@pulumi/aws 7.4.0-alpha.1755086162 → 7.4.0

package/wafv2/webAclRuleGroupAssociation.d.ts

@@ -0,0 +1,482 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+/**
+ * Associates a WAFv2 Rule Group (custom or managed) with a Web ACL by adding a rule that references the Rule Group. Use this resource to apply the rules defined in a Rule Group to a Web ACL without duplicating rule definitions.
+ *
+ * This resource supports both:
+ *
+ * - **Custom Rule Groups**: User-created rule groups that you manage within your AWS account
+ * - **Managed Rule Groups**: Pre-configured rule groups provided by AWS or third-party vendors
+ *
+ * !> **Warning:** Verify the rule names in your `ruleActionOverride`s carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.
+ *
+ * !> **Warning:** Using this resource will cause the associated Web ACL resource to show configuration drift in the `rule` argument unless you add `lifecycle { ignoreChanges = [rule] }` to the Web ACL resource configuration. This is because this resource modifies the Web ACL's rules outside of the Web ACL resource's direct management.
+ *
+ * > **Note:** This resource creates a rule within the Web ACL that references the entire Rule Group. The rule group's individual rules are evaluated as a unit when requests are processed by the Web ACL.
+ *
+ * ## Example Usage
+ *
+ * ### Custom Rule Group - Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.wafv2.RuleGroup("example", {
+ *     name: "example-rule-group",
+ *     scope: "REGIONAL",
+ *     capacity: 10,
+ *     rules: [{
+ *         name: "block-suspicious-requests",
+ *         priority: 1,
+ *         action: {
+ *             block: {},
+ *         },
+ *         statement: {
+ *             geoMatchStatement: {
+ *                 countryCodes: [
+ *                     "CN",
+ *                     "RU",
+ *                 ],
+ *             },
+ *         },
+ *         visibilityConfig: {
+ *             cloudwatchMetricsEnabled: true,
+ *             metricName: "block-suspicious-requests",
+ *             sampledRequestsEnabled: true,
+ *         },
+ *     }],
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "example-rule-group",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const exampleWebAcl = new aws.wafv2.WebAcl("example", {
+ *     name: "example-web-acl",
+ *     scope: "REGIONAL",
+ *     defaultAction: {
+ *         allow: {},
+ *     },
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "example-web-acl",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
+ *     ruleName: "example-rule-group-rule",
+ *     priority: 100,
+ *     webAclArn: exampleWebAcl.arn,
+ *     ruleGroupReference: {
+ *         arn: example.arn,
+ *     },
+ * });
+ * ```
+ *
+ * ### Managed Rule Group - Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.wafv2.WebAcl("example", {
+ *     name: "example-web-acl",
+ *     scope: "REGIONAL",
+ *     defaultAction: {
+ *         allow: {},
+ *     },
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "example-web-acl",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const managedExample = new aws.wafv2.WebAclRuleGroupAssociation("managed_example", {
+ *     ruleName: "aws-common-rule-set",
+ *     priority: 50,
+ *     webAclArn: example.arn,
+ *     managedRuleGroup: {
+ *         name: "AWSManagedRulesCommonRuleSet",
+ *         vendorName: "AWS",
+ *     },
+ * });
+ * ```
+ *
+ * ### Managed Rule Group - With Version
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const managedVersioned = new aws.wafv2.WebAclRuleGroupAssociation("managed_versioned", {
+ *     ruleName: "aws-common-rule-set-versioned",
+ *     priority: 60,
+ *     webAclArn: example.arn,
+ *     managedRuleGroup: {
+ *         name: "AWSManagedRulesCommonRuleSet",
+ *         vendorName: "AWS",
+ *         version: "Version_1.0",
+ *     },
+ * });
+ * ```
+ *
+ * ### Managed Rule Group - With Rule Action Overrides
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const managedWithOverrides = new aws.wafv2.WebAclRuleGroupAssociation("managed_with_overrides", {
+ *     ruleName: "aws-common-rule-set-with-overrides",
+ *     priority: 70,
+ *     webAclArn: example.arn,
+ *     managedRuleGroup: {
+ *         name: "AWSManagedRulesCommonRuleSet",
+ *         vendorName: "AWS",
+ *         ruleActionOverrides: [
+ *             {
+ *                 name: "GenericRFI_BODY",
+ *                 actionToUse: {
+ *                     count: {
+ *                         customRequestHandling: {
+ *                             insertHeaders: [{
+ *                                 name: "X-RFI-Override",
+ *                                 value: "counted",
+ *                             }],
+ *                         },
+ *                     },
+ *                 },
+ *             },
+ *             {
+ *                 name: "SizeRestrictions_BODY",
+ *                 actionToUse: {
+ *                     captcha: {},
+ *                 },
+ *             },
+ *         ],
+ *     },
+ * });
+ * ```
+ *
+ * ### Custom Rule Group - With Override Action
