rule_groups
Creates, updates, deletes or gets a rule_group resource or lists rule_groups in a region
Overview
| Name | rule_groups |
|---|---|
| Type | Resource |
| Description | Contains the rules that identify the requests you want to allow, block, count, or challenge, packaged for reuse across web ACLs. Each rule in a rule group carries its own action; the default action is set on the web ACL that references the rule group, not on the rule group itself. A rule group is given a fixed capacity in web ACL capacity units (WCUs) when it is created, and only takes effect once a web ACL references it and that web ACL is associated with a CloudFront distribution or a regional resource. If a rule group contains more than one rule, a request needs to match only one of them for that rule's action to apply. |
| Id | awscc.wafv2.rule_groups |
Fields
get (all properties):

| Name | Datatype | Description |
|---|---|---|
| arn | string | ARN of the rule group. |
| capacity | integer | Web ACL capacity units (WCUs) reserved for the rule group; fixed at creation. |
| description | string | Description of the rule group. |
| name | string | Name of the rule group. |
| id | string | Id of the rule group. |
| scope | string | Use CLOUDFRONT for a rule group used by a CloudFront web ACL (these must be created in us-east-1), or REGIONAL for Application Load Balancer, API Gateway and other regional resources. |
| rules | array | Collection of rules. |
| visibility_config | object | CloudWatch metrics and sampled-request settings for the rule group as a whole. |
| tags | array | Tags attached to the rule group. |
| label_namespace | string | Label namespace prefix for the labels that rules in this rule group add to requests. |
| custom_response_bodies | object | Custom response key and body map. |
| available_labels | array | Labels that rules in this rule group add to matching requests. |
| consumed_labels | array | Labels that rules in this rule group match against in label match statements. |
| region | string | AWS region. |

list (identifiers only):

| Name | Datatype | Description |
|---|---|---|
| name | string | Name of the rule group. |
| id | string | Id of the rule group. |
| scope | string | CLOUDFRONT or REGIONAL, as above. |
| region | string | AWS region. |
For more information, see AWS::WAFv2::RuleGroup.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | rule_groups | INSERT | Capacity, Scope, VisibilityConfig, region |
delete_resource | rule_groups | DELETE | Identifier, region |
update_resource | rule_groups | UPDATE | Identifier, PatchDocument, region |
list_resources | rule_groups_list_only | SELECT | region |
get_resource | rule_groups | SELECT | Identifier, region |
SELECT examples
Gets all properties from an individual rule_group. The Identifier is the three-part key Name|Id|Scope; the id is obtained from the list query.

```sql
SELECT
  region,
  arn,
  capacity,
  description,
  name,
  id,
  scope,
  rules,
  visibility_config,
  tags,
  label_namespace,
  custom_response_bodies,
  available_labels,
  consumed_labels
FROM awscc.wafv2.rule_groups
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ name }}|{{ id }}|{{ scope }}';
```
Lists all rule_groups in a region.

```sql
SELECT
  region,
  name,
  id,
  scope
FROM awscc.wafv2.rule_groups_list_only
WHERE
  region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new rule_group resource, using stack-deploy.
Required properties only:

```sql
/*+ create */
INSERT INTO awscc.wafv2.rule_groups (
  Capacity,
  Scope,
  VisibilityConfig,
  region
)
SELECT
  '{{ capacity }}',
  '{{ scope }}',
  '{{ visibility_config }}',
  '{{ region }}';
```
All properties:

```sql
/*+ create */
INSERT INTO awscc.wafv2.rule_groups (
  Capacity,
  Description,
  Name,
  Scope,
  Rules,
  VisibilityConfig,
  Tags,
  CustomResponseBodies,
  AvailableLabels,
  ConsumedLabels,
  region
)
SELECT
  '{{ capacity }}',
  '{{ description }}',
  '{{ name }}',
  '{{ scope }}',
  '{{ rules }}',
  '{{ visibility_config }}',
  '{{ tags }}',
  '{{ custom_response_bodies }}',
  '{{ available_labels }}',
  '{{ consumed_labels }}',
  '{{ region }}';
```
Manifest (for stack-deploy; the rules entry is a schema skeleton listing every supported statement, not a rule you would deploy as-is):

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: rule_group
    props:
      - name: capacity
        value: '{{ capacity }}'
      - name: description
        value: '{{ description }}'
      - name: name
        value: '{{ name }}'
      - name: scope
        value: '{{ scope }}'
      - name: rules
        value:
          - name: null
            priority: '{{ priority }}'
            statement:
              byte_match_statement:
                search_string: '{{ search_string }}'
                search_string_base64: '{{ search_string_base64 }}'
                field_to_match:
                  single_header:
                    name: '{{ name }}'
                  single_query_argument:
                    name: '{{ name }}'
                  all_query_arguments: {}
                  uri_path: {}
                  query_string: {}
                  body:
                    oversize_handling: '{{ oversize_handling }}'
                  method: {}
                  json_body:
                    match_pattern:
                      all: {}
                      included_paths:
                        - '{{ included_paths[0] }}'
                    match_scope: '{{ match_scope }}'
                    invalid_fallback_behavior: '{{ invalid_fallback_behavior }}'
                    oversize_handling: null
                  headers:
                    match_pattern:
                      all: {}
                      included_headers:
                        - '{{ included_headers[0] }}'
                      excluded_headers:
                        - '{{ excluded_headers[0] }}'
                    match_scope: '{{ match_scope }}'
                    oversize_handling: null
                  cookies:
                    match_pattern:
                      all: {}
                      included_cookies:
                        - '{{ included_cookies[0] }}'
                      excluded_cookies:
                        - '{{ excluded_cookies[0] }}'
                    match_scope: null
                    oversize_handling: null
                  j_a3_fingerprint:
                    fallback_behavior: '{{ fallback_behavior }}'
                  j_a4_fingerprint:
                    fallback_behavior: '{{ fallback_behavior }}'
                  uri_fragment:
                    fallback_behavior: '{{ fallback_behavior }}'
                text_transformations:
                  - priority: '{{ priority }}'
                    type: '{{ type }}'
                positional_constraint: '{{ positional_constraint }}'
              sqli_match_statement:
                field_to_match: null
                text_transformations:
                  - null
                sensitivity_level: '{{ sensitivity_level }}'
              xss_match_statement:
                field_to_match: null
                text_transformations:
                  - null
              size_constraint_statement:
                field_to_match: null
                comparison_operator: '{{ comparison_operator }}'
                size: null
                text_transformations:
                  - null
              geo_match_statement:
                country_codes:
                  - '{{ country_codes[0] }}'
                forwarded_ip_config:
                  header_name: '{{ header_name }}'
                  fallback_behavior: '{{ fallback_behavior }}'
              rule_group_reference_statement:
                arn: '{{ arn }}'
                excluded_rules:
                  - name: null
                rule_action_overrides:
                  - name: null
                    action_to_use:
                      allow:
                        custom_request_handling:
                          insert_headers:
                            - name: '{{ name }}'
                              value: '{{ value }}'
                      block:
                        custom_response:
                          response_code: '{{ response_code }}'
                          custom_response_body_key: '{{ custom_response_body_key }}'
                          response_headers:
                            - null
                      count:
                        custom_request_handling: null
                      captcha:
                        custom_request_handling: null
                      challenge:
                        custom_request_handling: null
              ip_set_reference_statement:
                arn: null
                ip_set_forwarded_ip_config:
                  header_name: '{{ header_name }}'
                  fallback_behavior: '{{ fallback_behavior }}'
                  position: '{{ position }}'
              regex_pattern_set_reference_statement:
                arn: null
                field_to_match: null
                text_transformations:
                  - null
              managed_rule_group_statement:
                name: null
                vendor_name: '{{ vendor_name }}'
                version: '{{ version }}'
                excluded_rules:
                  - null
                scope_down_statement: null
                managed_rule_group_configs:
                  - login_path: '{{ login_path }}'
                    payload_type: '{{ payload_type }}'
                    username_field:
                      identifier: '{{ identifier }}'
                    password_field: null
                    aws_managed_rules_bot_control_rule_set:
                      inspection_level: '{{ inspection_level }}'
                      enable_machine_learning: '{{ enable_machine_learning }}'
                    aws_managed_rules_at_prule_set:
                      login_path: '{{ login_path }}'
                      enable_regex_in_path: '{{ enable_regex_in_path }}'
                      request_inspection:
                        payload_type: '{{ payload_type }}'
                        username_field: null
                        password_field: null
                      response_inspection:
                        status_code:
                          success_codes:
                            - '{{ success_codes[0] }}'
                          failure_codes:
                            - '{{ failure_codes[0] }}'
                        header:
                          name: '{{ name }}'
                          success_values:
                            - '{{ success_values[0] }}'
                          failure_values:
                            - '{{ failure_values[0] }}'
                        body_contains:
                          success_strings:
                            - '{{ success_strings[0] }}'
                          failure_strings:
                            - '{{ failure_strings[0] }}'
                        json:
                          identifier: '{{ identifier }}'
                          success_values:
                            - '{{ success_values[0] }}'
                          failure_values:
                            - '{{ failure_values[0] }}'
                    aws_managed_rules_ac_fp_rule_set:
                      creation_path: '{{ creation_path }}'
                      registration_page_path: '{{ registration_page_path }}'
                      request_inspection:
                        payload_type: '{{ payload_type }}'
                        username_field: null
                        password_field: null
                        email_field: null
                        phone_number_fields:
                          - null
                        address_fields:
                          - null
                      response_inspection: null
                      enable_regex_in_path: '{{ enable_regex_in_path }}'
                    aws_managed_rules_anti_ddo_srule_set:
                      client_side_action_config:
                        challenge:
                          usage_of_action: '{{ usage_of_action }}'
                          sensitivity: '{{ sensitivity }}'
                          exempt_uri_regular_expressions:
                            - regex_string: '{{ regex_string }}'
                      sensitivity_to_block: null
                rule_action_overrides:
                  - null
              rate_based_statement:
                limit: '{{ limit }}'
                evaluation_window_sec: '{{ evaluation_window_sec }}'
                aggregate_key_type: '{{ aggregate_key_type }}'
                custom_keys:
                  - cookie:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    forwarded_ip: {}
                    header:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    h_tt_pmethod: {}
                    ip: {}
                    label_namespace:
                      namespace: '{{ namespace }}'
                    query_argument:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    query_string:
                      text_transformations:
                        - null
                    uri_path:
                      text_transformations:
                        - null
                    j_a3_fingerprint:
                      fallback_behavior: '{{ fallback_behavior }}'
                    j_a4_fingerprint:
                      fallback_behavior: '{{ fallback_behavior }}'
                    a_sn: {}
                scope_down_statement: null
                forwarded_ip_config: null
              and_statement:
                statements:
                  - null
              or_statement:
                statements:
                  - null
              not_statement:
                statement: null
              label_match_statement:
                scope: '{{ scope }}'
                key: '{{ key }}'
              regex_match_statement:
                regex_string: '{{ regex_string }}'
                field_to_match: null
                text_transformations:
                  - null
              asn_match_statement:
                asn_list:
                  - '{{ asn_list[0] }}'
                forwarded_ip_config: null
            action: null
            override_action:
              count: {}
              none: {}
            rule_labels:
              - name: '{{ name }}'
            visibility_config:
              sampled_requests_enabled: '{{ sampled_requests_enabled }}'
              cloud_watch_metrics_enabled: '{{ cloud_watch_metrics_enabled }}'
              metric_name: '{{ metric_name }}'
            captcha_config:
              immunity_time_property:
                immunity_time: '{{ immunity_time }}'
            challenge_config:
              immunity_time_property: null
      - name: visibility_config
        value: null
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
      - name: custom_response_bodies
        value: {}
      - name: available_labels
        value:
          - name: null
      - name: consumed_labels
        value:
          - null
```
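A concrete create, added here as an example and not taken from the StackQL docs or the AWS schema, that fills the template with two real rules: a SQL-injection match on the request body and a per-IP rate limit. The rule group name, description, tag and capacity figure are hypothetical. It assumes, as the templates on this page do, that JSON-valued properties are passed as string literals using the CloudFormation property names (PascalCase) that the Cloud Control API expects; the snake_case keys in the manifest are the stack-deploy form. Three constraints apply before running it: every rule inside a rule group must carry an Action (OverrideAction is only valid where a web ACL references a rule group), a rule group cannot itself contain a rule_group_reference_statement or managed_rule_group_statement even though the schema skeleton lists them, and Capacity must cover the WCUs the rules consume and cannot be changed after creation, so size it with the WAFv2 CheckCapacity API rather than guessing.

```sql
/*+ create */
INSERT INTO awscc.wafv2.rule_groups (
  Name,
  Description,
  Capacity,
  Scope,
  Rules,
  VisibilityConfig,
  Tags,
  region
)
SELECT
  'api-baseline-rg',
  'Baseline protections for the public API (hypothetical example)',
  '100',       -- WCUs, fixed at creation; confirm with CheckCapacity before creating
  'REGIONAL',  -- ALB / API Gateway; CLOUDFRONT-scoped groups must be created in us-east-1
  '[
    {
      "Name": "block-sqli-in-body",
      "Priority": 10,
      "Action": { "Block": {} },
      "Statement": {
        "SqliMatchStatement": {
          "FieldToMatch": { "Body": { "OversizeHandling": "CONTINUE" } },
          "TextTransformations": [
            { "Priority": 0, "Type": "URL_DECODE" },
            { "Priority": 1, "Type": "HTML_ENTITY_DECODE" }
          ],
          "SensitivityLevel": "HIGH"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "BlockSqliInBody"
      }
    },
    {
      "Name": "rate-limit-per-ip",
      "Priority": 20,
      "Action": { "Block": { "CustomResponse": { "ResponseCode": 429 } } },
      "Statement": {
        "RateBasedStatement": {
          "Limit": 1000,
          "EvaluationWindowSec": 300,
          "AggregateKeyType": "IP"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "RateLimitPerIp"
      }
    }
  ]',
  '{
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ApiBaselineRg"
  }',
  '[ { "Key": "owner", "Value": "appsec" } ]',
  'us-east-1';

-- Read it back. The Identifier is Name|Id|Scope; take the Id from the list view.
SELECT name, id, scope
FROM awscc.wafv2.rule_groups_list_only
WHERE region = 'us-east-1';

SELECT name, capacity, label_namespace, rules
FROM awscc.wafv2.rule_groups
WHERE
  region = 'us-east-1' AND
  Identifier = 'api-baseline-rg|{{ id }}|REGIONAL';
```

Two design points. Priorities within a rule group must be distinct, and are evaluated in ascending order, so the cheap rate limit is deliberately placed after the injection check: a request that is already blocked for SQLi never reaches the rate counter. AWS WAF only inspects the first part of a request body by default (8 KB for regional resources, 16 KB for CloudFront), and OversizeHandling decides what happens to the rest; CONTINUE inspects only the available prefix, which is the permissive choice, while MATCH treats any oversized body as a hit on this block rule and is the safer setting if the API never legitimately receives large bodies.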
UPDATE example
Use the following StackQL query and manifest file to update a rule_group resource, using stack-deploy. Name, Scope and Capacity are fixed at creation (the WAFv2 UpdateRuleGroup call does not accept a capacity), so the patch document carries only the mutable properties. Rules must be supplied as the complete rule list: the update replaces the whole set rather than merging into it.

```sql
/*+ update */
UPDATE awscc.wafv2.rule_groups
SET PatchDocument = string('{{ {
  "Description": description,
  "Rules": rules,
  "VisibilityConfig": visibility_config,
  "Tags": tags,
  "CustomResponseBodies": custom_response_bodies
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ name }}|{{ id }}|{{ scope }}';
```
DELETE example

```sql
/*+ delete */
DELETE FROM awscc.wafv2.rule_groups
WHERE
  Identifier = '{{ name }}|{{ id }}|{{ scope }}' AND
  region = 'us-east-1';
```
Permissions
To operate on the rule_groups resource, the following IAM permissions are required for each operation:
- Create: wafv2:CreateRuleGroup, wafv2:GetRuleGroup, wafv2:TagResource, wafv2:UntagResource, wafv2:ListTagsForResource
- Delete: wafv2:DeleteRuleGroup, wafv2:GetRuleGroup
- Read: wafv2:GetRuleGroup, wafv2:ListTagsForResource
- Update: wafv2:TagResource, wafv2:UntagResource, wafv2:UpdateRuleGroup, wafv2:GetRuleGroup, wafv2:ListTagsForResource
- List: wafv2:ListRuleGroups