1// Code generated by smithy-go-codegen DO NOT EDIT. 2 3package types 4 5import ( 6 smithydocument "github.com/aws/smithy-go/document" 7 "time" 8) 9 10// A single action condition for a Condition in a logging filter. 11type ActionCondition struct { 12 13 // The action setting that a log record must contain in order to meet the 14 // condition. 15 // 16 // This member is required. 17 Action ActionValue 18 19 noSmithyDocumentSerde 20} 21 22// Inspect all of the elements that WAF has parsed and extracted from the web 23// request JSON body that are within the JsonBodyMatchScope. This is used with the 24// FieldToMatch option JsonBody. This is used only to indicate the web request 25// component for WAF to inspect, in the FieldToMatch specification. JSON 26// specification: "All": {} 27type All struct { 28 noSmithyDocumentSerde 29} 30 31// Specifies that WAF should allow the request and optionally defines additional 32// custom handling for the request. This is used in the context of other settings, 33// for example to specify values for RuleAction and web ACL DefaultAction. 34type AllowAction struct { 35 36 // Defines custom handling for the web request. For information about customizing 37 // web requests and responses, see Customizing web requests and responses in WAF 38 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 39 // in the WAF Developer Guide 40 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 41 CustomRequestHandling *CustomRequestHandling 42 43 noSmithyDocumentSerde 44} 45 46// All query arguments of a web request. This is used only to indicate the web 47// request component for WAF to inspect, in the FieldToMatch specification. JSON 48// specification: "AllQueryArguments": {} 49type AllQueryArguments struct { 50 noSmithyDocumentSerde 51} 52 53// A logical rule statement used to combine other rule statements with AND logic. 54// You provide more than one Statement within the AndStatement. 55type AndStatement struct { 56 57 // The statements to combine with AND logic. You can use any statements that can be 58 // nested. 59 // 60 // This member is required. 61 Statements []Statement 62 63 noSmithyDocumentSerde 64} 65 66// Specifies that WAF should block the request and optionally defines additional 67// custom handling for the response to the web request. This is used in the context 68// of other settings, for example to specify values for RuleAction and web ACL 69// DefaultAction. 70type BlockAction struct { 71 72 // Defines a custom response for the web request. For information about customizing 73 // web requests and responses, see Customizing web requests and responses in WAF 74 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 75 // in the WAF Developer Guide 76 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 77 CustomResponse *CustomResponse 78 79 noSmithyDocumentSerde 80} 81 82// The body of a web request. This immediately follows the request headers. This is 83// used only to indicate the web request component for WAF to inspect, in the 84// FieldToMatch specification. JSON specification: "Body": {} 85type Body struct { 86 noSmithyDocumentSerde 87} 88 89// A rule statement that defines a string match search for WAF to apply to web 90// requests. The byte match statement provides the bytes to search for, the 91// location in requests that you want WAF to search, and other settings. The bytes 92// to search for are typically a string that corresponds with ASCII characters. In 93// the WAF console and the developer guide, this is refered to as a string match 94// statement. 95type ByteMatchStatement struct { 96 97 // The part of a web request that you want WAF to inspect. For more information, 98 // see FieldToMatch. 99 // 100 // This member is required. 101 FieldToMatch *FieldToMatch 102 103 // The area within the portion of a web request that you want WAF to search for 104 // SearchString. Valid values include the following: CONTAINS The specified part of 105 // the web request must include the value of SearchString, but the location doesn't 106 // matter. CONTAINS_WORD The specified part of the web request must include the 107 // value of SearchString, and SearchString must contain only alphanumeric 108 // characters or underscore (A-Z, a-z, 0-9, or _). In addition, SearchString must 109 // be a word, which means that both of the following are true: 110 // 111 // * SearchString is 112 // at the beginning of the specified part of the web request or is preceded by a 113 // character other than an alphanumeric character or underscore (_). Examples 114 // include the value of a header and ;BadBot. 115 // 116 // * SearchString is at the end of the 117 // specified part of the web request or is followed by a character other than an 118 // alphanumeric character or underscore (_), for example, BadBot; and 119 // -BadBot;. 120 // 121 // EXACTLY The value of the specified part of the web request must 122 // exactly match the value of SearchString. STARTS_WITH The value of SearchString 123 // must appear at the beginning of the specified part of the web request. ENDS_WITH 124 // The value of SearchString must appear at the end of the specified part of the 125 // web request. 126 // 127 // This member is required. 128 PositionalConstraint PositionalConstraint 129 130 // A string value that you want WAF to search for. WAF searches only in the part of 131 // web requests that you designate for inspection in FieldToMatch. The maximum 132 // length of the value is 50 bytes. Valid values depend on the component that you 133 // specify for inspection in FieldToMatch: 134 // 135 // * Method: The HTTP method that you want 136 // WAF to search for. This indicates the type of operation specified in the 137 // request. 138 // 139 // * UriPath: The value that you want WAF to search for in the URI path, 140 // for example, /images/daily-ad.jpg. 141 // 142 // If SearchString includes alphabetic 143 // characters A-Z and a-z, note that the value is case sensitive. If you're using 144 // the WAF API Specify a base64-encoded version of the value. The maximum length of 145 // the value before you base64-encode it is 50 bytes. For example, suppose the 146 // value of Type is HEADER and the value of Data is User-Agent. If you want to 147 // search the User-Agent header for the value BadBot, you base64-encode BadBot 148 // using MIME base64-encoding and include the resulting value, QmFkQm90, in the 149 // value of SearchString. If you're using the CLI or one of the Amazon Web Services 150 // SDKs The value that you want WAF to search for. The SDK automatically base64 151 // encodes the value. 152 // 153 // This member is required. 154 SearchString []byte 155 156 // Text transformations eliminate some of the unusual formatting that attackers use 157 // in web requests in an effort to bypass detection. If you specify one or more 158 // transformations in a rule statement, WAF performs all transformations on the 159 // content of the request component identified by FieldToMatch, starting from the 160 // lowest priority setting, before inspecting the content for a match. 161 // 162 // This member is required. 163 TextTransformations []TextTransformation 164 165 noSmithyDocumentSerde 166} 167 168// A single match condition for a Filter. 169type Condition struct { 170 171 // A single action condition. 172 ActionCondition *ActionCondition 173 174 // A single label name condition. 175 LabelNameCondition *LabelNameCondition 176 177 noSmithyDocumentSerde 178} 179 180// Specifies that WAF should count the request. Optionally defines additional 181// custom handling for the request. This is used in the context of other settings, 182// for example to specify values for RuleAction and web ACL DefaultAction. 183type CountAction struct { 184 185 // Defines custom handling for the web request. For information about customizing 186 // web requests and responses, see Customizing web requests and responses in WAF 187 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 188 // in the WAF Developer Guide 189 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 190 CustomRequestHandling *CustomRequestHandling 191 192 noSmithyDocumentSerde 193} 194 195// A custom header for custom request and response handling. This is used in 196// CustomResponse and CustomRequestHandling. 197type CustomHTTPHeader struct { 198 199 // The name of the custom header. For custom request header insertion, when WAF 200 // inserts the header into the request, it prefixes this name x-amzn-waf-, to avoid 201 // confusion with the headers that are already in the request. For example, for the 202 // header name sample, WAF inserts the header x-amzn-waf-sample. 203 // 204 // This member is required. 205 Name *string 206 207 // The value of the custom header. 208 // 209 // This member is required. 210 Value *string 211 212 noSmithyDocumentSerde 213} 214 215// Custom request handling behavior that inserts custom headers into a web request. 216// You can add custom request handling for the rule actions allow and count. For 217// information about customizing web requests and responses, see Customizing web 218// requests and responses in WAF 219// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 220// in the WAF Developer Guide 221// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 222type CustomRequestHandling struct { 223 224 // The HTTP headers to insert into the request. Duplicate header names are not 225 // allowed. For information about the limits on count and size for custom request 226 // and response settings, see WAF quotas 227 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF 228 // Developer Guide 229 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 230 // 231 // This member is required. 232 InsertHeaders []CustomHTTPHeader 233 234 noSmithyDocumentSerde 235} 236 237// A custom response to send to the client. You can define a custom response for 238// rule actions and default web ACL actions that are set to BlockAction. For 239// information about customizing web requests and responses, see Customizing web 240// requests and responses in WAF 241// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 242// in the WAF Developer Guide 243// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 244type CustomResponse struct { 245 246 // The HTTP status code to return to the client. For a list of status codes that 247 // you can use in your custom reqponses, see Supported status codes for custom 248 // response 249 // (https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) 250 // in the WAF Developer Guide 251 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 252 // 253 // This member is required. 