Docs Home
AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi
aws.waf.WebAcl
Explore with Pulumi AI
Provides a WAF Web ACL Resource
Example Usage
This example blocks requests coming from 192.0.7.0/24 and allows everything else.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ipset = new aws.waf.IpSet("ipset", {
name: "tfIPSet",
ipSetDescriptors: [{
type: "IPV4",
value: "192.0.7.0/24",
}],
});
const wafrule = new aws.waf.Rule("wafrule", {
name: "tfWAFRule",
metricName: "tfWAFRule",
predicates: [{
dataId: ipset.id,
negated: false,
type: "IPMatch",
}],
}, {
dependsOn: [ipset],
});
const wafAcl = new aws.waf.WebAcl("waf_acl", {
name: "tfWebACL",
metricName: "tfWebACL",
defaultAction: {
type: "ALLOW",
},
rules: [{
action: {
type: "BLOCK",
},
priority: 1,
ruleId: wafrule.id,
type: "REGULAR",
}],
}, {
dependsOn: [
ipset,
wafrule,
],
});
import pulumi
import pulumi_aws as aws
ipset = aws.waf.IpSet("ipset",
name="tfIPSet",
ip_set_descriptors=[{
"type": "IPV4",
"value": "192.0.7.0/24",
}])
wafrule = aws.waf.Rule("wafrule",
name="tfWAFRule",
metric_name="tfWAFRule",
predicates=[{
"data_id": ipset.id,
"negated": False,
"type": "IPMatch",
}],
opts = pulumi.ResourceOptions(depends_on=[ipset]))
waf_acl = aws.waf.WebAcl("waf_acl",
name="tfWebACL",
metric_name="tfWebACL",
default_action={
"type": "ALLOW",
},
rules=[{
"action": {
"type": "BLOCK",
},
"priority": 1,
"rule_id": wafrule.id,
"type": "REGULAR",
}],
opts = pulumi.ResourceOptions(depends_on=[
ipset,
wafrule,
]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/waf"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ipset, err := waf.NewIpSet(ctx, "ipset", &waf.IpSetArgs{
Name: pulumi.String("tfIPSet"),
IpSetDescriptors: waf.IpSetIpSetDescriptorArray{
&waf.IpSetIpSetDescriptorArgs{
Type: pulumi.String("IPV4"),
Value: pulumi.String("192.0.7.0/24"),
},
},
})
if err != nil {
return err
}
wafrule, err := waf.NewRule(ctx, "wafrule", &waf.RuleArgs{
Name: pulumi.String("tfWAFRule"),
MetricName: pulumi.String("tfWAFRule"),
Predicates: waf.RulePredicateArray{
&waf.RulePredicateArgs{
DataId: ipset.ID(),
Negated: pulumi.Bool(false),
Type: pulumi.String("IPMatch"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
ipset,
}))
if err != nil {
return err
}
_, err = waf.NewWebAcl(ctx, "waf_acl", &waf.WebAclArgs{
Name: pulumi.String("tfWebACL"),
MetricName: pulumi.String("tfWebACL"),
DefaultAction: &waf.WebAclDefaultActionArgs{
Type: pulumi.String("ALLOW"),
},
Rules: waf.WebAclRuleArray{
&waf.WebAclRuleArgs{
Action: &waf.WebAclRuleActionArgs{
Type: pulumi.String("BLOCK"),
},
Priority: pulumi.Int(1),
RuleId: wafrule.ID(),
Type: pulumi.String("REGULAR"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
ipset,
wafrule,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var ipset = new Aws.Waf.IpSet("ipset", new()
{
Name = "tfIPSet",
IpSetDescriptors = new[]
{
new Aws.Waf.Inputs.IpSetIpSetDescriptorArgs
{
Type = "IPV4",
Value = "192.0.7.0/24",
},
},
});
var wafrule = new Aws.Waf.Rule("wafrule", new()
{
Name = "tfWAFRule",
MetricName = "tfWAFRule",
Predicates = new[]
{
new Aws.Waf.Inputs.RulePredicateArgs
{
DataId = ipset.Id,
Negated = false,
Type = "IPMatch",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
ipset,
},
});
var wafAcl = new Aws.Waf.WebAcl("waf_acl", new()
{
Name = "tfWebACL",
MetricName = "tfWebACL",
DefaultAction = new Aws.Waf.Inputs.WebAclDefaultActionArgs
{
Type = "ALLOW",
},
Rules = new[]
{
new Aws.Waf.Inputs.WebAclRuleArgs
{
Action = new Aws.Waf.Inputs.WebAclRuleActionArgs
{
Type = "BLOCK",
},
Priority = 1,
RuleId = wafrule.Id,
Type = "REGULAR",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
ipset,
wafrule,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.waf.IpSet;
import com.pulumi.aws.waf.IpSetArgs;
import com.pulumi.aws.waf.inputs.IpSetIpSetDescriptorArgs;
import com.pulumi.aws.waf.Rule;
import com.pulumi.aws.waf.RuleArgs;
import com.pulumi.aws.waf.inputs.RulePredicateArgs;
import com.pulumi.aws.waf.WebAcl;
import com.pulumi.aws.waf.WebAclArgs;
import com.pulumi.aws.waf.inputs.WebAclDefaultActionArgs;
import com.pulumi.aws.waf.inputs.WebAclRuleArgs;
import com.pulumi.aws.waf.inputs.WebAclRuleActionArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var ipset = new IpSet("ipset", IpSetArgs.builder()
.name("tfIPSet")
.ipSetDescriptors(IpSetIpSetDescriptorArgs.builder()
.type("IPV4")
.value("192.0.7.0/24")
