alicloud_wafv3_defense_rule

Provides a WAFV3 Defense Rule resource.

For information about WAFV3 Defense Rule and how to use it, see What is Defense Rule.

-> NOTE: Available since v1.257.0.

Example Usage

Basic Usage

variable "name" {
  default = "tfaccwafv310619"
}

variable "region_id" {
  default = "cn-hangzhou"
}

data "alicloud_wafv3_instances" "default" {
}

resource "alicloud_wafv3_domain" "default" {
  instance_id = data.alicloud_wafv3_instances.default.ids.0
  listen {
    protection_resource = "share"
    http_ports = [
      "81",
      "82",
      "83"
    ]
    https_ports = [

    ]
    xff_header_mode = "2"
    xff_headers = [
      "examplea",
      "exampleb",
      "examplec"
    ]
    custom_ciphers = [

    ]
    ipv6_enabled = "true"
  }

  redirect {
    keepalive_timeout = "15"
    backends = [
      "1.1.1.1",
      "3.3.3.3",
      "2.2.2.2"
    ]
    write_timeout      = "5"
    keepalive_requests = "1000"
    request_headers {
      key   = "examplekey1"
      value = "exampleValue1"
    }
    request_headers {
      key   = "key1"
      value = "value1"
    }
    request_headers {
      key   = "key22"
      value = "value22"
    }

    loadbalance        = "iphash"
    focus_http_backend = "false"
    sni_enabled        = "false"
    connect_timeout    = "5"
    read_timeout       = "5"
    keepalive          = "true"
    retry              = "true"
  }

  domain      = "zcexample_250746.wafqax.top"
  access_type = "share"
}


resource "alicloud_wafv3_defense_rule" "default" {
  defense_origin = "custom"
  config {
    account_identifiers {
      priority    = "2"
      decode_type = "jwt"
      key         = "Query-Arg"
      sub_key     = "adb"
      position    = "jwt"
    }
  }

  instance_id   = data.alicloud_wafv3_instances.default.ids.0
  defense_type  = "resource"
  defense_scene = "account_identifier"
  rule_status   = "1"
  resource      = alicloud_wafv3_domain.default.domain_id
}

Argument Reference

The following arguments are supported:

• config - (Required, List) Rule configuration content, in JSON format, constructed with a series of parameters.

-> NOTE: Depending on the specified protection rule type(DefenseScene), the specific parameters vary. For more information, see Protection Rule Parameter Description. See config below.

• defense_origin - (Optional, ForceNew) Sources of protection. Value:
  • custom: user-defined.
  • system: Automatically generated by the system.
• defense_scene - (Required, ForceNew) The WAF protection scenario to be created.

When the protection rule type DefenseType is set to template, the value is as follows:

• ip_blacklist: indicates the IP address blacklist.
• custom_acl: indicates a custom rule.
• whitelist: indicates the whitelist.
• region_block: indicates that the region is blocked.
• cc: indicates CC protection.
• tamperproof: Indicates that the web page is tamper-proof.
• dlp: Indicates information leakage protection.
• spike_throttle: indicates peak current limit.

When the protection rule type DefenseType is set to resource, the value is as follows:

• account_identifier: indicates account extraction.

• defense_type - (Required, ForceNew) The protection rule type. Value:
  • template (default): indicates the template protection rule.
  • resource: indicates the rule of the protected object dimension.
• instance_id - (Required, ForceNew) The ID of the Web Application Firewall (WAF) instance.
• resource - (Optional, ForceNew) The protection object corresponding to the rule to be queried.

-> NOTE: This parameter is required only when DefenseType is set to resource.

• rule_name - (Optional) The rule name.
• rule_status - (Optional, Int) Protection rule status.
  • 0: indicates closed.
  • 1: indicates open.
• template_id - (Optional, ForceNew, Int) The protection template ID of the protection rule to be created.

config

The config supports the following:

