community.aws.wafv2_web_acl module (community.aws 3.4.0): Create and delete WAF Web ACLs
Added in version 1.5.0 of community.aws. Authors: Markus Bergholz (@markuman)
Install with: ansible-galaxy collection install community.aws:==3.4.0
or declare it as a collection requirement:
collections:
  - name: community.aws
    version: 3.4.0
Synopsis: Create, modify or delete AWS WAF v2 web ACLs (not for classic WAF).
See the AWS documentation at https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
Examples

```yaml
- name: Create test web acl
  community.aws.wafv2_web_acl:
    name: test05
    description: hallo eins
    scope: REGIONAL
    default_action: Allow
    sampled_requests: no
    cloudwatch_metrics: yes
    metric_name: test05-acl-metric
    rules:
      - name: zwei
        priority: 0
        action:
          block: {}
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: ddos
        statement:
          xss_match_statement:
            field_to_match:
              body: {}
            text_transformations:
              - type: NONE
                priority: 0
      - name: admin_protect
        priority: 1
        override_action:
          none: {}
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: fsd
        statement:
          managed_rule_group_statement:
            vendor_name: AWS
            name: AWSManagedRulesAdminProtectionRuleSet
      # AWS Managed Bad Input Rule Set,
      # but allow PROPFIND_METHOD used e.g. by webdav
      - name: bad_input_protect_whitelist_webdav
        priority: 2
        override_action:
          none: {}
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: bad_input_protect
        statement:
          managed_rule_group_statement:
            vendor_name: AWS
            name: AWSManagedRulesKnownBadInputsRuleSet
            excluded_rules:
              - name: PROPFIND_METHOD
      # Rate limit example: 1500 req/5min,
      # counted for two domains via or_statement: login.mydomain.tld and api.mydomain.tld
      - name: rate_limit_example
        priority: 3
        action:
          block: {}
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: mydomain-ratelimit
        statement:
          rate_based_statement:
            limit: 1500
            aggregate_key_type: IP
            scope_down_statement:
              or_statement:
                statements:
                  - byte_match_statement:
                      search_string: login.mydomain.tld
                      positional_constraint: CONTAINS
                      field_to_match:
                        single_header:
                          name: host
                      text_transformations:
                        - type: LOWERCASE
                          priority: 0
                  # the second branch is a byte_match_statement as well (the original
                  # example misspelled the key as byte_match_dtatement)
                  - byte_match_statement:
                      search_string: api.mydomain.tld
                      positional_constraint: CONTAINS
                      field_to_match:
                        single_header:
                          name: host
                      text_transformations:
                        - type: LOWERCASE
                          priority: 0
    purge_rules: yes
    tags:
      A: B
      C: D
    state: present
```
```yaml
- name: Create IP filtering web ACL
  community.aws.wafv2_web_acl:
    name: ip-filtering-traffic
    description: ACL that filters web traffic based on rate limits and whitelists some IPs
    scope: REGIONAL
    default_action: Allow
    sampled_requests: yes
    cloudwatch_metrics: yes
    metric_name: ip-filtering-traffic
    rules:
      - name: whitelist-own-IPs
        priority: 0
        action:
          allow: {}
        statement:
          ip_set_reference_statement:
            arn: 'arn:aws:wafv2:us-east-1:520789123123:regional/ipset/own-public-ips/1c4bdfc4-0f77-3b23-5222-123123123'
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: waf-acl-rule-whitelist-own-IPs
      - name: rate-limit-per-IP
        priority: 1
        action:
          block:
            custom_response:
              response_code: 429
              custom_response_body_key: too_many_requests
        statement:
          rate_based_statement:
            limit: 5000
            aggregate_key_type: IP
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: waf-acl-rule-rate-limit-per-IP
    purge_rules: yes
    custom_response_bodies:
      too_many_requests:
        content_type: APPLICATION_JSON
        content: '{ message: "Your request has been blocked due to too many HTTP requests coming from your IP" }'
    region: us-east-1
    state: present
```
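A pre-flight check for the rules list handed to the module, added here as an example; it is not part of the collection and assumes the rules arrive as plain dicts in the snake_case form the examples above use. It reports duplicate priorities, misspelled statement keys (the kind of typo that otherwise only surfaces as an API error at run time), action/override_action mismatches and custom_response_body_key values without a matching custom_response_bodies entry; the function names and the sample input are constructed for this example.

```python
# Statement keys in the snake_case form the module accepts (the WAFv2 statement types).
KNOWN_STATEMENTS = {
    "byte_match_statement", "xss_match_statement", "sqli_match_statement", "geo_match_statement",
    "rate_based_statement", "managed_rule_group_statement", "rule_group_reference_statement",
    "ip_set_reference_statement", "regex_pattern_set_reference_statement", "regex_match_statement",
    "size_constraint_statement", "label_match_statement", "and_statement", "or_statement", "not_statement",
}
GROUP_STATEMENTS = {"managed_rule_group_statement", "rule_group_reference_statement"}

def statement_keys(statement):
    # Yield every statement key, descending into and/or/not and scope-down statements.
    for key, body in statement.items():
        yield key
        body = body or {}
        if key in ("and_statement", "or_statement"):
            nested = body.get("statements") or []
        else:  # not_statement, rate_based_statement and rule groups nest at most one statement
            nested = [body[k] for k in ("statement", "scope_down_statement") if body.get(k)]
        for sub in nested:
            yield from statement_keys(sub)

def check_rules(rules, custom_response_bodies=None):
    """Return a list of problems; an empty list means the rules pass every check."""
    problems, seen, bodies = [], {}, custom_response_bodies or {}
    for rule in rules:
        name, prio, stmt = rule.get("name", "<unnamed>"), rule.get("priority"), rule.get("statement") or {}
        if prio in seen:  # WAFv2 rejects duplicate priorities within one web ACL
            problems.append(f"{name}: priority {prio} already used by {seen[prio]}")
        seen.setdefault(prio, name)
        for key in statement_keys(stmt):
            if key not in KNOWN_STATEMENTS:
                problems.append(f"{name}: unknown statement key '{key}'")
        # Rule-group statements take override_action; every other statement takes action, never both.
        needs_override = bool(set(stmt) & GROUP_STATEMENTS)
        if ("override_action" in rule) != needs_override or ("action" in rule) == needs_override:
            problems.append(f"{name}: expected {'override_action' if needs_override else 'action'} and nothing else")
        body_key = (((rule.get("action") or {}).get("block") or {}).get("custom_response") or {}).get("custom_response_body_key")
        if body_key and body_key not in bodies:
            problems.append(f"{name}: custom_response_body_key '{body_key}' is not in custom_response_bodies")
    return problems

# Constructed sample modelled on the examples above, with three deliberate defects: a duplicate
# priority, a misspelled statement key and a custom_response_body_key that is never defined.
SAMPLE_BODIES = {"too_many_requests": {"content_type": "APPLICATION_JSON", "content": "{}"}}
SAMPLE_RULES = [
    {"name": "admin_protect", "priority": 1, "override_action": {"none": {}},
     "statement": {"managed_rule_group_statement": {"vendor_name": "AWS", "name": "AWSManagedRulesAdminProtectionRuleSet"}}},
    {"name": "rate-limit-per-IP", "priority": 1,
     "action": {"block": {"custom_response": {"response_code": 429, "custom_response_body_key": "too_many_request"}}},
     "statement": {"rate_based_statement": {"limit": 5000, "aggregate_key_type": "IP", "scope_down_statement": {
         "or_statement": {"statements": [{"byte_match_dtatement": {"search_string": "api.mydomain.tld"}}]}}}}},
]
```

Running check_rules(SAMPLE_RULES, SAMPLE_BODIES) yields three findings, one per planted defect; an empty list means the rules list is safe to hand to the module.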
Parameters

- name (str, required): The name of the web ACL.
- description (str): Description of the wafv2 web ACL.
- scope (str, required; choices: CLOUDFRONT, REGIONAL): Geographical scope of the web ACL.
- state (str, required; choices: present, absent): Whether the web ACL is present or absent.
- default_action (str; choices: Block, Allow): Default action of the wafv2 web ACL.
- rules (list of dict): The rule statements used to identify the web requests that you want to allow, block, or count. For a list of managed rules see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html. Each rule takes the following suboptions:
  - name (str): The name of the wafv2 rule.
  - priority (int): The rule priority.
  - action (dict): Whether a rule is blocked, allowed or counted.
  - statement (dict): Rule configuration.
  - visibility_config (dict): Visibility of the single wafv2 rule.
- purge_rules (bool, default true): When set to no, keep the existing rules of the web ACL in place. Will modify and add, but will not delete.
- tags (dict): Tags for the wafv2 web ACL.
- metric_name (str): Name of the CloudWatch metric. If not given and cloudwatch_metrics is enabled, the name of the web ACL itself is used.
- cloudwatch_metrics (bool, default true): Enable the CloudWatch metric for the wafv2 web ACL.
- sampled_requests (bool, default false): Whether to store a sample of the web requests, true or false.
- custom_response_bodies (dict; added in community.aws 3.1.0): A map of custom response keys and content bodies. Define response bodies here and reference them in the rules by providing the key of the body dictionary element. Each element must have a unique dict key and, in the dict, two keys, content_type and content. Requires botocore >= 1.20.40.

Common AWS connection parameters:

- region (str; aliases: aws_region, ec2_region): The AWS region to use. If not specified, the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
- ec2_url (str; aliases: aws_endpoint_url, endpoint_url): URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set, the value of the EC2_URL environment variable, if any, is used.
- profile (str; aliases: aws_profile): Using profile will override aws_access_key, aws_secret_key and security_token; support for passing them at the same time as profile has been deprecated. aws_access_key, aws_secret_key and security_token will be made mutually exclusive with profile after 2022-06-01.
- aws_access_key (str; aliases: ec2_access_key, access_key): AWS access key. If not set, the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used. If profile is set this parameter is ignored. Passing the aws_access_key and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
- aws_secret_key (str; aliases: ec2_secret_key, secret_key): AWS secret key. If not set, the value of the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY or EC2_SECRET_KEY environment variable is used. If profile is set this parameter is ignored. Passing the aws_secret_key and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
- security_token (str; aliases: aws_security_token, access_token): AWS STS security token. If not set, the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used. If profile is set this parameter is ignored. Passing the security_token and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
- aws_config (dict): A dictionary to modify the botocore configuration. Parameters can be found at https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config. Only the 'user_agent' key is used for boto modules. See http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto for more boto configuration.
- aws_ca_bundle (path): The location of a CA bundle to use when validating SSL certificates. Not used by boto 2 based modules. Note: the CA bundle is read module side and may need to be explicitly copied from the controller if not run locally.
- validate_certs (bool, default true): When set to no, SSL certificates will not be validated for communication with the AWS APIs.
- debug_botocore_endpoint_logs (bool, default no): Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputting the set to the resource_actions key in the task results. Use the aws_resource_action callback to output the total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
Return Values (each is returned as long as the web ACL exists)

- arn (str): Web ACL ARN. Sample: arn:aws:wafv2:eu-central-1:11111111:regional/webacl/test05/318c1ab9-fa74-4b3b-a974-f92e25106f61
- capacity (int): Current capacity of the web ACL. Sample: 140
- custom_response_bodies (dict): Custom response body configurations to be used in rules. Sample:
  too_many_requests:
    content: '{ message: "Your request has been blocked due to too many HTTP requests coming from your IP" }'
    content_type: APPLICATION_JSON
- default_action (dict): Default action of the ACL. Sample: allow: {}
- description (str): Description of the web ACL. Sample: Some web acl description
- name (str): Web ACL name. Sample: test02
- rules (list): Current rules of the web ACL. Sample:
  - name: admin_protect
    override_action:
      none: {}
    priority: 1
    statement:
      managed_rule_group_statement:
        name: AWSManagedRulesAdminProtectionRuleSet
        vendor_name: AWS
    visibility_config:
      cloud_watch_metrics_enabled: true
      metric_name: admin_protect
      sampled_requests_enabled: true
- visibility_config (dict): Visibility config of the web ACL. Sample:
  cloud_watch_metrics_enabled: true
  metric_name: blub
  sampled_requests_enabled: false