254 ResponseCode *int32 255 256 // References the response body that you want WAF to return to the web request 257 // client. You can define a custom response for a rule action or a default web ACL 258 // action that is set to block. To do this, you first define the response body key 259 // and value in the CustomResponseBodies setting for the WebACL or RuleGroup where 260 // you want to use it. Then, in the rule action or web ACL default action 261 // BlockAction setting, you reference the response body using this key. 262 CustomResponseBodyKey *string 263 264 // The HTTP headers to use in the response. Duplicate header names are not allowed. 265 // For information about the limits on count and size for custom request and 266 // response settings, see WAF quotas 267 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF 268 // Developer Guide 269 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 270 ResponseHeaders []CustomHTTPHeader 271 272 noSmithyDocumentSerde 273} 274 275// The response body to use in a custom response to a web request. This is 276// referenced by key from CustomResponseCustomResponseBodyKey. 277type CustomResponseBody struct { 278 279 // The payload of the custom response. You can use JSON escape strings in JSON 280 // content. To do this, you must specify JSON content in the ContentType setting. 281 // For information about the limits on count and size for custom request and 282 // response settings, see WAF quotas 283 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF 284 // Developer Guide 285 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 286 // 287 // This member is required. 288 Content *string 289 290 // The type of content in the payload that you are defining in the Content string. 291 // 292 // This member is required. 293 ContentType ResponseContentType 294 295 noSmithyDocumentSerde 296} 297 298// In a WebACL, this is the action that you want WAF to perform when a web request 299// doesn't match any of the rules in the WebACL. The default action must be a 300// terminating action, so you can't use count. 301type DefaultAction struct { 302 303 // Specifies that WAF should allow requests by default. 304 Allow *AllowAction 305 306 // Specifies that WAF should block requests by default. 307 Block *BlockAction 308 309 noSmithyDocumentSerde 310} 311 312// Specifies a single rule to exclude from the rule group. Excluding a rule 313// overrides its action setting for the rule group in the web ACL, setting it to 314// COUNT. This effectively excludes the rule from acting on web requests. 315type ExcludedRule struct { 316 317 // The name of the rule to exclude. 318 // 319 // This member is required. 320 Name *string 321 322 noSmithyDocumentSerde 323} 324 325// The part of a web request that you want WAF to inspect. Include the single 326// FieldToMatch type that you want to inspect, with additional specifications as 327// needed, according to the type. You specify a single request component in 328// FieldToMatch for each rule statement that requires it. To inspect more than one 329// component of a web request, create a separate rule statement for each component. 330// JSON specification for a QueryString field to match: "FieldToMatch": { 331// "QueryString": {} } Example JSON for a Method field to match specification: 332// "FieldToMatch": { "Method": { "Name": "DELETE" } } 333type FieldToMatch struct { 334 335 // Inspect all query arguments. 336 AllQueryArguments *AllQueryArguments 337 338 // Inspect the request body as plain text. The request body immediately follows the 339 // request headers. This is the part of a request that contains any additional data 340 // that you want to send to your web server as the HTTP request body, such as data 341 // from a form. Note that only the first 8 KB (8192 bytes) of the request body are 342 // forwarded to WAF for inspection by the underlying host service. If you don't 343 // need to inspect more than 8 KB, you can guarantee that you don't allow 344 // additional bytes in by combining a statement that inspects the body of the web 345 // request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a 346 // SizeConstraintStatement that enforces an 8 KB size limit on the body of the 347 // request. WAF doesn't support inspecting the entire contents of web requests 348 // whose bodies exceed the 8 KB limit. 349 Body *Body 350 351 // Inspect the request body as JSON. The request body immediately follows the 352 // request headers. This is the part of a request that contains any additional data 353 // that you want to send to your web server as the HTTP request body, such as data 354 // from a form. Note that only the first 8 KB (8192 bytes) of the request body are 355 // forwarded to WAF for inspection by the underlying host service. If you don't 356 // need to inspect more than 8 KB, you can guarantee that you don't allow 357 // additional bytes in by combining a statement that inspects the body of the web 358 // request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a 359 // SizeConstraintStatement that enforces an 8 KB size limit on the body of the 360 // request. WAF doesn't support inspecting the entire contents of web requests 361 // whose bodies exceed the 8 KB limit. 362 JsonBody *JsonBody 363 364 // Inspect the HTTP method. The method indicates the type of operation that the 365 // request is asking the origin to perform. 366 Method *Method 367 368 // Inspect the query string. This is the part of a URL that appears after a ? 369 // character, if any. 370 QueryString *QueryString 371 372 // Inspect a single header. Provide the name of the header to inspect, for example, 373 // User-Agent or Referer. This setting isn't case sensitive. Example JSON: 374 // "SingleHeader": { "Name": "haystack" } 375 SingleHeader *SingleHeader 376 377 // Inspect a single query argument. Provide the name of the query argument to 378 // inspect, such as UserName or SalesRegion. The name can be up to 30 characters 379 // long and isn't case sensitive. This is used only to indicate the web request 380 // component for WAF to inspect, in the FieldToMatch specification. Example JSON: 381 // "SingleQueryArgument": { "Name": "myArgument" } 382 SingleQueryArgument *SingleQueryArgument 383 384 // Inspect the request URI path. This is the part of a web request that identifies 385 // a resource, for example, /images/daily-ad.jpg. 386 UriPath *UriPath 387 388 noSmithyDocumentSerde 389} 390 391// A single logging filter, used in LoggingFilter. 392type Filter struct { 393 394 // How to handle logs that satisfy the filter's conditions and requirement. 395 // 396 // This member is required. 397 Behavior FilterBehavior 398 399 // Match conditions for the filter. 400 // 401 // This member is required. 402 Conditions []Condition 403 404 // Logic to apply to the filtering conditions. You can specify that, in order to 405 // satisfy the filter, a log must match all conditions or must match at least one 406 // condition. 407 // 408 // This member is required. 409 Requirement FilterRequirement 410 411 noSmithyDocumentSerde 412} 413 414// A rule group that's defined for an Firewall Manager WAF policy. 415type FirewallManagerRuleGroup struct { 416 417 // The processing guidance for an Firewall Manager rule. This is like a regular 418 // rule Statement, but it can only contain a rule group reference. 419 // 420 // This member is required. 421 FirewallManagerStatement *FirewallManagerStatement 422 423 // The name of the rule group. You cannot change the name of a rule group after you 424 // create it. 425 // 426 // This member is required. 427 Name *string 428 429 // The override action to apply to the rules in a rule group. Used only for rule 430 // statements that reference a rule group, like RuleGroupReferenceStatement and 431 // ManagedRuleGroupStatement. Set the override action to none to leave the rule 432 // actions in effect. Set it to count to only count matches, regardless of the rule 433 // action settings. In a Rule, you must specify either this OverrideAction setting 434 // or the rule Action setting, but not both: 435 // 436 // * If the rule statement references a 437 // rule group, use this override action setting and not the action setting. 438 // 439 // * If 440 // the rule statement does not reference a rule group, use the rule action setting 441 // and not this rule override action setting. 442 // 443 // This member is required. 444 OverrideAction *OverrideAction 445 446 // If you define more than one rule group in the first or last Firewall Manager 447 // rule groups, WAF evaluates each request against the rule groups in order, 448 // starting from the lowest priority setting. The priorities don't need to be 449 // consecutive, but they must all be different. 450 // 451 // This member is required. 452 Priority int32 453 454 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 455 // 456 // This member is required. 457 VisibilityConfig *VisibilityConfig 458 459 noSmithyDocumentSerde 460} 461 462// The processing guidance for an Firewall Manager rule. This is like a regular 463// rule Statement, but it can only contain a rule group reference. 464type FirewallManagerStatement struct { 465 466 // A rule statement used to run the rules that are defined in a managed rule group. 467 // To use this, provide the vendor name and the name of the rule group in this 468 // statement. You can retrieve the required names by calling 469 // ListAvailableManagedRuleGroups. You cannot nest a ManagedRuleGroupStatement, for 470 // example for use inside a NotStatement or OrStatement. It can only be referenced 471 // as a top-level statement within a rule. 472 ManagedRuleGroupStatement *ManagedRuleGroupStatement 473 474 // A rule statement used to run the rules that are defined in a RuleGroup. To use 475 // this, create a rule group with your rules, then provide the ARN of the rule 476 // group in this statement. You cannot nest a RuleGroupReferenceStatement, for 477 // example for use inside a NotStatement or OrStatement. You can only use a rule 478 // group reference statement at the top level inside a web ACL. 479 RuleGroupReferenceStatement *RuleGroupReferenceStatement 480 481 noSmithyDocumentSerde 482} 483 484// The configuration for inspecting IP addresses in an HTTP header that you 485// specify, instead of using the IP address that's reported by the web request 486// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 487// any header name. If the specified header isn't present in the request, WAF 488// doesn't apply the rule to the web request at all. This configuration is used for 489// GeoMatchStatement and RateBasedStatement. For IPSetReferenceStatement, use 490// IPSetForwardedIPConfig instead. WAF only evaluates the first IP address found in 491// the specified HTTP header. 