• abroad_regions - (Optional) The regions outside China from which you want to block requests. Separate multiple region codes with commas (,). You can call the DescribeIpAbroadCountryInfos operation to query the countries and regions outside China that can be blocked.
• account_identifiers - (Optional, Set) The policies for account extraction. Up to five policies are supported. Each policy is a JSON string. For more information, see accountIdentifiers description. See account_identifiers below.
• bypass_regular_rules - (Optional, Set) The list of regular rule IDs that are not detected. The value is in the ["XX1", "XX2",...] format. This parameter is required only when the module to which the whitelist applies is set to specific regular rules in basic protection (BypassTags is set to regular_rule).
• bypass_regular_types - (Optional, Set) The regular rule type is not detected. This parameter is configured only when the whitelist module is configured as the Web application regular type (the value of the BypassTags parameter is regular_type). Value:
  • sqli: Indicates SQL injection.
  • xss: Indicates cross-site scripting (XSS).
  • cmdi: Indicates OS command injection.
  • expression_injection: Indicates expression injection.
  • java_deserialization: indicates Java deserialization.
  • dot_net_deserialization: Represents. net deserialization.
  • php_deserialization: indicates PHP deserialization.
  • code_exec: Indicates code execution.
  • ssrf: indicates SSRF (server-side request forgery).
  • path_traversal: indicates a Path Traversal.
  • arbitrary_file_uploading: Indicates to upload any file.
  • webshell: Represents a webshell.
  • rfilei: Indicates the remote file contains (RFI).
  • lfilei: Indicates that the local file contains (LFI).
  • protocol_violation: indicates a protocol violation.
  • scanner_behavior: Indicates scanner behavior.
  • logic_flaw: Indicates a business logic defect.
  • arbitrary_file_reading: Indicates arbitrary file reading.
  • arbitrary_file_download: Indicates an arbitrary file download.
  • xxe: Indicates external entity injection.
  • csrf: indicates cross-site request forgery.
  • crlf: indicates CRLF.
  • other: indicates other.
• bypass_tags - (Optional, Set) The modules to which the whitelist applies. The value is in the ["XX1", "XX2",...] format. Valid values:
  • waf: indicates all modules.
  • customrule: indicates custom rules.
  • blacklist: indicates IP blacklist.
  • antiscan: indicates scan protection.
  • regular: indicates basic protection rules.
  • regular_rule: indicates specific regular rules in basic protection.
  • regular_type: indicates specific regular rule types in basic protection.
  • major_protection: indicates major event support protection.
  • cc: indicates CC protection.
  • region_block: indicates Location Blacklist.
  • antibot_scene: indicates BOT scenario protection.
  • dlp: indicates information leakage prevention.
  • tamperproof: indicates web tamper-proofing.
  • spike_throttle: indicates peak traffic throttling.
• cc_effect - (Optional) Set the effective range of the speed limit. This information is configured only when ccStatus is set to 1. Value:
  • service: indicates that the effective object is a protected object.
  • rule: indicates that the effective object is a single rule.
• cc_status - (Optional, Int) Whether to open the speed limit. Value:
  • 0: indicates that the speed limit is off.
  • 1: Indicates that the speed limit is on.
• cn_regions - (Optional) The regions in China from which you want to block requests. If you specify "CN", requests from the Chinese mainland (excluding Hong Kong, Macao, and Taiwan) are blocked. Separate multiple regions with commas (,). For more information about region codes, see Description of region codes in China.
• conditions - (Optional, Set) The traffic characteristics of ACL, which are described in JSON format. You can enter up to five matching conditions. For specific configuration information, see detailed configuration of conditions. See conditions below.
• mode - (Optional, Int) The HTTP flood protection mode. Valid values:
  • 0 (default): indicates normal protection.
  • 1: indicates emergency protection.
• protocol - (Optional) The protocol type of the cached page address. Valid values: http, https.
• rate_limit - (Optional, List) The detailed speed limit configuration, which is described in the JSON string format. This information is configured only when CcStatus is set to 1. For specific configuration information, see detailed configuration of Ratelimit. See rate_limit below.
• remote_addr - (Optional, Set) The IP addresses that you want to add to the blacklist. Specify the value of this parameter in the ["ip1","ip2",...] format.
• rule_action - (Optional) Protection rule action. Value:
  • block: Indicates an intercept.
  • monitor: indicates observation.
  • js: indicates JS validation.
  • captcha: Indicates a slider.
  • captcha_strict: indicates a strict slider.
  • filter: filters sensitive information. This action applies only to scenarios that the Information leakage prevention rule include sensitive information match conditions.

-> NOTE: For the supported protection rule actions, follow the rule actions displayed in the WAF console.

• throttle_threhold - (Optional, Int) The throttling threshold. Valid values:
  • The QPS throttling threshold ranges from 1 to 5000000. If you select QPS throttling (such as 500 QPS), traffic that meets the throttling conditions and exceeds 500 QPS will be blocked.
  • The percentage throttling threshold ranges from 1 to 99. If you select percentage throttling (such as 80%), only 80% of the traffic that meets the throttling conditions will be allowed.
• throttle_type - (Optional) The throttling method. Valid values:
  • qps: indicates throttling based on queries per second (QPS).
  • ratio (default): indicates throttling based on percentage.
• ua - (Optional) The User-Agent string that is allowed for access to the address.
• url - (Optional) The address of the cached page.

config-account_identifiers

The config-account_identifiers supports the following:

• decode_type - (Optional) The authentication mode. Valid values:
  • plain: indicates plaintext.
  • basic: indicates Basic authentication.
  • jwt: indicates JWT authentication. For JWT authentication, you must specify the field that stores the decoded account information (position).
• key - (Optional) The field from which you want to extract account information. Valid values: Query-Arg, Cookie-Exact, Post-Arg, Header.
• position - (Optional) The field that stores the decoded account information.
• priority - (Optional, Int) The priority of the current extraction configuration. Each traffic can match at most one extraction policy. Valid values: [0,20]. A smaller value indicates a higher priority. The priority value must be unique.
• sub_key - (Optional) The child match field.

config-conditions

The config-conditions supports the following:

• key - (Optional) Match field. Valid values: URL, URLPath, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, Host, HttpCode, and SensitiveInfo.

