aws_waf_condition - create and delete WAF Conditions
New in version 2.5.
Synopsis
- Read the AWS documentation for WAF https://aws.amazon.com/documentation/waf/
Requirements
The below requirements are needed on the host that executes this module.
- python >= 2.6
- boto
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
aws_access_key | Default: None | AWS access key. If not set then the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used. aliases: ec2_access_key, access_key |
aws_secret_key | Default: None | AWS secret key. If not set then the value of the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variable is used. aliases: ec2_secret_key, secret_key |
ec2_url | Default: None | Url to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used. |
filters | A list of the filters against which to match For type= byte , valid keys are field_to_match , position , header , transformation
For type= geo , the only valid key is country
For type= ip , the only valid key is ip_address
For type= regex , valid keys are field_to_match , transformation and regex_pattern
For type= size , valid keys are field_to_match , transformation , comparison and size
For type= sql , valid keys are field_to_match and transformation
For type= xss , valid keys are field_to_match and transformation
field_to_match can be one of uri , query_string , header method and body
If field_to_match is header , then header must also be specified
transformation can be one of none , compress_white_space , html_entity_decode , lowercase , cmd_line , url_decode
position, can be one of exactly , starts_with , ends_with , contains , contains_word ,
comparison can be one of EQ , NE , LE , LT , GE , GT ,
target_string is a maximum of 50 bytes
regex_pattern is a dict with a name key and regex_strings list of strings to match | |
name required | Name of the Web Application Firewall condition to manage | |
profile (added in 1.6) | Default: None | Uses a boto profile. Only works with boto >= 2.24.0. |
purge_filters | Whether to remove existing filters from a condition if not passed in filters. Defaults to false | |
region | The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
aliases: aws_region, ec2_region | |
security_token (added in 1.6) | Default: None | AWS STS security token. If not set then the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used. aliases: access_token |
state |
| Whether the condition should be present or absent
|
type |
| the type of matching to perform |
validate_certs (added in 1.5) |
| When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0. |
Notes
Note
- If parameters are not set within the module, the following environment variables can be used in decreasing order of precedence
AWS_URL
orEC2_URL
,AWS_ACCESS_KEY_ID
orAWS_ACCESS_KEY
orEC2_ACCESS_KEY
,AWS_SECRET_ACCESS_KEY
orAWS_SECRET_KEY
orEC2_SECRET_KEY
,AWS_SECURITY_TOKEN
orEC2_SECURITY_TOKEN
,AWS_REGION
orEC2_REGION
- Ansible uses the boto configuration file (typically ~/.boto) if no credentials are provided. See http://boto.readthedocs.org/en/latest/boto_config_tut.html
-
AWS_REGION
orEC2_REGION
can be typically be used to specify the AWS region, when required, but this can also be configured in the boto config file
Examples
- name: create WAF byte condition aws_waf_condition: name: my_byte_condition filters: - field_to_match: header position: STARTS_WITH target_string: Hello header: Content-type type: byte - name: create WAF geo condition aws_waf_condition: name: my_geo_condition filters: - country: US - country: AU - country: AT type: geo - name: create IP address condition aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "10.0.0.0/8" - ip_address: "192.168.0.0/24" type: ip - name: create WAF regex condition aws_waf_condition: name: my_regex_condition filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex - name: create WAF size condition aws_waf_condition: name: my_size_condition filters: - field_to_match: query_string size: 300 comparison: GT type: size - name: create WAF sql injection condition aws_waf_condition: name: my_sql_condition filters: - field_to_match: query_string transformation: url_decode type: sql - name: create WAF xss condition aws_waf_condition: name: my_xss_condition filters: - field_to_match: query_string transformation: url_decode type: xss
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |||
---|---|---|---|---|---|
condition complex | always | condition returned by operation | |||
size_constraint_set_id string | when type is size and state is present | ID of the size constraint set Sample: de84b4b3-578b-447e-a9a0-0db35c995656 | |||
ip_set_id string | when type is ip and state is present | ID of condition Sample: 78ad334a-3535-4036-85e6-8e11e745217b | |||
condition_id string | when state is present | type-agnostic ID for the condition Sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 | |||
ip_set_descriptors complex | when type is ip and state is present | list of IP address filters | |||
type string | always | Type of IP address (IPV4 or IPV6) Sample: IPV4 | |||
value string | always | IP address Sample: 10.0.0.0/8 | |||
geo_match_constraints complex | when type is geo and state is present | List of geographical constraints | |||
type string | Type of geo constraint Sample: Country | ||||
value string | Value of geo constraint (typically a country code) Sample: AT | ||||
byte_match_tuples complex | always | list of byte match tuples | |||
text_transformation string | Transformation to apply to the field before matching Sample: NONE | ||||
field_to_match complex | always | Field to match | |||
data string | Which specific header (if type is header) Sample: content-type | ||||
type string | Type of field Sample: HEADER | ||||
target_string string | String to look for Sample: Hello | ||||
positional_constraint string | Position in the field to match Sample: STARTS_WITH | ||||
name string | when state is present | Name of condition Sample: my_waf_condition | |||
geo_match_set_id string | when type is geo and state is present | ID of the geo match set Sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 | |||
size_constraints complex | when type is size and state is present | List of size constraints to apply | |||
text_transformation string | transformation applied to the text before matching Sample: NONE | ||||
field_to_match complex | Field on which the size constraint is applied | ||||
type string | Field name Sample: QUERY_STRING | ||||
comparison_operator string | Comparison operator to apply Sample: GT | ||||
size int | size to compare against the field Sample: 300 | ||||
regex_match_tuples complex | when type is regex and state is present | List of regex matches | |||
text_transformation string | transformation applied to the text before matching Sample: NONE | ||||
field_to_match complex | Field on which the regex match is applied | ||||
type string | when type is regex and state is present | The field name Sample: QUERY_STRING | |||
regex_pattern_set_id string | ID of the regex pattern Sample: 6fdf7f2d-9091-445c-aef2-98f3c051ac9e | ||||
byte_match_set_id string | always | ID for byte match set Sample: c4882c96-837b-44a2-a762-4ea87dbf812b | |||
regex_match_set_id string | when type is regex and state is present | ID of the regex match set Sample: 5ea3f6a8-3cd3-488b-b637-17b79ce7089c | |||
sql_injection_match_set_id string | when type is sql and state is present | ID of the SQL injection match set Sample: de84b4b3-578b-447e-a9a0-0db35c995656 | |||
sql_injection_match_tuples complex | when type is sql and state is present | List of SQL injection match sets | |||
text_transformation string | transformation applied to the text before matching Sample: URL_DECODE | ||||
field_to_match complex | Field on which the SQL injection match is applied | ||||
type string | Field name Sample: QUERY_STRING | ||||
xss_match_tuples complex | when type is xss and state is present | List of XSS match sets | |||
text_transformation string | transformation applied to the text before matching Sample: URL_DECODE | ||||
field_to_match complex | Field on which the XSS match is applied | ||||
type string | Field name Sample: QUERY_STRING | ||||
xss_match_set_id string | when type is xss and state is present | ID of the XSS match set Sample: de84b4b3-578b-447e-a9a0-0db35c995656 |
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Author
- Will Thames (@willthames)
- Mike Mochan (@mmochan)
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/modules/aws_waf_condition_module.html