492type ForwardedIPConfig struct { 493 494 // The match status to assign to the web request if the request doesn't have a 495 // valid IP address in the specified position. If the specified header isn't 496 // present in the request, WAF doesn't apply the rule to the web request at all. 497 // You can specify the following fallback behaviors: 498 // 499 // * MATCH - Treat the web 500 // request as matching the rule statement. WAF applies the rule action to the 501 // request. 502 // 503 // * NO_MATCH - Treat the web request as not matching the rule statement. 504 // 505 // This member is required. 506 FallbackBehavior FallbackBehavior 507 508 // The name of the HTTP header to use for the IP address. For example, to use the 509 // X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified 510 // header isn't present in the request, WAF doesn't apply the rule to the web 511 // request at all. 512 // 513 // This member is required. 514 HeaderName *string 515 516 noSmithyDocumentSerde 517} 518 519// A rule statement used to identify web requests based on country of origin. 520type GeoMatchStatement struct { 521 522 // An array of two-character country codes, for example, [ "US", "CN" ], from the 523 // alpha-2 country ISO codes of the ISO 3166 international standard. 524 CountryCodes []CountryCode 525 526 // The configuration for inspecting IP addresses in an HTTP header that you 527 // specify, instead of using the IP address that's reported by the web request 528 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 529 // any header name. If the specified header isn't present in the request, WAF 530 // doesn't apply the rule to the web request at all. 531 ForwardedIPConfig *ForwardedIPConfig 532 533 noSmithyDocumentSerde 534} 535 536// Part of the response from GetSampledRequests. This is a complex type that 537// appears as Headers in the response syntax. HTTPHeader contains the names and 538// values of all of the headers that appear in one of the web requests. 539type HTTPHeader struct { 540 541 // The name of the HTTP header. 542 Name *string 543 544 // The value of the HTTP header. 545 Value *string 546 547 noSmithyDocumentSerde 548} 549 550// Part of the response from GetSampledRequests. This is a complex type that 551// appears as Request in the response syntax. HTTPRequest contains information 552// about one of the web requests. 553type HTTPRequest struct { 554 555 // The IP address that the request originated from. If the web ACL is associated 556 // with a CloudFront distribution, this is the value of one of the following fields 557 // in CloudFront access logs: 558 // 559 // * c-ip, if the viewer did not use an HTTP proxy or a 560 // load balancer to send the request 561 // 562 // * x-forwarded-for, if the viewer did use an 563 // HTTP proxy or a load balancer to send the request 564 ClientIP *string 565 566 // The two-letter country code for the country that the request originated from. 567 // For a current list of country codes, see the Wikipedia entry ISO 3166-1 alpha-2 568 // (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). 569 Country *string 570 571 // The HTTP version specified in the sampled web request, for example, HTTP/1.1. 572 HTTPVersion *string 573 574 // A complex type that contains the name and value for each header in the sampled 575 // web request. 576 Headers []HTTPHeader 577 578 // The HTTP method specified in the sampled web request. 579 Method *string 580 581 // The URI path of the request, which identifies the resource, for example, 582 // /images/daily-ad.jpg. 583 URI *string 584 585 noSmithyDocumentSerde 586} 587 588// Contains one or more IP addresses or blocks of IP addresses specified in 589// Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 590// CIDR ranges except for /0. For information about CIDR notation, see the 591// Wikipedia entry Classless Inter-Domain Routing 592// (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). WAF assigns an 593// ARN to each IPSet that you create. To use an IP set in a rule, you provide the 594// ARN to the Rule statement IPSetReferenceStatement. 595type IPSet struct { 596 597 // The Amazon Resource Name (ARN) of the entity. 598 // 599 // This member is required. 600 ARN *string 601 602 // Contains an array of strings that specify one or more IP addresses or blocks of 603 // IP addresses in Classless Inter-Domain Routing (CIDR) notation. WAF supports all 604 // IPv4 and IPv6 CIDR ranges except for /0. Examples: 605 // 606 // * To configure WAF to allow, 607 // block, or count requests that originated from the IP address 192.0.2.44, specify 608 // 192.0.2.44/32. 609 // 610 // * To configure WAF to allow, block, or count requests that 611 // originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 612 // 192.0.2.0/24. 613 // 614 // * To configure WAF to allow, block, or count requests that 615 // originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 616 // 1111:0000:0000:0000:0000:0000:0000:0111/128. 617 // 618 // * To configure WAF to allow, 619 // block, or count requests that originated from IP addresses 620 // 1111:0000:0000:0000:0000:0000:0000:0000 to 621 // 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 622 // 1111:0000:0000:0000:0000:0000:0000:0000/64. 623 // 624 // For more information about CIDR 625 // notation, see the Wikipedia entry Classless Inter-Domain Routing 626 // (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). 627 // 628 // This member is required. 629 Addresses []string 630 631 // The version of the IP addresses, either IPV4 or IPV6. 632 // 633 // This member is required. 634 IPAddressVersion IPAddressVersion 635 636 // A unique identifier for the set. This ID is returned in the responses to create 637 // and list commands. You provide it to operations like update and delete. 638 // 639 // This member is required. 640 Id *string 641 642 // The name of the IP set. You cannot change the name of an IPSet after you create 643 // it. 644 // 645 // This member is required. 646 Name *string 647 648 // A description of the IP set that helps with identification. 649 Description *string 650 651 noSmithyDocumentSerde 652} 653 654// The configuration for inspecting IP addresses in an HTTP header that you 655// specify, instead of using the IP address that's reported by the web request 656// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 657// any header name. If the specified header isn't present in the request, WAF 658// doesn't apply the rule to the web request at all. This configuration is used 659// only for IPSetReferenceStatement. For GeoMatchStatement and RateBasedStatement, 660// use ForwardedIPConfig instead. 661type IPSetForwardedIPConfig struct { 662 663 // The match status to assign to the web request if the request doesn't have a 664 // valid IP address in the specified position. If the specified header isn't 665 // present in the request, WAF doesn't apply the rule to the web request at all. 666 // You can specify the following fallback behaviors: 667 // 668 // * MATCH - Treat the web 669 // request as matching the rule statement. WAF applies the rule action to the 670 // request. 671 // 672 // * NO_MATCH - Treat the web request as not matching the rule statement. 673 // 674 // This member is required. 675 FallbackBehavior FallbackBehavior 676 677 // The name of the HTTP header to use for the IP address. For example, to use the 678 // X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified 679 // header isn't present in the request, WAF doesn't apply the rule to the web 680 // request at all. 681 // 682 // This member is required. 683 HeaderName *string 684 685 // The position in the header to search for the IP address. The header can contain 686 // IP addresses of the original client and also of proxies. For example, the header 687 // value could be 10.1.1.1, 127.0.0.0, 10.10.10.10 where the first IP address 688 // identifies the original client and the rest identify proxies that the request 689 // went through. The options for this setting are the following: 690 // 691 // * FIRST - Inspect 692 // the first IP address in the list of IP addresses in the header. This is usually 693 // the client's original IP. 694 // 695 // * LAST - Inspect the last IP address in the list of 696 // IP addresses in the header. 697 // 698 // * ANY - Inspect all IP addresses in the header for 699 // a match. If the header contains more than 10 IP addresses, WAF inspects the last 700 // 10. 701 // 702 // This member is required. 703 Position ForwardedIPPosition 704 705 noSmithyDocumentSerde 706} 707 708// A rule statement used to detect web requests coming from particular IP addresses 709// or address ranges. To use this, create an IPSet that specifies the addresses you 710// want to detect, then use the ARN of that set in this statement. To create an IP 711// set, see CreateIPSet. Each IP set rule statement references an IP set. You 712// create and maintain the set independent of your rules. This allows you to use 713// the single set in multiple rules. When you update the referenced set, WAF 714// automatically updates all rules that reference it. 715type IPSetReferenceStatement struct { 716 717 // The Amazon Resource Name (ARN) of the IPSet that this statement references. 718 // 719 // This member is required. 720 ARN *string 721 722 // The configuration for inspecting IP addresses in an HTTP header that you 723 // specify, instead of using the IP address that's reported by the web request 724 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 725 // any header name. If the specified header isn't present in the request, WAF 726 // doesn't apply the rule to the web request at all. 727 IPSetForwardedIPConfig *IPSetForwardedIPConfig 728 729 noSmithyDocumentSerde 730} 731 732// High-level information about an IPSet, returned by operations like create and 733// list. This provides information like the ID, that you can use to retrieve and 734// manage an IPSet, and the ARN, that you provide to the IPSetReferenceStatement to 735// use the address set in a Rule. 736type IPSetSummary struct { 737 738 // The Amazon Resource Name (ARN) of the entity. 739 ARN *string 740 741 // A description of the IP set that helps with identification. 