rule_groups
Creates, updates, deletes or gets a rule_group resource or lists rule_groups in a region
Overview
| Name | rule_groups |
| Type | Resource |
| Description | Contains the Rules that identify the requests that you want to allow, block, or count. In a RuleGroup, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a RuleGroup, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the RuleGroup with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a RuleGroup, a request needs to match only one of the specifications to be allowed, blocked, or counted. |
| Id | awscc.wafv2.rule_groups |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
arn | string | |
capacity | integer | |
description | string | Description of the entity. |
name | string | Name of the WebACL. |
id | string | Id of the WebACL |
scope | string | Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway. |
rules | array | Collection of Rules. |
visibility_config | object | Visibility Metric of the WebACL. |
tags | array | |
label_namespace | string | Name of the Label. |
custom_response_bodies | object | Custom response key and body map. |
available_labels | array | Collection of Available Labels. |
consumed_labels | array | Collection of Consumed Labels. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
name | string | Name of the WebACL. |
id | string | Id of the WebACL |
scope | string | Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway. |
region | string | AWS region. |
For more information, see AWS::WAFv2::RuleGroup.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | rule_groups | INSERT | Capacity, Scope, VisibilityConfig, region |
delete_resource | rule_groups | DELETE | Identifier, region |
update_resource | rule_groups | UPDATE | Identifier, PatchDocument, region |
list_resources | rule_groups_list_only | SELECT | region |
get_resource | rule_groups | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual rule_group.
SELECT
region,
arn,
capacity,
description,
name,
id,
scope,
rules,
visibility_config,
tags,
label_namespace,
custom_response_bodies,
available_labels,
consumed_labels
FROM awscc.wafv2.rule_groups
WHERE
region = '{{ region }}' AND
Identifier = '{{ name }}|{{ id }}|{{ scope }}';
Lists all rule_groups in a region.
SELECT
region,
name,
id,
scope
FROM awscc.wafv2.rule_groups_list_only
WHERE
region = '{{ region }}';
INSERT example
Use the following StackQL query and manifest file to create a new rule_group resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.wafv2.rule_groups (
Capacity,
Scope,
VisibilityConfig,
region
)
SELECT
'{{ capacity }}',
'{{ scope }}',
'{{ visibility_config }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
/*+ create */
INSERT INTO awscc.wafv2.rule_groups (
Capacity,
Description,
Name,
Scope,
Rules,
VisibilityConfig,
Tags,
CustomResponseBodies,
AvailableLabels,
ConsumedLabels,
region
)
SELECT
'{{ capacity }}',
'{{ description }}',
'{{ name }}',
'{{ scope }}',
'{{ rules }}',
'{{ visibility_config }}',
'{{ tags }}',
'{{ custom_response_bodies }}',
'{{ available_labels }}',
'{{ consumed_labels }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: rule_group
props:
- name: capacity
value: '{{ capacity }}'
- name: description
value: '{{ description }}'
- name: name
value: '{{ name }}'
- name: scope
value: '{{ scope }}'
- name: rules
value:
- name: null
priority: '{{ priority }}'
statement:
byte_match_statement:
search_string: '{{ search_string }}'
search_string_base64: '{{ search_string_base64 }}'
field_to_match:
single_header:
name: '{{ name }}'
single_query_argument:
name: '{{ name }}'
all_query_arguments: {}
uri_path: {}
query_string: {}
body:
oversize_handling: '{{ oversize_handling }}'
method: {}
json_body:
match_pattern:
all: {}
included_paths:
- '{{ included_paths[0] }}'
match_scope: '{{ match_scope }}'
invalid_fallback_behavior: '{{ invalid_fallback_behavior }}'
oversize_handling: null
headers:
match_pattern:
all: {}
included_headers:
- '{{ included_headers[0] }}'
excluded_headers:
- '{{ excluded_headers[0] }}'
match_scope: '{{ match_scope }}'
oversize_handling: null
cookies:
match_pattern:
all: {}
included_cookies:
- '{{ included_cookies[0] }}'
excluded_cookies:
- '{{ excluded_cookies[0] }}'
match_scope: null
oversize_handling: null
j_a3_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
j_a4_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
uri_fragment:
fallback_behavior: '{{ fallback_behavior }}'
text_transformations:
- priority: '{{ priority }}'
type: '{{ type }}'
positional_constraint: '{{ positional_constraint }}'
sqli_match_statement:
field_to_match: null
text_transformations:
- null
sensitivity_level: '{{ sensitivity_level }}'
xss_match_statement:
field_to_match: null
text_transformations:
- null
size_constraint_statement:
field_to_match: null
comparison_operator: '{{ comparison_operator }}'
size: null
text_transformations:
- null
geo_match_statement:
country_codes:
- '{{ country_codes[0] }}'
forwarded_ip_config:
header_name: '{{ header_name }}'
fallback_behavior: '{{ fallback_behavior }}'
rule_group_reference_statement:
arn: '{{ arn }}'
excluded_rules:
- name: null
rule_action_overrides:
- name: null
action_to_use:
allow:
custom_request_handling:
insert_headers:
- name: '{{ name }}'
value: '{{ value }}'
block:
custom_response:
response_code: '{{ response_code }}'
custom_response_body_key: '{{ custom_response_body_key }}'
