Docs Home
AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi
aws.wafregional.WebAcl
Explore with Pulumi AI
Provides a WAF Regional Web ACL Resource for use with Application Load Balancer.
Example Usage
Regular Rule
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ipset = new aws.wafregional.IpSet("ipset", {
name: "tfIPSet",
ipSetDescriptors: [{
type: "IPV4",
value: "192.0.7.0/24",
}],
});
const wafrule = new aws.wafregional.Rule("wafrule", {
name: "tfWAFRule",
metricName: "tfWAFRule",
predicates: [{
dataId: ipset.id,
negated: false,
type: "IPMatch",
}],
});
const wafacl = new aws.wafregional.WebAcl("wafacl", {
name: "tfWebACL",
metricName: "tfWebACL",
defaultAction: {
type: "ALLOW",
},
rules: [{
action: {
type: "BLOCK",
},
priority: 1,
ruleId: wafrule.id,
type: "REGULAR",
}],
});
import pulumi
import pulumi_aws as aws
ipset = aws.wafregional.IpSet("ipset",
name="tfIPSet",
ip_set_descriptors=[{
"type": "IPV4",
"value": "192.0.7.0/24",
}])
wafrule = aws.wafregional.Rule("wafrule",
name="tfWAFRule",
metric_name="tfWAFRule",
predicates=[{
"data_id": ipset.id,
"negated": False,
"type": "IPMatch",
}])
wafacl = aws.wafregional.WebAcl("wafacl",
name="tfWebACL",
metric_name="tfWebACL",
default_action={
"type": "ALLOW",
},
rules=[{
"action": {
"type": "BLOCK",
},
"priority": 1,
"rule_id": wafrule.id,
"type": "REGULAR",
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ipset, err := wafregional.NewIpSet(ctx, "ipset", &wafregional.IpSetArgs{
Name: pulumi.String("tfIPSet"),
IpSetDescriptors: wafregional.IpSetIpSetDescriptorArray{
&wafregional.IpSetIpSetDescriptorArgs{
Type: pulumi.String("IPV4"),
Value: pulumi.String("192.0.7.0/24"),
},
},
})
if err != nil {
return err
}
wafrule, err := wafregional.NewRule(ctx, "wafrule", &wafregional.RuleArgs{
Name: pulumi.String("tfWAFRule"),
MetricName: pulumi.String("tfWAFRule"),
Predicates: wafregional.RulePredicateArray{
&wafregional.RulePredicateArgs{
DataId: ipset.ID(),
Negated: pulumi.Bool(false),
Type: pulumi.String("IPMatch"),
},
},
})
if err != nil {
return err
}
_, err = wafregional.NewWebAcl(ctx, "wafacl", &wafregional.WebAclArgs{
Name: pulumi.String("tfWebACL"),
MetricName: pulumi.String("tfWebACL"),
DefaultAction: &wafregional.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
Rules: wafregional.WebAclRuleArray{
&wafregional.WebAclRuleArgs{
Action: &wafregional.WebAclRuleActionArgs{
Type: pulumi.String("BLOCK"),
},
Priority: pulumi.Int(1),
RuleId: wafrule.ID(),
Type: pulumi.String("REGULAR"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var ipset = new Aws.WafRegional.IpSet("ipset", new()
{
Name = "tfIPSet",
IpSetDescriptors = new[]
{
new Aws.WafRegional.Inputs.IpSetIpSetDescriptorArgs
{
Type = "IPV4",
Value = "192.0.7.0/24",
},
},
});
var wafrule = new Aws.WafRegional.Rule("wafrule", new()
{
Name = "tfWAFRule",
MetricName = "tfWAFRule",
Predicates = new[]
{
new Aws.WafRegional.Inputs.RulePredicateArgs
{
DataId = ipset.Id,
Negated = false,
Type = "IPMatch",
},
},
});
var wafacl = new Aws.WafRegional.WebAcl("wafacl", new()
{
Name = "tfWebACL",
MetricName = "tfWebACL",
DefaultAction = new Aws.WafRegional.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
Rules = new[]
{
new Aws.WafRegional.Inputs.WebAclRuleArgs
{
Action = new Aws.WafRegional.Inputs.WebAclRuleActionArgs
{
Type = "BLOCK",
},
Priority = 1,
RuleId = wafrule.Id,
Type = "REGULAR",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafregional.IpSet;
import com.pulumi.aws.wafregional.IpSetArgs;
import com.pulumi.aws.wafregional.inputs.IpSetIpSetDescriptorArgs;
import com.pulumi.aws.wafregional.Rule;
import com.pulumi.aws.wafregional.RuleArgs;
import com.pulumi.aws.wafregional.inputs.RulePredicateArgs;
import com.pulumi.aws.wafregional.WebAcl;
import com.pulumi.aws.wafregional.WebAclArgs;
import com.pulumi.aws.wafregional.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafregional.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafregional.inputs.WebAclRuleActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var ipset = new IpSet("ipset", IpSetArgs.builder()
.name("tfIPSet")
.ipSetDescriptors(IpSetIpSetDescriptorArgs.builder()
.type("IPV4")
.value("192.0.7.0/24")
.build())
.build());
var wafrule = new Rule("wafrule", RuleArgs.builder()
.name("tfWAFRule")
.metricName("tfWAFRule")
.predicates(RulePredicateArgs.builder()
.dataId(ipset.id())
.negated(false)
.type("IPMatch")
.build())
.build());
var wafacl = new WebAcl("wafacl", WebAclArgs.builder()
