aws-cdk-lib

import * as cdk from "../../core"; import * as constructs from "constructs"; import * as cfn_parse from "../../core/lib/helpers-internal"; /** * > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. * * For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . * * Use an `IPSet` to identify web requests that originate from specific IP addresses or ranges of IP addresses. For example, if you're receiving a lot of requests from a ranges of IP addresses, you can configure AWS WAF to block them using an IP set that lists those IP addresses. * * You use an IP set by providing its Amazon Resource Name (ARN) to the rule statement `IPSetReferenceStatement` , when you add a rule to a rule group or web ACL. * * @cloudformationResource AWS::WAFv2::IPSet * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html */ export declare class CfnIPSet extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnIPSet from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnIPSet; /** * The Amazon Resource Name (ARN) of the IP set. * * @cloudformationAttribute Arn */ readonly attrArn: string; /** * The ID of the IP set. * * @cloudformationAttribute Id */ readonly attrId: string; /** * Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. */ addresses: Array<string>; /** * A description of the IP set that helps with identification. */ description?: string; /** * The version of the IP addresses, either `IPV4` or `IPV6` . */ ipAddressVersion: string; /** * The name of the IP set. */ name?: string; /** * Specifies whether this is for an Amazon CloudFront distribution or for a regional application. */ scope: string; /** * Tag Manager which manages the tags for this resource */ readonly tags: cdk.TagManager; /** * Key:value pairs associated with an AWS resource. */ tagsRaw?: Array<cdk.CfnTag>; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnIPSetProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } /** * Properties for defining a `CfnIPSet` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html */ export interface CfnIPSetProps { /** * Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. * * All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` . * * Example address strings: * * - For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` . * - For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` . * - For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` . * - For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` . * * For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) . * * Example JSON `Addresses` specifications: * * - Empty array: `"Addresses": []` * - Array with one address: `"Addresses": ["192.0.2.44/32"]` * - Array with three addresses: `"Addresses": ["192.0.2.44/32", "192.0.2.0/24", "192.0.0.0/16"]` * - INVALID specification: `"Addresses": [""]` INVALID * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-addresses */ readonly addresses: Array<string>; /** * A description of the IP set that helps with identification. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-description */ readonly description?: string; /** * The version of the IP addresses, either `IPV4` or `IPV6` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-ipaddressversion */ readonly ipAddressVersion: string; /** * The name of the IP set. * * You cannot change the name of an `IPSet` after you create it. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-name */ readonly name?: string; /** * Specifies whether this is for an Amazon CloudFront distribution or for a regional application. * * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` . * * > For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-scope */ readonly scope: string; /** * Key:value pairs associated with an AWS resource. * * The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. * * > To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-ipset.html#cfn-wafv2-ipset-tags */ readonly tags?: Array<cdk.CfnTag>; } /** * Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF . * * As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records. * * > You can define one logging destination per web ACL. * * You can access information about the traffic that AWS WAF inspects using the following steps: * * - Create your logging destination. You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. * * The name that you give the destination must start with `aws-waf-logs-` . Depending on the type of destination, you might need to configure additional settings or permissions. * * For configuration requirements and pricing information for each destination type, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . * - Associate your logging destination to your web ACL using a `PutLoggingConfiguration` request. * * When you successfully enable logging using a `PutLoggingConfiguration` request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role. * * For additional information about web ACL logging, see [Logging web ACL traffic information](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . * * @cloudformationResource