-> NOTE: Support for matching fields is based on the display in the WAF console. HttpCode and SensitiveInfo are the matching fields supported by the information leakage prevention rule (dlp).

• op_value - (Optional) Logical character. Value:
  • not-contain: does not contain.
  • contain: Indicates to contain.
  • none: It does not exist.
  • ne: means not equal.
  • eq: means equal.
  • lt: indicates that the value is less.
  • gt: indicates that the value is greater.
  • len-lt: indicates that the length is less.
  • len-eq: indicates that the length is equal.
  • len-gt: indicates that the length is greater.
  • not-match: indicates a mismatch.
  • match-one: means equal to one of the multiple values.
  • all-not-match: means not equal to any value.
  • all-not-contain: does not contain any value.
  • contain-one: Indicates that one of the multiple values is contained.
  • not-regex: Indicates a regular mismatch.
  • regex: Indicates a regular match.
  • all-not-regex: indicates that the regular expressions do not match.
  • regex-one: Represents a regular match for one of them.
  • prefix-match: Indicates a prefix match.
  • suffix-match: indicates a suffix match.
  • mpty: Indicates that the content is empty.
  • exists: Indicates that the field exists.
  • inl: indicates in the list.

-> NOTE: Not all logical characters (opvalues) can be configured for the match field (key) of each custom rule. For the logical characters supported by different matching fields, please refer to the association relationship between the matching fields and the logical characters in the custom rules of the WAF console.

• sub_key - (Optional) Custom child match fields.

-> NOTE: Not every match field (key) of a custom rule has a custom subKey. For whether different match fields support custom sub-match fields, please refer to the relationship between the match field and the custom match field in the WAF console custom rule.

• values - (Optional) Match the content and fill in the corresponding content as needed.

-> NOTE: The value range of the logical (opValue) and matching content (values) parameters in the matching condition parameter is related to the specified matching field (key).

config-rate_limit

The config-rate_limit supports the following:

• interval - (Optional, Int) The statistical period, in seconds. This parameter specifies the period during which access counts are collected, and works with the Threshold parameter. Valid values: 1 to 1800 seconds.
• status - (Optional, List) Response code frequency setting. The description is in the JSON string format. See status below.
• sub_key - (Optional) The characteristics of the statistical object. When the Target parameter is set to cookie, header, or queryarg, you must specify the corresponding information in the Subkey parameter.
• target - (Optional) The type of the statistical object. Valid values:
  • remote_addr (default): indicates IP.
  • cookie.acw_tc: indicates session.
  • header: indicates custom header. If you use custom headers, you must specify the headers in subkey.
  • queryarg: indicates custom parameters. If you use custom parameters, you must specify the parameters in subkey.
  • cookie: indicates custom cookies. If you use custom cookies, you must specify the cookies in subkey.
• threshold - (Optional, Int) The maximum number of requests that can be sent from a statistical object.
• ttl - (Optional, Int) The period of time during which you want the specified action to be valid. Unit: seconds. Valid values: 60 to 86400.

config-rate_limit-status

The config-rate_limit-status supports the following:

• code - (Optional, Int) Required. Specifies the response code.
• count - (Optional, Int) The threshold for the number of occurrences. When the number of occurrences of the specified HTTP status code exceeds this threshold, the protection rule is triggered. Valid values: 2 to 50000. You can specify Count or Ratio. You cannot specify the two parameters at the same time.
• ratio - (Optional, Int) The threshold for the proportion of occurrences (percentage). When the proportion of occurrences of the specified HTTP status code exceeds this threshold, the protection rule is triggered. Valid values: 1 to 100. You can specify Count or Ratio. You cannot specify the two parameters at the same time.

Attributes Reference

The following attributes are exported:

• id - The ID of the resource supplied above.The value is formulated as <instance_id>:<defense_type>:<rule_id>.
• rule_id - The protection rule ID.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

• create - (Defaults to 5 mins) Used when create the Defense Rule.
• delete - (Defaults to 5 mins) Used when delete the Defense Rule.
• update - (Defaults to 5 mins) Used when update the Defense Rule.

Import

WAFV3 Defense Rule can be imported using the id, e.g.

$ terraform import alicloud_wafv3_defense_rule.example <instance_id>:<defense_type>:<rule_id>