rule_groups
Creates, updates, deletes or gets a rule_group resource or lists rule_groups in a region.
Overview
Attribute | Value |
---|---|
Name | rule_groups |
Type | Resource |
Description | Contains the Rules that identify the requests that you want to allow, block, or count. In a RuleGroup, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a RuleGroup, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the RuleGroup with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a RuleGroup, a request needs to match only one of the specifications to be allowed, blocked, or counted. |
Id | aws.wafv2.rule_groups |
Fields
Name | Datatype | Description |
---|---|---|
arn | string | |
capacity | integer | |
description | string | Description of the entity. |
name | string | Name of the WebACL. |
id | string | Id of the WebACL. |
scope | string | Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway. |
rules | array | Collection of Rules. |
visibility_config | object | Visibility Metric of the WebACL. |
tags | array | |
label_namespace | string | Name of the Label. |
custom_response_bodies | object | Custom response key and body map. |
available_labels | array | Collection of Available Labels. |
consumed_labels | array | Collection of Consumed Labels. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | Capacity, Scope, VisibilityConfig, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all rule_groups in a region (region is a required parameter of list_resources, so the WHERE clause is needed).

```sql
SELECT
region,
arn,
capacity,
description,
name,
id,
scope,
rules,
visibility_config,
tags,
label_namespace,
custom_response_bodies,
available_labels,
consumed_labels
FROM aws.wafv2.rule_groups
WHERE region = 'us-east-1';
```

Gets all properties from an individual rule_group (get_resource requires both data__Identifier and region).

```sql
SELECT
region,
arn,
capacity,
description,
name,
id,
scope,
rules,
visibility_config,
tags,
label_namespace,
custom_response_bodies,
available_labels,
consumed_labels
FROM aws.wafv2.rule_groups
WHERE data__Identifier = '<Name>|<Id>|<Scope>'
AND region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new rule_group resource, using stack-deploy.

Required Properties:

```sql
/*+ create */
INSERT INTO aws.wafv2.rule_groups (
Capacity,
Scope,
VisibilityConfig,
region
)
SELECT
'{{ Capacity }}',
'{{ Scope }}',
'{{ VisibilityConfig }}',
'{{ region }}';
```

All Properties:

```sql
/*+ create */
INSERT INTO aws.wafv2.rule_groups (
Capacity,
Description,
Name,
Scope,
Rules,
VisibilityConfig,
Tags,
CustomResponseBodies,
AvailableLabels,
ConsumedLabels,
region
)
SELECT
'{{ Capacity }}',
'{{ Description }}',
'{{ Name }}',
'{{ Scope }}',
'{{ Rules }}',
'{{ VisibilityConfig }}',
'{{ Tags }}',
'{{ CustomResponseBodies }}',
'{{ AvailableLabels }}',
'{{ ConsumedLabels }}',
'{{ region }}';
```
Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: rule_group
    props:
      - name: Capacity
        value: '{{ Capacity }}'
      - name: Description
        value: '{{ Description }}'
      - name: Name
        value: '{{ Name }}'
      - name: Scope
        value: '{{ Scope }}'
      - name: Rules
        value:
          - Name: null
            Priority: '{{ Priority }}'
            Statement:
              ByteMatchStatement:
                SearchString: '{{ SearchString }}'
                SearchStringBase64: '{{ SearchStringBase64 }}'
                FieldToMatch:
                  SingleHeader:
                    Name: '{{ Name }}'
                  SingleQueryArgument:
                    Name: '{{ Name }}'
                  AllQueryArguments: {}
                  UriPath: {}
                  QueryString: {}
                  Body:
                    OversizeHandling: '{{ OversizeHandling }}'
                  Method: {}
                  JsonBody:
                    MatchPattern:
                      All: {}
                      IncludedPaths:
                        - '{{ IncludedPaths[0] }}'
                    MatchScope: '{{ MatchScope }}'
                    InvalidFallbackBehavior: '{{ InvalidFallbackBehavior }}'
                    OversizeHandling: null
                  Headers:
                    MatchPattern:
                      All: {}
                      IncludedHeaders:
                        - '{{ IncludedHeaders[0] }}'
                      ExcludedHeaders:
                        - '{{ ExcludedHeaders[0] }}'
                    MatchScope: '{{ MatchScope }}'
                    OversizeHandling: null
                  Cookies:
                    MatchPattern:
                      All: {}
                      IncludedCookies:
                        - '{{ IncludedCookies[0] }}'
                      ExcludedCookies:
                        - '{{ ExcludedCookies[0] }}'
                    MatchScope: null
                    OversizeHandling: null
                  JA3Fingerprint:
                    FallbackBehavior: '{{ FallbackBehavior }}'
                TextTransformations:
                  - Priority: '{{ Priority }}'
                    Type: '{{ Type }}'
                PositionalConstraint: '{{ PositionalConstraint }}'
              SqliMatchStatement:
                FieldToMatch: null
                TextTransformations:
                  - null
                SensitivityLevel: '{{ SensitivityLevel }}'
              XssMatchStatement:
                FieldToMatch: null
                TextTransformations:
                  - null
              SizeConstraintStatement:
                FieldToMatch: null
                ComparisonOperator: '{{ ComparisonOperator }}'
                Size: null
                TextTransformations:
                  - null
              GeoMatchStatement:
                CountryCodes:
                  - '{{ CountryCodes[0] }}'
                ForwardedIPConfig:
                  HeaderName: '{{ HeaderName }}'
                  FallbackBehavior: '{{ FallbackBehavior }}'
              RuleGroupReferenceStatement:
                Arn: '{{ Arn }}'
                ExcludedRules:
                  - Name: null
                RuleActionOverrides:
                  - Name: null
                    ActionToUse:
                      Allow:
                        CustomRequestHandling:
                          InsertHeaders:
                            - Name: '{{ Name }}'
                              Value: '{{ Value }}'
                      Block:
                        CustomResponse:
                          ResponseCode: '{{ ResponseCode }}'
                          CustomResponseBodyKey: '{{ CustomResponseBodyKey }}'
                          ResponseHeaders:
                            - null
                      Count:
                        CustomRequestHandling: null
                      Captcha:
                        CustomRequestHandling: null
                      Challenge:
                        CustomRequestHandling: null
              IPSetReferenceStatement:
                Arn: null
                IPSetForwardedIPConfig:
                  HeaderName: '{{ HeaderName }}'
                  FallbackBehavior: '{{ FallbackBehavior }}'
                  Position: '{{ Position }}'
              RegexPatternSetReferenceStatement:
                Arn: null
                FieldToMatch: null
                TextTransformations:
                  - null
              ManagedRuleGroupStatement:
                Name: null
                VendorName: '{{ VendorName }}'
                Version: '{{ Version }}'
                ExcludedRules:
                  - null
                ScopeDownStatement: null
                ManagedRuleGroupConfigs:
                  - LoginPath: '{{ LoginPath }}'
                    PayloadType: '{{ PayloadType }}'
                    UsernameField:
                      Identifier: '{{ Identifier }}'
                    PasswordField: null
                    AWSManagedRulesBotControlRuleSet:
                      InspectionLevel: '{{ InspectionLevel }}'
                      EnableMachineLearning: '{{ EnableMachineLearning }}'
                    AWSManagedRulesATPRuleSet:
                      LoginPath: '{{ LoginPath }}'
                      EnableRegexInPath: '{{ EnableRegexInPath }}'
                      RequestInspection:
                        PayloadType: '{{ PayloadType }}'
                        UsernameField: null
                        PasswordField: null
                      ResponseInspection:
                        StatusCode:
                          SuccessCodes:
                            - '{{ SuccessCodes[0] }}'
                          FailureCodes:
                            - '{{ FailureCodes[0] }}'
                        Header:
                          Name: '{{ Name }}'
                          SuccessValues:
                            - '{{ SuccessValues[0] }}'
                          FailureValues:
                            - '{{ FailureValues[0] }}'
                        BodyContains:
                          SuccessStrings:
                            - '{{ SuccessStrings[0] }}'
                          FailureStrings:
                            - '{{ FailureStrings[0] }}'
                        Json:
                          Identifier: '{{ Identifier }}'
                          SuccessValues:
                            - '{{ SuccessValues[0] }}'
                          FailureValues:
                            - '{{ FailureValues[0] }}'
                    AWSManagedRulesACFPRuleSet:
                      CreationPath: '{{ CreationPath }}'
                      RegistrationPagePath: '{{ RegistrationPagePath }}'
                      RequestInspection:
                        PayloadType: '{{ PayloadType }}'
                        UsernameField: null
                        PasswordField: null
                        EmailField: null
                        PhoneNumberFields:
                          - null
                        AddressFields:
                          - null
                      ResponseInspection: null
                      EnableRegexInPath: '{{ EnableRegexInPath }}'
                RuleActionOverrides:
                  - null
              RateBasedStatement:
                Limit: '{{ Limit }}'
                EvaluationWindowSec: '{{ EvaluationWindowSec }}'
                AggregateKeyType: '{{ AggregateKeyType }}'
                CustomKeys:
                  - Cookie:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    ForwardedIP: {}
                    Header:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    HTTPMethod: {}
                    IP: {}
                    LabelNamespace:
                      Namespace: '{{ Namespace }}'
                    QueryArgument:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    QueryString:
                      TextTransformations:
                        - null
                    UriPath:
                      TextTransformations:
                        - null
                ScopeDownStatement: null
                ForwardedIPConfig: null
              AndStatement:
                Statements:
                  - null
              OrStatement:
                Statements:
                  - null
              NotStatement:
                Statement: null
              LabelMatchStatement:
                Scope: '{{ Scope }}'
                Key: '{{ Key }}'
              RegexMatchStatement:
                RegexString: '{{ RegexString }}'
                FieldToMatch: null
                TextTransformations:
                  - null
            Action: null
            OverrideAction:
              Count: {}
              None: {}
            RuleLabels:
              - Name: '{{ Name }}'
            VisibilityConfig:
              SampledRequestsEnabled: '{{ SampledRequestsEnabled }}'
              CloudWatchMetricsEnabled: '{{ CloudWatchMetricsEnabled }}'
              MetricName: '{{ MetricName }}'
            CaptchaConfig:
              ImmunityTimeProperty:
                ImmunityTime: '{{ ImmunityTime }}'
            ChallengeConfig:
              ImmunityTimeProperty: null
      - name: VisibilityConfig
        value: null
      - name: Tags
        value:
          - Key: '{{ Key }}'
            Value: '{{ Value }}'
      - name: CustomResponseBodies
        value: {}
      - name: AvailableLabels
        value:
          - Name: null
      - name: ConsumedLabels
        value:
          - null
```
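The templated INSERT and SELECT statements above show the shape of the queries but not what the object-typed properties look like once filled in, nor what a defender would normally query for. The following block is an added example, not part of the StackQL documentation or the StackQL project's own code. It first creates a regional rule group with one rate-based rule (a single RateBasedStatement costs 2 WCUs, so a Capacity of 10 leaves headroom) whose metrics and request sampling are enabled, passing Rules and VisibilityConfig as JSON strings in the same quoted form the templates use; it then runs an audit that lists rule groups in the region whose VisibilityConfig has CloudWatch metrics or sampled requests turned off, since such groups produce no CloudWatch signal for detection. The names `example-login-rate-limit` and `rate-limit-per-ip`, the limit of 1000 and the region are constructed values; the audit assumes StackQL's default SQLite backend, where `json_extract` is available.

```sql
/*+ create */
-- Constructed example: a REGIONAL rule group with one rate-based BLOCK rule.
-- Object-typed properties (Rules, VisibilityConfig) are passed as JSON strings.
INSERT INTO aws.wafv2.rule_groups (
Name,
Description,
Capacity,
Scope,
Rules,
VisibilityConfig,
region
)
SELECT
'example-login-rate-limit',
'Blocks a source IP that exceeds 1000 requests in the default 300-second window',
'10',
'REGIONAL',
'[{"Name": "rate-limit-per-ip", "Priority": 0, "Action": {"Block": {}}, "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}, "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "rate-limit-per-ip"}}]',
'{"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "example-login-rate-limit"}',
'us-east-1';

-- Audit: rule groups in the region with metrics or request sampling disabled.
-- json_extract returns 1 for JSON true on the SQLite backend (assumption);
-- COALESCE treats a missing key as "not enabled" so it is reported too.
SELECT
region,
name,
scope,
json_extract(visibility_config, '$.CloudWatchMetricsEnabled') AS metrics_enabled,
json_extract(visibility_config, '$.SampledRequestsEnabled') AS sampling_enabled
FROM aws.wafv2.rule_groups
WHERE region = 'us-east-1'
AND (COALESCE(json_extract(visibility_config, '$.CloudWatchMetricsEnabled'), 0) != 1
OR COALESCE(json_extract(visibility_config, '$.SampledRequestsEnabled'), 0) != 1);
```

Per-rule VisibilityConfig and the rule group's own VisibilityConfig are separate settings; the audit only inspects the group-level object, so a rule group can pass it while individual rules inside `rules` still have metrics disabled.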
DELETE example

```sql
/*+ delete */
DELETE FROM aws.wafv2.rule_groups
WHERE data__Identifier = '<Name|Id|Scope>'
AND region = 'us-east-1';
```
Permissions
To operate on the rule_groups resource, the following permissions are required:

Operation | Required permissions |
---|---|
Create | wafv2:CreateRuleGroup, wafv2:GetRuleGroup, wafv2:ListTagsForResource |
Delete | wafv2:DeleteRuleGroup, wafv2:GetRuleGroup |
Read | wafv2:GetRuleGroup, wafv2:ListTagsForResource |
Update | wafv2:UpdateRuleGroup, wafv2:GetRuleGroup, wafv2:ListTagsForResource |
List | wafv2:ListRuleGroups |