742 Description *string 743 744 // A unique identifier for the set. This ID is returned in the responses to create 745 // and list commands. You provide it to operations like update and delete. 746 Id *string 747 748 // A token used for optimistic locking. WAF returns a token to your get and list 749 // requests, to mark the state of the entity at the time of the request. To make 750 // changes to the entity associated with the token, you provide the token to 751 // operations like update and delete. WAF uses the token to ensure that no changes 752 // have been made to the entity since you last retrieved it. If a change has been 753 // made, the update fails with a WAFOptimisticLockException. If this happens, 754 // perform another get, and use the new token returned by that operation. 755 LockToken *string 756 757 // The name of the IP set. You cannot change the name of an IPSet after you create 758 // it. 759 Name *string 760 761 noSmithyDocumentSerde 762} 763 764// The body of a web request, inspected as JSON. The body immediately follows the 765// request headers. This is used in the FieldToMatch specification. Use the 766// specifications in this object to indicate which parts of the JSON body to 767// inspect using the rule's inspection criteria. WAF inspects only the parts of the 768// JSON that result from the matches that you indicate. Example JSON: "JsonBody": { 769// "MatchPattern": { "All": {} }, "MatchScope": "ALL" } 770type JsonBody struct { 771 772 // The patterns to look for in the JSON body. WAF inspects the results of these 773 // pattern matches against the rule inspection criteria. 774 // 775 // This member is required. 776 MatchPattern *JsonMatchPattern 777 778 // The parts of the JSON to match against using the MatchPattern. If you specify 779 // All, WAF matches against keys and values. 780 // 781 // This member is required. 782 MatchScope JsonMatchScope 783 784 // What WAF should do if it fails to completely parse the JSON body. The options 785 // are the following: 786 // 787 // * EVALUATE_AS_STRING - Inspect the body as plain text. WAF 788 // applies the text transformations and inspection criteria that you defined for 789 // the JSON inspection to the body text string. 790 // 791 // * MATCH - Treat the web request as 792 // matching the rule statement. WAF applies the rule action to the request. 793 // 794 // * 795 // NO_MATCH - Treat the web request as not matching the rule statement. 796 // 797 // If you 798 // don't provide this setting, WAF parses and evaluates the content only up to the 799 // first parsing failure that it encounters. WAF does its best to parse the entire 800 // JSON body, but might be forced to stop for reasons such as invalid characters, 801 // duplicate keys, truncation, and any content whose root node isn't an object or 802 // an array. WAF parses the JSON in the following examples as two valid key, value 803 // pairs: 804 // 805 // * Missing comma: {"key1":"value1""key2":"value2"} 806 // 807 // * Missing colon: 808 // {"key1":"value1","key2""value2"} 809 // 810 // * Extra colons: 811 // {"key1"::"value1","key2""value2"} 812 InvalidFallbackBehavior BodyParsingFallbackBehavior 813 814 noSmithyDocumentSerde 815} 816 817// The patterns to look for in the JSON body. WAF inspects the results of these 818// pattern matches against the rule inspection criteria. This is used with the 819// FieldToMatch option JsonBody. 820type JsonMatchPattern struct { 821 822 // Match all of the elements. See also MatchScope in JsonBody. You must specify 823 // either this setting or the IncludedPaths setting, but not both. 824 All *All 825 826 // Match only the specified include paths. See also MatchScope in JsonBody. Provide 827 // the include paths using JSON Pointer syntax. For example, "IncludedPaths": 828 // ["/dogs/0/name", "/dogs/1/name"]. For information about this syntax, see the 829 // Internet Engineering Task Force (IETF) documentation JavaScript Object Notation 830 // (JSON) Pointer (https://tools.ietf.org/html/rfc6901). You must specify either 831 // this setting or the All setting, but not both. Don't use this option to include 832 // all paths. Instead, use the All setting. 833 IncludedPaths []string 834 835 noSmithyDocumentSerde 836} 837 838// A single label container. This is used as an element of a label array in 839// multiple contexts, for example, in RuleLabels inside a Rule and in Labels inside 840// a SampledHTTPRequest. 841type Label struct { 842 843 // The label string. 844 // 845 // This member is required. 846 Name *string 847 848 noSmithyDocumentSerde 849} 850 851// A rule statement that defines a string match search against labels that have 852// been added to the web request by rules that have already run in the web ACL. The 853// label match statement provides the label or namespace string to search for. The 854// label string can represent a part or all of the fully qualified label name that 855// had been added to the web request. Fully qualified labels have a prefix, 856// optional namespaces, and label name. The prefix identifies the rule group or web 857// ACL context of the rule that added the label. If you do not provide the fully 858// qualified name in your label match string, WAF performs the search for labels 859// that were added in the same context as the label match statement. 860type LabelMatchStatement struct { 861 862 // The string to match against. The setting you provide for this depends on the 863 // match statement's Scope setting: 864 // 865 // * If the Scope indicates LABEL, then this 866 // specification must include the name and can include any number of preceding 867 // namespace specifications and prefix up to providing the fully qualified label 868 // name. 869 // 870 // * If the Scope indicates NAMESPACE, then this specification can include 871 // any number of contiguous namespace strings, and can include the entire label 872 // namespace prefix from the rule group or web ACL where the label 873 // originates. 874 // 875 // Labels are case sensitive and components of a label must be 876 // separated by colon, for example NS1:NS2:name. 877 // 878 // This member is required. 879 Key *string 880 881 // Specify whether you want to match using the label name or just the namespace. 882 // 883 // This member is required. 884 Scope LabelMatchScope 885 886 noSmithyDocumentSerde 887} 888 889// A single label name condition for a Condition in a logging filter. 890type LabelNameCondition struct { 891 892 // The label name that a log record must contain in order to meet the condition. 893 // This must be a fully qualified label name. Fully qualified labels have a prefix, 894 // optional namespaces, and label name. The prefix identifies the rule group or web 895 // ACL context of the rule that added the label. 896 // 897 // This member is required. 898 LabelName *string 899 900 noSmithyDocumentSerde 901} 902 903// List of labels used by one or more of the rules of a RuleGroup. This summary 904// object is used for the following rule group lists: 905// 906// * AvailableLabels - Labels 907// that rules add to matching requests. These labels are defined in the RuleLabels 908// for a Rule. 909// 910// * ConsumedLabels - Labels that rules match against. These labels 911// are defined in a LabelMatchStatement specification, in the Statement definition 912// of a rule. 913type LabelSummary struct { 914 915 // An individual label specification. 916 Name *string 917 918 noSmithyDocumentSerde 919} 920 921// Defines an association between Amazon Kinesis Data Firehose destinations and a 922// web ACL resource, for logging from WAF. As part of the association, you can 923// specify parts of the standard logging fields to keep out of the logs and you can 924// specify filters so that you log only a subset of the logging records. 925type LoggingConfiguration struct { 926 927 // The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to 928 // associate with the web ACL. 929 // 930 // This member is required. 931 LogDestinationConfigs []string 932 933 // The Amazon Resource Name (ARN) of the web ACL that you want to associate with 934 // LogDestinationConfigs. 935 // 936 // This member is required. 937 ResourceArn *string 938 939 // Filtering that specifies which web requests are kept in the logs and which are 940 // dropped. You can filter on the rule action and on the web request labels that 941 // were applied by matching rules during web ACL evaluation. 942 LoggingFilter *LoggingFilter 943 944 // Indicates whether the logging configuration was created by Firewall Manager, as 945 // part of an WAF policy configuration. If true, only Firewall Manager can modify 946 // or delete the configuration. 947 ManagedByFirewallManager bool 948 949 // The parts of the request that you want to keep out of the logs. For example, if 950 // you redact the SingleHeader field, the HEADER field in the firehose will be xxx. 951 // You can specify only the following fields for redaction: UriPath, QueryString, 952 // SingleHeader, Method, and JsonBody. 953 RedactedFields []FieldToMatch 954 955 noSmithyDocumentSerde 956} 957 958// Filtering that specifies which web requests are kept in the logs and which are 959// dropped, defined for a web ACL's LoggingConfiguration. You can filter on the 960// rule action and on the web request labels that were applied by matching rules 961// during web ACL evaluation. 962type LoggingFilter struct { 963 964 // Default handling for logs that don't match any of the specified filtering 965 // conditions. 966 // 967 // This member is required. 968 DefaultBehavior FilterBehavior 969 970 // The filters that you want to apply to the logs. 971 // 972 // This member is required. 973 Filters []Filter 974 975 noSmithyDocumentSerde 976} 977 978// A rule statement used to run the rules that are defined in a managed rule group. 979// To use this, provide the vendor name and the name of the rule group in this 980// statement. You can retrieve the required names by calling 981// ListAvailableManagedRuleGroups. You cannot nest a ManagedRuleGroupStatement, for 982// example for use inside a NotStatement or OrStatement. It can only be referenced 983// as a top-level statement within a rule. 984type ManagedRuleGroupStatement struct { 985 986 // The name of the managed rule group. You use this, along with the vendor name, to 987 // identify the rule group. 988 // 989 // This member is required. 990 Name *string 991 992 // The name of the managed rule group vendor. You use this, along with the rule 993 // group name, to identify the rule group. 