response_headers:
- null
count:
custom_request_handling: null
captcha:
custom_request_handling: null
challenge:
custom_request_handling: null
ip_set_reference_statement:
arn: null
ip_set_forwarded_ip_config:
header_name: '{{ header_name }}'
fallback_behavior: '{{ fallback_behavior }}'
position: '{{ position }}'
regex_pattern_set_reference_statement:
arn: null
field_to_match: null
text_transformations:
- null
managed_rule_group_statement:
name: null
vendor_name: '{{ vendor_name }}'
version: '{{ version }}'
excluded_rules:
- null
scope_down_statement: null
managed_rule_group_configs:
- login_path: '{{ login_path }}'
payload_type: '{{ payload_type }}'
username_field:
identifier: '{{ identifier }}'
password_field: null
aws_managed_rules_bot_control_rule_set:
inspection_level: '{{ inspection_level }}'
enable_machine_learning: '{{ enable_machine_learning }}'
aws_managed_rules_at_prule_set:
login_path: '{{ login_path }}'
enable_regex_in_path: '{{ enable_regex_in_path }}'
request_inspection:
payload_type: '{{ payload_type }}'
username_field: null
password_field: null
response_inspection:
status_code:
success_codes:
- '{{ success_codes[0] }}'
failure_codes:
- '{{ failure_codes[0] }}'
header:
name: '{{ name }}'
success_values:
- '{{ success_values[0] }}'
failure_values:
- '{{ failure_values[0] }}'
body_contains:
success_strings:
- '{{ success_strings[0] }}'
failure_strings:
- '{{ failure_strings[0] }}'
json:
identifier: '{{ identifier }}'
success_values:
- '{{ success_values[0] }}'
failure_values:
- '{{ failure_values[0] }}'
aws_managed_rules_ac_fp_rule_set:
creation_path: '{{ creation_path }}'
registration_page_path: '{{ registration_page_path }}'
request_inspection:
payload_type: '{{ payload_type }}'
username_field: null
password_field: null
email_field: null
phone_number_fields:
- null
address_fields:
- null
response_inspection: null
enable_regex_in_path: '{{ enable_regex_in_path }}'
aws_managed_rules_anti_ddo_srule_set:
client_side_action_config:
challenge:
usage_of_action: '{{ usage_of_action }}'
sensitivity: '{{ sensitivity }}'
exempt_uri_regular_expressions:
- regex_string: '{{ regex_string }}'
sensitivity_to_block: null
rule_action_overrides:
- null
rate_based_statement:
limit: '{{ limit }}'
evaluation_window_sec: '{{ evaluation_window_sec }}'
aggregate_key_type: '{{ aggregate_key_type }}'
custom_keys:
- cookie:
name: '{{ name }}'
text_transformations:
- null
forwarded_ip: {}
header:
name: '{{ name }}'
text_transformations:
- null
h_tt_pmethod: {}
ip: {}
label_namespace:
namespace: '{{ namespace }}'
query_argument:
name: '{{ name }}'
text_transformations:
- null
query_string:
text_transformations:
- null
uri_path:
text_transformations:
- null
j_a3_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
j_a4_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
a_sn: {}
scope_down_statement: null
forwarded_ip_config: null
and_statement:
statements:
- null
or_statement:
statements:
- null
not_statement:
statement: null
label_match_statement:
scope: '{{ scope }}'
key: '{{ key }}'
regex_match_statement:
regex_string: '{{ regex_string }}'
field_to_match: null
text_transformations:
- null
asn_match_statement:
asn_list:
- '{{ asn_list[0] }}'
forwarded_ip_config: null
action: null
override_action:
count: {}
none: {}
rule_labels:
- name: '{{ name }}'
visibility_config:
sampled_requests_enabled: '{{ sampled_requests_enabled }}'
cloud_watch_metrics_enabled: '{{ cloud_watch_metrics_enabled }}'
metric_name: '{{ metric_name }}'
captcha_config:
immunity_time_property:
immunity_time: '{{ immunity_time }}'
challenge_config:
immunity_time_property: null
- name: visibility_config
value: null
- name: tags
value:
- key: '{{ key }}'
value: '{{ value }}'
- name: custom_response_bodies
value: {}
- name: available_labels
value:
- name: null
- name: consumed_labels
value:
- null
UPDATE example
Use the following StackQL query and manifest file to update a rule_group resource, using stack-deploy.
/*+ update */
UPDATE awscc.wafv2.rule_groups
SET PatchDocument = string('{{ {
"Capacity": capacity,
"Description": description,
"Rules": rules,
"VisibilityConfig": visibility_config,
"Tags": tags,
"CustomResponseBodies": custom_response_bodies
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ name }}|{{ id }}|{{ scope }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
DELETE example
/*+ delete */
DELETE FROM awscc.wafv2.rule_groups
WHERE
Identifier = '{{ name }}|{{ id }}|{{ scope }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
Additional Parameters
Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:
| Parameter | Description |
|---|---|
ClientToken | A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request. |
RoleArn | The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.If you do not specify a role, a temporary session is created using your AWS user credentials. |
TypeVersionId | For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used. |
Permissions
To operate on the rule_groups resource, the following permissions are required:
- Create
- Delete
- Read
- Update
- List
wafv2:CreateRuleGroup,
wafv2:GetRuleGroup,
wafv2:TagResource,
wafv2:UntagResource,
wafv2:ListTagsForResource
wafv2:DeleteRuleGroup,
wafv2:GetRuleGroup
wafv2:GetRuleGroup,
wafv2:ListTagsForResource
wafv2:TagResource,
wafv2:UntagResource,
wafv2:UpdateRuleGroup,
wafv2:GetRuleGroup,
wafv2:ListTagsForResource
wafv2:listRuleGroups