web_acls
Creates, updates, deletes or gets a web_acl resource or lists web_acls in a region
Overview
| Name | web_acls |
| Type | Resource |
| Description | Contains the Rules that identify the requests that you want to allow, block, or count. In a WebACL, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the WebACL with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a WebACL, a request needs to match only one of the specifications to be allowed, blocked, or counted. |
| Id | awscc.wafv2.web_acls |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
arn | string | |
capacity | integer | |
default_action | object | Default Action WebACL will take against ingress traffic when there is no matching Rule. |
description | string | Description of the entity. |
name | string | Name of the WebACL. |
id | string | Id of the WebACL |
scope | string | Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway. |
rules | array | Collection of Rules. |
visibility_config | object | Visibility Metric of the WebACL. |
data_protection_config | object | Collection of dataProtects. |
tags | array | |
label_namespace | string | Name of the Label. |
custom_response_bodies | object | Custom response key and body map. |
captcha_config | object | |
challenge_config | object | |
token_domains | array | List of domains to accept in web request tokens, in addition to the domain of the protected resource. |
association_config | object | AssociationConfig for body inspection |
on_source_ddo_sprotection_config | object | Configures the options for on-source DDoS protection provided by supported resource type. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
name | string | Name of the WebACL. |
id | string | Id of the WebACL |
scope | string | Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway. |
region | string | AWS region. |
For more information, see AWS::WAFv2::WebACL.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | web_acls | INSERT | DefaultAction, Scope, VisibilityConfig, region |
delete_resource | web_acls | DELETE | Identifier, region |
update_resource | web_acls | UPDATE | Identifier, PatchDocument, region |
list_resources | web_acls_list_only | SELECT | region |
get_resource | web_acls | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual web_acl.
SELECT
region,
arn,
capacity,
default_action,
description,
name,
id,
scope,
rules,
visibility_config,
data_protection_config,
tags,
label_namespace,
custom_response_bodies,
captcha_config,
challenge_config,
token_domains,
association_config,
on_source_ddo_sprotection_config
FROM awscc.wafv2.web_acls
WHERE
region = '{{ region }}' AND
Identifier = '{{ name }}|{{ id }}|{{ scope }}';
Lists all web_acls in a region.
SELECT
region,
name,
id,
scope
FROM awscc.wafv2.web_acls_list_only
WHERE
region = '{{ region }}';
INSERT example
Use the following StackQL query and manifest file to create a new web_acl resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.wafv2.web_acls (
DefaultAction,
Scope,
VisibilityConfig,
region
)
SELECT
'{{ default_action }}',
'{{ scope }}',
'{{ visibility_config }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
/*+ create */
INSERT INTO awscc.wafv2.web_acls (
DefaultAction,
Description,
Name,
Scope,
Rules,
VisibilityConfig,
DataProtectionConfig,
Tags,
CustomResponseBodies,
CaptchaConfig,
ChallengeConfig,
TokenDomains,
AssociationConfig,
OnSourceDDoSProtectionConfig,
region
)
SELECT
'{{ default_action }}',
'{{ description }}',
'{{ name }}',
'{{ scope }}',
'{{ rules }}',
'{{ visibility_config }}',
'{{ data_protection_config }}',
'{{ tags }}',
'{{ custom_response_bodies }}',
'{{ captcha_config }}',
'{{ challenge_config }}',
'{{ token_domains }}',
'{{ association_config }}',
'{{ on_source_ddo_sprotection_config }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: web_acl
props:
- name: default_action
value:
allow:
custom_request_handling:
insert_headers:
- name: '{{ name }}'
value: '{{ value }}'
block:
custom_response:
response_code: '{{ response_code }}'
custom_response_body_key: '{{ custom_response_body_key }}'
