community / community.aws / 1.1.0 / module / aws_waf_condition Create and delete WAF Conditions | "added in version" 1.0.0 of community.aws" Authors: Will Thames (@willthames), Mike Mochan (@mmochan)community.aws.aws_waf_condition (1.1.0) — module
Install with ansible-galaxy collection install community.aws:==1.1.0
collections: - name: community.aws version: 1.1.0
Read the AWS documentation for WAF U(https://aws.amazon.com/documentation/waf/)
- name: create WAF byte condition community.aws.aws_waf_condition: name: my_byte_condition filters: - field_to_match: header position: STARTS_WITH target_string: Hello header: Content-type type: byte
- name: create WAF geo condition community.aws.aws_waf_condition: name: my_geo_condition filters: - country: US - country: AU - country: AT type: geo
- name: create IP address condition community.aws.aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "10.0.0.0/8" - ip_address: "192.168.0.0/24" type: ip
- name: create WAF regex condition community.aws.aws_waf_condition: name: my_regex_condition filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex
- name: create WAF size condition community.aws.aws_waf_condition: name: my_size_condition filters: - field_to_match: query_string size: 300 comparison: GT type: size
- name: create WAF sql injection condition community.aws.aws_waf_condition: name: my_sql_condition filters: - field_to_match: query_string transformation: url_decode type: sql
- name: create WAF xss condition community.aws.aws_waf_condition: name: my_xss_condition filters: - field_to_match: query_string transformation: url_decode type: xss
name: description: Name of the Web Application Firewall condition to manage. required: true type: str type: choices: - byte - geo - ip - regex - size - sql - xss description: The type of matching to perform. required: true type: str state: choices: - present - absent default: present description: Whether the condition should be C(present) or C(absent). type: str region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str filters: description: - A list of the filters against which to match. - For I(type=byte), valid keys are I(field_to_match), I(position), I(header), I(transformation) and I(target_string). - For I(type=geo), the only valid key is I(country). - For I(type=ip), the only valid key is I(ip_address). - For I(type=regex), valid keys are I(field_to_match), I(transformation) and I(regex_pattern). - For I(type=size), valid keys are I(field_to_match), I(transformation), I(comparison) and I(size). - For I(type=sql), valid keys are I(field_to_match) and I(transformation). - For I(type=xss), valid keys are I(field_to_match) and I(transformation). - Required when I(state=present). elements: dict suboptions: comparison: choices: - EQ - NE - LE - LT - GE - GT description: - What type of comparison to perform. - Only valid key when I(type=size). type: str country: description: - Value of geo constraint (typically a two letter country code). - The only valid key when I(type=geo). type: str field_to_match: choices: - uri - query_string - header - method - body description: - The field upon which to perform the match. - Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss). type: str header: description: - Which specific header should be matched. - Required when I(field_to_match=header). - Valid when I(type=byte). type: str ip_address: description: - An IP Address or CIDR to match. - The only valid key when I(type=ip). type: str position: choices: - exactly - starts_with - ends_with - contains - contains_word description: - Where in the field the match needs to occur. - Only valid when I(type=byte). type: str regex_pattern: description: - A dict describing the regular expressions used to perform the match. - Only valid when I(type=regex). suboptions: name: description: A name to describe the set of patterns. type: str regex_strings: description: A list of regular expressions to match. elements: str type: list type: dict size: description: - The size of the field (in bytes). - Only valid key when I(type=size). type: int target_string: description: - The string to search for. - May be up to 50 bytes. - Valid when I(type=byte). type: str transformation: choices: - none - compress_white_space - html_entity_decode - lowercase - cmd_line - url_decode description: - A transform to apply on the field prior to performing the match. - Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss). type: str type: list profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str waf_regional: default: false description: Whether to use waf-regional module. required: false type: bool aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path purge_filters: default: false description: - Whether to remove existing filters from a condition if not passed in I(filters). type: bool session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
condition: contains: byte_match_set_id: description: ID for byte match set. returned: always sample: c4882c96-837b-44a2-a762-4ea87dbf812b type: str byte_match_tuples: contains: field_to_match: contains: data: description: Which specific header (if type is header). sample: content-type type: str type: description: Type of field sample: HEADER type: str description: Field to match. returned: always type: complex positional_constraint: description: Position in the field to match. sample: STARTS_WITH type: str target_string: description: String to look for. sample: Hello type: str text_transformation: description: Transformation to apply to the field before matching. sample: NONE type: str description: List of byte match tuples. returned: always type: complex condition_id: description: Type-agnostic ID for the condition. returned: when state is present sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 type: str geo_match_constraints: contains: type: description: Type of geo constraint. sample: Country type: str value: description: Value of geo constraint (typically a country code). sample: AT type: str description: List of geographical constraints. returned: when type is geo and state is present type: complex geo_match_set_id: description: ID of the geo match set. returned: when type is geo and state is present sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 type: str ip_set_descriptors: contains: type: description: Type of IP address (IPV4 or IPV6). returned: always sample: IPV4 type: str value: description: IP address. returned: always sample: 10.0.0.0/8 type: str description: list of IP address filters returned: when type is ip and state is present type: complex ip_set_id: description: ID of condition. returned: when type is ip and state is present sample: 78ad334a-3535-4036-85e6-8e11e745217b type: str name: description: Name of condition. returned: when state is present sample: my_waf_condition type: str regex_match_set_id: description: ID of the regex match set. returned: when type is regex and state is present sample: 5ea3f6a8-3cd3-488b-b637-17b79ce7089c type: str regex_match_tuples: contains: field_to_match: contains: type: description: The field name. returned: when type is regex and state is present sample: QUERY_STRING type: str description: Field on which the regex match is applied. type: complex regex_pattern_set_id: description: ID of the regex pattern. sample: 6fdf7f2d-9091-445c-aef2-98f3c051ac9e type: str text_transformation: description: transformation applied to the text before matching sample: NONE type: str description: List of regex matches. returned: when type is regex and state is present type: complex size_constraint_set_id: description: ID of the size constraint set. returned: when type is size and state is present sample: de84b4b3-578b-447e-a9a0-0db35c995656 type: str size_constraints: contains: comparison_operator: description: Comparison operator to apply. sample: GT type: str field_to_match: contains: type: description: Field name. sample: QUERY_STRING type: str description: Field on which the size constraint is applied. type: complex size: description: Size to compare against the field. sample: 300 type: int text_transformation: description: Transformation applied to the text before matching. sample: NONE type: str description: List of size constraints to apply. returned: when type is size and state is present type: complex sql_injection_match_set_id: description: ID of the SQL injection match set. returned: when type is sql and state is present sample: de84b4b3-578b-447e-a9a0-0db35c995656 type: str sql_injection_match_tuples: contains: field_to_match: contains: type: description: Field name. sample: QUERY_STRING type: str description: Field on which the SQL injection match is applied. type: complex text_transformation: description: Transformation applied to the text before matching. sample: URL_DECODE type: str description: List of SQL injection match sets. returned: when type is sql and state is present type: complex xss_match_set_id: description: ID of the XSS match set. returned: when type is xss and state is present sample: de84b4b3-578b-447e-a9a0-0db35c995656 type: str xss_match_tuples: contains: field_to_match: contains: type: description: Field name sample: QUERY_STRING type: str description: Field on which the XSS match is applied. type: complex text_transformation: description: transformation applied to the text before matching. sample: URL_DECODE type: str description: List of XSS match sets. returned: when type is xss and state is present type: complex description: Condition returned by operation. returned: always type: complex