994 // 995 // This member is required. 996 VendorName *string 997 998 // The rules whose actions are set to COUNT by the web ACL, regardless of the 999 // action that is set on the rule. This effectively excludes the rule from acting 1000 // on web requests. 1001 ExcludedRules []ExcludedRule 1002 1003 // An optional nested statement that narrows the scope of the web requests that are 1004 // evaluated by the managed rule group. Requests are only evaluated by the rule 1005 // group if they match the scope-down statement. You can use any nestable Statement 1006 // in the scope-down statement, and you can nest statements at any level, the same 1007 // as you can for a rule statement. 1008 ScopeDownStatement *Statement 1009 1010 // The version of the managed rule group to use. If you specify this, the version 1011 // setting is fixed until you change it. If you don't specify this, WAF uses the 1012 // vendor's default version, and then keeps the version at the vendor's default 1013 // when the vendor updates the managed rule group settings. 1014 Version *string 1015 1016 noSmithyDocumentSerde 1017} 1018 1019// High-level information about a managed rule group, returned by 1020// ListAvailableManagedRuleGroups. This provides information like the name and 1021// vendor name, that you provide when you add a ManagedRuleGroupStatement to a web 1022// ACL. Managed rule groups include Amazon Web Services Managed Rules rule groups, 1023// which are free of charge to WAF customers, and Amazon Web Services Marketplace 1024// managed rule groups, which you can subscribe to through Amazon Web Services 1025// Marketplace. 1026type ManagedRuleGroupSummary struct { 1027 1028 // The description of the managed rule group, provided by Amazon Web Services 1029 // Managed Rules or the Amazon Web Services Marketplace seller who manages it. 1030 Description *string 1031 1032 // The name of the managed rule group. You use this, along with the vendor name, to 1033 // identify the rule group. 1034 Name *string 1035 1036 // The name of the managed rule group vendor. You use this, along with the rule 1037 // group name, to identify the rule group. 1038 VendorName *string 1039 1040 noSmithyDocumentSerde 1041} 1042 1043// Describes a single version of a managed rule group. 1044type ManagedRuleGroupVersion struct { 1045 1046 // The date and time that the managed rule group owner updated the rule group 1047 // version information. 1048 LastUpdateTimestamp *time.Time 1049 1050 // The version name. 1051 Name *string 1052 1053 noSmithyDocumentSerde 1054} 1055 1056// A set of rules that is managed by Amazon Web Services and Amazon Web Services 1057// Marketplace sellers to provide versioned managed rule groups for customers of 1058// WAF. This is intended for use only by vendors of managed rule sets. Vendors are 1059// Amazon Web Services and Amazon Web Services Marketplace sellers. Vendors, you 1060// can use the managed rule set APIs to provide controlled rollout of your 1061// versioned managed rule group offerings for your customers. The APIs are 1062// ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and 1063// UpdateManagedRuleSetVersionExpiryDate. 1064type ManagedRuleSet struct { 1065 1066 // The Amazon Resource Name (ARN) of the entity. 1067 // 1068 // This member is required. 1069 ARN *string 1070 1071 // A unique identifier for the managed rule set. The ID is returned in the 1072 // responses to commands like list. You provide it to operations like get and 1073 // update. 1074 // 1075 // This member is required. 1076 Id *string 1077 1078 // The name of the managed rule set. You use this, along with the rule set ID, to 1079 // identify the rule set. This name is assigned to the corresponding managed rule 1080 // group, which your customers can access and use. 1081 // 1082 // This member is required. 1083 Name *string 1084 1085 // A description of the set that helps with identification. 1086 Description *string 1087 1088 // The label namespace prefix for the managed rule groups that are offered to 1089 // customers from this managed rule set. All labels that are added by rules in the 1090 // managed rule group have this prefix. 1091 // 1092 // * The syntax for the label namespace 1093 // prefix for a managed rule group is the following: awswaf:managed::: 1094 // 1095 // * When a 1096 // rule with a label matches a web request, WAF adds the fully qualified label to 1097 // the request. A fully qualified label is made up of the label namespace from the 1098 // rule group or web ACL where the rule is defined and the label from the rule, 1099 // separated by a colon: : 1100 LabelNamespace *string 1101 1102 // The versions of this managed rule set that are available for use by customers. 1103 PublishedVersions map[string]ManagedRuleSetVersion 1104 1105 // The version that you would like your customers to use. 1106 RecommendedVersion *string 1107 1108 noSmithyDocumentSerde 1109} 1110 1111// High-level information for a managed rule set. This is intended for use only by 1112// vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web 1113// Services Marketplace sellers. Vendors, you can use the managed rule set APIs to 1114// provide controlled rollout of your versioned managed rule group offerings for 1115// your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, 1116// PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate. 1117type ManagedRuleSetSummary struct { 1118 1119 // The Amazon Resource Name (ARN) of the entity. 1120 ARN *string 1121 1122 // A description of the set that helps with identification. 1123 Description *string 1124 1125 // A unique identifier for the managed rule set. The ID is returned in the 1126 // responses to commands like list. You provide it to operations like get and 1127 // update. 1128 Id *string 1129 1130 // The label namespace prefix for the managed rule groups that are offered to 1131 // customers from this managed rule set. All labels that are added by rules in the 1132 // managed rule group have this prefix. 1133 // 1134 // * The syntax for the label namespace 1135 // prefix for a managed rule group is the following: awswaf:managed::: 1136 // 1137 // * When a 1138 // rule with a label matches a web request, WAF adds the fully qualified label to 1139 // the request. A fully qualified label is made up of the label namespace from the 1140 // rule group or web ACL where the rule is defined and the label from the rule, 1141 // separated by a colon: : 1142 LabelNamespace *string 1143 1144 // A token used for optimistic locking. WAF returns a token to your get and list 1145 // requests, to mark the state of the entity at the time of the request. To make 1146 // changes to the entity associated with the token, you provide the token to 1147 // operations like update and delete. WAF uses the token to ensure that no changes 1148 // have been made to the entity since you last retrieved it. If a change has been 1149 // made, the update fails with a WAFOptimisticLockException. If this happens, 1150 // perform another get, and use the new token returned by that operation. 1151 LockToken *string 1152 1153 // The name of the managed rule set. You use this, along with the rule set ID, to 1154 // identify the rule set. This name is assigned to the corresponding managed rule 1155 // group, which your customers can access and use. 1156 Name *string 1157 1158 noSmithyDocumentSerde 1159} 1160 1161// Information for a single version of a managed rule set. This is intended for use 1162// only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon 1163// Web Services Marketplace sellers. Vendors, you can use the managed rule set APIs 1164// to provide controlled rollout of your versioned managed rule group offerings for 1165// your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, 1166// PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate. 1167type ManagedRuleSetVersion struct { 1168 1169 // The Amazon Resource Name (ARN) of the vendor rule group that's used to define 1170 // the published version of your managed rule group. 1171 AssociatedRuleGroupArn *string 1172 1173 // The web ACL capacity units (WCUs) required for this rule group. WAF uses WCUs to 1174 // calculate and control the operating resources that are used to run your rules, 1175 // rule groups, and web ACLs. WAF calculates capacity differently for each rule 1176 // type, to reflect the relative cost of each rule. Simple rules that cost little 1177 // to run use fewer WCUs than more complex rules that use more processing power. 1178 // Rule group capacity is fixed at creation, which helps users plan their web ACL 1179 // WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500. 1180 Capacity int64 1181 1182 // The time that this version is set to expire. Times are in Coordinated Universal 1183 // Time (UTC) format. UTC format includes the special designator, Z. For example, 1184 // "2016-09-27T14:50Z". 1185 ExpiryTimestamp *time.Time 1186 1187 // The amount of time you expect this version of your managed rule group to last, 1188 // in days. 1189 ForecastedLifetime *int32 1190 1191 // The last time that you updated this version. Times are in Coordinated Universal 1192 // Time (UTC) format. UTC format includes the special designator, Z. For example, 1193 // "2016-09-27T14:50Z". 1194 LastUpdateTimestamp *time.Time 1195 1196 // The time that you first published this version. Times are in Coordinated 1197 // Universal Time (UTC) format. UTC format includes the special designator, Z. For 1198 // example, "2016-09-27T14:50Z". 1199 PublishTimestamp *time.Time 1200 1201 noSmithyDocumentSerde 1202} 1203 1204// The HTTP method of a web request. The method indicates the type of operation 1205// that the request is asking the origin to perform. This is used only to indicate 1206// the web request component for WAF to inspect, in the FieldToMatch specification. 1207// JSON specification: "Method": {} 1208type Method struct { 1209 noSmithyDocumentSerde 1210} 1211 1212// Specifies that WAF should do nothing. This is generally used to try out a rule 1213// without performing any actions. You set the OverrideAction on the Rule. This is 1214// used in the context of other settings, for example to specify values for 1215// RuleAction and web ACL DefaultAction. JSON specification: "None": {} 1216type NoneAction struct { 1217 noSmithyDocumentSerde 1218} 1219 1220// A logical rule statement used to negate the results of another rule statement. 1221// You provide one Statement within the NotStatement. 