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.wafv2.WebAclRuleGroupAssociation("example", {
+ *     ruleName: "example-rule-group-rule",
+ *     priority: 100,
+ *     webAclArn: exampleAwsWafv2WebAcl.arn,
+ *     overrideAction: "count",
+ *     ruleGroupReference: {
+ *         arn: exampleAwsWafv2RuleGroup.arn,
+ *     },
+ * });
+ * ```
+ *
+ * ### Custom Rule Group - With Rule Action Overrides
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.wafv2.RuleGroup("example", {
+ *     name: "example-rule-group",
+ *     scope: "REGIONAL",
+ *     capacity: 10,
+ *     rules: [
+ *         {
+ *             name: "geo-block-rule",
+ *             priority: 1,
+ *             action: {
+ *                 block: {},
+ *             },
+ *             statement: {
+ *                 geoMatchStatement: {
+ *                     countryCodes: [
+ *                         "CN",
+ *                         "RU",
+ *                     ],
+ *                 },
+ *             },
+ *             visibilityConfig: {
+ *                 cloudwatchMetricsEnabled: true,
+ *                 metricName: "geo-block-rule",
+ *                 sampledRequestsEnabled: true,
+ *             },
+ *         },
+ *         {
+ *             name: "rate-limit-rule",
+ *             priority: 2,
+ *             action: {
+ *                 block: {},
+ *             },
+ *             statement: {
+ *                 rateBasedStatement: {
+ *                     limit: 1000,
+ *                     aggregateKeyType: "IP",
+ *                 },
+ *             },
+ *             visibilityConfig: {
+ *                 cloudwatchMetricsEnabled: true,
+ *                 metricName: "rate-limit-rule",
+ *                 sampledRequestsEnabled: true,
+ *             },
+ *         },
+ *     ],
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "example-rule-group",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const exampleWebAcl = new aws.wafv2.WebAcl("example", {
+ *     name: "example-web-acl",
+ *     scope: "REGIONAL",
+ *     defaultAction: {
+ *         allow: {},
+ *     },
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "example-web-acl",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const exampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("example", {
+ *     ruleName: "example-rule-group-rule",
+ *     priority: 100,
+ *     webAclArn: exampleWebAcl.arn,
+ *     ruleGroupReference: {
+ *         arn: example.arn,
+ *         ruleActionOverrides: [
+ *             {
+ *                 name: "geo-block-rule",
+ *                 actionToUse: {
+ *                     count: {
+ *                         customRequestHandling: {
+ *                             insertHeaders: [{
+ *                                 name: "X-Geo-Block-Override",
+ *                                 value: "counted",
+ *                             }],
+ *                         },
+ *                     },
+ *                 },
+ *             },
+ *             {
+ *                 name: "rate-limit-rule",
+ *                 actionToUse: {
+ *                     captcha: {
+ *                         customRequestHandling: {
+ *                             insertHeaders: [{
+ *                                 name: "X-Rate-Limit-Override",
+ *                                 value: "captcha-required",
+ *                             }],
+ *                         },
+ *                     },
+ *                 },
+ *             },
+ *         ],
+ *     },
+ * });
+ * ```
+ *
+ * ### Custom Rule Group - CloudFront Web ACL
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const cloudfrontExample = new aws.wafv2.RuleGroup("cloudfront_example", {
+ *     name: "cloudfront-rule-group",
+ *     scope: "CLOUDFRONT",
+ *     capacity: 10,
+ *     rules: [{
+ *         name: "rate-limit",
+ *         priority: 1,
+ *         action: {
+ *             block: {},
+ *         },
+ *         statement: {
+ *             rateBasedStatement: {
+ *                 limit: 2000,
+ *                 aggregateKeyType: "IP",
+ *             },
+ *         },
+ *         visibilityConfig: {
+ *             cloudwatchMetricsEnabled: true,
+ *             metricName: "rate-limit",
+ *             sampledRequestsEnabled: true,
+ *         },
+ *     }],
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "cloudfront-rule-group",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const cloudfrontExampleWebAcl = new aws.wafv2.WebAcl("cloudfront_example", {
+ *     name: "cloudfront-web-acl",
+ *     scope: "CLOUDFRONT",
+ *     defaultAction: {
+ *         allow: {},
+ *     },
+ *     visibilityConfig: {
+ *         cloudwatchMetricsEnabled: true,
+ *         metricName: "cloudfront-web-acl",
+ *         sampledRequestsEnabled: true,
+ *     },
+ * });
+ * const cloudfrontExampleWebAclRuleGroupAssociation = new aws.wafv2.WebAclRuleGroupAssociation("cloudfront_example", {
+ *     ruleName: "cloudfront-rule-group-rule",
+ *     priority: 50,
+ *     webAclArn: cloudfrontExampleWebAcl.arn,
+ *     ruleGroupReference: {
+ *         arn: cloudfrontExample.arn,
