oci_waas_policy - Manage WAAS policies in OCI

New in version 2.5.

Synopsis

  • This module allows the user to create, delete and update WAAS policies in OCI.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
additional_domains
list
An array of additional domains for the specified web application.
api_user
The OCID of the user on whose behalf OCI APIs are invoked. If not set, then the value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See config_file_location). To get the user's OCID, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_fingerprint
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See config_file_location). To get the key pair's fingerprint value, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_key_file
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided.
api_user_key_pass_phrase
Passphrase used by the key referenced in api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location).
auth_type
    Choices:
  • api_key ←
  • instance_principal
The type of authentication to use for making API requests. By default auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance.
compartment_id
str
The OCID of the compartment.
config_file_location
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
config_profile_name
The profile to load from the config file referenced by config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location.
defined_tags
Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/resourcetags.htm.
display_name
str
A user-friendly name for the WAAS policy. The name can be changed and does not need to be unique.

aliases: name
domain
str
The web application domain that the WAAS policy protects.
force_create
bool
    Choices:
  • no ←
  • yes
Whether to attempt non-idempotent creation of a resource. By default, create resource is an idempotent operation, and doesn't create the resource if it already exists. Setting this option to true forcefully creates a copy of the resource, even if it already exists. This option is mutually exclusive with key_by.
freeform_tags
Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/resourcetags.htm.
key_by
The list of comma-separated attributes of this resource which should be used to uniquely identify an instance of the resource. By default, all the attributes of a resource except freeform_tags are used to uniquely identify a resource.
origins
dict
A map of host to origin for the web application. The key should be a customer friendly name for the host, ex. primary, secondary, etc.
http_port
The HTTP port on the origin that the web application listens on. If unspecified, defaults to 80.
custom_headers
A list of HTTP headers to forward to your origin.
name
The name of the header.
value
The value of the header.
https_port
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to 443.
uri
The URI of the origin. Does not support paths. Port numbers should be specified in the http_port and https_port fields.
policy_config
dict
Config for the WAAS policy.
certificate_id
The OCID of the SSL certificate to use if HTTPS is supported.
is_https_enabled Default:
no
Enable or disable HTTPS support. If true, a certificateId is required.
is_https_forced Default:
no
Force HTTP to HTTPS redirection.
region
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions.
state
    Choices:
  • present ←
  • absent
Create or update a WAAS policy with state=present. Use state=absent to delete a WAAS policy.
tenancy
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See config_file_location). To get the tenancy OCID, please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
waas_policy_id
The OCID of the WAAS policy. Required when deleting a WAAS policy with state=absent or updating a WAAS policy with state=present. This option is mutually exclusive with compartment_id.

aliases: id
waf_config
dict
The WAF config for the WAAS policy.
origin
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in Origins. Required when creating the WafConfig resource, but not on update.
protection_rules
A list of the protection rules and their details.
action Default:
no
The action to take when the traffic is detected as malicious.
description
The description of the protection rule.
key
The unique key of the protection rule.
mod_security_rule_ids
The list of the ModSecurity rule IDs that apply to this protection rule.
labels
The list of labels for the protection rule.
exclusions
The exclusions of this ProtectionRule.
exclusions
The exclusions of this ProtectionRuleExclusion.
target
    Choices:
  • REQUEST_COOKIES
  • REQUEST_COOKIE_NAMES
  • ARGS
  • ARGS_NAMES
The target of the exclusion.
name
The name of the protection rule.
address_rate_limiting
The IP address rate limiting settings used to limit the number of requests from an address.
allowed_rate_per_address Default:
1
The number of allowed requests per second from one IP address.
is_enabled
Enables or disables the address rate limiting Web Application Firewall feature.
block_response_code Default:
503
The response status code returned when a request is blocked.
max_delayed_count_per_address Default:
10
The maximum number of requests allowed to be queued before subsequent requests are dropped.
js_challenge
The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.
is_enabled
required
Enables or disables the JavaScript challenge Web Application Firewall feature.
set_http_header
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when action=DETECT.
name
The name of the header.
value
The value of the header.
failure_threshold Default:
10
The number of failed requests before taking action.
action
    Choices:
  • DETECT ←
  • BLOCK
The action to take against requests from detected bots.
action_expiration_in_seconds Default:
60
The number of seconds between challenges from the same IP address.
challenge_settings
The challenge settings.
block_error_page_message Default:
Access to the website is blocked.
The message to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_footer Default:
Enter the letters and numbers as they are shown in image above.
The text to show in the footer when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_error_page_code Default:
403
The error code to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
block_action
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE ←
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge if action=BLOCK.
captcha_title Default:
Are you human?
The title used when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
captcha_header Default:
We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.
The text to show in the header when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_response_code Default:
403
The response status code to return when action=BLOCK, block_action=SET_RESPONSE_CODE, and the request is blocked.
block_error_page_description Default:
Access blocked by website owner. Please contact support.
The description text to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_submit_label Default:
Yes, I am human.
The text to show on the label of the CAPTCHA challenge submit button when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
device_fingerprint_challenge
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.
is_enabled
Enables or disables the device fingerprint challenge Web Application Firewall feature.
failure_threshold_expiration_in_seconds Default:
60
The number of seconds before the failure threshold resets.
action_expiration_in_seconds Default:
60
The number of seconds between challenges for the same IP address.
max_address_count_expiration_in_seconds Default:
60
The number of seconds before the maximum addresses count resets.
failure_threshold Default:
10
The number of failed requests allowed before taking action.
action
    Choices:
  • DETECT ←
  • BLOCK
The action to take on requests from detected bots.
max_address_count Default:
20
The maximum number of IP addresses permitted with the same device fingerprint.
challenge_settings
The challenge settings.
block_error_page_message Default:
Access to the website is blocked.
The message to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_footer Default:
Enter the letters and numbers as they are shown in image above.
The text to show in the footer when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_error_page_code Default:
403
The error code to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
block_action
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE ←
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge if action=BLOCK.
captcha_title Default:
Are you human?
The title used when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
captcha_header Default:
We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.
The text to show in the header when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_response_code Default:
403
The response status code to return when action=BLOCK, block_action=SET_RESPONSE_CODE, and the request is blocked.
block_error_page_description Default:
Access blocked by website owner. Please contact support.
The description text to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_submit_label Default:
Yes, I am human.
The text to show on the label of the CAPTCHA challenge submit button when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
whitelists
A list of IP addresses that bypass the Web Application Firewall.
addresses
required
A set of IP addresses or CIDR notations to include in the whitelist.
name
required
The unique name of the whitelist.
human_interaction_challenge
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
is_enabled
Enables or disables the human interaction challenge Web Application Firewall feature.
set_http_header
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when action=DETECT.
name
The name of the header.
value
The value of the header.
recording_period_in_seconds Default:
15
The number of seconds to record the interactions from the user.
failure_threshold_expiration_in_seconds Default:
60
The number of seconds before the failure threshold resets.
action_expiration_in_seconds Default:
60
The number of seconds between challenges for the same IP address.
failure_threshold Default:
10
The number of failed requests allowed before taking action.
action
    Choices:
  • DETECT ←
  • BLOCK
The action to take on requests from detected bots.
interaction_threshold Default:
3
The number of interactions required to pass the challenge.
challenge_settings
The challenge settings.
block_error_page_message Default:
Access to the website is blocked.
The message to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_footer Default:
Enter the letters and numbers as they are shown in image above.
The text to show in the footer when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_error_page_code Default:
403
The error code to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
block_action
    Choices:
  • SET_RESPONSE_CODE
  • SHOW_ERROR_PAGE ←
  • SHOW_CAPTCHA
The method used to block requests that fail the challenge if action=BLOCK.
captcha_title Default:
Are you human?
The title used when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
captcha_header Default:
We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.
The text to show in the header when showing a CAPTCHA challenge when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
block_response_code Default:
403
The response status code to return when action=BLOCK, block_action=SET_RESPONSE_CODE, and the request is blocked.
block_error_page_description Default:
Access blocked by website owner. Please contact support.
The description text to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the request is blocked.
captcha_submit_label Default:
Yes, I am human.
The text to show on the label of the CAPTCHA challenge submit button when action=BLOCK, block_action=SHOW_CAPTCHA, and the request is blocked.
good_bots
A list of bots allowed to access the web application.
is_enabled
Enables or disables the bot.
description
The description of the bot.
key
The unique key for the bot.
name
The bot name.
access_rules
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of ALLOW, DETECT, and BLOCK rules, based on different criteria.
block_error_page_message Default:
Access to the website is blocked.
The message to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the access criteria are met.
name
The unique name of the access rule.
block_error_page_code Default:
Access rules
The error code to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the access criteria are met.
block_action
    Choices:
  • SET_RESPONSE_CODE ←
  • SHOW_ERROR_PAGE
The method used to block requests if action=BLOCK and the access criteria are met.
criteria
The list of access rule criteria.
condition
required
The criteria the access rule uses to determine if action should be taken on a request.
value
required
    Choices:
  • URL_IS
  • URL_IS_NOT
  • URL_STARTS_WITH
  • URL_PART_ENDS_WITH
  • URL_PART_CONTAINS
  • URL_REGEX
  • IP_IS
  • IP_IS_NOT
  • HTTP_HEADER_CONTAINS
  • COUNTRY_IS
  • COUNTRY_IS_NOT
  • USER_AGENT_IS
  • USER_AGENT_IS_NOT
The criteria value.
action Default:
ALLOW
The action to take when the access criteria are met for a rule.
block_response_code Default:
403
The response status code to return when action=BLOCK, block_action=SET_RESPONSE_CODE, and the access criteria are met.
block_error_page_description Default:
Access blocked by website owner. Please contact support.
The description text to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the access criteria are met.
protection_settings
The settings to apply to protection rules.
media_types Default:
[u'text/html', u'text/plain', u'text/xml']
The list of media types to allow for inspection, if is_response_inspected=True. Only responses with MIME types in this list will be inspected.
block_error_page_message Default:
Access to the website is blocked.
The message to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule.
max_total_name_length_of_arguments Default:
64000
The maximum length allowed for the sum of all argument names, in characters.
recommendations_period_in_days Default:
10
The length of time to analyze traffic, in days. After the analysis period, WafRecommendations will be populated.
block_error_page_code Default:
403
The error code to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule.
max_response_size_in_ki_b Default:
1024
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected.
block_action
    Choices:
  • SHOW_ERROR_PAGE
  • SET_RESPONSE_CODE ←
If action=BLOCK, this specifies how the traffic is blocked when detected as malicious by a protection rule.
max_argument_count Default:
255
The maximum number of arguments allowed to be passed to your application before an action is taken.
max_name_length_per_argument Default:
400
The maximum length allowed for each argument name, in characters.
is_response_inspected Default:
no
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data.
block_response_code Default:
403
The response code returned when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule.
allowed_http_methods
    Choices:
  • OPTIONS ←
  • GET ←
  • HEAD ←
  • POST ←
  • PUT
  • DELETE
  • TRACE
  • CONNECT
  • PATCH
  • PROPFIND
Default:
[u'OPTIONS', u'GET', u'HEAD', u'POST']
The list of allowed HTTP methods. If unspecified, default to [OPTIONS, GET, HEAD, POST].
block_error_page_description Default:
Access blocked by website owner. Please contact support.
The description text to show on the error page when action=BLOCK, block_action=SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule.
captchas
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
submit_label
required
The text to show on the label of the CAPTCHA challenge submit button.
header_text Default:
We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.
The text to show in the header when showing a CAPTCHA challenge.
title
required
The title used when displaying a CAPTCHA challenge.
url
required
The unique URL path at which to show the CAPTCHA challenge.
session_expiration_in_seconds
required
The amount of time before the CAPTCHA expires, in seconds.
footer_text Default:
Enter the letters and numbers as they are shown in the image above.
The text to show in the footer when showing a CAPTCHA challenge.
failure_message
required
The text to show when incorrect CAPTCHA text is entered.
threat_feeds
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.
action
    Choices:
  • no ←
  • DETECT
  • BLOCK
Default:
no
The action to take when traffic is flagged as malicious by data from the threat intelligence feed.
description
The description of the threat intelligence feed.
key
The unique key of the threat intelligence feed.
name
The name of the threat intelligence feed.
wait
bool
    Choices:
  • no
  • yes ←
Whether to wait for create or delete operation to complete.
wait_timeout Default:
1200
Time, in seconds, to wait when wait=yes.
wait_until
The lifecycle state to wait for the resource to transition into when wait=yes. By default, when wait=yes, we wait for the resource to get into the applicable ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/RUNNING lifecycle state during a create operation, and into the DELETED/DETACHED/TERMINATED lifecycle state during a delete operation.

Examples

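# Create: the policy is identified by its compartment and the domain it protects.
- name: Create a WAAS policy
  oci_waas_policy:
    compartment_id: 'ocid1.compartment.oc1..xxxxxEXAMPLExxxxx'
    domain: 'www.example.com'
    display_name: ansible_test_waas_policy
    origins:
      LBaaS:
        uri: '1.2.3.4'
        http_port: 80
        https_port: 443

# Update: waas_policy_id selects the policy (mutually exclusive with compartment_id).
- name: Update the specified WAAS policy's display name
  oci_waas_policy:
    waas_policy_id: 'ocid1.waaspolicy.oc1..xxxxxEXAMPLExxxxx'
    display_name: examplewaaspolicy1

- name: Delete the specified WAAS policy
  oci_waas_policy:
    waas_policy_id: 'ocid1.waaspolicy.oc1..xxxxxEXAMPLExxxxx'
    state: absent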

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
waas_policy
complex
on success
List of waas policies

Sample:
[{'lifecycle_state': 'ACTIVE', 'domain': 'www.example.com', 'display_name': 'ansible_test_waas_policy', 'compartment_id': 'ocid1.compartment.oc1..xxxxxEXAMPLExxxxx', 'origins': {'LBaaS': {'http_port': 80, 'custom_headers': [], 'https_port': 443, 'uri': '1.2.3.4'}}, 'waf_config': {'origin': 'LBaaS', 'protection_rules': [{'action': 'OFF', 'description': 'Cross-Site Scripting (XSS) Attempt: XSS Filters from IE', 'key': '941340', 'mod_security_rule_ids': ['941340'], 'labels': ['OWASP', 'OWASP-2017', 'CRS3', 'WASCTC', 'PCI', 'HTTP', 'A2', 'A2-2017', 'XSS', 'Cross-Site Scripting'], 'exclusions': [], 'name': 'Cross-Site Scripting (XSS) Attempt: XSS Filters from Internet Explorer'}], 'address_rate_limiting': {'allowed_rate_per_address': 1, 'is_enabled': False, 'block_response_code': 503, 'max_delayed_count_per_address': 10}, 'js_challenge': {'is_enabled': False, 'set_http_header': {'name': 'x-jsc-alerts', 'value': '{failed_amount}'}, 'failure_threshold': 10, 'action': 'DETECT', 'action_expiration_in_seconds': 60, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'JSC-403', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'device_fingerprint_challenge': {'is_enabled': False, 'failure_threshold_expiration_in_seconds': 60, 'action_expiration_in_seconds': 60, 'max_address_count_expiration_in_seconds': 60, 'failure_threshold': 10, 'action': 'DETECT', 'max_address_count': 20, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'DFC', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'whitelists': [], 'human_interaction_challenge': {'is_enabled': False, 'set_http_header': None, 'recording_period_in_seconds': 15, 'failure_threshold_expiration_in_seconds': 60, 'action_expiration_in_seconds': 60, 'failure_threshold': 10, 'action': 'DETECT', 'interaction_threshold': 3, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'HIC', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'good_bots': [{'is_enabled': False, 'description': 'Googlebot is the search bot software used by Google.', 'key': '4a4c6e7b-4d89-4141-8555-ec3b22b90a73', 'name': 'Googlebot '}], 'access_rules': [], 'captchas': []}, 'defined_tags': {'example_namespace': {'example_key': 'example_value'}}, 'freeform_tags': {'example_freeform_key': 'example_freeform_value'}, 'time_created': '2019-03-22T13:02:55.563000+00:00', 'policy_config': {'certificate_id': None, 'is_https_enabled': False, 'is_https_forced': False}, 'cname': 'www-exampledomain-com.b.waas.oci.oraclecloud.net', 'additional_domains': ['www.exampledomain1.com', 'www.exampledomain2.com'], 'id': 'ocid1.waaspolicy.oc1..xxxxxEXAMPLExxxxx'}]
  lifecycle_state
str
success
The current lifecycle state of the WAAS policy.

Sample:
ACTIVE
  domain
str
success
The web application domain that the WAAS policy protects.

Sample:
www.exampledomain.com
  display_name
str
success
The user-friendly name of the WAAS policy.

Sample:
examplewaaspolicy1
  compartment_id
str
success
The OCID of the WAAS policy's compartment.

Sample:
ocid1.compartment.oc1..xxxxxEXAMPLExxxxx
  origins
complex
success
A map of host to origin for the web application.

Sample:
{'LBaaS': {'http_port': 80, 'custom_headers': [], 'https_port': 443, 'uri': '1.2.3.4'}}
  waf_config
complex
success
The waf_config of this WaasPolicy.

Sample:
{'origin': 'LBaaS', 'protection_rules': [{'action': 'OFF', 'description': 'Cross-Site Scripting (XSS) Attempt: XSS Filters from IE', 'key': '941340', 'mod_security_rule_ids': ['941340'], 'labels': ['OWASP', 'OWASP-2017', 'CRS3', 'WASCTC', 'PCI', 'HTTP', 'A2', 'A2-2017', 'XSS', 'Cross-Site Scripting'], 'exclusions': [], 'name': 'Cross-Site Scripting (XSS) Attempt: XSS Filters from Internet Explorer'}], 'address_rate_limiting': {'allowed_rate_per_address': 1, 'is_enabled': False, 'block_response_code': 503, 'max_delayed_count_per_address': 10}, 'js_challenge': {'is_enabled': False, 'set_http_header': {'name': 'x-jsc-alerts', 'value': '{failed_amount}'}, 'failure_threshold': 10, 'action': 'DETECT', 'action_expiration_in_seconds': 60, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'JSC-403', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'device_fingerprint_challenge': {'is_enabled': False, 'failure_threshold_expiration_in_seconds': 60, 'action_expiration_in_seconds': 60, 'max_address_count_expiration_in_seconds': 60, 'failure_threshold': 10, 'action': 'DETECT', 'max_address_count': 20, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'DFC', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'whitelists': [], 'human_interaction_challenge': {'is_enabled': False, 'set_http_header': None, 'recording_period_in_seconds': 15, 'failure_threshold_expiration_in_seconds': 60, 'action_expiration_in_seconds': 60, 'failure_threshold': 10, 'action': 'DETECT', 'interaction_threshold': 3, 'challenge_settings': {'block_error_page_message': 'Access to the website is blocked.', 'captcha_footer': 'Enter the letters and numbers as they are shown in image above.', 'block_error_page_code': 'HIC', 'block_action': 'SHOW_ERROR_PAGE', 'captcha_title': 'Are you human?', 'captcha_header': 'We have detected an increased number of attempts to access this website.', 'block_response_code': 403, 'block_error_page_description': 'Access blocked by website owner. Please contact support.', 'captcha_submit_label': 'Yes, I am human.'}}, 'good_bots': [{'is_enabled': False, 'description': 'Googlebot is the search bot software used by Google', 'key': '4a4c6e7b-4d89-4141-8555-ec3b22b90a73', 'name': 'Googlebot '}], 'access_rules': [], 'captchas': []}
  defined_tags
complex
success
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.

Sample:
{'example_namespace': {'example_key': 'example_value'}}
  freeform_tags
complex
success
A simple key-value pair without any defined schema.

Sample:
{'example_freeform_key': 'example_freeform_value'}
  time_created
str
success
The date and time the policy was created, expressed in RFC 3339 timestamp format.

Sample:
2019-03-22 13:02:55.563000
  policy_config
complex
success
The policy_config of the WaasPolicy.

Sample:
{'certificate_id': None, 'is_https_enabled': False, 'is_https_forced': False}
  cname
str
success
The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.

Sample:
www-exampledomain-com.b.waas.oci.oraclecloud.net
  additional_domains
list
success
An array of additional domains for this web application.

Sample:
['www.exampledomain1.com', 'www.exampledomain2.com']
  id
str
success
The OCID of the WAAS policy.

Sample:
ocid1.waaspolicy.oc1..xxxxxEXAMPLExxxxx
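
The Sample above describes a policy whose protections are all off or disabled (rule action OFF, is_enabled False, is_https_forced False). The following is an added example, not part of the module or its documentation, that checks one entry of the returned waas_policy list for such settings. The function names, the choice to report DETECT as a finding, and the /16 and /48 whitelist limits are assumptions made for this example.

```python
import ipaddress

# Constructed input: the Sample above, trimmed to the keys this audit reads.
SAMPLE_POLICY = {
    "policy_config": {"certificate_id": None, "is_https_enabled": False,
                      "is_https_forced": False},
    "waf_config": {
        "protection_rules": [{"key": "941340", "action": "OFF"}],
        "address_rate_limiting": {"is_enabled": False},
        "js_challenge": {"is_enabled": False, "action": "DETECT"},
        "device_fingerprint_challenge": {"is_enabled": False, "action": "DETECT"},
        "human_interaction_challenge": {"is_enabled": False, "action": "DETECT"},
        "whitelists": [],
    },
}

CHALLENGES = ("js_challenge", "device_fingerprint_challenge",
              "human_interaction_challenge")
# Assumption: whitelist entries wider than these prefixes deserve a manual review.
MIN_PREFIX = {4: 16, 6: 48}


def audit_policy_config(policy_config):
    """Check the HTTPS settings documented under policy_config."""
    findings = []
    if not policy_config.get("is_https_enabled"):
        findings.append(("policy_config.is_https_enabled", "HTTPS support is disabled"))
    elif not policy_config.get("certificate_id"):
        findings.append(("policy_config.certificate_id",
                         "HTTPS is enabled but no certificate OCID is set"))
    if not policy_config.get("is_https_forced"):
        findings.append(("policy_config.is_https_forced",
                         "HTTP is not redirected to HTTPS"))
    return findings


def audit_whitelists(whitelists):
    """Whitelisted addresses bypass the WAF, so flag broad or malformed entries."""
    findings = []
    for entry in whitelists:
        path = "waf_config.whitelists[%s]" % entry.get("name")
        for address in entry.get("addresses") or []:
            try:
                network = ipaddress.ip_network(address, strict=False)
            except ValueError:
                findings.append((path, "%r is not an IP address or CIDR" % address))
                continue
            if network.prefixlen < MIN_PREFIX[network.version]:
                findings.append((path, "%s is a broad range that bypasses the WAF" % address))
    return findings


def audit_waf_config(waf):
    """Check protection rules, rate limiting, bot challenges and whitelists."""
    findings = []
    for rule in waf.get("protection_rules") or []:
        path = "waf_config.protection_rules[%s].action" % rule.get("key")
        if rule.get("action") == "DETECT":
            findings.append((path, "rule only detects; matching traffic is not blocked"))
        elif rule.get("action") != "BLOCK":
            findings.append((path, "rule is off"))
    if not (waf.get("address_rate_limiting") or {}).get("is_enabled"):
        findings.append(("waf_config.address_rate_limiting.is_enabled",
                         "address rate limiting is disabled"))
    for name in CHALLENGES:
        challenge = waf.get(name) or {}
        if not challenge.get("is_enabled"):
            findings.append(("waf_config.%s.is_enabled" % name, "challenge is disabled"))
        elif challenge.get("action") != "BLOCK":
            findings.append(("waf_config.%s.action" % name,
                             "failing requests are still passed to the origin"))
    return findings + audit_whitelists(waf.get("whitelists") or [])


def audit_waas_policy(policy):
    """Return (path, message) findings for one entry of the waas_policy result."""
    return (audit_policy_config(policy.get("policy_config") or {})
            + audit_waf_config(policy.get("waf_config") or {}))


if __name__ == "__main__":
    for path, message in audit_waas_policy(SAMPLE_POLICY):
        print("%-52s %s" % (path, message))
```

In a playbook, the value to pass in would be one element of the registered result's waas_policy list.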


Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Manoj Meda (@manojmeda)
