Try SpotterCreate and delete WAF Conditions
| "added in version" 1.0.0 of community.aws"
Authors: Will Thames (@willthames), Mike Mochan (@mmochan)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0Read the AWS documentation for WAF U(https://aws.amazon.com/documentation/waf/)
Prior to release 5.0.0 this module was called C(community.aws.aws_waf_condition). The usage did not change.
- name: create WAF byte condition
community.aws.waf_condition:
name: my_byte_condition
filters:
- field_to_match: header
position: STARTS_WITH
target_string: Hello
header: Content-type
type: byte
- name: create WAF geo condition
community.aws.waf_condition:
name: my_geo_condition
filters:
- country: US
- country: AU
- country: AT
type: geo
- name: create IP address condition
community.aws.waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "10.0.0.0/8"
- ip_address: "192.168.0.0/24"
type: ip
- name: create WAF regex condition
community.aws.waf_condition:
name: my_regex_condition
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
- name: create WAF size condition
community.aws.waf_condition:
name: my_size_condition
filters:
- field_to_match: query_string
size: 300
comparison: GT
type: size
- name: create WAF sql injection condition
community.aws.waf_condition:
name: my_sql_condition
filters:
- field_to_match: query_string
transformation: url_decode
type: sql
- name: create WAF xss condition
community.aws.waf_condition:
name: my_xss_condition
filters:
- field_to_match: query_string
transformation: url_decode
type: xss
name:
description: Name of the Web Application Firewall condition to manage.
required: true
type: str
type:
choices:
- byte
- geo
- ip
- regex
- size
- sql
- xss
description: The type of matching to perform.
required: true
type: str
state:
choices:
- present
- absent
default: present
description: Whether the condition should be C(present) or C(absent).
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
filters:
description:
- A list of the filters against which to match.
- For I(type=byte), valid keys are I(field_to_match), I(position), I(header), I(transformation)
and I(target_string).
- For I(type=geo), the only valid key is I(country).
- For I(type=ip), the only valid key is I(ip_address).
- For I(type=regex), valid keys are I(field_to_match), I(transformation) and I(regex_pattern).
- For I(type=size), valid keys are I(field_to_match), I(transformation), I(comparison)
and I(size).
- For I(type=sql), valid keys are I(field_to_match) and I(transformation).
- For I(type=xss), valid keys are I(field_to_match) and I(transformation).
- Required when I(state=present).
elements: dict
suboptions:
comparison:
choices:
- EQ
- NE
- LE
- LT
- GE
- GT
description:
- What type of comparison to perform.
- Only valid key when I(type=size).
type: str
country:
description:
- Value of geo constraint (typically a two letter country code).
- The only valid key when I(type=geo).
type: str
field_to_match:
choices:
- uri
- query_string
- header
- method
- body
description:
- The field upon which to perform the match.
- Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss).
type: str
header:
description:
- Which specific header should be matched.
- Required when I(field_to_match=header).
- Valid when I(type=byte).
type: str
ip_address:
description:
- An IP Address or CIDR to match.
- The only valid key when I(type=ip).
type: str
position:
choices:
- exactly
- starts_with
- ends_with
- contains
- contains_word
description:
- Where in the field the match needs to occur.
- Only valid when I(type=byte).
type: str
regex_pattern:
description:
- A dict describing the regular expressions used to perform the match.
- Only valid when I(type=regex).
suboptions:
name:
description: A name to describe the set of patterns.
type: str
regex_strings:
description: A list of regular expressions to match.
elements: str
type: list
type: dict
size:
description:
- The size of the field (in bytes).
- Only valid key when I(type=size).
type: int
target_string:
description:
- The string to search for.
- May be up to 50 bytes.
- Valid when I(type=byte).
type: str
transformation:
choices:
- none
- compress_white_space
- html_entity_decode
- lowercase
- cmd_line
- url_decode
description:
- A transform to apply on the field prior to performing the match.
- Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss).
type: str
type: list
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
waf_regional:
default: false
description: Whether to use C(waf-regional) module.
required: false
type: bool
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
purge_filters:
default: false
description:
- Whether to remove existing filters from a condition if not passed in I(filters).
type: bool
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
condition:
contains:
byte_match_set_id:
description: ID for byte match set.
returned: always
sample: c4882c96-837b-44a2-a762-4ea87dbf812b
type: str
byte_match_tuples:
contains:
field_to_match:
contains:
data:
description: Which specific header (if type is header).
sample: content-type
type: str
type:
description: Type of field
sample: HEADER
type: str
description: Field to match.
returned: always
type: complex
positional_constraint:
description: Position in the field to match.
sample: STARTS_WITH
type: str
target_string:
description: String to look for.
sample: Hello
type: str
text_transformation:
description: Transformation to apply to the field before matching.
sample: NONE
type: str
description: List of byte match tuples.
returned: always
type: complex
condition_id:
description: Type-agnostic ID for the condition.
returned: when state is present
sample: dd74b1ff-8c06-4a4f-897a-6b23605de413
type: str
geo_match_constraints:
contains:
type:
description: Type of geo constraint.
sample: Country
type: str
value:
description: Value of geo constraint (typically a country code).
sample: AT
type: str
description: List of geographical constraints.
returned: when type is geo and state is present
type: complex
geo_match_set_id:
description: ID of the geo match set.
returned: when type is geo and state is present
sample: dd74b1ff-8c06-4a4f-897a-6b23605de413
type: str
ip_set_descriptors:
contains:
type:
description: Type of IP address (IPV4 or IPV6).
returned: always
sample: IPV4
type: str
value:
description: IP address.
returned: always
sample: 10.0.0.0/8
type: str
description: list of IP address filters
returned: when type is ip and state is present
type: complex
ip_set_id:
description: ID of condition.
returned: when type is ip and state is present
sample: 78ad334a-3535-4036-85e6-8e11e745217b
type: str
name:
description: Name of condition.
returned: when state is present
sample: my_waf_condition
type: str
regex_match_set_id:
description: ID of the regex match set.
returned: when type is regex and state is present
sample: 5ea3f6a8-3cd3-488b-b637-17b79ce7089c
type: str
regex_match_tuples:
contains:
field_to_match:
contains:
type:
description: The field name.
returned: when type is regex and state is present
sample: QUERY_STRING
type: str
description: Field on which the regex match is applied.
type: complex
regex_pattern_set_id:
description: ID of the regex pattern.
sample: 6fdf7f2d-9091-445c-aef2-98f3c051ac9e
type: str
text_transformation:
description: transformation applied to the text before matching
sample: NONE
type: str
description: List of regex matches.
returned: when type is regex and state is present
type: complex
size_constraint_set_id:
description: ID of the size constraint set.
returned: when type is size and state is present
sample: de84b4b3-578b-447e-a9a0-0db35c995656
type: str
size_constraints:
contains:
comparison_operator:
description: Comparison operator to apply.
sample: GT
type: str
field_to_match:
contains:
type:
description: Field name.
sample: QUERY_STRING
type: str
description: Field on which the size constraint is applied.
type: complex
size:
description: Size to compare against the field.
sample: 300
type: int
text_transformation:
description: Transformation applied to the text before matching.
sample: NONE
type: str
description: List of size constraints to apply.
returned: when type is size and state is present
type: complex
sql_injection_match_set_id:
description: ID of the SQL injection match set.
returned: when type is sql and state is present
sample: de84b4b3-578b-447e-a9a0-0db35c995656
type: str
sql_injection_match_tuples:
contains:
field_to_match:
contains:
type:
description: Field name.
sample: QUERY_STRING
type: str
description: Field on which the SQL injection match is applied.
type: complex
text_transformation:
description: Transformation applied to the text before matching.
sample: URL_DECODE
type: str
description: List of SQL injection match sets.
returned: when type is sql and state is present
type: complex
xss_match_set_id:
description: ID of the XSS match set.
returned: when type is xss and state is present
sample: de84b4b3-578b-447e-a9a0-0db35c995656
type: str
xss_match_tuples:
contains:
field_to_match:
contains:
type:
description: Field name
sample: QUERY_STRING
type: str
description: Field on which the XSS match is applied.
type: complex
text_transformation:
description: transformation applied to the text before matching.
sample: URL_DECODE
type: str
description: List of XSS match sets.
returned: when type is xss and state is present
type: complex
description: Condition returned by operation.
returned: always
type: complex