     * Get an existing WebAclRuleGroupAssociation resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WebAclRuleGroupAssociationState, opts?: pulumi.CustomResourceOptions): WebAclRuleGroupAssociation;
    /**
     * Returns true if the given object is an instance of WebAclRuleGroupAssociation. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * NOTE(review): `obj: any` is the generated SDK's signature; `unknown` would be source-compatible for callers
     * and type-safe, but the declaration is kept as generated here.
     */
    static isInstance(obj: any): obj is WebAclRuleGroupAssociation;
    /**
     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
     */
    readonly managedRuleGroup: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup | undefined>;
    /**
     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
     *
     * `count` therefore makes every rule in the referenced group non-enforcing for this Web ACL (matches are counted, not blocked).
     * Treat it as a tuning/staging setting and confirm it is not left enabled where the rule group is expected to block.
     */
    readonly overrideAction: pulumi.Output<string>;
    /**
     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
     */
    readonly priority: pulumi.Output<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    readonly region: pulumi.Output<string>;
    /**
     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
     */
    readonly ruleGroupReference: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference | undefined>;
    /**
     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
     */
    readonly ruleName: pulumi.Output<string>;
    /**
     * Operation timeouts for this resource, if configured. The shape is the generated
     * `WebAclRuleGroupAssociationTimeouts` type; undefined when no timeouts were set.
     */
    readonly timeouts: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationTimeouts | undefined>;
    /**
     * ARN of the Web ACL to associate the Rule Group with.
     *
     * The following arguments are optional:
     */
    readonly webAclArn: pulumi.Output<string>;
    /**
     * Create a WebAclRuleGroupAssociation resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WebAclRuleGroupAssociationArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering WebAclRuleGroupAssociation resources.
 */
export interface WebAclRuleGroupAssociationState {
    /**
     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
     */
    managedRuleGroup?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup>;
    /**
     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
     */
    overrideAction?: pulumi.Input<string>;
    /**
     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
     */
    priority?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
     */
    ruleGroupReference?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference>;
    /**
     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
     */
    ruleName?: pulumi.Input<string>;
    /**
     * Operation timeouts for this resource, if configured (generated `WebAclRuleGroupAssociationTimeouts` type).
     */
    timeouts?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationTimeouts>;
    /**
     * ARN of the Web ACL to associate the Rule Group with.
     *
     * The following arguments are optional:
     */
    webAclArn?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a WebAclRuleGroupAssociation resource.
 *
 * `priority`, `ruleName` and `webAclArn` are required; exactly one of `ruleGroupReference` or `managedRuleGroup`
 * must be supplied (the two conflict).
 */
export interface WebAclRuleGroupAssociationArgs {
    /**
     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
     */
    managedRuleGroup?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup>;
    /**
     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
     *
     * `count` makes the whole rule group non-enforcing for this Web ACL; prefer per-rule `ruleActionOverrides`
     * when only specific rules need relaxing.
     */
    overrideAction?: pulumi.Input<string>;
    /**
     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
     */
    priority: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
     */
    ruleGroupReference?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference>;
    /**
     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
     */
    ruleName: pulumi.Input<string>;
    /**
     * Operation timeouts for this resource (generated `WebAclRuleGroupAssociationTimeouts` type). Optional.
     */
    timeouts?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationTimeouts>;
    /**
     * ARN of the Web ACL to associate the Rule Group with.
     *
     * The following arguments are optional:
     */
    webAclArn: pulumi.Input<string>;
}