.build())
.build());
var wafrule = new Rule("wafrule", RuleArgs.builder()
.name("tfWAFRule")
.metricName("tfWAFRule")
.predicates(RulePredicateArgs.builder()
.dataId(ipset.id())
.negated(false)
.type("IPMatch")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(ipset)
.build());
var wafAcl = new WebAcl("wafAcl", WebAclArgs.builder()
.name("tfWebACL")
.metricName("tfWebACL")
.defaultAction(WebAclDefaultActionArgs.builder()
.type("ALLOW")
.build())
.rules(WebAclRuleArgs.builder()
.action(WebAclRuleActionArgs.builder()
.type("BLOCK")
.build())
.priority(1)
.ruleId(wafrule.id())
.type("REGULAR")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(
ipset,
wafrule)
.build());
}
}
resources:
ipset:
type: aws:waf:IpSet
properties:
name: tfIPSet
ipSetDescriptors:
- type: IPV4
value: 192.0.7.0/24
wafrule:
type: aws:waf:Rule
properties:
name: tfWAFRule
metricName: tfWAFRule
predicates:
- dataId: ${ipset.id}
negated: false
type: IPMatch
options:
dependsOn:
- ${ipset}
wafAcl:
type: aws:waf:WebAcl
name: waf_acl
properties:
name: tfWebACL
metricName: tfWebACL
defaultAction:
type: ALLOW
rules:
- action:
type: BLOCK
priority: 1
ruleId: ${wafrule.id}
type: REGULAR
options:
dependsOn:
- ${ipset}
- ${wafrule}
Logging
NOTE: The Kinesis Firehose Delivery Stream name must begin with
aws-waf-logs-and be located inus-east-1region. See the AWS WAF Developer Guide for more information about enabling WAF logging.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.waf.WebAcl("example", {loggingConfiguration: {
logDestination: exampleAwsKinesisFirehoseDeliveryStream.arn,
redactedFields: {
fieldToMatches: [
{
type: "URI",
},
{
data: "referer",
type: "HEADER",
},
],
},
}});
import pulumi
import pulumi_aws as aws
example = aws.waf.WebAcl("example", logging_configuration={
"log_destination": example_aws_kinesis_firehose_delivery_stream["arn"],
"redacted_fields": {
"field_to_matches": [
{
"type": "URI",
},
{
"data": "referer",
"type": "HEADER",
},
],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/waf"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := waf.NewWebAcl(ctx, "example", &waf.WebAclArgs{
LoggingConfiguration: &waf.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Arn),
RedactedFields: &waf.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatches: waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Type: pulumi.String("URI"),
},
&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Data: pulumi.String("referer"),
Type: pulumi.String("HEADER"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Waf.WebAcl("example", new()
{
LoggingConfiguration = new Aws.Waf.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = exampleAwsKinesisFirehoseDeliveryStream.Arn,
RedactedFields = new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatches = new[]
{
new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Type = "URI",
},
new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Data = "referer",
Type = "HEADER",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.waf.WebAcl;
import com.pulumi.aws.waf.WebAclArgs;
import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.waf.inputs.WebAclLoggingConfigurationRedactedFieldsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new WebAcl("example", WebAclArgs.builder()
.loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
.logDestination(exampleAwsKinesisFirehoseDeliveryStream.arn())
.redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
.fieldToMatches(
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.type("URI")
.build(),
WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.data("referer")
.type("HEADER")
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: aws:waf:WebAcl
properties:
loggingConfiguration:
logDestination: ${exampleAwsKinesisFirehoseDeliveryStream.arn}
redactedFields:
fieldToMatches:
- type: URI
- data: referer
type: HEADER
Create WebAcl Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new WebAcl(name: string, args: WebAclArgs, opts?: CustomResourceOptions);@overload
def WebAcl(resource_name: str,
args: WebAclArgs,
opts: Optional[ResourceOptions] = None)
@overload
def WebAcl(resource_name: str,
opts: Optional[ResourceOptions] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
