oci_waas_policy_facts – Fetches details about one or multiple WaasPolicy resources in Oracle Cloud Infrastructure

New in version 2.5.

Synopsis

  • Fetches details about one or multiple WaasPolicy resources in Oracle Cloud Infrastructure
  • Gets a list of WAAS policies.
  • If waas_policy_id is specified, the details of a single WaasPolicy will be returned.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_user
string
The OCID of the user on whose behalf OCI APIs are invoked. If not set, then the value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See config_file_location). To get the user's OCID, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_fingerprint
string
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See config_file_location). To get the key pair's fingerprint value, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_key_file
string
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided.
api_user_key_pass_phrase
string
Passphrase used by the key referenced in api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location).
auth_type
string
    Choices:
  • api_key ←
  • instance_principal
The type of authentication to use for making API requests. By default, auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE environment variable, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running Ansible playbooks within an OCI compute instance.
compartment_id
-
The OCID of the compartment. This number is generated when the compartment is created.
Required to list multiple waas_policies.
config_file_location
string
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
config_profile_name
string
The profile to load from the config file referenced by config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location.
display_name
list
Filter policies using a list of display names.

aliases: name
id
list
Filter policies using a list of policy OCIDs.
lifecycle_state
list
Filter policies using a list of lifecycle states.
region
string
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions.
sort_by
-
    Choices:
  • id
  • displayName
  • timeCreated
The value by which policies are sorted in a paginated 'List' call. If unspecified, defaults to `timeCreated`.
sort_order
-
    Choices:
  • ASC
  • DESC
The value of the sorting direction of resources in a paginated 'List' call. If unspecified, defaults to `DESC`.
tenancy
string
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See config_file_location). To get the tenancy OCID, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
time_created_greater_than_or_equal_to
-
A filter that matches policies created on or after the specified date and time.
time_created_less_than
-
A filter that matches policies created before the specified date-time.
waas_policy_id
-
The OCID of the WAAS policy.
Required to get a specific waas_policy.

aliases: id

Examples

- name: List waas_policies
  oci_waas_policy_facts:
    compartment_id: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx

- name: Get a specific waas_policy
  oci_waas_policy_facts:
    waas_policy_id: ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx
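
A configuration audit over the `waas_policies` list this module returns, as an added example that is not part of the module's documentation or Oracle's code. It uses the key names and defaults from the Return Values table; the check IDs, the `audit_policy` and `audit` function names, and the sample policies are assumptions made for the example.

```python
# Added example: audit the `waas_policies` list returned by oci_waas_policy_facts.
# Key names and defaults follow the Return Values table on this page; the check
# IDs and SAMPLE data are constructed for illustration.

CHALLENGES = ("js_challenge", "device_fingerprint_challenge",
              "human_interaction_challenge")
# Access-rule conditions evaluated against values the client chooses freely.
CLIENT_SUPPLIED = ("USER_AGENT_IS", "USER_AGENT_IS_NOT", "HTTP_HEADER_CONTAINS")


def audit_policy(policy):
    """Return a list of (check_id, detail) findings for one WaasPolicy dict."""
    findings = []
    cfg = policy.get("policy_config") or {}
    waf = policy.get("waf_config") or {}

    # HTTPS support and HTTP-to-HTTPS redirection both default to false.
    if not cfg.get("is_https_enabled", False):
        findings.append(("https_disabled", "is_https_enabled is false"))
    elif not cfg.get("is_https_forced", False):
        findings.append(("https_not_forced", "HTTP is not redirected to HTTPS"))

    # Protection rule action defaults to OFF, so an untouched policy blocks nothing.
    rules = waf.get("protection_rules") or []
    if not any(r.get("action", "OFF") == "BLOCK" for r in rules):
        findings.append(("no_blocking_rules",
                         "0 of %d protection rules set to BLOCK" % len(rules)))

    # Rules labelled ResponseBody have no effect unless responses are inspected.
    # Assumption: a missing is_response_inspected key is treated as false.
    settings = waf.get("protection_settings") or {}
    if not settings.get("is_response_inspected"):
        for r in rules:
            active = r.get("action", "OFF") != "OFF"
            if active and "ResponseBody" in (r.get("labels") or []):
                findings.append(("response_rule_inert", r.get("key", "?")))

    if not (waf.get("address_rate_limiting") or {}).get("is_enabled"):
        findings.append(("rate_limit_disabled", "address_rate_limiting is off"))

    # Challenge action defaults to DETECT; blocking applies only when it is BLOCK.
    for name in CHALLENGES:
        ch = waf.get(name) or {}
        if ch.get("is_enabled") and ch.get("action", "DETECT") != "BLOCK":
            findings.append(("challenge_detect_only", name))

    # ALLOW access rules whose criteria match on client-supplied request values.
    for rule in waf.get("access_rules") or []:
        if rule.get("action", "ALLOW") != "ALLOW":
            continue
        for crit in rule.get("criteria") or []:
            if crit.get("condition") in CLIENT_SUPPLIED:
                findings.append(("allow_on_client_value", "%s:%s" % (
                    rule.get("name", "?"), crit["condition"])))
    return findings


def audit(waas_policies):
    """Map each policy's domain to its findings; clean policies are omitted."""
    report = {}
    for p in waas_policies:
        found = audit_policy(p)
        if found:
            report[p.get("domain") or p.get("id", "?")] = found
    return report


# Constructed sample in the shape of the module's return value (not real data).
SAMPLE = [
    {"id": "ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx", "domain": "shop.example.com",
     "policy_config": {"is_https_enabled": True, "is_https_forced": False},
     "waf_config": {
         "protection_rules": [
             {"key": "rule-a", "action": "DETECT", "labels": ["ResponseBody"]},
             {"key": "rule-b", "action": "OFF", "labels": []}],
         "protection_settings": {"is_response_inspected": False},
         "address_rate_limiting": {"is_enabled": False},
         "js_challenge": {"is_enabled": True, "action": "DETECT"},
         "access_rules": [{"name": "partner-crawler", "action": "ALLOW",
                           "criteria": [{"condition": "USER_AGENT_IS",
                                         "value": "PartnerBot/1.0"}]}]}},
    {"id": "ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx", "domain": "api.example.com",
     "policy_config": {"is_https_enabled": True, "is_https_forced": True},
     "waf_config": {
         "protection_rules": [{"key": "rule-a", "action": "BLOCK", "labels": []}],
         "protection_settings": {"is_response_inspected": True},
         "address_rate_limiting": {"is_enabled": True},
         "js_challenge": {"is_enabled": True, "action": "BLOCK"},
         "access_rules": [{"name": "office", "action": "ALLOW",
                           "criteria": [{"condition": "IP_IS",
                                         "value": "192.0.2.10"}]}]}},
]


if __name__ == "__main__":
    for domain, found in audit(SAMPLE).items():
        for check_id, detail in found:
            print("%s\t%s\t%s" % (domain, check_id, detail))
```

Pass `audit` the `waas_policies` value registered from either task above.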

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
waas_policies
complex
on success
List of WaasPolicy resources

Sample:
[{'lifecycle_state': 'CREATING', 'domain': 'domain_example', 'display_name': 'display_name_example', 'compartment_id': 'ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx', 'origins': {'http_port': 56, 'custom_headers': [{'name': 'name_example', 'value': 'value_example'}], 'uri': 'uri_example', 'https_port': 56}, 'waf_config': {'origin': 'origin_example', 'protection_rules': [{'mod_security_rule_ids': [], 'name': 'name_example', 'key': 'key_example', 'action': 'OFF', 'labels': [], 'exclusions': [{'target': 'REQUEST_COOKIES', 'exclusions': []}], 'description': 'description_example'}], 'address_rate_limiting': {'is_enabled': True, 'allowed_rate_per_address': 56, 'block_response_code': 56, 'max_delayed_count_per_address': 56}, 'js_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'failure_threshold': 56, 'action': 'DETECT', 'action_expiration_in_seconds': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'device_fingerprint_challenge': {'is_enabled': True, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'max_address_count_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'max_address_count': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 
'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'whitelists': [{'name': 'name_example', 'addresses': []}], 'human_interaction_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'recording_period_in_seconds': 56, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'interaction_threshold': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'good_bots': [{'is_enabled': True, 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}], 'access_rules': [{'block_error_page_message': 'block_error_page_message_example', 'name': 'name_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'criteria': [{'condition': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0', 'value': 'value_example'}], 'action': 'ALLOW', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example'}], 'protection_settings': {'media_types': [], 'block_error_page_message': 'block_error_page_message_example', 'max_total_name_length_of_arguments': 56, 'recommendations_period_in_days': 56, 'block_error_page_code': 'block_error_page_code_example', 'max_response_size_in_ki_b': 56, 'block_action': 'SHOW_ERROR_PAGE', 'max_argument_count': 56, 'max_name_length_per_argument': 56, 'is_response_inspected': True, 'block_response_code': 56, 
'allowed_http_methods': [], 'block_error_page_description': 'block_error_page_description_example'}, 'captchas': [{'submit_label': 'submit_label_example', 'header_text': 'header_text_example', 'title': 'title_example', 'url': 'url_example', 'session_expiration_in_seconds': 56, 'footer_text': 'footer_text_example', 'failure_message': 'failure_message_example'}], 'threat_feeds': [{'action': 'OFF', 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}]}, 'defined_tags': {'Operations': {'CostCenter': 'US'}}, 'freeform_tags': {'Department': 'Finance'}, 'time_created': '2018-11-16T21:10:29Z', 'policy_config': {'certificate_id': 'ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx', 'is_https_enabled': True, 'is_https_forced': True}, 'cname': 'cname_example', 'additional_domains': [], 'id': 'ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx'}]
  additional_domains
list
on success
An array of additional domains for this web application.

  cname
string
on success
The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.

Sample:
cname_example
  compartment_id
string
on success
The OCID of the WAAS policy's compartment.

Sample:
ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
  defined_tags
dictionary
on success
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.

Sample:
{'Operations': {'CostCenter': 'US'}}
  display_name
string
on success
The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique.

Sample:
display_name_example
  domain
string
on success
The web application domain that the WAAS policy protects.

Sample:
domain_example
  freeform_tags
dictionary
on success
A simple key-value pair without any defined schema.

Sample:
{'Department': 'Finance'}
  id
string
on success
The OCID of the WAAS policy.

Sample:
ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
  lifecycle_state
string
on success
The current lifecycle state of the WAAS policy.

Sample:
CREATING
  origins
complex
on success
A map of host to origin for the web application. The key should be a customer-friendly name for the host, e.g. primary, secondary, etc.

    custom_headers
complex
on success
A list of HTTP headers to forward to your origin.

      name
string
on success
The name of the header.

Sample:
name_example
      value
string
on success
The value of the header.

Sample:
value_example
    http_port
integer
on success
The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.

Sample:
56
    https_port
integer
on success
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.

Sample:
56
    uri
string
on success
The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.

Sample:
uri_example
  policy_config
complex
on success

    certificate_id
string
on success
The OCID of the SSL certificate to use if HTTPS is supported.

Sample:
ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx
    is_https_enabled
boolean
on success
Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.

Sample:
True
    is_https_forced
boolean
on success
Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.

Sample:
True
  time_created
string
on success
The date and time the policy was created, expressed in RFC 3339 timestamp format.

Sample:
2018-11-16 21:10:29
  waf_config
complex
on success

    access_rules
complex
on success
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.

      action
string
on success
The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.

Sample:
ALLOW
      block_action
string
on success
The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.

Sample:
SET_RESPONSE_CODE
      block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.

Sample:
block_error_page_code_example
      block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'

Sample:
block_error_page_description_example
      block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'

Sample:
block_error_page_message_example
      block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.

Sample:
56
      criteria
complex
on success
The list of access rule criteria.

        condition
string
on success
The criteria the access rule uses to determine if action should be taken on a request.
  • URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the `value` field.
  • URL_IS_NOT: Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field.
  • URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the `value` field.
  • URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the `value` field.
  • URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the `value` field.
  • URL_REGEX: Matches if the request is described by the regular expression in the `value` field.
  • IP_IS: Matches if the request originates from an IP address in the `value` field.
  • IP_IS_NOT: Matches if the request does not originate from an IP address in the `value` field.
  • HTTP_HEADER_CONTAINS: Matches if the request includes an HTTP header field whose name and value correspond to data specified in the `value` field with a separating colon. Example: `host:test.example.com` where `host` is the name of the field and `test.example.com` is the value of the host field. Comparison is independently applied to every header field whose name is a case insensitive match, and the value is required to be case-sensitive identical.
  • COUNTRY_IS: Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
  • COUNTRY_IS_NOT: Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
  • USER_AGENT_IS: Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
  • USER_AGENT_IS_NOT: Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`

Sample:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
        value
string
on success
The criteria value.

Sample:
value_example
      name
string
on success
The unique name of the access rule.

Sample:
name_example
    address_rate_limiting
complex
on success
The IP address rate limiting settings used to limit the number of requests from an address.

      allowed_rate_per_address
integer
on success
The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.

Sample:
56
      block_response_code
integer
on success
The response status code returned when a request is blocked. If unspecified, defaults to `503`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the address rate limiting Web Application Firewall feature.

Sample:
True
      max_delayed_count_per_address
integer
on success
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.

Sample:
56
    captchas
complex
on success
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.

      failure_message
string
on success
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`

Sample:
failure_message_example
      footer_text
string
on success
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'

Sample:
footer_text_example
      header_text
string
on success
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'

Sample:
header_text_example
      session_expiration_in_seconds
integer
on success
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.

Sample:
56
      submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.

Sample:
submit_label_example
      title
string
on success
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`

Sample:
title_example
      url
string
on success
The unique URL path at which to show the CAPTCHA challenge.

Sample:
url_example
    device_fingerprint_challenge
complex
on success
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.

      action
string
on success
The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests allowed before taking action. If unspecified, defaults to `10`.

Sample:
56
      failure_threshold_expiration_in_seconds
integer
on success
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the device fingerprint challenge Web Application Firewall feature.

Sample:
True
      max_address_count
integer
on success
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.

Sample:
56
      max_address_count_expiration_in_seconds
integer
on success
The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.

Sample:
56
    good_bots
complex
on success
A list of bots allowed to access the web application.

      description
string
on success
The description of the bot.

Sample:
description_example
      is_enabled
boolean
on success
Enables or disables the bot.

Sample:
True
      key
string
on success
The unique key for the bot.

Sample:
key_example
      name
string
on success
The bot name.

Sample:
name_example
    human_interaction_challenge
complex
on success
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.

      action
string
on success
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests before taking action. If unspecified, defaults to `10`.

Sample:
56
      failure_threshold_expiration_in_seconds
integer
on success
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.

Sample:
56
      interaction_threshold
integer
on success
The number of interactions required to pass the challenge. If unspecified, defaults to `3`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the human interaction challenge Web Application Firewall feature.

Sample:
True
      recording_period_in_seconds
integer
on success
The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.

Sample:
56
      set_http_header
complex
on success
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.

        name
string
on success
The name of the header.

Sample:
name_example
        value
string
on success
The value of the header.

Sample:
value_example
    js_challenge
complex
on success
The JavaScript challenge settings. Used to block bots by challenging requests with a JavaScript challenge and taking the configured action when the browser has no JavaScript support.

      action
string
on success
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.

Sample:
DETECT
      action_expiration_in_seconds
integer
on success
The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.

Sample:
56
      challenge_settings
complex
on success

        block_action
string
on success
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.

Sample:
SET_RESPONSE_CODE
        block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
        block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
        block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.

Sample:
block_error_page_message_example
        block_response_code
integer
on success
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.

Sample:
56
        captcha_footer
string
on success
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.

Sample:
captcha_footer_example
        captcha_header
string
on success
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`

Sample:
captcha_header_example
        captcha_submit_label
string
on success
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.

Sample:
captcha_submit_label_example
        captcha_title
string
on success
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`

Sample:
captcha_title_example
      failure_threshold
integer
on success
The number of failed requests before taking action. If unspecified, defaults to `10`.

Sample:
56
      is_enabled
boolean
on success
Enables or disables the JavaScript challenge Web Application Firewall feature.

Sample:
True
      set_http_header
complex
on success
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.

        name
string
on success
The name of the header.

Sample:
name_example
        value
string
on success
The value of the header.

Sample:
value_example
    origin
string
on success
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.

Sample:
origin_example
    protection_rules
complex
on success
A list of the protection rules and their details.

      action
string
on success
The action to take when the traffic is detected as malicious. If unspecified, defaults to `OFF`.

      description
string
on success
The description of the protection rule.

Sample:
description_example
      exclusions
complex
on success

        exclusions
list
on success

        target
string
on success
The target of the exclusion.

Sample:
REQUEST_COOKIES
      key
string
on success
The unique key of the protection rule.

Sample:
key_example
      labels
list
on success
The list of labels for the protection rule.
**Note:** Protection rules with a `ResponseBody` label will have no effect unless `isResponseInspected` is true.

      mod_security_rule_ids
list
on success
The list of the ModSecurity rule IDs that apply to this protection rule. For more information about ModSecurity's open source WAF rules, see ModSecurity's documentation.

      name
string
on success
The name of the protection rule.

Sample:
name_example
    protection_settings
complex
on success
The settings to apply to protection rules.

      allowed_http_methods
list
on success
The list of allowed HTTP methods. If unspecified, defaults to `[OPTIONS, GET, HEAD, POST]`.

      block_action
string
on success
If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.

Sample:
SHOW_ERROR_PAGE
      block_error_page_code
string
on success
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.

Sample:
block_error_page_code_example
      block_error_page_description
string
on success
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`

Sample:
block_error_page_description_example
      block_error_page_message
string
on success
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access to the website is blocked.`

Sample:
block_error_page_message_example
      block_response_code
integer
on success
The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.

Sample:
56
      is_response_inspected
boolean
on success
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.
**Note:** Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.

Sample:
True
      max_argument_count
integer
on success
The maximum number of arguments allowed to be passed to your application before an action is taken. If unspecified, defaults to `255`.

Sample:
56
      max_name_length_per_argument
integer
on success
The maximum length allowed for each argument name, in characters. If unspecified, defaults to `400`.

Sample:
56
      max_response_size_in_ki_b
integer
on success
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.

Sample:
56
      max_total_name_length_of_arguments
integer
on success
The maximum length allowed for the sum of all argument names, in characters. If unspecified, defaults to `64000`.

Sample:
56
      media_types
list
on success
The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `[text/html, text/plain, text/xml]`.
Supported MIME types include:
- text/html
- text/plain
- text/asp
- text/css
- text/x-script
- application/json
- text/webviewhtml
- text/x-java-source
- application/x-javascript
- application/javascript
- application/ecmascript
- text/javascript
- text/ecmascript
- text/x-script.perl
- text/x-script.phyton
- application/plain
- application/xml
- text/xml

      recommendations_period_in_days
integer
on success
The length of time to analyze traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.
Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.

Sample:
56
    threat_feeds
complex
on success
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.

      action
string
on success
The action to take when traffic is flagged as malicious by data from the threat intelligence feed. If unspecified, defaults to `OFF`.

      description
string
on success
The description of the threat intelligence feed.

Sample:
description_example
      key
string
on success
The unique key of the threat intelligence feed.

Sample:
key_example
      name
string
on success
The name of the threat intelligence feed.

Sample:
name_example
    whitelists
complex
on success
A list of IP addresses that bypass the Web Application Firewall.

      addresses
list
on success
A set of IP addresses or CIDR notations to include in the whitelist.

      name
string
on success
The unique name of the whitelist.

Sample:
name_example
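
Several of the returned fields interact: a protection rule labelled `ResponseBody` has no effect unless `is_response_inspected` is true, only Content-Types listed in `media_types` are inspected, and every address in `whitelists` bypasses the firewall. The following is an added example, not code from this module or from Oracle, that audits one returned WAF configuration dict for those conditions. The function name, the finding labels, the `max_whitelist_hosts` threshold and the sample data are assumptions made for illustration.

```python
import ipaddress
# Added example: function name, finding labels and threshold are assumptions.
DEFAULT_MEDIA_TYPES = ["text/html", "text/plain", "text/xml"]  # documented default

def audit_waf_config(waf, origin_media_types=(), max_whitelist_hosts=256):
    """Return sorted (check, subject) findings for one returned WAF config dict."""
    findings = set()
    settings = waf.get("protection_settings") or {}
    inspected = bool(settings.get("is_response_inspected"))  # defaults to false
    media_types = settings.get("media_types") or DEFAULT_MEDIA_TYPES
    for rule in waf.get("protection_rules") or []:
        active = (rule.get("action") or "OFF") != "OFF"  # defaults to OFF
        if active and not inspected and "ResponseBody" in (rule.get("labels") or []):
            # Rule looks enabled but has no effect while response inspection is off.
            findings.add(("response_rule_inert", str(rule.get("key"))))
    if inspected:
        # Origin responses with an unlisted Content-Type are never inspected.
        for media_type in origin_media_types:
            if media_type not in media_types:
                findings.add(("media_type_not_inspected", media_type))
    for feed in waf.get("threat_feeds") or []:
        if (feed.get("action") or "OFF") == "OFF":
            findings.add(("threat_feed_off", str(feed.get("key"))))
    for whitelist in waf.get("whitelists") or []:
        for addr in whitelist.get("addresses") or []:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                findings.add(("whitelist_unparseable", addr))
                continue
            if net.num_addresses > max_whitelist_hosts:
                # Every address in this range bypasses the WAF.
                findings.add(("whitelist_too_broad", addr))
    return sorted(findings)

# Constructed sample data, not output from a real tenancy.
SAMPLE_WAF_CONFIG = {
    "protection_settings": {"is_response_inspected": False},
    "protection_rules": [
        {"key": "rule-a", "action": "BLOCK", "labels": ["ResponseBody"]},
        {"key": "rule-c", "labels": ["ResponseBody"]},
    ],
    "threat_feeds": [{"key": "feed-a", "action": "OFF"}, {"key": "feed-b", "action": "BLOCK"}],
    "whitelists": [{"name": "office", "addresses": ["198.51.100.7", "10.0.0.0/8", "not-an-ip"]}],
}

if __name__ == "__main__":
    for finding in audit_waf_config(SAMPLE_WAF_CONFIG, ["application/json"]):
        print(*finding)
```

Pass the function the part of a returned policy that holds `protection_rules`, `protection_settings`, `threat_feeds` and `whitelists`, and list in `origin_media_types` the Content-Types your origin actually serves.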


Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]
  • This module is maintained by the Ansible Community. [community]

Authors

  • Manoj Meda (@manojmeda)
  • Mike Ross (@mross22)
  • Nabeel Al-Saber (@nalsaber)