.name("tfWebACL")
.metricName("tfWebACL")
.defaultAction(WebAclDefaultActionArgs.builder()
.type("ALLOW")
.build())
.rules(WebAclRuleArgs.builder()
.action(WebAclRuleActionArgs.builder()
.type("BLOCK")
.build())
.priority(1)
.ruleId(wafrule.id())
.type("REGULAR")
.build())
.build());
}
}
resources:
ipset:
type: aws:wafregional:IpSet
properties:
name: tfIPSet
ipSetDescriptors:
- type: IPV4
value: 192.0.7.0/24
wafrule:
type: aws:wafregional:Rule
properties:
name: tfWAFRule
metricName: tfWAFRule
predicates:
- dataId: ${ipset.id}
negated: false
type: IPMatch
wafacl:
type: aws:wafregional:WebAcl
properties:
name: tfWebACL
metricName: tfWebACL
defaultAction:
type: ALLOW
rules:
- action:
type: BLOCK
priority: 1
ruleId: ${wafrule.id}
type: REGULAR
Group Rule
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.wafregional.WebAcl("example", {
name: "example",
metricName: "example",
defaultAction: {
type: "ALLOW",
},
rules: [{
priority: 1,
ruleId: exampleAwsWafregionalRuleGroup.id,
type: "GROUP",
overrideAction: {
type: "NONE",
},
}],
});
import pulumi
import pulumi_aws as aws
example = aws.wafregional.WebAcl("example",
name="example",
metric_name="example",
default_action={
"type": "ALLOW",
},
rules=[{
"priority": 1,
"rule_id": example_aws_wafregional_rule_group["id"],
"type": "GROUP",
"override_action": {
"type": "NONE",
},
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := wafregional.NewWebAcl(ctx, "example", &wafregional.WebAclArgs{
Name: pulumi.String("example"),
MetricName: pulumi.String("example"),
DefaultAction: &wafregional.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
Rules: wafregional.WebAclRuleArray{
&wafregional.WebAclRuleArgs{
Priority: pulumi.Int(1),
RuleId: pulumi.Any(exampleAwsWafregionalRuleGroup.Id),
Type: pulumi.String("GROUP"),
OverrideAction: &wafregional.WebAclRuleOverrideActionArgs{
Type: pulumi.String("NONE"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WafRegional.WebAcl("example", new()
{
Name = "example",
MetricName = "example",
DefaultAction = new Aws.WafRegional.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
Rules = new[]
{
new Aws.WafRegional.Inputs.WebAclRuleArgs
{
Priority = 1,
RuleId = exampleAwsWafregionalRuleGroup.Id,
Type = "GROUP",
OverrideAction = new Aws.WafRegional.Inputs.WebAclRuleOverrideActionArgs
{
Type = "NONE",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafregional.WebAcl;
import com.pulumi.aws.wafregional.WebAclArgs;
import com.pulumi.aws.wafregional.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.wafregional.inputs.WebAclRuleArgs;
import com.pulumi.aws.wafregional.inputs.WebAclRuleOverrideActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.name("example")
.metricName("example")
.defaultAction(WebAclDefaultActionArgs.builder()
.type("ALLOW")
.build())
.rules(WebAclRuleArgs.builder()
.priority(1)
.ruleId(exampleAwsWafregionalRuleGroup.id())
.type("GROUP")
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.type("NONE")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:wafregional:WebAcl
properties:
name: example
metricName: example
defaultAction:
type: ALLOW
rules:
- priority: 1
ruleId: ${exampleAwsWafregionalRuleGroup.id}
type: GROUP
overrideAction:
type: NONE
Logging
NOTE: The Kinesis Firehose Delivery Stream name must begin with
aws-waf-logs-. See the AWS WAF Developer Guide for more information about enabling WAF logging.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.wafregional.WebAcl("example", {loggingConfiguration: {
logDestination: exampleAwsKinesisFirehoseDeliveryStream.arn,
redactedFields: {
fieldToMatches: [
{
type: "URI",
},
{
data: "referer",
type: "HEADER",
},
],
},
}});
import pulumi
import pulumi_aws as aws
example = aws.wafregional.WebAcl("example", logging_configuration={
"log_destination": example_aws_kinesis_firehose_delivery_stream["arn"],
"redacted_fields": {
"field_to_matches": [
{
"type": "URI",
},
{
"data": "referer",
"type": "HEADER",
},
],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := wafregional.NewWebAcl(ctx, "example", &wafregional.WebAclArgs{
LoggingConfiguration: &wafregional.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Arn),
RedactedFields: &wafregional.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatches: wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
&wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Type: pulumi.String("URI"),
},
&wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Data: pulumi.String("referer"),