metric_name: Optional[str] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None)func NewWebAcl(ctx *Context, name string, args WebAclArgs, opts ...ResourceOption) (*WebAcl, error)public WebAcl(string name, WebAclArgs args, CustomResourceOptions? opts = null)
public WebAcl(String name, WebAclArgs args)
public WebAcl(String name, WebAclArgs args, CustomResourceOptions options)
type: aws:waf:WebAcl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WebAclArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var webAclResource = new Aws.Waf.WebAcl("webAclResource", new()
{
DefaultAction = new Aws.Waf.Inputs.WebAclDefaultActionArgs
{
Type = "string",
},
MetricName = "string",
LoggingConfiguration = new Aws.Waf.Inputs.WebAclLoggingConfigurationArgs
{
LogDestination = "string",
RedactedFields = new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsArgs
{
FieldToMatches = new[]
{
new Aws.Waf.Inputs.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
{
Type = "string",
Data = "string",
},
},
},
},
Name = "string",
Rules = new[]
{
new Aws.Waf.Inputs.WebAclRuleArgs
{
Priority = 0,
RuleId = "string",
Action = new Aws.Waf.Inputs.WebAclRuleActionArgs
{
Type = "string",
},
OverrideAction = new Aws.Waf.Inputs.WebAclRuleOverrideActionArgs
{
Type = "string",
},
Type = "string",
},
},
Tags =
{
{ "string", "string" },
},
});
example, err := waf.NewWebAcl(ctx, "webAclResource", &waf.WebAclArgs{
DefaultAction: &waf.WebAclDefaultActionArgs{
Type: pulumi.String("string"),
},
MetricName: pulumi.String("string"),
LoggingConfiguration: &waf.WebAclLoggingConfigurationArgs{
LogDestination: pulumi.String("string"),
RedactedFields: &waf.WebAclLoggingConfigurationRedactedFieldsArgs{
FieldToMatches: waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArray{
&waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs{
Type: pulumi.String("string"),
Data: pulumi.String("string"),
},
},
},
},
Name: pulumi.String("string"),
Rules: waf.WebAclRuleArray{
&waf.WebAclRuleArgs{
Priority: pulumi.Int(0),
RuleId: pulumi.String("string"),
Action: &waf.WebAclRuleActionArgs{
Type: pulumi.String("string"),
},
OverrideAction: &waf.WebAclRuleOverrideActionArgs{
Type: pulumi.String("string"),
},
Type: pulumi.String("string"),
},
},
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var webAclResource = new WebAcl("webAclResource", WebAclArgs.builder()
.defaultAction(WebAclDefaultActionArgs.builder()
.type("string")
.build())
.metricName("string")
.loggingConfiguration(WebAclLoggingConfigurationArgs.builder()
.logDestination("string")
.redactedFields(WebAclLoggingConfigurationRedactedFieldsArgs.builder()
.fieldToMatches(WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs.builder()
.type("string")
.data("string")
.build())
.build())
.build())
.name("string")
.rules(WebAclRuleArgs.builder()
.priority(0)
.ruleId("string")
.action(WebAclRuleActionArgs.builder()
.type("string")
.build())
.overrideAction(WebAclRuleOverrideActionArgs.builder()
.type("string")
.build())
.type("string")
.build())
.tags(Map.of("string", "string"))
.build());
web_acl_resource = aws.waf.WebAcl("webAclResource",
default_action={
"type": "string",
},
metric_name="string",
logging_configuration={
"log_destination": "string",
"redacted_fields": {
"field_to_matches": [{
"type": "string",
"data": "string",
}],
},
},
name="string",
rules=[{
"priority": 0,
"rule_id": "string",
"action": {
"type": "string",
},
"override_action": {
"type": "string",
},
"type": "string",
}],
tags={
"string": "string",
})
const webAclResource = new aws.waf.WebAcl("webAclResource", {
defaultAction: {
type: "string",
},
metricName: "string",
loggingConfiguration: {
logDestination: "string",
redactedFields: {
fieldToMatches: [{
type: "string",
data: "string",
}],
},
},
name: "string",
rules: [{
priority: 0,
ruleId: "string",
action: {
type: "string",
},
overrideAction: {
type: "string",
},
type: "string",
}],
tags: {
string: "string",
},
});
type: aws:waf:WebAcl
properties:
defaultAction:
type: string
loggingConfiguration:
logDestination: string
redactedFields:
fieldToMatches:
- data: string
type: string
metricName: string
name: string
rules:
- action:
type: string
overrideAction:
type: string
priority: 0
ruleId: string
type: string
tags:
string: string
WebAcl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The WebAcl resource accepts the following input properties:
- Default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- Name string
- The name or description of the web ACL.