1222type NotStatement struct { 1223 1224 // The statement to negate. You can use any statement that can be nested. 1225 // 1226 // This member is required. 1227 Statement *Statement 1228 1229 noSmithyDocumentSerde 1230} 1231 1232// A logical rule statement used to combine other rule statements with OR logic. 1233// You provide more than one Statement within the OrStatement. 1234type OrStatement struct { 1235 1236 // The statements to combine with OR logic. You can use any statements that can be 1237 // nested. 1238 // 1239 // This member is required. 1240 Statements []Statement 1241 1242 noSmithyDocumentSerde 1243} 1244 1245// The override action to apply to the rules in a rule group. Used only for rule 1246// statements that reference a rule group, like RuleGroupReferenceStatement and 1247// ManagedRuleGroupStatement. Set the override action to none to leave the rule 1248// actions in effect. Set it to count to only count matches, regardless of the rule 1249// action settings. In a Rule, you must specify either this OverrideAction setting 1250// or the rule Action setting, but not both: 1251// 1252// * If the rule statement references a 1253// rule group, use this override action setting and not the action setting. 1254// 1255// * If 1256// the rule statement does not reference a rule group, use the rule action setting 1257// and not this rule override action setting. 1258type OverrideAction struct { 1259 1260 // Override the rule action setting to count. 1261 Count *CountAction 1262 1263 // Don't override the rule action setting. 1264 None *NoneAction 1265 1266 noSmithyDocumentSerde 1267} 1268 1269// The query string of a web request. This is the part of a URL that appears after 1270// a ? character, if any. This is used only to indicate the web request component 1271// for WAF to inspect, in the FieldToMatch specification. JSON specification: 1272// "QueryString": {} 1273type QueryString struct { 1274 noSmithyDocumentSerde 1275} 1276 1277// A rate-based rule tracks the rate of requests for each originating IP address, 1278// and triggers the rule action when the rate exceeds a limit that you specify on 1279// the number of requests in any 5-minute time span. You can use this to put a 1280// temporary block on requests from an IP address that is sending excessive 1281// requests. WAF tracks and manages web requests separately for each instance of a 1282// rate-based rule that you use. For example, if you provide the same rate-based 1283// rule settings in two web ACLs, each of the two rule statements represents a 1284// separate instance of the rate-based rule and gets its own tracking and 1285// management by WAF. If you define a rate-based rule inside a rule group, and then 1286// use that rule group in multiple places, each use creates a separate instance of 1287// the rate-based rule that gets its own tracking and management by WAF. When the 1288// rule action triggers, WAF blocks additional requests from the IP address until 1289// the request rate falls below the limit. You can optionally nest another 1290// statement inside the rate-based statement, to narrow the scope of the rule so 1291// that it only counts requests that match the nested statement. For example, based 1292// on recent requests that you have seen from an attacker, you might create a 1293// rate-based rule with a nested AND rule statement that contains the following 1294// nested statements: 1295// 1296// * An IP match statement with an IP set that specified the 1297// address 192.0.2.44. 1298// 1299// * A string match statement that searches in the User-Agent 1300// header for the string BadBot. 1301// 1302// In this rate-based rule, you also define a rate 1303// limit. For this example, the rate limit is 1,000. Requests that meet both of the 1304// conditions in the statements are counted. If the count exceeds 1,000 requests 1305// per five minutes, the rule action triggers. Requests that do not meet both 1306// conditions are not counted towards the rate limit and are not affected by this 1307// rule. You cannot nest a RateBasedStatement inside another statement, for example 1308// inside a NotStatement or OrStatement. You can define a RateBasedStatement inside 1309// a web ACL and inside a rule group. 1310type RateBasedStatement struct { 1311 1312 // Setting that indicates how to aggregate the request counts. The options are the 1313 // following: 1314 // 1315 // * IP - Aggregate the request counts on the IP address from the web 1316 // request origin. 1317 // 1318 // * FORWARDED_IP - Aggregate the request counts on the first IP 1319 // address in an HTTP header. If you use this, configure the ForwardedIPConfig, to 1320 // specify the header to use. 1321 // 1322 // This member is required. 1323 AggregateKeyType RateBasedStatementAggregateKeyType 1324 1325 // The limit on requests per 5-minute period for a single originating IP address. 1326 // If the statement includes a ScopeDownStatement, this limit is applied only to 1327 // the requests that match the statement. 1328 // 1329 // This member is required. 1330 Limit int64 1331 1332 // The configuration for inspecting IP addresses in an HTTP header that you 1333 // specify, instead of using the IP address that's reported by the web request 1334 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 1335 // any header name. If the specified header isn't present in the request, WAF 1336 // doesn't apply the rule to the web request at all. This is required if 1337 // AggregateKeyType is set to FORWARDED_IP. 1338 ForwardedIPConfig *ForwardedIPConfig 1339 1340 // An optional nested statement that narrows the scope of the web requests that are 1341 // evaluated by the rate-based statement. Requests are only tracked by the 1342 // rate-based statement if they match the scope-down statement. You can use any 1343 // nestable Statement in the scope-down statement, and you can nest statements at 1344 // any level, the same as you can for a rule statement. 1345 ScopeDownStatement *Statement 1346 1347 noSmithyDocumentSerde 1348} 1349 1350// The set of IP addresses that are currently blocked for a RateBasedStatement. 1351type RateBasedStatementManagedKeysIPSet struct { 1352 1353 // The IP addresses that are currently blocked. 1354 Addresses []string 1355 1356 // The version of the IP addresses, either IPV4 or IPV6. 1357 IPAddressVersion IPAddressVersion 1358 1359 noSmithyDocumentSerde 1360} 1361 1362// A single regular expression. This is used in a RegexPatternSet. 1363type Regex struct { 1364 1365 // The string representing the regular expression. 1366 RegexString *string 1367 1368 noSmithyDocumentSerde 1369} 1370 1371// Contains one or more regular expressions. WAF assigns an ARN to each 1372// RegexPatternSet that you create. To use a set in a rule, you provide the ARN to 1373// the Rule statement RegexPatternSetReferenceStatement. 1374type RegexPatternSet struct { 1375 1376 // The Amazon Resource Name (ARN) of the entity. 1377 ARN *string 1378 1379 // A description of the set that helps with identification. 1380 Description *string 1381 1382 // A unique identifier for the set. This ID is returned in the responses to create 1383 // and list commands. You provide it to operations like update and delete. 1384 Id *string 1385 1386 // The name of the set. You cannot change the name after you create the set. 1387 Name *string 1388 1389 // The regular expression patterns in the set. 1390 RegularExpressionList []Regex 1391 1392 noSmithyDocumentSerde 1393} 1394 1395// A rule statement used to search web request components for matches with regular 1396// expressions. To use this, create a RegexPatternSet that specifies the 1397// expressions that you want to detect, then use the ARN of that set in this 1398// statement. A web request matches the pattern set rule statement if the request 1399// component matches any of the patterns in the set. To create a regex pattern set, 1400// see CreateRegexPatternSet. Each regex pattern set rule statement references a 1401// regex pattern set. You create and maintain the set independent of your rules. 1402// This allows you to use the single set in multiple rules. When you update the 1403// referenced set, WAF automatically updates all rules that reference it. 1404type RegexPatternSetReferenceStatement struct { 1405 1406 // The Amazon Resource Name (ARN) of the RegexPatternSet that this statement 1407 // references. 1408 // 1409 // This member is required. 1410 ARN *string 1411 1412 // The part of a web request that you want WAF to inspect. For more information, 1413 // see FieldToMatch. 1414 // 1415 // This member is required. 1416 FieldToMatch *FieldToMatch 1417 1418 // Text transformations eliminate some of the unusual formatting that attackers use 1419 // in web requests in an effort to bypass detection. If you specify one or more 1420 // transformations in a rule statement, WAF performs all transformations on the 1421 // content of the request component identified by FieldToMatch, starting from the 1422 // lowest priority setting, before inspecting the content for a match. 1423 // 1424 // This member is required. 1425 TextTransformations []TextTransformation 1426 1427 noSmithyDocumentSerde 1428} 1429 1430// High-level information about a RegexPatternSet, returned by operations like 1431// create and list. This provides information like the ID, that you can use to 1432// retrieve and manage a RegexPatternSet, and the ARN, that you provide to the 1433// RegexPatternSetReferenceStatement to use the pattern set in a Rule. 1434type RegexPatternSetSummary struct { 1435 1436 // The Amazon Resource Name (ARN) of the entity. 1437 ARN *string 1438 1439 // A description of the set that helps with identification. 1440 Description *string 1441 1442 // A unique identifier for the set. This ID is returned in the responses to create 1443 // and list commands. You provide it to operations like update and delete. 1444 Id *string 1445 1446 // A token used for optimistic locking. WAF returns a token to your get and list 1447 // requests, to mark the state of the entity at the time of the request. To make 1448 // changes to the entity associated with the token, you provide the token to 1449 // operations like update and delete. WAF uses the token to ensure that no changes 1450 // have been made to the entity since you last retrieved it. If a change has been 1451 // made, the update fails with a WAFOptimisticLockException. If this happens, 1452 // perform another get, and use the new token returned by that operation. 1453 LockToken *string 1454 1455 // The name of the data type instance. You cannot change the name after you create 1456 // the instance. 