oci_waas_policy – Manage a WaasPolicy resource in Oracle Cloud Infrastructure

New in version 2.5.

Synopsis

  • This module allows the user to create, update and delete a WaasPolicy resource in Oracle Cloud Infrastructure
  • For state=present, creates a new Web Application Acceleration and Security (WAAS) policy in the specified compartment. A WAAS policy must be established before creating Web Application Firewall (WAF) rules. To use WAF rules, your web application's origin servers must be defined in the WaasPolicy schema.
  • A domain name must be specified when creating a WAAS policy. The domain name should be different from the origins specified in your WaasPolicy. Once the domain name is entered and stored, it cannot be changed.
  • Use the record data returned in the cname field of the WaasPolicy object to create a CNAME record in your DNS configuration that will direct your domain’s traffic through the WAF.
  • For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.
  • You must specify a display name and domain for the WAAS policy. The display name does not have to be unique and can be changed. The domain name should be different from every origin specified in WaasPolicy.
  • All Oracle Cloud Infrastructure resources, including WAAS policies, receive a unique, Oracle-assigned ID called an Oracle Cloud Identifier (OCID). When a resource is created, you can find its OCID in the response. You can also retrieve a resource's OCID by using a list API operation for that resource type, or by viewing the resource in the Console. For more information, see Resource Identifiers.
  • Note: After sending the POST request, the new object’s state will temporarily be CREATING. Ensure that the resource’s state has changed to ACTIVE before use.
  • This resource has the following action operations in the oci_waas_policy_actions module: accept_recommendations.
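The create-then-CNAME workflow described above, as an added playbook example (not from the module's own documentation). The compartment and certificate OCIDs, the domain www.example.com, the origin host origin.example.com and the shared-secret header are assumptions. The origin must actually verify that header (and ideally accept connections only from the WAAS edge); otherwise anyone who learns the origin address can talk to it directly and bypass the WAF entirely.

```yaml
# Added example, not part of the module documentation. All OCIDs, host names
# and the shared-secret header are placeholders.
- name: Put www.example.com behind OCI WAAS and hand back the CNAME target
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    compartment_ocid: "ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx"
    certificate_ocid: "ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx"
    # Secret the origin checks on every request so it rejects traffic that did
    # not come through the WAF (store it in ansible-vault or the environment).
    origin_shared_secret: "{{ lookup('env', 'WAAS_ORIGIN_SECRET') }}"
  tasks:
    - name: Create the WAAS policy (wait=yes is the default, so the task returns once the policy is ACTIVE)
      oci_waas_policy:
        compartment_id: "{{ compartment_ocid }}"
        display_name: www-example-com-waas
        # The protected domain is fixed at creation and must differ from every origin host.
        domain: www.example.com
        origins:
          primary:
            uri: origin.example.com        # host only: no scheme, no path
            http_port: 80
            https_port: 443
            custom_headers:
              - name: X-WAAS-Origin-Token  # assumed header name; the origin must enforce it
                value: "{{ origin_shared_secret }}"
        policy_config:
          is_https_enabled: yes            # requires certificate_id
          certificate_id: "{{ certificate_ocid }}"
          is_https_forced: yes             # redirect HTTP to HTTPS at the edge
        waf_config:
          origin: primary                  # key into origins; required on create
        wait_timeout: 1800
      register: waas

    - name: Refuse to continue unless the policy is ACTIVE and has a CNAME target
      assert:
        that:
          - "waas.waas_policy.lifecycle_state == 'ACTIVE'"
          - "waas.waas_policy.cname | length > 0"
        msg: "WAAS policy {{ waas.waas_policy.id }} is in state {{ waas.waas_policy.lifecycle_state }}"

    - name: Show the record to publish in DNS; traffic only passes the WAF once this CNAME is live
      debug:
        msg: "CNAME www.example.com -> {{ waas.waas_policy.cname }}"

    - name: Later changes reference the policy by OCID (the domain itself cannot be changed)
      oci_waas_policy:
        waas_policy_id: "{{ waas.waas_policy.id }}"
        display_name: www-example-com-waas-v2
        freeform_tags:
          Owner: appsec
```

Re-running the create task is idempotent only while its attributes match the existing policy: by default the module identifies a resource by every attribute except freeform_tags, so changing, say, display_name in the create task makes the module attempt a second create for the same domain. Pass key_by to narrow the match, or make changes through a task that carries waas_policy_id as the last task does.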

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
additional_domains
list
An array of additional domains for the specified web application.
api_user
string
The OCID of the user on whose behalf OCI APIs are invoked. If not set, then the value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See config_file_location). To get the user's OCID, see https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_fingerprint
string
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See config_file_location). To get the key pair's fingerprint value, see https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_key_file
string
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided.
api_user_key_pass_phrase
string
Passphrase used by the key referenced in api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location).
auth_type
string
    Choices:
  • api_key ←
  • instance_principal
The type of authentication to use for making API requests. By default auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance.
compartment_id
-
The OCID of the compartment in which to create the WAAS policy.
Required for create using state=present.
config_file_location
string
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
config_profile_name
string
The profile to load from the config file referenced by config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location.
defined_tags
dictionary
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.
display_name
-
A user-friendly name for the WAAS policy. The name can be changed and does not need to be unique.

aliases: name
domain
-
The web application domain that the WAAS policy protects.
Required for create using state=present.
force_create
boolean
    Choices:
  • no ←
  • yes
Whether to attempt non-idempotent creation of a resource. By default, create is an idempotent operation and does not create the resource if it already exists. Setting this option to true forcibly creates a copy of the resource, even if it already exists. This option is mutually exclusive with key_by.
freeform_tags
dictionary
A simple key-value pair without any defined schema.
key_by
list
The list of comma-separated attributes of this resource which should be used to uniquely identify an instance of the resource. By default, all the attributes of a resource except freeform_tags are used to uniquely identify a resource.
origins
dictionary
A map of host to origin for the web application. The key should be a customer friendly name for the host, ex. primary, secondary, etc.
custom_headers
list
A list of HTTP headers to forward to your origin.
name
- / required
The name of the header.
value
- / required
The value of the header.
http_port
integer
The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.
https_port
integer
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.
uri
- / required
The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.
policy_config
dictionary
certificate_id
-
The OCID of the SSL certificate to use if HTTPS is supported.
is_https_enabled
boolean
    Choices:
  • no
  • yes
Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.
is_https_forced
boolean
    Choices:
  • no
  • yes
Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.
region
string
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions.
state
-
    Choices:
  • present ←
  • absent
The state of the WaasPolicy.
Use state=present to create or update a WaasPolicy.
Use state=absent to delete a WaasPolicy.
tenancy
string
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See config_file_location). To get the tenancy OCID, see https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm
waas_policy_id
-
The OCID of the WAAS policy.
Required for update using state=present, state=absent.

aliases: id
waf_config
dictionary
access_rules
list
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.
action
- / required
    Choices:
  • ALLOW
  • DETECT
  • BLOCK
The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.
block_action
-
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE
The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.
block_error_page_code
-
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.
block_error_page_description
-
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'
block_error_page_message
-
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'
block_response_code
integer
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.
criteria
list / required
The list of access rule criteria.
condition
- / required
    Choices:
  • URL_IS
  • URL_IS_NOT
  • URL_STARTS_WITH
  • URL_PART_ENDS_WITH
  • URL_PART_CONTAINS
  • URL_REGEX
  • IP_IS
  • IP_IS_NOT
  • HTTP_HEADER_CONTAINS
  • COUNTRY_IS
  • COUNTRY_IS_NOT
  • USER_AGENT_IS
  • USER_AGENT_IS_NOT
The criteria the access rule uses to determine if action should be taken on a request.
- **URL_IS:** Matches if the concatenation of request URL path and query is identical to the contents of the `value` field.
- **URL_IS_NOT:** Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field.
- **URL_STARTS_WITH:** Matches if the concatenation of request URL path and query starts with the contents of the `value` field.
- **URL_PART_ENDS_WITH:** Matches if the concatenation of request URL path and query ends with the contents of the `value` field.
- **URL_PART_CONTAINS:** Matches if the concatenation of request URL path and query contains the contents of the `value` field.
- **URL_REGEX:** Matches if the request is described by the regular expression in the `value` field.
- **IP_IS:** Matches if the request originates from an IP address in the `value` field.
- **IP_IS_NOT:** Matches if the request does not originate from an IP address in the `value` field.
- **HTTP_HEADER_CONTAINS:** Matches if the request includes an HTTP header field whose name and value correspond to data specified in the `value` field with a separating colon. **Example:** `host:test.example.com` where `host` is the name of the field and `test.example.com` is the value of the host field. Comparison is independently applied to every header field whose name is a case-insensitive match, and the value is required to be case-sensitive identical.
- **COUNTRY_IS:** Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
- **COUNTRY_IS_NOT:** Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
- **USER_AGENT_IS:** Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
- **USER_AGENT_IS_NOT:** Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
value
- / required
The criteria value.
name
- / required
The unique name of the access rule.
address_rate_limiting
dictionary
The IP address rate limiting settings used to limit the number of requests from an address.
allowed_rate_per_address
integer
The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.
block_response_code
integer
The response status code returned when a request is blocked. If unspecified, defaults to `503`.
is_enabled
boolean / required
    Choices:
  • no
  • yes
Enables or disables the address rate limiting Web Application Firewall feature.
max_delayed_count_per_address
integer
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.
captchas
list
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
failure_message
- / required
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`
footer_text
-
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'
header_text
-
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'
session_expiration_in_seconds
integer / required
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.
submit_label
- / required
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.
title
- / required
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`
url
- / required
The unique URL path at which to show the CAPTCHA challenge.
device_fingerprint_challenge
dictionary
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.
action
-
    Choices:
  • DETECT
  • BLOCK
The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.
action_expiration_in_seconds
integer
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
challenge_settings
dictionary
block_action
-
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
block_error_page_code
-
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
block_error_page_description
-
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
block_error_page_message
-
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
block_response_code
integer
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
captcha_footer
-
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
captcha_header
-
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
captcha_submit_label
-
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
captcha_title
-
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
failure_threshold
integer
The number of failed requests allowed before taking action. If unspecified, defaults to `10`.
failure_threshold_expiration_in_seconds
integer
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
is_enabled
boolean / required
    Choices:
  • no
  • yes
Enables or disables the device fingerprint challenge Web Application Firewall feature.
max_address_count
integer
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.
max_address_count_expiration_in_seconds
integer
The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.
good_bots
list
A list of bots allowed to access the web application.
description
-
The description of the bot.
is_enabled
boolean / required
    Choices:
  • no
  • yes
Enables or disables the bot.
key
- / required
The unique key for the bot.
name
-
The bot name.
human_interaction_challenge
dictionary
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
action
-
    Choices:
  • DETECT
  • BLOCK
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
action_expiration_in_seconds
integer
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
challenge_settings
dictionary
block_action
-
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
block_error_page_code
-
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
block_error_page_description
-
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
block_error_page_message
-
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
block_response_code
integer
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
captcha_footer
-
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
captcha_header
-
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
captcha_submit_label
-
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
captcha_title
-
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
failure_threshold
integer
The number of failed requests before taking action. If unspecified, defaults to `10`.
failure_threshold_expiration_in_seconds
integer
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
interaction_threshold
integer
The number of interactions required to pass the challenge. If unspecified, defaults to `3`.
is_enabled
boolean / required
    Choices:
  • no
  • yes
Enables or disables the human interaction challenge Web Application Firewall feature.
recording_period_in_seconds
integer
The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.
set_http_header
dictionary
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
name
- / required
The name of the header.
value
- / required
The value of the header.
js_challenge
dictionary
The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.
action
-
    Choices:
  • DETECT
  • BLOCK
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
action_expiration_in_seconds
integer
The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.
challenge_settings
dictionary
block_action
-
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
block_error_page_code
-
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
block_error_page_description
-
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
block_error_page_message
-
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
block_response_code
integer
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
captcha_footer
-
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
captcha_header
-
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
captcha_submit_label
-
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
captcha_title
-
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
failure_threshold
integer
The number of failed requests before taking action. If unspecified, defaults to `10`.
is_enabled
boolean / required
    Choices:
  • no
  • yes
Enables or disables the JavaScript challenge Web Application Firewall feature.
set_http_header
dictionary
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
name
- / required
The name of the header.
value
- / required
The value of the header.
origin
-
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.
protection_rules
list
A list of the protection rules and their details.
action
-
    Choices:
  • OFF
  • DETECT
  • BLOCK
The action to take when the traffic is detected as malicious. If unspecified, defaults to `OFF`.
description
-
The description of the protection rule.
exclusions
list
The exclusions applied to this protection rule: parts of the request the rule must not inspect, typically a cookie or argument known to trigger false positives.
exclusions
list
The values to exclude for the given `target`, e.g. the names of the cookies or arguments the rule should skip.
target
-
    Choices:
  • REQUEST_COOKIES
  • REQUEST_COOKIE_NAMES
  • ARGS
  • ARGS_NAMES
The target of the exclusion.
key
-
The unique key of the protection rule.
labels
list
The list of labels for the protection rule.
**Note:** Protection rules with a `ResponseBody` label will have no effect unless `isResponseInspected` is true.
mod_security_rule_ids
list
The list of the ModSecurity rule IDs that apply to this protection rule. For more information about ModSecurity's open source WAF rules, see Mod Security's documentation.
name
-
The name of the protection rule.
protection_settings
dictionary
The settings to apply to protection rules.
allowed_http_methods
list
    Choices:
  • OPTIONS
  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • TRACE
  • CONNECT
  • PATCH
  • PROPFIND
The list of allowed HTTP methods. If unspecified, defaults to `[OPTIONS, GET, HEAD, POST]`.
block_action
-
    Choices:
  • SHOW_ERROR_PAGE
  • SET_RESPONSE_CODE
If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.
block_error_page_code
-
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
block_error_page_description
-
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
block_error_page_message
-
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'
block_response_code
integer
The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
is_response_inspected
boolean
    Choices:
  • no
  • yes
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.
**Note:** Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.
max_argument_count
integer
The maximum number of arguments allowed to be passed to your application before an action is taken. If unspecified, defaults to `255`.
max_name_length_per_argument
integer
The maximum length allowed for each argument name, in characters. If unspecified, defaults to `400`.
max_response_size_in_ki_b
integer
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.
max_total_name_length_of_arguments
integer
The maximum length allowed for the sum of all argument names, in characters. If unspecified, defaults to `64000`.
media_types
list
The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `[text/html, text/plain, text/xml]`.
Supported MIME types include:
- text/html
- text/plain
- text/asp
- text/css
- text/x-script
- application/json
- text/webviewhtml
- text/x-java-source
- application/x-javascript
- application/javascript
- application/ecmascript
- text/javascript
- text/ecmascript
- text/x-script.perl
- text/x-script.phyton
- application/plain
- application/xml
- text/xml
recommendations_period_in_days
integer
The length of time to analyze traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.
Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.
threat_feeds
list
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.
action
-
    Choices:
  • OFF
  • DETECT
  • BLOCK
The action to take when traffic is flagged as malicious by data from the threat intelligence feed. If unspecified, defaults to `OFF`.
description
-
The description of the threat intelligence feed.
key
-
The unique key of the threat intelligence feed.
name
-
The name of the threat intelligence feed.
whitelists
list
A list of IP addresses that bypass the Web Application Firewall.
addresses
list / required
A set of IP addresses or CIDR notations to include in the whitelist.
name
- / required
The unique name of the whitelist.
wait
boolean
    Choices:
  • no
  • yes ←
Whether to wait for create or delete operation to complete.
wait_timeout
integer
Default:
1200
Time, in seconds, to wait when wait=yes.
wait_until
string
The lifecycle state to wait for the resource to transition into when wait=yes. By default, when wait=yes, the module waits for the resource to reach the applicable ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/RUNNING lifecycle state during a create operation, and the DELETED/DETACHED/TERMINATED lifecycle state during a delete operation.

Examples

- name: Create waas_policy
  oci_waas_policy:
    compartment_id: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
    domain: domain_example

- name: Update waas_policy
  oci_waas_policy:
    display_name: display_name_example
    # origins is a map of friendly host name to origin, not a single origin
    origins:
      primary:
        uri: uri_example
    waas_policy_id: ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx

- name: Delete waas_policy
  oci_waas_policy:
    waas_policy_id: ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx
    state: absent
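Hardening the WAF on an existing policy, as an added example (not from the module documentation). The policy OCID, the origin key primary, the office and scanner CIDRs and the header name are assumptions. Within one access rule all of its criteria must match for the rule to fire, which is what makes the allow/block pair on /admin below work.

```yaml
# Added example, not part of the module documentation. The OCID, CIDRs and
# header name are placeholders.
- name: Tighten the WAF on an existing WAAS policy
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Access rules, rate limiting, method allow-list and a detect-first JS challenge
      oci_waas_policy:
        waas_policy_id: "ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx"
        waf_config:
          origin: primary
          access_rules:
            # Rule names must be unique; an unspecified action defaults to ALLOW.
            - name: allow-office-to-admin
              action: ALLOW
              criteria:
                - condition: URL_STARTS_WITH
                  value: /admin
                - condition: IP_IS
                  value: 203.0.113.0/24          # assumed office range
            - name: block-admin-from-elsewhere
              action: BLOCK
              block_action: SET_RESPONSE_CODE
              block_response_code: 404           # do not advertise that /admin exists
              criteria:
                - condition: URL_STARTS_WITH
                  value: /admin
                - condition: IP_IS_NOT
                  value: 203.0.113.0/24
            - name: detect-legacy-script-probes
              action: DETECT                     # log only, measure false positives first
              criteria:
                - condition: URL_REGEX
                  value: '\.(php|asp|aspx)(\?|$)' # app serves none of these
            - name: detect-spoofed-forwarded-header
              action: DETECT
              criteria:
                - condition: HTTP_HEADER_CONTAINS
                  value: "x-forwarded-for:127.0.0.1"   # name case-insensitive, value exact
          address_rate_limiting:
            is_enabled: yes
            allowed_rate_per_address: 20          # req/s per source IP; the default of 1 would throttle normal browsing
            max_delayed_count_per_address: 50
            block_response_code: 429
          protection_settings:
            allowed_http_methods: [GET, HEAD, POST, OPTIONS]   # drops TRACE, PUT, DELETE, CONNECT, PROPFIND
            block_action: SET_RESPONSE_CODE
            block_response_code: 403
            max_argument_count: 64
            max_name_length_per_argument: 100
            is_response_inspected: yes            # only Content-Types in media_types are inspected
            media_types: ["text/html", "application/json"]
            recommendations_period_in_days: 7
          js_challenge:
            is_enabled: yes
            action: DETECT                        # set_http_header only applies in DETECT
            failure_threshold: 10
            action_expiration_in_seconds: 60
            set_http_header:
              name: X-WAAS-JS-Challenge           # assumed name; origin logs it for review
              value: failed
          whitelists:
            - name: authorized-scanner
              addresses: ["198.51.100.10/32"]     # bypasses the whole WAF; remove after the engagement
      register: waas

    - name: Keys needed to turn on individual protection rules and threat feeds come back in the policy
      debug:
        msg:
          - "{{ waas.waas_policy.waf_config.protection_rules | map(attribute='key') | list }}"
          - "{{ waas.waas_policy.waf_config.threat_feeds | map(attribute='key') | list }}"
```

Roll challenges out in DETECT first: the header set by set_http_header lets the origin log which requests would have been blocked, and once the false-positive rate is known the same task with action: BLOCK flips enforcement. Whitelist entries skip access rules, protection rules and challenges alike, so scanner whitelists should be short-lived. Individual protection_rules and threat_feeds are addressed by the key values the registered result returns, not by name.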

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
waas_policy
complex
on success
Details of the WaasPolicy resource acted upon by the current operation

Sample:
{'lifecycle_state': 'CREATING', 'domain': 'domain_example', 'display_name': 'display_name_example', 'compartment_id': 'ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx', 'origins': {'primary': {'http_port': 56, 'custom_headers': [{'name': 'name_example', 'value': 'value_example'}], 'uri': 'uri_example', 'https_port': 56}}, 'waf_config': {'origin': 'primary', 'protection_rules': [{'mod_security_rule_ids': [], 'name': 'name_example', 'key': 'key_example', 'action': 'OFF', 'labels': [], 'exclusions': [{'target': 'REQUEST_COOKIES', 'exclusions': []}], 'description': 'description_example'}], 'address_rate_limiting': {'is_enabled': True, 'allowed_rate_per_address': 56, 'block_response_code': 56, 'max_delayed_count_per_address': 56}, 'js_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'failure_threshold': 56, 'action': 'DETECT', 'action_expiration_in_seconds': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'device_fingerprint_challenge': {'is_enabled': True, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'max_address_count_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'max_address_count': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'whitelists': [{'name': 'name_example', 'addresses': []}], 'human_interaction_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'recording_period_in_seconds': 56, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'interaction_threshold': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'good_bots': [{'is_enabled': True, 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}], 'access_rules': [{'block_error_page_message': 'block_error_page_message_example', 'name': 'name_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'criteria': [{'condition': 'URL_IS', 'value': 'value_example'}], 'action': 'ALLOW', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example'}], 'protection_settings': {'media_types': [], 'block_error_page_message': 'block_error_page_message_example', 'max_total_name_length_of_arguments': 56, 'recommendations_period_in_days': 56, 'block_error_page_code': 'block_error_page_code_example', 'max_response_size_in_ki_b': 56, 'block_action': 'SHOW_ERROR_PAGE', 'max_argument_count': 56, 'max_name_length_per_argument': 56, 'is_response_inspected': True, 'block_response_code': 56, 'allowed_http_methods': [], 'block_error_page_description': 'block_error_page_description_example'}, 'captchas': [{'submit_label': 'submit_label_example', 'header_text': 'header_text_example', 'title': 'title_example', 'url': 'url_example', 'session_expiration_in_seconds': 56, 'footer_text': 'footer_text_example', 'failure_message': 'failure_message_example'}], 'threat_feeds': [{'action': 'OFF', 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}]}, 'defined_tags': {'Operations': {'CostCenter': 'US'}}, 'freeform_tags': {'Department': 'Finance'}, 'time_created': '2018-11-16T21:10:29Z', 'policy_config': {'certificate_id': 'ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx', 'is_https_enabled': True, 'is_https_forced': True}, 'cname': 'cname_example', 'additional_domains': [], 'id': 'ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx'}
  additional_domains
list
on success
An array of additional domains for this web application.

  cname
string
on success
The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.

Sample:
cname_example
  compartment_id
string
on success
The OCID of the WAAS policy's compartment.

Sample:
ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
  defined_tags
dictionary
on success
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.

Sample:
{'Operations': {'CostCenter': 'US'}}
  display_name
string
on success
The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique.

Sample:
display_name_example
  domain
string
on success
The web application domain that the WAAS policy protects.

Sample:
domain_example
  freeform_tags
dictionary
on success
A simple key-value pair without any defined schema.

Sample:
{'Department': 'Finance'}
  id
string
on success
The OCID of the WAAS policy.

Sample:
ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
  lifecycle_state
string
on success
The current lifecycle state of the WAAS policy.

Sample:
CREATING
  origins
complex
on success
A map of host to origin for the web application. The key should be a customer-friendly name for the host, e.g. primary, secondary, etc.

    custom_headers
complex
on success
A list of HTTP headers to forward to your origin.

      name
string
on success
The name of the header.

Sample:
name_example
      value
string
on success
The value of the header.

Sample:
value_example
    http_port
integer
on success
The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.

Sample:
56
    https_port
integer
on success
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.

Sample:
56
    uri
string
on success
The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.

Sample:
uri_example
  policy_config
complex
on success

    certificate_id
string
on success
The OCID of the SSL certificate to use if HTTPS is supported.

Sample:
ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx
    is_https_enabled
boolean
on success
Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.

Sample:
True
    is_https_forced
boolean
on success
Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.

Sample:
True
  time_created
string
on success
The date and time the policy was created, expressed in RFC 3339 timestamp format.

Sample:
2018-11-16T21:10:29Z
  waf_config
complex
on success

    access_rules
complex
on success
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.

      action
string
on success
The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.

Sample:
ALLOW
      block_action
string
on success
The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.

Sample:
SET_RESPONSE_CODE
      block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.

Sample:
block_error_page_code_example
      block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'

Sample:
block_error_page_description_example
      block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'

Sample:
block_error_page_message_example
      block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.

Sample:
56
      criteria
complex
on success
The list of access rule criteria.

        condition
string
on success
The criteria the access rule uses to determine if action should be taken on a request.
- **URL_IS:** Matches if the concatenation of request URL path and query is identical to the contents of the `value` field.
- **URL_IS_NOT:** Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field.
- **URL_STARTS_WITH:** Matches if the concatenation of request URL path and query starts with the contents of the `value` field.
- **URL_PART_ENDS_WITH:** Matches if the concatenation of request URL path and query ends with the contents of the `value` field.
- **URL_PART_CONTAINS:** Matches if the concatenation of request URL path and query contains the contents of the `value` field.
- **URL_REGEX:** Matches if the request is described by the regular expression in the `value` field.
- **IP_IS:** Matches if the request originates from an IP address in the `value` field.
- **IP_IS_NOT:** Matches if the request does not originate from an IP address in the `value` field.
- **HTTP_HEADER_CONTAINS:** Matches if the request includes an HTTP header field whose name and value correspond to data specified in the `value` field with a separating colon. **Example:** `host:test.example.com`, where `host` is the name of the field and `test.example.com` is the value of the host field. The comparison is applied independently to every header field whose name is a case-insensitive match, and the value must be identical (case-sensitive).
- **COUNTRY_IS:** Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
- **COUNTRY_IS_NOT:** Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
- **USER_AGENT_IS:** Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
- **USER_AGENT_IS_NOT:** Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`

Sample:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
        value
string
on success
The criteria value.

Sample:
value_example
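The matching semantics of the `condition` / `value` pair above, as an added example that is not code from the oci_waas_policy module or the OCI SDK. It assumes (not stated on this page) that a rule fires only when all of its criteria match, that rules are evaluated in list order with the first match winning, and that multi-valued IP and country values are comma-separated; the `Request` class is a constructed stand-in for what the WAF sees.

```python
"""Evaluate WAAS access-rule criteria against a request, offline.

Added example, not code from the oci_waas_policy module or the OCI SDK.
Assumptions: a rule fires only when all of its criteria match, rules are
evaluated in list order with the first match winning, and multi-valued
IP_IS / COUNTRY_IS values are comma-separated. Request is a constructed
stand-in; geo and IP resolution are supplied as plain fields.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path_and_query: str            # request URL path concatenated with the query
    client_ip: str
    country: str                   # ISO 3166-1 alpha-2 code, as the WAF would resolve it
    user_agent: str
    headers: dict = field(default_factory=dict)


def _ip_in(value, client_ip):
    # value: one address/CIDR or a comma-separated list of them (assumption)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(item.strip(), strict=False)
               for item in value.split(",") if item.strip())


def _header_contains(value, headers):
    # value is "name:value": the header name is compared case-insensitively,
    # the header value must be identical (case-sensitive), as documented
    name, sep, expected = value.partition(":")
    if not sep:
        return False
    return any(k.lower() == name.lower() and v == expected
               for k, v in headers.items())


def _countries(value):
    return {c.strip().upper() for c in value.split(",") if c.strip()}


def matches(condition, value, req):
    """Return True if a single criterion (condition/value pair) matches req."""
    url = req.path_and_query
    if condition == "URL_IS":
        return url == value
    if condition == "URL_IS_NOT":
        return url != value
    if condition == "URL_STARTS_WITH":
        return url.startswith(value)
    if condition == "URL_PART_ENDS_WITH":
        return url.endswith(value)
    if condition == "URL_PART_CONTAINS":
        return value in url
    if condition == "URL_REGEX":
        return re.search(value, url) is not None
    if condition == "IP_IS":
        return _ip_in(value, req.client_ip)
    if condition == "IP_IS_NOT":
        return not _ip_in(value, req.client_ip)
    if condition == "HTTP_HEADER_CONTAINS":
        return _header_contains(value, req.headers)
    if condition == "COUNTRY_IS":
        return req.country.upper() in _countries(value)
    if condition == "COUNTRY_IS_NOT":
        return req.country.upper() not in _countries(value)
    if condition == "USER_AGENT_IS":
        return req.user_agent == value
    if condition == "USER_AGENT_IS_NOT":
        return req.user_agent != value
    raise ValueError(f"unknown condition {condition!r}")


def rule_matches(rule, req):
    # every criterion in the rule's list must match (assumption, see docstring)
    return all(matches(c["condition"], c["value"], req) for c in rule["criteria"])


def first_action(rules, req):
    """Action (ALLOW / DETECT / BLOCK) of the first matching rule, or None."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["action"]
    return None


LEGACY_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"

# Constructed sample rule set in the access_rules shape documented above.
SAMPLE_RULES = [
    {"name": "allow_office", "action": "ALLOW",
     "criteria": [{"condition": "IP_IS", "value": "203.0.113.0/24"}]},
    {"name": "block_legacy_ua", "action": "BLOCK",
     "criteria": [{"condition": "USER_AGENT_IS", "value": LEGACY_UA}]},
    {"name": "detect_admin_from_abroad", "action": "DETECT",
     "criteria": [{"condition": "URL_STARTS_WITH", "value": "/admin"},
                  {"condition": "COUNTRY_IS_NOT", "value": "US,CA"},
                  {"condition": "HTTP_HEADER_CONTAINS", "value": "host:test.example.com"}]},
]

if __name__ == "__main__":
    req = Request("/admin/login?next=/", "198.51.100.9", "DE", "curl/8.0",
                  {"Host": "test.example.com"})
    print(first_action(SAMPLE_RULES, req))  # DETECT
```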
      name
string
on success
The unique name of the access rule.

Sample:
name_example
    address_rate_limiting
complex
on success
The IP address rate limiting settings used to limit the number of requests from an address.

      allowed_rate_per_address
integer
on success
The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.

Sample:
56
      block_response_code
integer
on success
The response status code returned when a request is blocked. If unspecified, defaults to `503`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the address rate limiting Web Application Firewall feature.

Sample:
True
      max_delayed_count_per_address
integer
on success
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.

Sample:
56
    captchas
complex
on success
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.

      failure_message
string
on success
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`

Sample:
failure_message_example
      footer_text
string
on success
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'

Sample:
footer_text_example
      header_text
string
on success
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'

Sample:
header_text_example
      session_expiration_in_seconds
integer
on success
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.

Sample:
56
      submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.

Sample:
submit_label_example
      title
string
on success
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`

Sample:
title_example
      url
string
on success
The unique URL path at which to show the CAPTCHA challenge.

Sample:
url_example
    device_fingerprint_challenge
complex
on success
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.

      action
string
on success
The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests allowed before taking action. If unspecified, defaults to `10`.

Sample:
56
      failure_threshold_expiration_in_seconds
integer
on success
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the device fingerprint challenge Web Application Firewall feature.

Sample:
True
      max_address_count
integer
on success
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.

Sample:
56
      max_address_count_expiration_in_seconds
integer
on success
The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.

Sample:
56
    good_bots
complex
on success
A list of bots allowed to access the web application.

      description
string
on success
The description of the bot.

Sample:
description_example
      is_enabled
boolean
on success
Enables or disables the bot.

Sample:
True
      key
string
on success
The unique key for the bot.

Sample:
key_example
      name
string
on success
The bot name.

Sample:
name_example
    human_interaction_challenge
complex
on success
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.

      action
string
on success
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests before taking action. If unspecified, defaults to `10`.

Sample:
56
      failure_threshold_expiration_in_seconds
integer
on success
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.

Sample:
56
      interaction_threshold
integer
on success
The number of interactions required to pass the challenge. If unspecified, defaults to `3`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the human interaction challenge Web Application Firewall feature.

Sample:
True
      recording_period_in_seconds
integer
on success
The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.

Sample:
56
      set_http_header
complex
on success
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.

        name
string
on success
The name of the header.

Sample:
name_example
        value
string
on success
The value of the header.

Sample:
value_example
    js_challenge
complex
on success
The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.

      action
string
on success
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests before taking action. If unspecified, defaults to `10`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the JavaScript challenge Web Application Firewall feature.

Sample:
True
      set_http_header
complex
on success
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.

        name
string
on success
The name of the header.

Sample:
name_example
        value
string
on success
The value of the header.

Sample:
value_example
    origin
string
on success
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.

Sample:
origin_example
    protection_rules
complex
on success
A list of the protection rules and their details.

      action
string
on success
The action to take when the traffic is detected as malicious. If unspecified, defaults to `OFF`.

      description
string
on success
The description of the protection rule.

Sample:
description_example
      exclusions
complex
on success

        exclusions
list
on success

        target
string
on success
The target of the exclusion.

Sample:
REQUEST_COOKIES
      key
string
on success
The unique key of the protection rule.

Sample:
key_example
      labels
list
on success
The list of labels for the protection rule.
**Note:** Protection rules with a `ResponseBody` label will have no effect unless `isResponseInspected` is true.

      mod_security_rule_ids
list
on success
The list of the ModSecurity rule IDs that apply to this protection rule. For more information about ModSecurity's open source WAF rules, see Mod Security's documentation.

      name
string
on success
The name of the protection rule.

Sample:
name_example
    protection_settings
complex
on success
The settings to apply to protection rules.

      allowed_http_methods
list
on success
The list of allowed HTTP methods. If unspecified, defaults to `[OPTIONS, GET, HEAD, POST]`.

      block_action
string
on success
If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.

Sample:
SHOW_ERROR_PAGE
      block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
      block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
      block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'

Sample:
block_error_page_message_example
      block_response_code
integer
on success
The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.

Sample:
56
      is_response_inspected
boolean
on success
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.
**Note:** Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.

Sample:
True
      max_argument_count
integer
on success
The maximum number of arguments allowed to be passed to your application before an action is taken. If unspecified, defaults to `255`.

Sample:
56
      max_name_length_per_argument
integer
on success
The maximum length allowed for each argument name, in characters. If unspecified, defaults to `400`.

Sample:
56
      max_response_size_in_ki_b
integer
on success
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.

Sample:
56
      max_total_name_length_of_arguments
integer
on success
The maximum length allowed for the sum of all argument names, in characters. If unspecified, defaults to `64000`.

Sample:
56
      media_types
list
on success
The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `[text/html, text/plain, text/xml]`.
Supported MIME types include:
- text/html
- text/plain
- text/asp
- text/css
- text/x-script
- application/json
- text/webviewhtml
- text/x-java-source
- application/x-javascript
- application/javascript
- application/ecmascript
- text/javascript
- text/ecmascript
- text/x-script.perl
- text/x-script.phyton
- application/plain
- application/xml
- text/xml

      recommendations_period_in_days
integer
on success
The length of time to analyze traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.
Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.

Sample:
56
    threat_feeds
complex
on success
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.

      action
string
on success
The action to take when traffic is flagged as malicious by data from the threat intelligence feed. If unspecified, defaults to `OFF`.

      description
string
on success
The description of the threat intelligence feed.

Sample:
description_example
      key
string
on success
The unique key of the threat intelligence feed.

Sample:
key_example
      name
string
on success
The name of the threat intelligence feed.

Sample:
name_example
    whitelists
complex
on success
A list of IP addresses that bypass the Web Application Firewall.

      addresses
list
on success
A set of IP addresses or CIDR notations to include in the whitelist.

      name
string
on success
The unique name of the whitelist.

Sample:
name_example
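A posture check over the `waas_policy` structure documented above, as an added example that is not code from the Ansible module or the OCI SDK. It walks the returned dict by the field names listed here (`policy_config`, `waf_config.protection_rules`, `threat_feeds`, `address_rate_limiting`, `whitelists`, `protection_settings`) and reports settings a defender would normally tighten; the whitelist width thresholds are assumptions and the sample policy is constructed.

```python
"""Audit the waas_policy dict returned by oci_waas_policy for weak settings.

Added example, not code from the Ansible module or the OCI SDK. The
whitelist width thresholds (/16 for IPv4, /48 for IPv6) are assumptions
chosen for the demonstration; SAMPLE_POLICY is constructed and is not the
page's sample output.
"""
import ipaddress


def _off_keys(items):
    # `action` defaults to OFF when unspecified, per the protection_rules and
    # threat_feeds descriptions, so a missing action counts as OFF
    return [i.get("key", "?") for i in items if i.get("action", "OFF") == "OFF"]


def audit_policy(policy):
    """Return a list of human-readable findings; an empty list means no concerns."""
    findings = []

    state = policy.get("lifecycle_state")
    if state != "ACTIVE":
        findings.append(f"lifecycle_state is {state}; the policy is not usable until ACTIVE")

    cfg = policy.get("policy_config") or {}
    if not cfg.get("is_https_enabled"):
        findings.append("policy_config.is_https_enabled is false: the WAF only serves plaintext HTTP")
    elif not cfg.get("is_https_forced"):
        findings.append("policy_config.is_https_forced is false: HTTP requests are not redirected to HTTPS")

    waf = policy.get("waf_config") or {}

    off_rules = _off_keys(waf.get("protection_rules") or [])
    if off_rules:
        findings.append(f"{len(off_rules)} protection rule(s) with action OFF: {', '.join(off_rules)}")

    off_feeds = _off_keys(waf.get("threat_feeds") or [])
    if off_feeds:
        findings.append(f"{len(off_feeds)} threat feed(s) with action OFF: {', '.join(off_feeds)}")

    if not (waf.get("address_rate_limiting") or {}).get("is_enabled"):
        findings.append("address_rate_limiting.is_enabled is false: no per-address request limit")

    # Whitelisted addresses bypass the WAF entirely, so wide ranges deserve a look.
    for wl in waf.get("whitelists") or []:
        for addr in wl.get("addresses") or []:
            net = ipaddress.ip_network(addr, strict=False)
            limit = 16 if net.version == 4 else 48   # assumed thresholds
            if net.prefixlen < limit:
                findings.append(f"whitelist {wl.get('name')!r} bypasses the WAF for the wide range {addr}")

    # Per the labels note above: ResponseBody rules do nothing unless
    # protection_settings.is_response_inspected is true.
    settings = waf.get("protection_settings") or {}
    body_rules = [r.get("key", "?") for r in waf.get("protection_rules") or []
                  if "ResponseBody" in (r.get("labels") or [])]
    if body_rules and not settings.get("is_response_inspected"):
        findings.append("rules labelled ResponseBody have no effect because "
                        f"is_response_inspected is false: {', '.join(body_rules)}")
    return findings


# Constructed sample in the shape of the module's waas_policy return value.
SAMPLE_POLICY = {
    "lifecycle_state": "ACTIVE",
    "policy_config": {
        "certificate_id": "ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx",
        "is_https_enabled": True,
        "is_https_forced": False,
    },
    "waf_config": {
        "protection_rules": [
            {"key": "rule_a", "action": "BLOCK", "labels": []},
            {"key": "rule_b", "action": "OFF", "labels": ["ResponseBody"]},
        ],
        "threat_feeds": [
            {"key": "feed_a", "action": "DETECT"},
            {"key": "feed_b", "action": "OFF"},
        ],
        "address_rate_limiting": {"is_enabled": False},
        "whitelists": [
            {"name": "office", "addresses": ["203.0.113.0/24"]},
            {"name": "too_wide", "addresses": ["10.0.0.0/8"]},
        ],
        "protection_settings": {"is_response_inspected": False},
    },
}

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print("-", line)
```

In a playbook the same check can run against the module's registered result (for example `result.waas_policy`) before traffic is cut over to the returned `cname`.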


Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]
  • This module is maintained by the Ansible Community. [community]

Authors

  • Manoj Meda (@manojmeda)
  • Mike Ross (@mross22)
  • Nabeel Al-Saber (@nalsaber)