- Rules
List<Web
Acl Rule> - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Dictionary<string, string>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- Default
Action WebAcl Default Action Args - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Logging
Configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- Name string
- The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- map[string]string
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- name String
- The name or description of the web ACL.
- rules
List<Web
Acl Rule> - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String,String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- name string
- The name or description of the web ACL.
- rules
Web
Acl Rule[] - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- {[key: string]: string}
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default_
action WebAcl Default Action Args - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric_
name str - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging_
configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- name str
- The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Mapping[str, str]
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- default
Action Property Map - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- logging
Configuration Property Map - Configuration block to enable WAF logging. Detailed below.
- name String
- The name or description of the web ACL.
- rules List<Property Map>
- Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the WebAcl resource produces the following output properties:
Look up Existing WebAcl Resource
Get an existing WebAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WebAclState, opts?: CustomResourceOptions): WebAcl@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
default_action: Optional[WebAclDefaultActionArgs] = None,
logging_configuration: Optional[WebAclLoggingConfigurationArgs] = None,
metric_name: Optional[str] = None,
name: Optional[str] = None,
rules: Optional[Sequence[WebAclRuleArgs]] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> WebAclfunc GetWebAcl(ctx *Context, name string, id IDInput, state *WebAclState, opts ...ResourceOption) (*WebAcl, error)public static WebAcl Get(string name, Input<string> id, WebAclState? state, CustomResourceOptions? opts = null)public static WebAcl get(String name, Output<String> id, WebAclState state, CustomResourceOptions options)resources: _: type: aws:waf:WebAcl get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The ARN of the WAF WebACL.
- Default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
- The name or description of the web ACL.
- Rules
List<Web
Acl Rule> - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Dictionary<string, string>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- Arn string
- The ARN of the WAF WebACL.
- Default
Action WebAcl Default Action Args - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- Logging
Configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- Metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- Name string
- The name or description of the web ACL.
- Rules
[]Web
Acl Rule Args - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- map[string]string
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- The ARN of the WAF WebACL.
- default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
- The name or description of the web ACL.
- rules
List<Web
Acl Rule> - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String,String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn string
- The ARN of the WAF WebACL.
- default
Action WebAcl Default Action - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration WebAcl Logging Configuration - Configuration block to enable WAF logging. Detailed below.
- metric
Name string - The name or description for the Amazon CloudWatch metric of this web ACL.
- name string
- The name or description of the web ACL.
- rules
Web
Acl Rule[] - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- {[key: string]: string}
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn str
- The ARN of the WAF WebACL.
- default_
action WebAcl Default Action Args - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging_
configuration WebAcl Logging Configuration Args - Configuration block to enable WAF logging. Detailed below.
- metric_
name str - The name or description for the Amazon CloudWatch metric of this web ACL.
- name str
- The name or description of the web ACL.
- rules
Sequence[Web
Acl Rule Args] - Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Mapping[str, str]
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- The ARN of the WAF WebACL.
- default
Action Property Map - Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
- logging
Configuration Property Map - Configuration block to enable WAF logging. Detailed below.
- metric
Name String - The name or description for the Amazon CloudWatch metric of this web ACL.