1457 Name *string 1458 1459 noSmithyDocumentSerde 1460} 1461 1462// A single rule, which you can use in a WebACL or RuleGroup to identify web 1463// requests that you want to allow, block, or count. Each rule includes one 1464// top-level Statement that WAF uses to identify matching web requests, and 1465// parameters that govern how WAF handles them. 1466type Rule struct { 1467 1468 // The name of the rule. You can't change the name of a Rule after you create it. 1469 // 1470 // This member is required. 1471 Name *string 1472 1473 // If you define more than one Rule in a WebACL, WAF evaluates each request against 1474 // the Rules in order based on the value of Priority. WAF processes rules with 1475 // lower priority first. The priorities don't need to be consecutive, but they must 1476 // all be different. 1477 // 1478 // This member is required. 1479 Priority int32 1480 1481 // The WAF processing statement for the rule, for example ByteMatchStatement or 1482 // SizeConstraintStatement. 1483 // 1484 // This member is required. 1485 Statement *Statement 1486 1487 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 1488 // 1489 // This member is required. 1490 VisibilityConfig *VisibilityConfig 1491 1492 // The action that WAF should take on a web request when it matches the rule 1493 // statement. Settings at the web ACL level can override the rule action setting. 1494 // This is used only for rules whose statements do not reference a rule group. Rule 1495 // statements that reference a rule group include RuleGroupReferenceStatement and 1496 // ManagedRuleGroupStatement. You must specify either this Action setting or the 1497 // rule OverrideAction setting, but not both: 1498 // 1499 // * If the rule statement does not 1500 // reference a rule group, use this rule action setting and not the rule override 1501 // action setting. 1502 // 1503 // * If the rule statement references a rule group, use the 1504 // override action setting and not this action setting. 1505 Action *RuleAction 1506 1507 // The override action to apply to the rules in a rule group. Used only for rule 1508 // statements that reference a rule group, like RuleGroupReferenceStatement and 1509 // ManagedRuleGroupStatement. Set the override action to none to leave the rule 1510 // actions in effect. Set it to count to only count matches, regardless of the rule 1511 // action settings. In a Rule, you must specify either this OverrideAction setting 1512 // or the rule Action setting, but not both: 1513 // 1514 // * If the rule statement references a 1515 // rule group, use this override action setting and not the action setting. 1516 // 1517 // * If 1518 // the rule statement does not reference a rule group, use the rule action setting 1519 // and not this rule override action setting. 1520 OverrideAction *OverrideAction 1521 1522 // Labels to apply to web requests that match the rule match statement. WAF applies 1523 // fully qualified labels to matching web requests. A fully qualified label is the 1524 // concatenation of a label namespace and a rule label. The rule's rule group or 1525 // web ACL defines the label namespace. Rules that run after this rule in the web 1526 // ACL can match against these labels using a LabelMatchStatement. For each label, 1527 // provide a case-sensitive string containing optional namespaces and a label name, 1528 // according to the following guidelines: 1529 // 1530 // * Separate each component of the label 1531 // with a colon. 1532 // 1533 // * Each namespace or name can have up to 128 characters. 1534 // 1535 // * You 1536 // can specify up to 5 namespaces in a label. 1537 // 1538 // * Don't use the following reserved 1539 // words in your label specification: aws, waf, managed, rulegroup, webacl, 1540 // regexpatternset, or ipset. 1541 // 1542 // For example, myLabelName or 1543 // nameSpace1:nameSpace2:myLabelName. 1544 RuleLabels []Label 1545 1546 noSmithyDocumentSerde 1547} 1548 1549// The action that WAF should take on a web request when it matches a rule's 1550// statement. Settings at the web ACL level can override the rule action setting. 1551type RuleAction struct { 1552 1553 // Instructs WAF to allow the web request. 1554 Allow *AllowAction 1555 1556 // Instructs WAF to block the web request. 1557 Block *BlockAction 1558 1559 // Instructs WAF to count the web request and allow it. 1560 Count *CountAction 1561 1562 noSmithyDocumentSerde 1563} 1564 1565// A rule group defines a collection of rules to inspect and control web requests 1566// that you can use in a WebACL. When you create a rule group, you define an 1567// immutable capacity limit. If you update a rule group, you must stay within the 1568// capacity. This allows others to reuse the rule group with confidence in its 1569// capacity requirements. 1570type RuleGroup struct { 1571 1572 // The Amazon Resource Name (ARN) of the entity. 1573 // 1574 // This member is required. 1575 ARN *string 1576 1577 // The web ACL capacity units (WCUs) required for this rule group. When you create 1578 // your own rule group, you define this, and you cannot change it after creation. 1579 // When you add or modify the rules in a rule group, WAF enforces this limit. You 1580 // can check the capacity for a set of rules using CheckCapacity. WAF uses WCUs to 1581 // calculate and control the operating resources that are used to run your rules, 1582 // rule groups, and web ACLs. WAF calculates capacity differently for each rule 1583 // type, to reflect the relative cost of each rule. Simple rules that cost little 1584 // to run use fewer WCUs than more complex rules that use more processing power. 1585 // Rule group capacity is fixed at creation, which helps users plan their web ACL 1586 // WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500. 1587 // 1588 // This member is required. 1589 Capacity int64 1590 1591 // A unique identifier for the rule group. This ID is returned in the responses to 1592 // create and list commands. You provide it to operations like update and delete. 1593 // 1594 // This member is required. 1595 Id *string 1596 1597 // The name of the rule group. You cannot change the name of a rule group after you 1598 // create it. 1599 // 1600 // This member is required. 1601 Name *string 1602 1603 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 1604 // 1605 // This member is required. 1606 VisibilityConfig *VisibilityConfig 1607 1608 // The labels that one or more rules in this rule group add to matching web 1609 // requests. These labels are defined in the RuleLabels for a Rule. 1610 AvailableLabels []LabelSummary 1611 1612 // The labels that one or more rules in this rule group match against in label 1613 // match statements. These labels are defined in a LabelMatchStatement 1614 // specification, in the Statement definition of a rule. 1615 ConsumedLabels []LabelSummary 1616 1617 // A map of custom response keys and content bodies. When you create a rule with a 1618 // block action, you can send a custom response to the web request. You define 1619 // these for the rule group, and then use them in the rules that you define in the 1620 // rule group. For information about customizing web requests and responses, see 1621 // Customizing web requests and responses in WAF 1622 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 1623 // in the WAF Developer Guide 1624 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). For 1625 // information about the limits on count and size for custom request and response 1626 // settings, see WAF quotas 1627 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF 1628 // Developer Guide 1629 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 1630 CustomResponseBodies map[string]CustomResponseBody 1631 1632 // A description of the rule group that helps with identification. 1633 Description *string 1634 1635 // The label namespace prefix for this rule group. All labels added by rules in 1636 // this rule group have this prefix. 1637 // 1638 // * The syntax for the label namespace prefix 1639 // for your rule groups is the following: awswaf::rulegroup:: 1640 // 1641 // * When a rule with a 1642 // label matches a web request, WAF adds the fully qualified label to the request. 1643 // A fully qualified label is made up of the label namespace from the rule group or 1644 // web ACL where the rule is defined and the label from the rule, separated by a 1645 // colon: : 1646 LabelNamespace *string 1647 1648 // The Rule statements used to identify the web requests that you want to allow, 1649 // block, or count. Each rule includes one top-level statement that WAF uses to 1650 // identify matching web requests, and parameters that govern how WAF handles them. 1651 Rules []Rule 1652 1653 noSmithyDocumentSerde 1654} 1655 1656// A rule statement used to run the rules that are defined in a RuleGroup. To use 1657// this, create a rule group with your rules, then provide the ARN of the rule 1658// group in this statement. You cannot nest a RuleGroupReferenceStatement, for 1659// example for use inside a NotStatement or OrStatement. You can only use a rule 1660// group reference statement at the top level inside a web ACL. 1661type RuleGroupReferenceStatement struct { 1662 1663 // The Amazon Resource Name (ARN) of the entity. 1664 // 1665 // This member is required. 1666 ARN *string 1667 1668 // The names of rules that are in the referenced rule group, but that you want WAF 1669 // to exclude from processing for this rule statement. 1670 ExcludedRules []ExcludedRule 1671 1672 noSmithyDocumentSerde 1673} 1674 1675// High-level information about a RuleGroup, returned by operations like create and 1676// list. This provides information like the ID, that you can use to retrieve and 1677// manage a RuleGroup, and the ARN, that you provide to the 1678// RuleGroupReferenceStatement to use the rule group in a Rule. 1679type RuleGroupSummary struct { 1680 1681 // The Amazon Resource Name (ARN) of the entity. 1682 ARN *string 1683 1684 // A description of the rule group that helps with identification. 1685 Description *string 1686 1687 // A unique identifier for the rule group. This ID is returned in the responses to 1688 // create and list commands. You provide it to operations like update and delete. 