"use strict";
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
// Flag this CommonJS module as transpiled from an ES module so import interop treats it accordingly.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the named export up front as undefined; the class itself is assigned to it after its definition.
exports.WebAclRuleGroupAssociation = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("../utilities");
/**
* Associates a WAFv2 Rule Group (custom or managed) with a Web ACL by adding a rule that references the Rule Group. Use this resource to apply the rules defined in a Rule Group to a Web ACL without duplicating rule definitions.
*
* This resource supports both:
*
* - **Custom Rule Groups**: User-created rule groups that you manage within your AWS account
* - **Managed Rule Groups**: Pre-configured rule groups provided by AWS or third-party vendors
*
* !> **Warning:** Verify the rule names in your `ruleActionOverride`s carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name, so the rule keeps its original action and nothing reports the mistake. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.
*
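* !> **Warning:** Using this resource will cause the associated Web ACL resource to show configuration drift in the `rule` argument unless the Web ACL resource is told to ignore changes to that argument. The upstream form is `lifecycle { ignoreChanges = [rule] }`; in a Pulumi program the equivalent is the `ignoreChanges` resource option on the Web ACL (for example `{ ignoreChanges: ["rules"] }`). This is because this resource modifies the Web ACL's rules outside of the Web ACL resource's direct management, so without it a later update of the Web ACL may try to revert the rule list and drop the rule this association added.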
*
* > **Note:** This resource creates a rule within the Web ACL that references the entire Rule Group. The rule group's individual rules are evaluated as a unit when requests are processed by the Web ACL.
*
* ## Example Usage
*
* ### Custom Rule Group - Basic Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const example = new aws.wafv2.RuleGroup("example", {
* name: "example-rule-group",
* scope: "REGIONAL",
* capacity: 10,
* rules: [{
* name: "block-suspicious-requests",
* priority: 1,
* action: {
* block: {},
* },
* statement: {
* geoMatchStatement: {
* countryCodes: [
* "CN",
* "RU",
* ],
* },
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "block-suspicious-requests",
* sampledRequestsEnabled: true,
* },
* }],
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "example-rule-group",
* sampledRequestsEnabled: true,
* },
* });
* const exampleWebAcl = new aws.wafv2.WebAcl("example", {
* name: "example-web-acl",
* scope: "REGIONAL",
* defaultAction: {
* allow: {},
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "example-web-acl",
* sampledRequestsEnabled: true,
* },
* });
* const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
* ruleName: "example-rule-group-rule",
* priority: 100,
* webAclArn: exampleWebAcl.arn,
* ruleGroupReference: {
* arn: example.arn,
* },
* });
* ```
*
* ### Managed Rule Group - Basic Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const example = new aws.wafv2.WebAcl("example", {
* name: "example-web-acl",
* scope: "REGIONAL",
* defaultAction: {
* allow: {},
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "example-web-acl",
* sampledRequestsEnabled: true,
* },
* });
* const managedExample = new aws.wafv2.WebAclRuleGroupAssociation("managed_example", {
* ruleName: "aws-common-rule-set",
* priority: 50,
* webAclArn: example.arn,
* managedRuleGroup: {
* name: "AWSManagedRulesCommonRuleSet",
* vendorName: "AWS",
* },
* });
* ```
*
* ### Managed Rule Group - With Version
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const managedVersioned = new aws.wafv2.WebAclRuleGroupAssociation("managed_versioned", {
* ruleName: "aws-common-rule-set-versioned",
* priority: 60,
* webAclArn: example.arn,
* managedRuleGroup: {
* name: "AWSManagedRulesCommonRuleSet",
* vendorName: "AWS",
* version: "Version_1.0",
* },
* });
* ```
*
* ### Managed Rule Group - With Rule Action Overrides
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const managedWithOverrides = new aws.wafv2.WebAclRuleGroupAssociation("managed_with_overrides", {
* ruleName: "aws-common-rule-set-with-overrides",
* priority: 70,
* webAclArn: example.arn,
* managedRuleGroup: {
* name: "AWSManagedRulesCommonRuleSet",
* vendorName: "AWS",
* ruleActionOverrides: [
* {
* name: "GenericRFI_BODY",
* actionToUse: {
* count: {
* customRequestHandling: {
* insertHeaders: [{
* name: "X-RFI-Override",
* value: "counted",
* }],
* },
* },
* },
* },
* {
* name: "SizeRestrictions_BODY",
* actionToUse: {
* captcha: {},
* },
* },
* ],
* },
* });
* ```
*
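* ### Custom Rule Group - With Override Action
*
* Setting `overrideAction` to `"count"` makes the Web ACL count requests that match the rule group instead of applying the actions defined by the group's rules, so this configuration observes traffic rather than blocking it.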
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const example = new aws.wafv2.WebAclRuleGroupAssociation("example", {
* ruleName: "example-rule-group-rule",
* priority: 100,
* webAclArn: exampleAwsWafv2WebAcl.arn,
* overrideAction: "count",
* ruleGroupReference: {
* arn: exampleAwsWafv2RuleGroup.arn,
* },
* });
* ```
*
* ### Custom Rule Group - With Rule Action Overrides
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const example = new aws.wafv2.RuleGroup("example", {
* name: "example-rule-group",
* scope: "REGIONAL",
* capacity: 10,
* rules: [
* {
* name: "geo-block-rule",
* priority: 1,
* action: {
* block: {},
* },
* statement: {
* geoMatchStatement: {
* countryCodes: [
* "CN",
* "RU",
* ],
* },
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "geo-block-rule",
* sampledRequestsEnabled: true,
* },
* },
* {
* name: "rate-limit-rule",
* priority: 2,
* action: {
* block: {},
* },
* statement: {
* rateBasedStatement: {
* limit: 1000,
* aggregateKeyType: "IP",
* },
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "rate-limit-rule",
* sampledRequestsEnabled: true,
* },
* },
* ],
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "example-rule-group",
* sampledRequestsEnabled: true,
* },
* });
* const exampleWebAcl = new aws.wafv2.WebAcl("example", {
* name: "example-web-acl",
* scope: "REGIONAL",
* defaultAction: {
* allow: {},
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "example-web-acl",
* sampledRequestsEnabled: true,
* },
* });
* const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
* ruleName: "example-rule-group-rule",
* priority: 100,
* webAclArn: exampleWebAcl.arn,
* ruleGroupReference: {
* arn: example.arn,
* ruleActionOverrides: [
* {
* name: "geo-block-rule",
* actionToUse: {
* count: {
* customRequestHandling: {
* insertHeaders: [{
* name: "X-Geo-Block-Override",
* value: "counted",
* }],
* },
* },
* },
* },
* {
* name: "rate-limit-rule",
* actionToUse: {
* captcha: {
* customRequestHandling: {
* insertHeaders: [{
* name: "X-Rate-Limit-Override",
* value: "captcha-required",
* }],
* },
* },
* },
* },
* ],
* },
* });
* ```
*
* ### Custom Rule Group - CloudFront Web ACL
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const cloudfrontExample = new aws.wafv2.RuleGroup("cloudfront_example", {
* name: "cloudfront-rule-group",
* scope: "CLOUDFRONT",
* capacity: 10,
* rules: [{
* name: "rate-limit",
* priority: 1,
* action: {
* block: {},
* },
* statement: {
* rateBasedStatement: {
* limit: 2000,
* aggregateKeyType: "IP",
* },
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "rate-limit",
* sampledRequestsEnabled: true,
* },
* }],
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "cloudfront-rule-group",
* sampledRequestsEnabled: true,
* },
* });
* const cloudfrontExampleWebAcl = new aws.wafv2.WebAcl("cloudfront_example", {
* name: "cloudfront-web-acl",
* scope: "CLOUDFRONT",
* defaultAction: {
* allow: {},
* },
* visibilityConfig: {
* cloudwatchMetricsEnabled: true,
* metricName: "cloudfront-web-acl",
* sampledRequestsEnabled: true,
* },
* });
* const cloudfrontExampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("cloudfront_example", {
* ruleName: "cloudfront-rule-group-rule",
* priority: 50,
* webAclArn: cloudfrontExampleWebAcl.arn,
* ruleGroupReference: {
* arn: cloudfrontExample.arn,
* },
* });
* ```
*
* ## Import
*
* Using `pulumi import`, import WAFv2 web ACL custom rule group associations using `WebACLARN,RuleGroupARN,RuleName`. For example:
*
* ```sh
* $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/example-rule-group/87654321-4321-4321-4321-210987654321,example-rule-group-rule"
* ```
* Using `pulumi import`, import WAFv2 web ACL managed rule group associations using `WebACLARN,VendorName:RuleGroupName[:Version],RuleName`. For example:
*
* ```sh
* $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation managed_example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,AWS:AWSManagedRulesCommonRuleSet,aws-common-rule-set"
* ```
*/
class WebAclRuleGroupAssociation extends pulumi.CustomResource {
    /**
     * Look up an existing WebAclRuleGroupAssociation by name and provider ID, optionally
     * qualifying the lookup with extra state properties.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name, id, state, opts) {
        // A set `id` is what switches the constructor into lookup mode.
        const lookupOpts = { ...opts, id };
        return new WebAclRuleGroupAssociation(name, state, lookupOpts);
    }
    /**
     * Report whether the given object is a WebAclRuleGroupAssociation. The check compares the
     * Pulumi type token instead of the prototype chain, so it keeps working when several copies
     * of the Pulumi SDK are loaded into the same process.
     */
    static isInstance(obj) {
        return obj !== undefined
            && obj !== null
            && obj['__pulumiType'] === WebAclRuleGroupAssociation.__pulumiType;
    }
    /**
     * Register the resource, or read an existing one when `opts.id` is set.
     *
     * @param name The _unique_ name of the resource.
     * @param argsOrState Resource arguments, or lookup state when `opts.id` is set.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @throws Error when `priority`, `ruleName` or `webAclArn` is undefined, unless `opts.id`
     * or `opts.urn` is set.
     */
    constructor(name, argsOrState, opts) {
        const settings = opts || {};
        if (!settings.id) {
            // Only the presence of the required properties is checked here, and only when the
            // resource is not being rehydrated from a URN.
            // NOTE(review): `managedRuleGroup` and `ruleGroupReference` are both passed through
            // unchecked; presumably the provider rejects setting both or neither — confirm.
            const isMissing = (prop) => argsOrState?.[prop] === undefined && !settings.urn;
            if (isMissing("priority")) {
                throw new Error("Missing required property 'priority'");
            }
            if (isMissing("ruleName")) {
                throw new Error("Missing required property 'ruleName'");
            }
            if (isMissing("webAclArn")) {
                throw new Error("Missing required property 'webAclArn'");
            }
        }
        // Lookup state and creation arguments carry the same properties, copied in this order.
        const inputNames = [
            "managedRuleGroup",
            "overrideAction",
            "priority",
            "region",
            "ruleGroupReference",
            "ruleName",
            "timeouts",
            "webAclArn",
        ];
        const resourceInputs = {};
        for (const inputName of inputNames) {
            resourceInputs[inputName] = argsOrState?.[inputName];
        }
        const mergedOpts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), settings);
        super(WebAclRuleGroupAssociation.__pulumiType, name, resourceInputs, mergedOpts);
    }
}
// Publish the class as this module's named export.
exports.WebAclRuleGroupAssociation = WebAclRuleGroupAssociation;
// Pulumi type token for this resource: passed to the base constructor and compared by `isInstance`.
/** @internal */
WebAclRuleGroupAssociation.__pulumiType = 'aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation';
//# sourceMappingURL=webAclRuleGroupAssociation.js.map