AWS::WAFv2::LoggingConfiguration * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html */ export declare class CfnLoggingConfiguration extends cdk.CfnResource implements cdk.IInspectable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnLoggingConfiguration from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnLoggingConfiguration; /** * Indicates whether the logging configuration was created by AWS Firewall Manager , as part of an AWS WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration. * * @cloudformationAttribute ManagedByFirewallManager */ readonly attrManagedByFirewallManager: cdk.IResolvable; /** * The logging destination configuration that you want to associate with the web ACL. */ logDestinationConfigs: Array<string>; /** * Filtering that specifies which web requests are kept in the logs and which are dropped. */ loggingFilter?: any | cdk.IResolvable; /** * The parts of the request that you want to keep out of the logs. */ redactedFields?: Array<CfnLoggingConfiguration.FieldToMatchProperty | cdk.IResolvable> | cdk.IResolvable; /** * The Amazon Resource Name (ARN) of the web ACL that you want to associate with `LogDestinationConfigs` . */ resourceArn: string; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnLoggingConfigurationProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } export declare namespace CfnLoggingConfiguration { /** * The parts of the request that you want to keep out of the logs. * * This is used in the logging configuration `RedactedFields` specification. * * Example JSON for a `QueryString` field to match: * * `"FieldToMatch": { "QueryString": {} }` * * Example JSON for a `Method` field to match specification: * * `"FieldToMatch": { "Method": { "Name": "DELETE" } }` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html */ interface FieldToMatchProperty { /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html#cfn-wafv2-loggingconfiguration-fieldtomatch-jsonbody */ readonly jsonBody?: any | cdk.IResolvable; /** * Redact the indicated HTTP method. * * The method indicates the type of operation that the request is asking the origin to perform. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html#cfn-wafv2-loggingconfiguration-fieldtomatch-method */ readonly method?: any | cdk.IResolvable; /** * Redact the query string. * * This is the part of a URL that appears after a `?` character, if any. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html#cfn-wafv2-loggingconfiguration-fieldtomatch-querystring */ readonly queryString?: any | cdk.IResolvable; /** * Redact a single header. * * Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive. * * Example JSON: `"SingleHeader": { "Name": "haystack" }` * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html#cfn-wafv2-loggingconfiguration-fieldtomatch-singleheader */ readonly singleHeader?: any | cdk.IResolvable; /** * Redact the request URI path. * * This is the part of the web request that identifies a resource, for example, `/images/daily-ad.jpg` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html#cfn-wafv2-loggingconfiguration-fieldtomatch-uripath */ readonly uriPath?: any | cdk.IResolvable; } /** * Filtering that specifies which web requests are kept in the logs and which are dropped, defined for a web ACL's `LoggingConfiguration` . * * You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-loggingfilter.html */ interface LoggingFilterProperty { /** * Default handling for logs that don't match any of the specified filtering conditions. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-loggingfilter.html#cfn-wafv2-loggingconfiguration-loggingfilter-defaultbehavior */ readonly defaultBehavior: string; /** * The filters that you want to apply to the logs. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-loggingfilter.html#cfn-wafv2-loggingconfiguration-loggingfilter-filters */ readonly filters: Array<CfnLoggingConfiguration.FilterProperty | cdk.IResolvable> | cdk.IResolvable; } /** * A single logging filter, used in `LoggingFilter` . * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-filter.html */ interface FilterProperty { /** * How to handle logs that satisfy the filter's conditions and requirement. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-filter.html#cfn-wafv2-loggingconfiguration-filter-behavior */ readonly behavior: string; /** * Match conditions for the filter. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-filter.html#cfn-wafv2-loggingconfiguration-filter-conditions */ readonly conditions: Array<CfnLoggingConfiguration.ConditionProperty | cdk.IResolvable> | cdk.IResolvable; /** * Logic to apply to the filtering conditions. * * You can specify that, in order to satisfy the filter, a log must match all conditions or must match at least one condition. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-filter.html#cfn-wafv2-loggingconfiguration-filter-requirement */ readonly requirement: string; } /** * A single match condition for a log filter. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-condition.html */ interface ConditionProperty { /** * A single action condition. * * This is the action setting that a log record must contain in order to meet the condition. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-condition.html#cfn-wafv2-loggingconfiguration-condition-actioncondition */ readonly actionCondition?: CfnLoggingConfiguration.ActionConditionProperty | cdk.IResolvable; /** * A single label name condition. * * This is the fully qualified label name that a log record must contain in order to meet the condition. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-condition.html#cfn-wafv2-loggingconfiguration-condition-labelnamecondition */ readonly labelNameCondition?: cdk.IResolvable | CfnLoggingConfiguration.LabelNameConditionProperty; } /** * A single label name condition for a condition in a logging filter. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-labelnamecondition.html */ interface LabelNameConditionProperty { /** * The label name that a log record must contain in order to meet the condition. * * This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-labelnamecondition.html#cfn-wafv2-loggingconfiguration-labelnamecondition-labelname */ readonly labelName: string; } /** * A single action condition for a condition in a logging filter. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-actioncondition.html */ interface ActionConditionProperty { /** * The action setting that a log record must contain in order to meet the condition. * * This is the action that AWS WAF applied to the web request. * * For rule groups, this is either the configured rule action setting, or if you've applied a rule action override to the rule, it's the override action. The value `EXCLUDED_AS_COUNT` matches on excluded rules and also on rules that have a rule action override of Count. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-actioncondition.html#cfn-wafv2-loggingconfiguration-actioncondition-action */ readonly action: string; } /** * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-jsonbody.html */ interface JsonBodyProperty { /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-jsonbody.html#cfn-wafv2-loggingconfiguration-jsonbody-invalidfallbackbehavior */ readonly invalidFallbackBehavior?: string; /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-jsonbody.html#cfn-wafv2-loggingconfiguration-jsonbody-matchpattern */ readonly matchPattern: cdk.IResolvable | CfnLoggingConfiguration.MatchPatternProperty; /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-jsonbody.html#cfn-wafv2-loggingconfiguration-jsonbody-matchscope */ readonly matchScope: string; } /** * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-matchpattern.html */ interface MatchPatternProperty { /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-matchpattern.html#cfn-wafv2-loggingconfiguration-matchpattern-all */ readonly all?: any | cdk.IResolvable; /** * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-matchpattern.html#cfn-wafv2-loggingconfiguration-matchpattern-includedpaths */ readonly includedPaths?: Array<string>; } /** * Inspect one of the headers in the web request, identified by name, for example, `User-Agent` or `Referer` . * * The name isn't case sensitive. * * You can filter and inspect all headers with the `FieldToMatch` setting `Headers` . * * This is used to indicate the web request component to inspect, in the `FieldToMatch` specification. * * Example JSON: `"SingleHeader": { "Name": "haystack" }` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-singleheader.html */ interface SingleHeaderProperty { /** * The name of the query header to inspect. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-singleheader.html#cfn-wafv2-loggingconfiguration-singleheader-name */ readonly name: string; } } /** * Properties for defining a `CfnLoggingConfiguration` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html */ export interface CfnLoggingConfigurationProps { /** * The logging destination configuration that you want to associate with the web ACL. * * > You can associate one logging destination to a web ACL. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html#cfn-wafv2-loggingconfiguration-logdestinationconfigs */ readonly logDestinationConfigs: Array<string>; /** * Filtering that specifies which web requests are kept in the logs and which are dropped. * * You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html#cfn-wafv2-loggingconfiguration-loggingfilter */ readonly loggingFilter?: any | cdk.IResolvable; /** * The parts of the request that you want to keep out of the logs. * * For example, if you redact the `SingleHeader` field, the `HEADER` field in the logs will be `REDACTED` for all rules that use the `SingleHeader` `FieldToMatch` setting. * * Redaction applies only to the component that's specified in the rule's `FieldToMatch` setting, so the `SingleHeader` redaction doesn't apply to rules that use the `Headers` `FieldToMatch` . * * > You can specify only the following fields for redaction: `UriPath` , `QueryString` , `SingleHeader` , and `Method` . > This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling in the web ACL visibility configuration. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html#cfn-wafv2-loggingconfiguration-redactedfields */ readonly redactedFields?: Array<CfnLoggingConfiguration.FieldToMatchProperty | cdk.IResolvable> | cdk.IResolvable; /** * The Amazon Resource Name (ARN) of the web ACL that you want to associate with `LogDestinationConfigs` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html#cfn-wafv2-loggingconfiguration-resourcearn */ readonly resourceArn: string; } /** * > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. * * For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . * * Use an `RegexPatternSet` to have AWS WAF inspect a web request component for a specific set of regular expression patterns. * * You use a regex pattern set by providing its Amazon Resource Name (ARN) to the rule statement `RegexPatternSetReferenceStatement` , when you add a rule to a rule group or web ACL. * * @cloudformationResource AWS::WAFv2::RegexPatternSet * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html */ export declare class CfnRegexPatternSet extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnRegexPatternSet from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnRegexPatternSet; /** * The Amazon Resource Name (ARN) of the regex pattern set. * * @cloudformationAttribute Arn */ readonly attrArn: string; /** * The ID of the regex pattern set. * * @cloudformationAttribute Id */ readonly attrId: string; /** * A description of the set that helps with identification. */ description?: string; /** * The name of the set. */ name?: string; /** * The regular expression patterns in the set. */ regularExpressionList: Array<string>; /** * Specifies whether this is for an Amazon CloudFront distribution or for a regional application. */ scope: string; /** * Tag Manager which manages the tags for this resource */ readonly tags: cdk.TagManager; /** * Key:value pairs associated with an AWS resource. */ tagsRaw?: Array<cdk.CfnTag>; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnRegexPatternSetProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } /** * Properties for defining a `CfnRegexPatternSet` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html */ export interface CfnRegexPatternSetProps { /** * A description of the set that helps with identification. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html#cfn-wafv2-regexpatternset-description */ readonly description?: string; /** * The name of the set. * * You cannot change the name after you create the set. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html#cfn-wafv2-regexpatternset-name */ readonly name?: string; /** * The regular expression patterns in the set. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html#cfn-wafv2-regexpatternset-regularexpressionlist */ readonly regularExpressionList: Array<string>; /** * Specifies whether this is for an Amazon CloudFront distribution or for a regional application. * * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` . * * > For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html#cfn-wafv2-regexpatternset-scope */ readonly scope: string; /** * Key:value pairs associated with an AWS resource. * * The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. * * > To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-regexpatternset.html#cfn-wafv2-regexpatternset-tags */ readonly tags?: Array<cdk.CfnTag>; } /** * > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. * * For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . * * Use an `RuleGroup` to define a collection of rules for inspecting and controlling web requests. You use a rule group in an `WebACL` by providing its Amazon Resource Name (ARN) to the rule statement `RuleGroupReferenceStatement` , when you add rules to the web ACL. * * When you create a rule group, you define an immutable capacity limit. If you update a rule group, you must stay within the capacity. This allows others to reuse the rule group with confidence in its capacity requirements. * * @cloudformationResource AWS::WAFv2::RuleGroup * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-rulegroup.html */ export declare class CfnRuleGroup extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnRuleGroup from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnRuleGroup; /** * The Amazon Resource Name (ARN) of the rule group. * * @cloudformationAttribute Arn */ readonly attrArn: string; /** * The ID of the rule group. * * @cloudformationAttribute Id */ readonly attrId: string; /** * The label namespace prefix for this rule group. All labels added by rules in this rule group have this prefix. * * The syntax for the label namespace prefix for a rule group is the following: `awswaf:<account ID>:rule group:<rule group name>:` * * When a rule with a label matches a web request, AWS WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon. * * @cloudformationAttribute LabelNamespace */ readonly attrLabelNamespace: string; /** * The labels that one or more rules in this rule group add to matching web requests. */ availableLabels?: Array<cdk.IResolvable | CfnRuleGroup.LabelSummaryProperty> | cdk.IResolvable; /** * The web ACL capacity units (WCUs) required for this rule group. */ capacity: number; /** * The labels that one or more rules in this rule group match against in label match statements. */ consumedLabels?: Array<cdk.IResolvable | CfnRuleGroup.LabelSummaryProperty> | cdk.IResolvable; /** * A map of custom response keys and content bodies. */ customResponseBodies?: cdk.IResolvable | Record<string, CfnRuleGroup.CustomResponseBodyProperty | cdk.IResolvable>; /** * A description of the rule group that helps with identification. */ description?: string; /** * The name of the rule group. */ name?: string; /** * The rule statements used to identify the web requests that you want to allow, block, or count. */ rules?: Array<cdk.IResolvable | CfnRuleGroup.RuleProperty> | cdk.IResolvable; /** * Specifies whether this is for an Amazon CloudFront distribution or for a regional application. */ scope: string; /** * Tag Manager which manages the tags for this resource */ readonly tags: cdk.TagManager; /** * Key:value pairs associated with an AWS resource. */ tagsRaw?: Array<cdk.CfnTag>; /** * Defines and enables Amazon CloudWatch metrics and web request sample collection. */ visibilityConfig: cdk.IResolvable | CfnRuleGroup.VisibilityConfigProperty; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnRuleGroupProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } export declare namespace CfnRuleGroup { /** * List of labels used by one or more of the rules of a `RuleGroup` . * * This summary object is used for the following rule group lists: * * - `AvailableLabels` - Labels that rules add to matching requests. These labels are defined in the `RuleLabels` for a rule. * - `ConsumedLabels` - Labels that rules match against. These labels are defined in a `LabelMatchStatement` specification, in the `Statement` definition of a rule. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-labelsummary.html */ interface LabelSummaryProperty { /** * An individual label specification. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-labelsummary.html#cfn-wafv2-rulegroup-labelsummary-name */ readonly name?: string; } /** * The response body to use in a custom response to a web request. * * This is referenced by key from `CustomResponse` `CustomResponseBodyKey` . * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-customresponsebody.html */ interface CustomResponseBodyProperty { /** * The payload of the custom response. * * You can use JSON escape strings in JSON content. To do this, you must specify JSON content in the `ContentType` setting. * * For information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-customresponsebody.html#cfn-wafv2-rulegroup-customresponsebody-content */ readonly content: string; /** * The type of content in the payload that you are defining in the `Content` string. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-customresponsebody.html#cfn-wafv2-rulegroup-customresponsebody-contenttype */ readonly contentType: string; } /** * A single rule, which you can use in a `WebACL` or `RuleGroup` to identify web requests that you want to manage in some way. * * Each rule includes one top-level `Statement` that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html */ interface RuleProperty { /** * The action that AWS WAF should take on a web request when it matches the rule statement. * * Settings at the web ACL level can override the rule action setting. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-action */ readonly action?: cdk.IResolvable | CfnRuleGroup.RuleActionProperty; /** * Specifies how AWS WAF should handle `CAPTCHA` evaluations. * * If you don't specify this, AWS WAF uses the `CAPTCHA` configuration that's defined for the web ACL. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-captchaconfig */ readonly captchaConfig?: CfnRuleGroup.CaptchaConfigProperty | cdk.IResolvable; /** * Specifies how AWS WAF should handle `Challenge` evaluations. * * If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-challengeconfig */ readonly challengeConfig?: CfnRuleGroup.ChallengeConfigProperty | cdk.IResolvable; /** * The name of the rule. * * If you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-name */ readonly name: string; /** * If you define more than one `Rule` in a `WebACL` , AWS WAF evaluates each request against the `Rules` in order based on the value of `Priority` . * * AWS WAF processes rules with lower priority first. The priorities don't need to be consecutive, but they must all be different. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-priority */ readonly priority: number; /** * Labels to apply to web requests that match the rule match statement. * * AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace. * * Rules that run after this rule in the web ACL can match against these labels using a `LabelMatchStatement` . * * For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines: * * - Separate each component of the label with a colon. * - Each namespace or name can have up to 128 characters. * - You can specify up to 5 namespaces in a label. * - Don't use the following reserved words in your label specification: `aws` , `waf` , `managed` , `rulegroup` , `webacl` , `regexpatternset` , or `ipset` . * * For example, `myLabelName` or `nameSpace1:nameSpace2:myLabelName` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-rulelabels */ readonly ruleLabels?: Array<cdk.IResolvable | CfnRuleGroup.LabelProperty> | cdk.IResolvable; /** * The AWS WAF processing statement for the rule, for example `ByteMatchStatement` or `SizeConstraintStatement` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-statement */ readonly statement: cdk.IResolvable | CfnRuleGroup.StatementProperty; /** * Defines and enables Amazon CloudWatch metrics and web request sample collection. * * If you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html#cfn-wafv2-rulegroup-rule-visibilityconfig */ readonly visibilityConfig: cdk.IResolvable | CfnRuleGroup.VisibilityConfigProperty; } /** * The action that AWS WAF should take on a web request when it matches a rule's statement. * * Settings at the web ACL level can override the rule action setting. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html */ interface RuleActionProperty { /** * Instructs AWS WAF to allow the web request. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html#cfn-wafv2-rulegroup-ruleaction-allow */ readonly allow?: any | cdk.IResolvable; /** * Instructs AWS WAF to block the web request. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html#cfn-wafv2-rulegroup-ruleaction-block */ readonly block?: any | cdk.IResolvable; /** * Specifies that AWS WAF should run a `CAPTCHA` check against the request:. * * - If the request includes a valid, unexpired `CAPTCHA` token, AWS WAF allows the web request inspection to proceed to the next rule, similar to a `CountAction` . * - If the request doesn't include a valid, unexpired `CAPTCHA` token, AWS WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination. * * AWS WAF generates a response that it sends back to the client, which includes the following: * * - The header `x-amzn-waf-action` with a value of `captcha` . * - The HTTP status code `405 Method Not Allowed` . * - If the request contains an `Accept` header with a value of `text/html` , the response includes a `CAPTCHA` challenge. * * You can configure the expiration time in the `CaptchaConfig` `ImmunityTimeProperty` setting at the rule and web ACL level. The rule setting overrides the web ACL setting. * * This action option is available for rules. It isn't available for web ACL default actions. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html#cfn-wafv2-rulegroup-ruleaction-captcha */ readonly captcha?: any | cdk.IResolvable; /** * Instructs AWS WAF to run a `Challenge` check against the web request. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html#cfn-wafv2-rulegroup-ruleaction-challenge */ readonly challenge?: any | cdk.IResolvable; /** * Instructs AWS WAF to count the web request and then continue evaluating the request using the remaining rules in the web ACL. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ruleaction.html#cfn-wafv2-rulegroup-ruleaction-count */ readonly count?: any | cdk.IResolvable; } /** * The processing guidance for a rule, used by AWS WAF to determine whether a web request matches the rule. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-statement.html */ interface StatementProperty { /** * A logical rule statement used to combine other rule statements with AND logic. * * You provide more than one `Statement` within the `AndStatement` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-statement.html#cfn-wafv2-rulegroup-statement-andstatement */ readonly andStatement?: CfnRuleGroup.AndStatementProperty | cdk.IResolvable; /** * A rule statement that defines a string match search for AWS WAF to apply to web requests. * * The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the AWS WAF console and the developer guide, this is called a string match statement. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-statement.html#cfn-wafv2-rulegroup-statement-bytematchstatement */ readonly byteMatchStatement?: CfnRuleGroup.ByteMatchStatementProperty | cdk.IResolvable; /** * A rule statement that labels web requests by country and region and that matches against web requests based on country code. * * A geo match rule labels every request that it inspects regardless of whether it finds a match. * * - To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the `CountryCodes` array. * - Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed. * * AWS WAF labels requests using the alpha-2 country and region codes from the Intern