- name String
- The name or description of the web ACL.
- rules List<Property Map>
- Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
- Map<String>
- Key-value map of resource tags. .If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
Supporting Types
WebAclDefaultAction, WebAclDefaultActionArgs
- Type string
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
- Type string
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
- type String
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
- type string
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
- type str
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
- type String
- Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the
rules. e.g.,ALLOWorBLOCK
WebAclLoggingConfiguration, WebAclLoggingConfigurationArgs
- Log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- Log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- Redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination string - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log_
destination str - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted_
fields WebAcl Logging Configuration Redacted Fields - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
- log
Destination String - Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
- redacted
Fields Property Map - Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
WebAclLoggingConfigurationRedactedFields, WebAclLoggingConfigurationRedactedFieldsArgs
- Field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> - Set of configuration blocks for fields to redact. Detailed below.
- Field
To []WebMatches Acl Logging Configuration Redacted Fields Field To Match - Set of configuration blocks for fields to redact. Detailed below.
- field
To List<WebMatches Acl Logging Configuration Redacted Fields Field To Match> - Set of configuration blocks for fields to redact. Detailed below.
- field
To WebMatches Acl Logging Configuration Redacted Fields Field To Match[] - Set of configuration blocks for fields to redact. Detailed below.
- field_
to_ Sequence[Webmatches Acl Logging Configuration Redacted Fields Field To Match] - Set of configuration blocks for fields to redact. Detailed below.
- field
To List<Property Map>Matches - Set of configuration blocks for fields to redact. Detailed below.
WebAclLoggingConfigurationRedactedFieldsFieldToMatch, WebAclLoggingConfigurationRedactedFieldsFieldToMatchArgs
- Type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - Data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- Type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - Data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type String
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data String
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type string
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data string
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type str
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data str
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
- type String
- The part of the web request that you want AWS WAF to search for a specified stringE.g.,
HEADERorMETHOD - data String
- When the value of
typeisHEADER, enter the name of the header that you want the WAF to search, for example,User-AgentorReferer. If the value oftypeis any other value, omitdata.
WebAclRule, WebAclRuleArgs
- Priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - Action
Web
Acl Rule Action - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - Override
Action WebAcl Rule Override Action - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - Type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- Priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- Rule
Id string - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - Action
Web
Acl Rule Action - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - Override
Action WebAcl Rule Override Action - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - Type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority Integer
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - action
Web
Acl Rule Action - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - override
Action WebAcl Rule Override Action - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - type String
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority number
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id string - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - action
Web
Acl Rule Action - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - override
Action WebAcl Rule Override Action - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - type string
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority int
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule_
id str - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - action
Web
Acl Rule Action - The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - override_
action WebAcl Rule Override Action - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - type str
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
- priority Number
- Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
- rule
Id String - ID of the associated WAF (Global) rule (e.g.,
aws.waf.Rule). WAF (Regional) rules cannot be used. - action Property Map
- The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if
typeisGROUP. - override
Action Property Map - Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if
typeisGROUP. - type String
- The rule type, either
REGULAR, as defined by Rule,RATE_BASED, as defined by RateBasedRule, orGROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to settypeasRATE_BASED. If you add a GROUP rule, you need to settypeasGROUP.
WebAclRuleAction, WebAclRuleActionArgs
- Type string
- valid values are:
BLOCK,ALLOW, orCOUNT
- Type string
- valid values are:
BLOCK,ALLOW, orCOUNT
- type String
- valid values are:
BLOCK,ALLOW, orCOUNT
- type string
- valid values are:
BLOCK,ALLOW, orCOUNT
- type str
- valid values are:
BLOCK,ALLOW, orCOUNT
- type String
- valid values are:
BLOCK,ALLOW, orCOUNT
WebAclRuleOverrideAction, WebAclRuleOverrideActionArgs
- Type string
- valid values are:
NONEorCOUNT
- Type string
- valid values are:
NONEorCOUNT
- type String
- valid values are:
NONEorCOUNT
- type string
- valid values are:
NONEorCOUNT
- type str
- valid values are:
NONEorCOUNT
- type String
- valid values are:
NONEorCOUNT
Import
Using pulumi import, import WAF Web ACL using the id. For example:
$ pulumi import aws:waf/webAcl:WebAcl main 0c8e583e-18f3-4c13-9e2a-67c4805d2f94
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.