Type: pulumi.String("HEADER"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WafRegional.WebAcl("example", new()
{
LoggingConfiguration = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = exampleAwsKinesisFirehoseDeliveryStream.Arn,
RedactedFields = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatches = new[]
{
new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Type = "URI",
},
new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Data = "referer",
Type = "HEADER",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafregional.WebAcl;
import com.pulumi.aws.wafregional.WebAclArgs;
import com.pulumi.aws.wafregional.inputs.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.wafregional.inputs.WebAclLoggingConfigurationRedactedFieldsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
.logDestination(exampleAwsKinesisFirehoseDeliveryStream.arn())
.redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
.fieldToMatches(
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.type("URI")
.build(),
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.data("referer")
.type("HEADER")
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: aws:wafregional:WebAcl
properties:
loggingConfiguration:
logDestination: ${exampleAwsKinesisFirehoseDeliveryStream.arn}
redactedFields:
fieldToMatches:
- type: URI
- data: referer
type: HEADER
Create WebAcl Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new WebAcl(name: string, args: WebAclArgs, opts?: CustomResourceOptions);@overload
def WebAcl(resource_name: str,
args: WebAclArgs,
opts: Optional[ResourceOptions] = None)
@overload
def WebAcl(resource_name: str,
opts: Optional[ResourceOptions] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
metric_name: Optional[str] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None)func NewWebAcl(ctx *Context, name string, args WebAclArgs, opts ...ResourceOption) (*WebAcl, error)public WebAcl(string name, WebAclArgs args, CustomResourceOptions? opts = null)
public WebAcl(String name, WebAclArgs args)
public WebAcl(String name, WebAclArgs args, CustomResourceOptions options)
type: aws:wafregional:WebAcl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var awsWebAclResource = new Aws.WafRegional.WebAcl("awsWebAclResource", new()
{
DefaultAction = new Aws.WafRegional.Inputs.WebAclDefaultActionArgs
{
Type = "string",
},
MetricName = "string",
LoggingConfiguration = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = "string",
RedactedFields = new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatches = new[]
{
new Aws.WafRegional.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Type = "string",
Data = "string",
},
},
},
},
Name = "string",
Rules = new[]
{
new Aws.WafRegional.Inputs.WebAclRuleArgs
{
Priority = 0,
RuleId = "string",
Action = new Aws.WafRegional.Inputs.WebAclRuleActionArgs
{
Type = "string",
},
OverrideAction = new Aws.WafRegional.Inputs.WebAclRuleOverrideActionArgs
{
Type = "string",
},
Type = "string",
},
},
Tags =
{
{ "string", "string" },
},
});
example, err := wafregional.NewWebAcl(ctx, "awsWebAclResource", &wafregional.WebAclArgs{
DefaultAction: &wafregional.WebAclDefaultActionArgs{
Type: pulumi.String("string"),
},
MetricName: pulumi.String("string"),
LoggingConfiguration: &wafregional.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.String("string"),
RedactedFields: &wafregional.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatches: wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
&wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Type: pulumi.String("string"),
Data: pulumi.String("string"),
},
},
},
},
Name: pulumi.String("string"),
Rules: wafregional.WebAclRuleArray{
&wafregional.WebAclRuleArgs{
Priority: pulumi.Int(0),
RuleId: pulumi.String("string"),
Action: &wafregional.WebAclRuleActionArgs{
Type: pulumi.String("string"),
},
OverrideAction: &wafregional.WebAclRuleOverrideActionArgs{
Type: pulumi.String("string"),
},
Type: pulumi.String("string"),
},
},
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var awsWebAclResource = new WebAcl("awsWebAclResource", WebAclArgs.builder()
.defaultAction(WebAclDefaultActionArgs.builder()
.type("string")
.build())
.metricName("string")
.loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
.logDestination("string")
.redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
.fieldToMatches(WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.type("string")
