@pulumi/fastly
A Pulumi package for creating and managing fastly cloud resources.. Based on terraform-provider-fastly: version v4
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
* Provides a Fastly Next-Gen WAF Workspace Rule, scoped to a specific NGWAF workspace.
* These rules define conditions and actions that trigger WAF enforcement at the workspace level.
*
* ## Example Usage
*
* Basic usage:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const exampleNgwafWorkspaceRule = new fastly.NgwafWorkspaceRule("example", {
* workspaceId: example.id,
* type: "request",
* description: "Block requests from specific IP to login path",
* enabled: true,
* requestLogging: "sampled",
* groupOperator: "all",
* actions: [{
* type: "block",
* }],
* conditions: [
* {
* field: "ip",
* operator: "equals",
* value: "192.0.2.1",
* },
* {
* field: "path",
* operator: "equals",
* value: "/login",
* },
* ],
* });
* ```
*
* Using templated signals:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const exampleNgwafWorkspaceRule = new fastly.NgwafWorkspaceRule("example", {
* workspaceId: example.id,
* type: "request",
* description: "",
* enabled: true,
* groupOperator: "all",
* conditions: [
* {
* field: "method",
* operator: "equals",
* value: "POST",
* },
* {
* field: "path",
* operator: "equals",
* value: "/login",
* },
* ],
* actions: [{
* type: "templated_signal",
* signal: "LOGINATTEMPT",
* }],
* });
* ```
*
* Using group conditions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const exampleNgwafWorkspaceRule = new fastly.NgwafWorkspaceRule("example", {
* workspaceId: example.id,
* type: "request",
* description: "Block requests with grouped conditions",
* enabled: true,
* requestLogging: "sampled",
* groupOperator: "all",
* actions: [{
* type: "block",
* }],
* groupConditions: [
* {
* groupOperator: "any",
* conditions: [
* {
* field: "protocol_version",
* operator: "equals",
* value: "HTTP/1.0",
* },
* {
* field: "method",
* operator: "equals",
* value: "HEAD",
* },
* {
* field: "domain",
* operator: "equals",
* value: "example.com",
* },
* ],
* },
* {
* groupOperator: "all",
* conditions: [
* {
* field: "country",
* operator: "equals",
* value: "AD",
* },
* {
* field: "method",
* operator: "equals",
* value: "POST",
* },
* ],
* },
* ],
* });
* ```
*
* Using multival conditions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const exampleNgwafWorkspaceRule = new fastly.NgwafWorkspaceRule("example", {
* workspaceId: example.id,
* type: "request",
* description: "Block requests with specific header patterns",
* enabled: true,
* requestLogging: "sampled",
* groupOperator: "all",
* actions: [{
* type: "block",
* }],
* multivalConditions: [{
* field: "request_header",
* operator: "exists",
* groupOperator: "any",
* conditions: [
* {
* field: "name",
* operator: "does_not_equal",
* value: "Header-Sample",
* },
* {
* field: "name",
* operator: "contains",
* value: "X-API-Key",
* },
* {
* field: "value_string",
* operator: "equals",
* value: "application/json",
* },
* ],
* }],
* });
* ```
*
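* Using rate limits (the rule below names its signal with the literal string `site.demo` and never references `demoSignal`, so Pulumi sees no dependency between the two resources; if the signal must exist before the rule is created, pass `dependsOn: [demoSignal]` in the rule's resource options):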
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const demoSignal = new fastly.NgwafWorkspaceSignal("demo_signal", {
* workspaceId: example.id,
* name: "demo",
* description: "A description of my signal.",
* });
* const ipLimit = new fastly.NgwafWorkspaceRule("ip_limit", {
* workspaceId: example.id,
* type: "rate_limit",
* description: "Rate limit demo rule-updated",
* enabled: true,
* conditions: [{
* field: "ip",
* operator: "equals",
* value: "1.2.3.4",
* }],
* rateLimit: {
* signal: "site.demo",
* threshold: 100,
* interval: 60,
* duration: 300,
* clientIdentifiers: [{
* type: "ip",
* }],
* },
* actions: [{
* signal: "SUSPECTED-BOT",
* type: "block_signal",
* }],
* });
* ```
*
* Using signal exclusions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fastly from "@pulumi/fastly";
*
* const example = new fastly.NgwafWorkspace("example", {
* name: "example",
* description: "Test NGWAF Workspace",
* mode: "block",
* ipAnonymization: "hashed",
* clientIpHeaders: [
* "X-Forwarded-For",
* "X-Real-IP",
* ],
* defaultBlockingResponseCode: 429,
* attackSignalThresholds: {},
* });
* const excludeXssSignal = new fastly.NgwafWorkspaceRule("exclude_xss_signal", {
* workspaceId: example.id,
* type: "signal",
* description: "Exclude XSS signal to address a false positive",
* enabled: true,
* groupOperator: "all",
* conditions: [{
* field: "path",
* operator: "like",
* value: "/contact-form",
* }],
* actions: [{
* type: "exclude_signal",
* signal: "XSS",
* }],
* });
* ```
*
* ## Import
*
* Fastly Next-Gen WAF workspace rules can be imported using the format `<workspaceID>/<ruleID>`, e.g.:
*
* ```sh
* $ pulumi import fastly:index/ngwafWorkspaceRule:NgwafWorkspaceRule demo <workspaceID>/<ruleID>
* ```
*/
export declare class NgwafWorkspaceRule extends pulumi.CustomResource {
/**
* Get an existing NgwafWorkspaceRule resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to look up.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns The NgwafWorkspaceRule resource for the given name and ID.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NgwafWorkspaceRuleState, opts?: pulumi.CustomResourceOptions): NgwafWorkspaceRule;
/**
* Returns true if the given object is an instance of NgwafWorkspaceRule. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* `obj` is typed `any`, so any value can be passed; a true result narrows it to NgwafWorkspaceRule.
*/
static isInstance(obj: any): obj is NgwafWorkspaceRule;
/**
* List of actions to perform when the rule matches.
*/
readonly actions: pulumi.Output<outputs.NgwafWorkspaceRuleAction[]>;
/**
* Flat list of individual conditions. Each must include `field`, `operator`, and `value`.
* Resolves to `undefined` when no flat conditions are set.
*/
readonly conditions: pulumi.Output<outputs.NgwafWorkspaceRuleCondition[] | undefined>;
/**
* The description of the rule.
*/
readonly description: pulumi.Output<string>;
/**
* Whether the rule is currently enabled.
*/
readonly enabled: pulumi.Output<boolean>;
/**
* List of grouped conditions with nested logic. Each group must define a `groupOperator` and at least one condition.
*/
readonly groupConditions: pulumi.Output<outputs.NgwafWorkspaceRuleGroupCondition[] | undefined>;
/**
* Logical operator to apply to group conditions. Accepted values are `any` and `all`.
*/
readonly groupOperator: pulumi.Output<string | undefined>;
/**
* List of multival conditions with nested logic. Each multival entry must define a `field`, `operator`, `groupOperator` and at least one condition.
*/
readonly multivalConditions: pulumi.Output<outputs.NgwafWorkspaceRuleMultivalCondition[] | undefined>;
/**
* Block specifically for `rate_limit` rules.
*/
readonly rateLimit: pulumi.Output<outputs.NgwafWorkspaceRuleRateLimit | undefined>;
/**
* Logging behavior for matching requests. Accepted values are `sampled` and `none`.
*/
readonly requestLogging: pulumi.Output<string | undefined>;
/**
* The type of the rule. Accepted values are listed as `request`, `signal`, `rateLimit`, and `templatedSignal`.
* NOTE(review): the usage examples for this resource pass `"rate_limit"` (snake_case), so the camelCase
* spellings here look like a doc-generation artifact — confirm the exact strings against the provider.
*/
readonly type: pulumi.Output<string>;
/**
* The ID of the workspace.
*/
readonly workspaceId: pulumi.Output<string>;
/**
* Create a NgwafWorkspaceRule resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: NgwafWorkspaceRuleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering NgwafWorkspaceRule resources.
*/
export interface NgwafWorkspaceRuleState {
// Every property here is optional; this is the type of the `state` parameter of NgwafWorkspaceRule.get.
/**
* List of actions to perform when the rule matches.
*/
actions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleAction>[]>;
/**
* Flat list of individual conditions. Each must include `field`, `operator`, and `value`.
*/
conditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleCondition>[]>;
/**
* The description of the rule.
*/
description?: pulumi.Input<string>;
/**
* Whether the rule is currently enabled.
*/
enabled?: pulumi.Input<boolean>;
/**
* List of grouped conditions with nested logic. Each group must define a `groupOperator` and at least one condition.
*/
groupConditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleGroupCondition>[]>;
/**
* Logical operator to apply to group conditions. Accepted values are `any` and `all`.
*/
groupOperator?: pulumi.Input<string>;
/**
* List of multival conditions with nested logic. Each multival entry must define a `field`, `operator`, `groupOperator` and at least one condition.
*/
multivalConditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleMultivalCondition>[]>;
/**
* Block specifically for `rate_limit` rules.
*/
rateLimit?: pulumi.Input<inputs.NgwafWorkspaceRuleRateLimit>;
/**
* Logging behavior for matching requests. Accepted values are `sampled` and `none`.
*/
requestLogging?: pulumi.Input<string>;
/**
* The type of the rule. Accepted values are listed as `request`, `signal`, `rateLimit`, and `templatedSignal`.
* NOTE(review): the usage examples for this resource pass `"rate_limit"` (snake_case), so the camelCase
* spellings here look like a doc-generation artifact — confirm the exact strings against the provider.
*/
type?: pulumi.Input<string>;
/**
* The ID of the workspace.
*/
workspaceId?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a NgwafWorkspaceRule resource.
*/
export interface NgwafWorkspaceRuleArgs {
// Required: actions, description, enabled, type, workspaceId. Every other property is optional.
/**
* List of actions to perform when the rule matches.
* NOTE(review): the usage examples include an `exclude_signal` action; presumably it suppresses the named
* signal for every request the rule matches, so such a rule's conditions should be as narrow as the
* false positive allows — confirm.
*/
actions: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleAction>[]>;
/**
* Flat list of individual conditions. Each must include `field`, `operator`, and `value`.
* NOTE(review): for `field: "ip"` conditions, the address matched presumably depends on how the workspace
* derives the client IP (the usage examples configure `clientIpHeaders` with `X-Forwarded-For` and
* `X-Real-IP`); those headers are client-controllable unless a trusted proxy overwrites them — confirm
* before relying on IP matches for blocking.
*/
conditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleCondition>[]>;
/**
* The description of the rule.
*/
description: pulumi.Input<string>;
/**
* Whether the rule is currently enabled.
* NOTE(review): presumably a rule with `enabled: false` is stored but not enforced — confirm; a blocking
* rule being switched off is worth calling out in change review.
*/
enabled: pulumi.Input<boolean>;
/**
* List of grouped conditions with nested logic. Each group must define a `groupOperator` and at least one condition.
*/
groupConditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleGroupCondition>[]>;
/**
* Logical operator to apply to group conditions. Accepted values are `any` and `all`.
*/
groupOperator?: pulumi.Input<string>;
/**
* List of multival conditions with nested logic. Each multival entry must define a `field`, `operator`, `groupOperator` and at least one condition.
*/
multivalConditions?: pulumi.Input<pulumi.Input<inputs.NgwafWorkspaceRuleMultivalCondition>[]>;
/**
* Block specifically for `rate_limit` rules.
*/
rateLimit?: pulumi.Input<inputs.NgwafWorkspaceRuleRateLimit>;
/**
* Logging behavior for matching requests. Accepted values are `sampled` and `none`.
* NOTE(review): `none` presumably means matching requests leave no request log entry, which removes
* evidence useful for rule tuning and incident review — confirm.
*/
requestLogging?: pulumi.Input<string>;
/**
* The type of the rule. Accepted values are listed as `request`, `signal`, `rateLimit`, and `templatedSignal`.
* NOTE(review): the usage examples for this resource pass `"rate_limit"` (snake_case), so the camelCase
* spellings here look like a doc-generation artifact — confirm the exact strings against the provider.
*/
type: pulumi.Input<string>;
/**
* The ID of the workspace.
*/
workspaceId: pulumi.Input<string>;
}