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import WAFv2 web ACL custom rule group associations using `WebACLARN,RuleGroupARN,RuleName`. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/example-rule-group/87654321-4321-4321-4321-210987654321,example-rule-group-rule"
+ * ```
+ * Using `pulumi import`, import WAFv2 web ACL managed rule group associations using `WebACLARN,VendorName:RuleGroupName[:Version],RuleName`. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:wafv2/webAclRuleGroupAssociation:WebAclRuleGroupAssociation managed_example "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012,AWS:AWSManagedRulesCommonRuleSet,aws-common-rule-set"
+ * ```
+ */
+export declare class WebAclRuleGroupAssociation extends pulumi.CustomResource {
+    /**
+     * Get an existing WebAclRuleGroupAssociation resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WebAclRuleGroupAssociationState, opts?: pulumi.CustomResourceOptions): WebAclRuleGroupAssociation;
+    /**
+     * Returns true if the given object is an instance of WebAclRuleGroupAssociation.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is WebAclRuleGroupAssociation;
+    /**
+     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
+     */
+    readonly managedRuleGroup: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup | undefined>;
+    /**
+     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
+     */
+    readonly overrideAction: pulumi.Output<string>;
+    /**
+     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
+     */
+    readonly priority: pulumi.Output<number>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    readonly region: pulumi.Output<string>;
+    /**
+     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
+     */
+    readonly ruleGroupReference: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference | undefined>;
+    /**
+     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
+     */
+    readonly ruleName: pulumi.Output<string>;
+    readonly timeouts: pulumi.Output<outputs.wafv2.WebAclRuleGroupAssociationTimeouts | undefined>;
+    /**
+     * ARN of the Web ACL to associate the Rule Group with.
+     *
+     * The following arguments are optional:
+     */
+    readonly webAclArn: pulumi.Output<string>;
+    /**
+     * Create a WebAclRuleGroupAssociation resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: WebAclRuleGroupAssociationArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering WebAclRuleGroupAssociation resources.
+ */
+export interface WebAclRuleGroupAssociationState {
+    /**
+     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
+     */
+    managedRuleGroup?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup>;
+    /**
+     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
+     */
+    overrideAction?: pulumi.Input<string>;
+    /**
+     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
+     */
+    priority?: pulumi.Input<number>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+    /**
+     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
+     */
+    ruleGroupReference?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference>;
+    /**
+     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
+     */
+    ruleName?: pulumi.Input<string>;
+    timeouts?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationTimeouts>;
+    /**
+     * ARN of the Web ACL to associate the Rule Group with.
+     *
+     * The following arguments are optional:
+     */
+    webAclArn?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a WebAclRuleGroupAssociation resource.
+ */
+export interface WebAclRuleGroupAssociationArgs {
+    /**
+     * Managed Rule Group configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `ruleGroupReference`. See below.
+     */
+    managedRuleGroup?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationManagedRuleGroup>;
+    /**
+     * Override action for the rule group. Valid values are `none` and `count`. Defaults to `none`. When set to `count`, the actions defined in the rule group rules are overridden to count matches instead of blocking or allowing requests.
+     */
+    overrideAction?: pulumi.Input<string>;
+    /**
+     * Priority of the rule within the Web ACL. Rules are evaluated in order of priority, with lower numbers evaluated first.
+     */
+    priority: pulumi.Input<number>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+    /**
+     * Custom Rule Group reference configuration. One of `ruleGroupReference` or `managedRuleGroup` is required. Conflicts with `managedRuleGroup`. See below.
+     */
+    ruleGroupReference?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationRuleGroupReference>;
+    /**
+     * Name of the rule to create in the Web ACL that references the rule group. Must be between 1 and 128 characters.
+     */
+    ruleName: pulumi.Input<string>;
+    timeouts?: pulumi.Input<inputs.wafv2.WebAclRuleGroupAssociationTimeouts>;
+    /**
+     * ARN of the Web ACL to associate the Rule Group with.
+     *
+     * The following arguments are optional:
+     */
+    webAclArn: pulumi.Input<string>;
+}