response_headers:
- null
- name: description
value: '{{ description }}'
- name: name
value: '{{ name }}'
- name: scope
value: '{{ scope }}'
- name: rules
value:
- name: null
priority: '{{ priority }}'
statement:
byte_match_statement:
search_string: '{{ search_string }}'
search_string_base64: '{{ search_string_base64 }}'
field_to_match:
single_header:
name: '{{ name }}'
single_query_argument:
name: '{{ name }}'
all_query_arguments: {}
uri_path: {}
query_string: {}
body:
oversize_handling: '{{ oversize_handling }}'
method: {}
json_body:
match_pattern:
all: {}
included_paths:
- '{{ included_paths[0] }}'
match_scope: '{{ match_scope }}'
invalid_fallback_behavior: '{{ invalid_fallback_behavior }}'
oversize_handling: null
headers:
match_pattern:
all: {}
included_headers:
- '{{ included_headers[0] }}'
excluded_headers:
- '{{ excluded_headers[0] }}'
match_scope: '{{ match_scope }}'
oversize_handling: null
cookies:
match_pattern:
all: {}
included_cookies:
- '{{ included_cookies[0] }}'
excluded_cookies:
- '{{ excluded_cookies[0] }}'
match_scope: null
oversize_handling: null
j_a3_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
j_a4_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
uri_fragment:
fallback_behavior: '{{ fallback_behavior }}'
text_transformations:
- priority: '{{ priority }}'
type: '{{ type }}'
positional_constraint: '{{ positional_constraint }}'
sqli_match_statement:
field_to_match: null
text_transformations:
- null
sensitivity_level: '{{ sensitivity_level }}'
xss_match_statement:
field_to_match: null
text_transformations:
- null
size_constraint_statement:
field_to_match: null
comparison_operator: '{{ comparison_operator }}'
size: null
text_transformations:
- null
geo_match_statement:
country_codes:
- '{{ country_codes[0] }}'
forwarded_ip_config:
header_name: '{{ header_name }}'
fallback_behavior: '{{ fallback_behavior }}'
rule_group_reference_statement:
arn: '{{ arn }}'
excluded_rules:
- name: null
rule_action_overrides:
- name: null
action_to_use:
allow: null
block: null
count:
custom_request_handling: null
captcha:
custom_request_handling: null
challenge:
custom_request_handling: null
ip_set_reference_statement:
arn: null
ip_set_forwarded_ip_config:
header_name: '{{ header_name }}'
fallback_behavior: '{{ fallback_behavior }}'
position: '{{ position }}'
regex_pattern_set_reference_statement:
arn: null
field_to_match: null
text_transformations:
- null
managed_rule_group_statement:
name: null
vendor_name: '{{ vendor_name }}'
version: '{{ version }}'
excluded_rules:
- null
scope_down_statement: null
managed_rule_group_configs:
- login_path: '{{ login_path }}'
payload_type: '{{ payload_type }}'
username_field:
identifier: '{{ identifier }}'
password_field: null
aws_managed_rules_bot_control_rule_set:
inspection_level: '{{ inspection_level }}'
enable_machine_learning: '{{ enable_machine_learning }}'
aws_managed_rules_at_prule_set:
login_path: '{{ login_path }}'
enable_regex_in_path: '{{ enable_regex_in_path }}'
request_inspection:
payload_type: '{{ payload_type }}'
username_field: null
password_field: null
response_inspection:
status_code:
success_codes:
- '{{ success_codes[0] }}'
failure_codes:
- '{{ failure_codes[0] }}'
header:
name: '{{ name }}'
success_values:
- '{{ success_values[0] }}'
failure_values:
- '{{ failure_values[0] }}'
body_contains:
success_strings:
- '{{ success_strings[0] }}'
failure_strings:
- '{{ failure_strings[0] }}'
json:
identifier: '{{ identifier }}'
success_values:
- '{{ success_values[0] }}'
failure_values:
- '{{ failure_values[0] }}'
aws_managed_rules_ac_fp_rule_set:
creation_path: '{{ creation_path }}'
registration_page_path: '{{ registration_page_path }}'
request_inspection:
payload_type: '{{ payload_type }}'
username_field: null
password_field: null
email_field: null
phone_number_fields:
- null
address_fields:
- null
response_inspection: null
enable_regex_in_path: '{{ enable_regex_in_path }}'
aws_managed_rules_anti_ddo_srule_set:
client_side_action_config:
challenge:
usage_of_action: '{{ usage_of_action }}'
sensitivity: '{{ sensitivity }}'