.data("string")
.build())
.build())
.build())
.name("string")
.rules(WebAclRuleArgs.builder()
.priority(0)
.ruleId("string")
.action(WebAclRuleActionArgs.builder()
.type("string")
.build())
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.type("string")
.build())
.type("string")
.build())
.tags(Map.of("string", "string"))
.build());
aws_web_acl_resource = aws.wafregional.WebAcl("awsWebAclResource",
default_action={
"type": "string",
},
metric_name="string",
logging_configuration={
"log_destination": "string",
"redacted_fields": {
"field_to_matches": [{
"type": "string",
"data": "string",
}],
},
},
name="string",
rules=[{
"priority": 0,
"rule_id": "string",
"action": {
"type": "string",
},
"override_action": {
"type": "string",
},
"type": "string",
}],
tags={
"string": "string",
})
const awsWebAclResource = new aws.wafregional.WebAcl("awsWebAclResource", {
defaultAction: {
type: "string",
},
metricName: "string",
loggingConfiguration: {
logDestination: "string",
redactedFields: {
fieldToMatches: [{
type: "string",
data: "string",
}],
},
},
name: "string",
rules: [{
priority: 0,
ruleId: "string",
action: {
type: "string",
},
overrideAction: {
type: "string",
},
type: "string",
}],
tags: {
string: "string",
},
});
type: aws:wafregional:WebAcl
properties:
defaultAction:
type: string
loggingConfiguration:
logDestination: string
redactedFields:
fieldToMatches:
- data: string
type: string
metricName: string
name: string
rules:
- action:
type: string
overrideAction:
type: string
priority: 0
ruleId: string
type: string
tags:
string: string
WebAcl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The WebAcl resource accepts the following input properties:
- Default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- Name string
- The name or description of the web ACL.
- Rules
List<Web
Acl Rule> - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dictionary<string, string>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- Default
Action WebAcl Default Action Args - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- Name string
- The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args - Set of configuration blocks containing rules for the web ACL. Detailed below.
- map[string]string
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- name String
- The name or description of the web ACL.
- rules
List<Web
Acl Rule> - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Map<String,String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- name string
- The name or description of the web ACL.
- rules
Web
Acl Rule[] - Set of configuration blocks containing rules for the web ACL. Detailed below.
- {[key: string]: string}
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default_
action WebAcl Default Action Args - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- metric_
name str - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging_
configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- name str
- The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Mapping[str, str]
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action Property Map - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration Property Map - Configuration block to enable WAF logging. Detailed below.
- name String
- The name or description of the web ACL.
- rules List<Property Map>
- Set of configuration blocks containing rules for the web ACL. Detailed below.
- Map<String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the WebAcl resource produces the following output properties:
Look up Existing WebAcl Resource
Get an existing WebAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WebAclState, opts?: CustomResourceOptions): WebAcl@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
metric_name: Optional[str] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> WebAclfunc GetWebAcl(ctx *Context, name string, id IDInput, state *WebAclState, opts ...ResourceOption) (*WebAcl, error)public static WebAcl Get(string name, Input<string> id, WebAclState? state, CustomResourceOptions? opts = null)public static WebAcl get(String name, Output<String> id, WebAclState state, CustomResourceOptions options)resources: _: type: aws:wafregional:WebAcl get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- Default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- Logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
- The name or description of the web ACL.
