» Data Source: oci_waas_waas_policies
This data source provides the list of WAAS Policies in the Oracle Cloud Infrastructure WAAS service.
Gets a list of WAAS policies.
» Example Usage
```hcl
data "oci_waas_waas_policies" "test_waas_policies" {
  #Required
  compartment_id = "${var.compartment_id}"

  #Optional
  display_names = "${var.waas_policy_display_names}"
  ids = "${var.waas_policy_ids}"
  states = "${var.waas_policy_states}"
  time_created_greater_than_or_equal_to = "${var.waas_policy_time_created_greater_than_or_equal_to}"
  time_created_less_than = "${var.waas_policy_time_created_less_than}"
}
```
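As an added example that is not part of the provider documentation: an audit configuration that reads every ACTIVE policy in a compartment through this data source and reports the domains that are still reachable over plain HTTP. It assumes Terraform 0.12+ expression syntax, that `policy_config` is exported as a single-element nested block (addressed as `policy_config[0]`), and the hypothetical variable, data source and output names used below.

```hcl
# Added audit example, not from the provider documentation.
# Assumptions: Terraform 0.12+ syntax; policy_config is exported as a
# single-element nested block, addressed as policy_config[0]; the variable,
# data source and output names below are hypothetical.

variable "compartment_id" {
  description = "OCID of the compartment whose WAAS policies are audited"
  type        = string
}

# Only ACTIVE policies serve traffic, so restrict the listing to them.
data "oci_waas_waas_policies" "audit" {
  compartment_id = var.compartment_id
  states         = ["ACTIVE"]
}

locals {
  policies = data.oci_waas_waas_policies.audit.waas_policies

  # Domains whose policy accepts HTTPS but still answers plain HTTP without
  # redirecting (is_https_forced defaults to false). try() falls back to
  # false when the policy_config block is absent.
  https_not_forced = [
    for p in local.policies : p.domain
    if try(p.policy_config[0].is_https_enabled, false) && !try(p.policy_config[0].is_https_forced, false)
  ]

  # Domains whose policy has HTTPS support switched off entirely.
  https_disabled = [
    for p in local.policies : p.domain
    if !try(p.policy_config[0].is_https_enabled, false)
  ]

  # The CNAME that DNS must point each protected domain at. A domain that
  # resolves elsewhere bypasses the WAF even though a policy exists for it.
  cname_by_domain = { for p in local.policies : p.domain => p.cname }
}

output "waas_https_not_forced" {
  description = "Protected domains still reachable over plain HTTP"
  value       = local.https_not_forced
}

output "waas_https_disabled" {
  description = "Protected domains with HTTPS support disabled"
  value       = local.https_disabled
}

output "waas_expected_cnames" {
  description = "Domain to WAF CNAME, for comparison against live DNS"
  value       = local.cname_by_domain
}
```

After `terraform apply`, `terraform output -json waas_https_not_forced` gives a machine-readable list that a CI check can fail on. Dropping the `states` filter widens the listing to policies in every lifecycle state, which is useful when the audit should also catch policies stuck in CREATING or FAILED.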
» Argument Reference
The following arguments are supported:
- `compartment_id` - (Required) The OCID of the compartment. This number is generated when the compartment is created.
- `display_names` - (Optional) Filter policies using a list of display names.
- `ids` - (Optional) Filter policies using a list of policy OCIDs.
- `states` - (Optional) Filter policies using a list of lifecycle states.
- `time_created_greater_than_or_equal_to` - (Optional) A filter that matches policies created on or after the specified date and time.
- `time_created_less_than` - (Optional) A filter that matches policies created before the specified date-time.
» Attributes Reference
The following attributes are exported:
- `waas_policies` - The list of waas_policies.
» WaasPolicy Reference
The following attributes are exported:
- `additional_domains` - An array of additional domains for this web application.
- `cname` - The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.
- `compartment_id` - The OCID of the WAAS policy's compartment.
- `defined_tags` - A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.
- `display_name` - The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique.
- `domain` - The web application domain that the WAAS policy protects.
- `freeform_tags` - A simple key-value pair without any defined schema.
- `id` - The OCID of the WAAS policy.
- `origins` - A map of host servers (origins) and their keys for the web application. Origin keys are used to associate origins to specific protection rules. The key should be a user-friendly name for the host. Examples: `primary` or `secondary`.
  - `custom_headers` - A list of HTTP headers to forward to your origin.
  - `http_port` - The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.
  - `https_port` - The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.
  - `uri` - The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.
- `policy_config`
  - `certificate_id` - The OCID of the SSL certificate to use if HTTPS is supported.
  - `is_https_enabled` - Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.
  - `is_https_forced` - Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.
- `state` - The current lifecycle state of the WAAS policy.
- `time_created` - The date and time the policy was created, expressed in RFC 3339 timestamp format.
- `access_rules` - The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.
  - `action` - The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.
  - `block_action` - The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.
  - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.
  - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'
  - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'
  - `block_response_code` - The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.
  - `criteria` - The list of access rule criteria.
    - `condition` - The criteria the access rule uses to determine if action should be taken on a request.
      - `URL_IS`: Matches if the concatenation of request URL path and query is identical to the contents of the `value` field.
      - `URL_IS_NOT`: Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field.
      - `URL_STARTS_WITH`: Matches if the concatenation of request URL path and query starts with the contents of the `value` field.
      - `URL_PART_ENDS_WITH`: Matches if the concatenation of request URL path and query ends with the contents of the `value` field.
      - `URL_PART_CONTAINS`: Matches if the concatenation of request URL path and query contains the contents of the `value` field.
      - `URL_REGEX`: Matches if the request is described by the regular expression in the `value` field.
      - `IP_IS`: Matches if the request originates from an IP address in the `value` field.
      - `IP_IS_NOT`: Matches if the request does not originate from an IP address in the `value` field.
      - `HTTP_HEADER_CONTAINS`: The `HTTP_HEADER_CONTAINS` criteria is defined using a compound value separated by a colon: a header field name and a header field value. `host:test.example.com` is an example of a criteria value where `host` is the header field name and `test.example.com` is the header field value. A request matches when the header field name is a case insensitive match and the header field value is a case insensitive, substring match. Example: With a criteria value of `host:test.example.com`, where `host` is the name of the field and `test.example.com` is the value of the host field, a request with the header values `Host: www.test.example.com` will match, whereas a request with header values of `host: www.example.com` or `host: test.sub.example.com` will not match.
      - `COUNTRY_IS`: Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see .
      - `COUNTRY_IS_NOT`: Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see .
      - `USER_AGENT_IS`: Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
      - `USER_AGENT_IS_NOT`: Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
    - `value` - The criteria value.
  - `name` - The unique name of the access rule.
- `address_rate_limiting` - The IP address rate limiting settings used to limit the number of requests from an address.
  - `allowed_rate_per_address` - The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.
  - `block_response_code` - The response status code returned when a request is blocked. If unspecified, defaults to `503`.
  - `is_enabled` - Enables or disables the address rate limiting Web Application Firewall feature.
  - `max_delayed_count_per_address` - The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.
- `captchas` - A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
  - `failure_message` - The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`
  - `footer_text` - The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'
  - `header_text` - The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'
  - `session_expiration_in_seconds` - The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.
  - `submit_label` - The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.
  - `title` - The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`
  - `url` - The unique URL path at which to show the CAPTCHA challenge.
- `device_fingerprint_challenge` - The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.
  - `action` - The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.
  - `action_expiration_in_seconds` - The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
  - `challenge_settings`
    - `block_action` - The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
    - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
    - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
    - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
    - `block_response_code` - The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
    - `captcha_footer` - The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
    - `captcha_header` - The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
    - `captcha_submit_label` - The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
    - `captcha_title` - The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
  - `failure_threshold` - The number of failed requests allowed before taking action. If unspecified, defaults to `10`.
  - `failure_threshold_expiration_in_seconds` - The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
  - `is_enabled` - Enables or disables the device fingerprint challenge Web Application Firewall feature.
  - `max_address_count` - The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.
  - `max_address_count_expiration_in_seconds` - The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.
- `human_interaction_challenge` - The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
  - `action` - The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
  - `action_expiration_in_seconds` - The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
  - `challenge_settings`
    - `block_action` - The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
    - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
    - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
    - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
    - `block_response_code` - The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
    - `captcha_footer` - The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
    - `captcha_header` - The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
    - `captcha_submit_label` - The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
    - `captcha_title` - The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
  - `failure_threshold` - The number of failed requests before taking action. If unspecified, defaults to `10`.
  - `failure_threshold_expiration_in_seconds` - The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
  - `interaction_threshold` - The number of interactions required to pass the challenge. If unspecified, defaults to `3`.
  - `is_enabled` - Enables or disables the human interaction challenge Web Application Firewall feature.
  - `recording_period_in_seconds` - The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.
  - `set_http_header` - Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
- `js_challenge` - The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.
  - `action` - The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
  - `action_expiration_in_seconds` - The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.
  - `challenge_settings`
    - `block_action` - The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
    - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
    - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
    - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
    - `block_response_code` - The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
    - `captcha_footer` - The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Enter the letters and numbers as they are shown in image above`.
    - `captcha_header` - The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
    - `captcha_submit_label` - The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
    - `captcha_title` - The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
  - `failure_threshold` - The number of failed requests before taking action. If unspecified, defaults to `10`.
  - `is_enabled` - Enables or disables the JavaScript challenge Web Application Firewall feature.
  - `set_http_header` - Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
- `origin` - The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.
- `protection_settings` - The settings to apply to protection rules.
  - `allowed_http_methods` - The list of allowed HTTP methods. If unspecified, defaults to `[OPTIONS, GET, HEAD, POST]`. This setting only applies if a corresponding protection rule is enabled, such as the "Restrict HTTP Request Methods" rule (key: 911100).
  - `block_action` - If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.
  - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
  - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
  - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'
  - `block_response_code` - The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
  - `is_response_inspected` - Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`. Note: Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.
  - `max_argument_count` - The maximum number of arguments allowed to be passed to your application before an action is taken. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `255`. This setting only applies if a corresponding protection rule is enabled, such as the "Number of Arguments Limits" rule (key: 960335). Example: If `maxArgumentCount` is set to `2` for the Max Number of Arguments protection rule (key: 960335), the following requests would be blocked: `GET /myapp/path?query=one&query=two&query=three` and `POST /myapp/path` with body `{"argument1":"one","argument2":"two","argument3":"three"}`
  - `max_name_length_per_argument` - The maximum length allowed for each argument name, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `400`. This setting only applies if a corresponding protection rule is enabled, such as the "Values Limits" rule (key: 960208).
  - `max_response_size_in_ki_b` - The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.
  - `max_total_name_length_of_arguments` - The maximum length allowed for the sum of the argument name and value, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `64000`. This setting only applies if a corresponding protection rule is enabled, such as the "Total Arguments Limits" rule (key: 960341).
  - `media_types` - The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `["text/html", "text/plain", "text/xml"]`. Supported MIME types include:
    - text/html
    - text/plain
    - text/asp
    - text/css
    - text/x-script
    - application/json
    - text/webviewhtml
    - text/x-java-source
    - application/x-javascript
    - application/javascript
    - application/ecmascript
    - text/javascript
    - text/ecmascript
    - text/x-script.perl
    - text/x-script.phyton
    - application/plain
    - application/xml
    - text/xml
  - `recommendations_period_in_days` - The length of time to analyze traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`. Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.
- `whitelists` - A list of IP addresses that bypass the Web Application Firewall.