exempt_uri_regular_expressions:
- regex_string: '{{ regex_string }}'
sensitivity_to_block: null
rule_action_overrides:
- null
rate_based_statement:
limit: '{{ limit }}'
evaluation_window_sec: '{{ evaluation_window_sec }}'
aggregate_key_type: '{{ aggregate_key_type }}'
custom_keys:
- cookie:
name: '{{ name }}'
text_transformations:
- null
forwarded_ip: {}
header:
name: '{{ name }}'
text_transformations:
- null
h_tt_pmethod: {}
ip: {}
label_namespace:
namespace: '{{ namespace }}'
query_argument:
name: '{{ name }}'
text_transformations:
- null
query_string:
text_transformations:
- null
uri_path:
text_transformations:
- null
j_a3_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
j_a4_fingerprint:
fallback_behavior: '{{ fallback_behavior }}'
a_sn: {}
scope_down_statement: null
forwarded_ip_config: null
and_statement:
statements:
- null
or_statement:
statements:
- null
not_statement:
statement: null
label_match_statement:
scope: '{{ scope }}'
key: '{{ key }}'
regex_match_statement:
regex_string: '{{ regex_string }}'
field_to_match: null
text_transformations:
- null
asn_match_statement:
asn_list:
- '{{ asn_list[0] }}'
forwarded_ip_config: null
action: null
override_action:
count: {}
none: {}
rule_labels:
- name: '{{ name }}'
visibility_config:
sampled_requests_enabled: '{{ sampled_requests_enabled }}'
cloud_watch_metrics_enabled: '{{ cloud_watch_metrics_enabled }}'
metric_name: '{{ metric_name }}'
captcha_config:
immunity_time_property:
immunity_time: '{{ immunity_time }}'
challenge_config:
immunity_time_property: null
- name: visibility_config
value: null
- name: data_protection_config
value:
data_protections:
- field:
field_type: '{{ field_type }}'
field_keys:
- '{{ field_keys[0] }}'
action: '{{ action }}'
exclude_rule_match_details: '{{ exclude_rule_match_details }}'
exclude_rate_based_details: '{{ exclude_rate_based_details }}'
- name: tags
value:
- key: '{{ key }}'
value: '{{ value }}'
- name: custom_response_bodies
value: {}
- name: captcha_config
value: null
- name: challenge_config
value: null
- name: token_domains
value:
- '{{ token_domains[0] }}'
- name: association_config
value:
request_body: {}
- name: on_source_ddo_sprotection_config
value:
a_lb_low_reputation_mode: '{{ a_lb_low_reputation_mode }}'
UPDATE example
Use the following StackQL query and manifest file to update a web_acl resource, using stack-deploy.
/*+ update */
UPDATE awscc.wafv2.web_acls
SET PatchDocument = string('{{ {
"DefaultAction": default_action,
"Description": description,
"Rules": rules,
"VisibilityConfig": visibility_config,
"DataProtectionConfig": data_protection_config,
"Tags": tags,
"CustomResponseBodies": custom_response_bodies,
"CaptchaConfig": captcha_config,
"ChallengeConfig": challenge_config,
"TokenDomains": token_domains,
"AssociationConfig": association_config,
"OnSourceDDoSProtectionConfig": on_source_ddo_sprotection_config
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ name }}|{{ id }}|{{ scope }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
DELETE example
/*+ delete */
DELETE FROM awscc.wafv2.web_acls
WHERE
Identifier = '{{ name }}|{{ id }}|{{ scope }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
Additional Parameters
Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:
| Parameter | Description |
|---|---|
ClientToken | A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request. |
RoleArn | The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.If you do not specify a role, a temporary session is created using your AWS user credentials. |
TypeVersionId | For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used. |
Permissions
To operate on the web_acls resource, the following permissions are required:
- Create
- Delete
- Read
- Update
- List
wafv2:CreateWebACL,
wafv2:GetWebACL,
wafv2:ListTagsForResource,
wafv2:TagResource,
wafv2:UntagResource
wafv2:DeleteWebACL,
wafv2:GetWebACL
wafv2:GetWebACL,
wafv2:ListTagsForResource
wafv2:UpdateWebACL,
wafv2:GetWebACL,
wafv2:ListTagsForResource,
wafv2:TagResource,
wafv2:UntagResource
wafv2:listWebACLs