- Rules
List<Web
Acl Rule> - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Dictionary<string, string>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- Arn string
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- Default
Action WebAcl Default Action Args - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- Logging
Configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
- The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args - Set of configuration blocks containing rules for the web ACL. Detailed below.
- map[string]string
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
- The name or description of the web ACL.
- rules
List<Web
Acl Rule> - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Map<String,String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn string
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default
Action WebAcl Default Action - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- name string
- The name or description of the web ACL.
- rules
Web
Acl Rule[] - Set of configuration blocks containing rules for the web ACL. Detailed below.
- {[key: string]: string}
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn str
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default_
action WebAcl Default Action Args - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- logging_
configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- metric_
name str - The name or description for the Amazon CloudWatch metric of this web ACL.
- name str
- The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] - Set of configuration blocks containing rules for the web ACL. Detailed below.
- Mapping[str, str]
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- Amazon Resource Name (ARN) of the WAF Regional WebACL.
- default
Action Property Map - The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
- logging
Configuration Property Map - Configuration block to enable WAF logging. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
- The name or description of the web ACL.
- rules List<Property Map>
- Set of configuration blocks containing rules for the web ACL. Detailed below.
- Map<String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
Supporting Types
WebAclDefaultAction, WebAclDefaultActionArgs
- Type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
- Type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
- type String
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
- type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
- type str
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
- type String
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g.,
ALLOW,BLOCKorCOUNT
WebAclLoggingConfiguration, WebAclLoggingConfigurationArgs
- Log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- Log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log_
destination str - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted_
fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields Property Map - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
WebAclLoggingConfigurationRedactedFields, WebAclLoggingConfigurationRedactedFieldsArgs
- Field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> - Set of configuration blocks for fields to redact. Detailed below.
- Field
To []WebMatches Acl Logging Configuration Redacted Fields Field To Match - Set of configuration blocks for fields to redact. Detailed below.
- field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> - Set of configuration blocks for fields to redact. Detailed below.
- field
To WebMatches Acl Logging Configuration Redacted Fields Field To Match[] - Set of configuration blocks for fields to redact. Detailed below.
- field_
to_ Sequence[Webmatches Acl Logging Configuration Redacted Fields Field To Match] - Set of configuration blocks for fields to redact. Detailed below.
- field
To List<Property Map>Matches - Set of configuration blocks for fields to redact. Detailed below.
WebAclLoggingConfigurationRedactedFieldsFieldToMatch, WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
- Type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - Data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- Type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - Data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type String
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data String
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type str
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data str
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type String
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data String
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
WebAclRule, WebAclRuleArgs
- Priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - Action
Web
Acl Rule Action - Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - Override
Action WebAcl Rule Override Action - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - Type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- Priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - Action
Web
Acl Rule Action - Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - Override
Action WebAcl Rule Override Action - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - Type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority Integer
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - action
Web
Acl Rule Action - Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - override
Action WebAcl Rule Override Action - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - type String
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority number
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id string - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - action
Web
Acl Rule Action - Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - override
Action WebAcl Rule Override Action - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule_
id str - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - action
Web
Acl Rule Action - Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - override_
action WebAcl Rule Override Action - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - type str
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority Number
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String - ID of the associated WAF (Regional) rule (e.g.,
aws.wafregional.Rule). WAF (Global) rules cannot be used. - action Property Map
- Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. Detailed below. - override
Action Property Map - Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. Detailed below. - type String
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
WebAclRuleAction, WebAclRuleActionArgs
- Type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
- Type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
- type String
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
- type string
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
- type str
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
- type String
- Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for
actionareALLOW,BLOCKorCOUNT. Valid values foroverride_actionareCOUNTandNONE.
WebAclRuleOverrideAction, WebAclRuleOverrideActionArgs
- Type string
- Type string
- type String
- type string
- type str
- type String
Import
Using pulumi import, import WAF Regional Web ACL using the id. For example:
$ pulumi import aws:wafregional/webAcl:WebAcl wafacl a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.