1689 Id *string 1690 1691 // A token used for optimistic locking. WAF returns a token to your get and list 1692 // requests, to mark the state of the entity at the time of the request. To make 1693 // changes to the entity associated with the token, you provide the token to 1694 // operations like update and delete. WAF uses the token to ensure that no changes 1695 // have been made to the entity since you last retrieved it. If a change has been 1696 // made, the update fails with a WAFOptimisticLockException. If this happens, 1697 // perform another get, and use the new token returned by that operation. 1698 LockToken *string 1699 1700 // The name of the data type instance. You cannot change the name after you create 1701 // the instance. 1702 Name *string 1703 1704 noSmithyDocumentSerde 1705} 1706 1707// High-level information about a Rule, returned by operations like 1708// DescribeManagedRuleGroup. This provides information like the ID, that you can 1709// use to retrieve and manage a RuleGroup, and the ARN, that you provide to the 1710// RuleGroupReferenceStatement to use the rule group in a Rule. 1711type RuleSummary struct { 1712 1713 // The action that WAF should take on a web request when it matches a rule's 1714 // statement. Settings at the web ACL level can override the rule action setting. 1715 Action *RuleAction 1716 1717 // The name of the rule. 1718 Name *string 1719 1720 noSmithyDocumentSerde 1721} 1722 1723// Represents a single sampled web request. The response from GetSampledRequests 1724// includes a SampledHTTPRequests complex type that appears as SampledRequests in 1725// the response syntax. SampledHTTPRequests contains an array of SampledHTTPRequest 1726// objects. 1727type SampledHTTPRequest struct { 1728 1729 // A complex type that contains detailed information about the request. 1730 // 1731 // This member is required. 1732 Request *HTTPRequest 1733 1734 // A value that indicates how one result in the response relates proportionally to 1735 // other results in the response. For example, a result that has a weight of 2 1736 // represents roughly twice as many web requests as a result that has a weight of 1737 // 1. 1738 // 1739 // This member is required. 1740 Weight int64 1741 1742 // The action for the Rule that the request matched: ALLOW, BLOCK, or COUNT. 1743 Action *string 1744 1745 // Labels applied to the web request by matching rules. WAF applies fully qualified 1746 // labels to matching web requests. A fully qualified label is the concatenation of 1747 // a label namespace and a rule label. The rule's rule group or web ACL defines the 1748 // label namespace. For example, 1749 // awswaf:111122223333:myRuleGroup:testRules:testNS1:testNS2:labelNameA or 1750 // awswaf:managed:aws:managed-rule-set:header:encoding:utf8. 1751 Labels []Label 1752 1753 // Custom request headers inserted by WAF into the request, according to the custom 1754 // request configuration for the matching rule action. 1755 RequestHeadersInserted []HTTPHeader 1756 1757 // The response code that was sent for the request. 1758 ResponseCodeSent *int32 1759 1760 // The name of the Rule that the request matched. For managed rule groups, the 1761 // format for this name is ##. For your own rule groups, the format for this name 1762 // is #. If the rule is not in a rule group, this field is absent. 1763 RuleNameWithinRuleGroup *string 1764 1765 // The time at which WAF received the request from your Amazon Web Services 1766 // resource, in Unix time format (in seconds). 1767 Timestamp *time.Time 1768 1769 noSmithyDocumentSerde 1770} 1771 1772// One of the headers in a web request, identified by name, for example, User-Agent 1773// or Referer. This setting isn't case sensitive. This is used only to indicate the 1774// web request component for WAF to inspect, in the FieldToMatch specification. 1775// Example JSON: "SingleHeader": { "Name": "haystack" } 1776type SingleHeader struct { 1777 1778 // The name of the query header to inspect. 1779 // 1780 // This member is required. 1781 Name *string 1782 1783 noSmithyDocumentSerde 1784} 1785 1786// One query argument in a web request, identified by name, for example UserName or 1787// SalesRegion. The name can be up to 30 characters long and isn't case sensitive. 1788// Example JSON: "SingleQueryArgument": { "Name": "myArgument" } 1789type SingleQueryArgument struct { 1790 1791 // The name of the query argument to inspect. 1792 // 1793 // This member is required. 1794 Name *string 1795 1796 noSmithyDocumentSerde 1797} 1798 1799// A rule statement that compares a number of bytes against the size of a request 1800// component, using a comparison operator, such as greater than (>) or less than 1801// (<). For example, you can use a size constraint statement to look for query 1802// strings that are longer than 100 bytes. If you configure WAF to inspect the 1803// request body, WAF inspects only the first 8192 bytes (8 KB). If the request body 1804// for your web requests never exceeds 8192 bytes, you can create a size constraint 1805// condition and block requests that have a request body greater than 8192 bytes. 1806// If you choose URI for the value of Part of the request to filter on, the slash 1807// (/) in the URI counts as one character. For example, the URI /logo.jpg is nine 1808// characters long. 1809type SizeConstraintStatement struct { 1810 1811 // The operator to use to compare the request part to the size setting. 1812 // 1813 // This member is required. 1814 ComparisonOperator ComparisonOperator 1815 1816 // The part of a web request that you want WAF to inspect. For more information, 1817 // see FieldToMatch. 1818 // 1819 // This member is required. 1820 FieldToMatch *FieldToMatch 1821 1822 // The size, in byte, to compare to the request part, after any transformations. 1823 // 1824 // This member is required. 1825 Size int64 1826 1827 // Text transformations eliminate some of the unusual formatting that attackers use 1828 // in web requests in an effort to bypass detection. If you specify one or more 1829 // transformations in a rule statement, WAF performs all transformations on the 1830 // content of the request component identified by FieldToMatch, starting from the 1831 // lowest priority setting, before inspecting the content for a match. 1832 // 1833 // This member is required. 1834 TextTransformations []TextTransformation 1835 1836 noSmithyDocumentSerde 1837} 1838 1839// Attackers sometimes insert malicious SQL code into web requests in an effort to 1840// extract data from your database. To allow or block web requests that appear to 1841// contain malicious SQL code, create one or more SQL injection match conditions. 1842// An SQL injection match condition identifies the part of web requests, such as 1843// the URI or the query string, that you want WAF to inspect. Later in the process, 1844// when you create a web ACL, you specify whether to allow or block requests that 1845// appear to contain malicious SQL code. 1846type SqliMatchStatement struct { 1847 1848 // The part of a web request that you want WAF to inspect. For more information, 1849 // see FieldToMatch. 1850 // 1851 // This member is required. 1852 FieldToMatch *FieldToMatch 1853 1854 // Text transformations eliminate some of the unusual formatting that attackers use 1855 // in web requests in an effort to bypass detection. If you specify one or more 1856 // transformations in a rule statement, WAF performs all transformations on the 1857 // content of the request component identified by FieldToMatch, starting from the 1858 // lowest priority setting, before inspecting the content for a match. 1859 // 1860 // This member is required. 1861 TextTransformations []TextTransformation 1862 1863 noSmithyDocumentSerde 1864} 1865 1866// The processing guidance for a Rule, used by WAF to determine whether a web 1867// request matches the rule. 1868type Statement struct { 1869 1870 // A logical rule statement used to combine other rule statements with AND logic. 1871 // You provide more than one Statement within the AndStatement. 1872 AndStatement *AndStatement 1873 1874 // A rule statement that defines a string match search for WAF to apply to web 1875 // requests. The byte match statement provides the bytes to search for, the 1876 // location in requests that you want WAF to search, and other settings. The bytes 1877 // to search for are typically a string that corresponds with ASCII characters. In 1878 // the WAF console and the developer guide, this is refered to as a string match 1879 // statement. 1880 ByteMatchStatement *ByteMatchStatement 1881 1882 // A rule statement used to identify web requests based on country of origin. 1883 GeoMatchStatement *GeoMatchStatement 1884 1885 // A rule statement used to detect web requests coming from particular IP addresses 1886 // or address ranges. To use this, create an IPSet that specifies the addresses you 1887 // want to detect, then use the ARN of that set in this statement. To create an IP 1888 // set, see CreateIPSet. Each IP set rule statement references an IP set. You 1889 // create and maintain the set independent of your rules. This allows you to use 1890 // the single set in multiple rules. When you update the referenced set, WAF 1891 // automatically updates all rules that reference it. 1892 IPSetReferenceStatement *IPSetReferenceStatement 1893 1894 // A rule statement that defines a string match search against labels that have 1895 // been added to the web request by rules that have already run in the web ACL. The 1896 // label match statement provides the label or namespace string to search for. The 1897 // label string can represent a part or all of the fully qualified label name that 1898 // had been added to the web request. Fully qualified labels have a prefix, 1899 // optional namespaces, and label name. The prefix identifies the rule group or web 1900 // ACL context of the rule that added the label. If you do not provide the fully 1901 // qualified name in your label match string, WAF performs the search for labels 1902 // that were added in the same context as the label match statement. 1903 LabelMatchStatement *LabelMatchStatement 1904 1905 // A rule statement used to run the rules that are defined in a managed rule group. 1906 // To use this, provide the vendor name and the name of the rule group in this 1907 // statement. You can retrieve the required names by calling 1908 // ListAvailableManagedRuleGroups. You cannot nest a ManagedRuleGroupStatement, for 1909 // example for use inside a NotStatement or OrStatement. It can only be referenced 1910 // as a top-level statement within a rule. 1911 ManagedRuleGroupStatement *ManagedRuleGroupStatement 1912 1913 // A logical rule statement used to negate the results of another rule statement. 1914 // You provide one Statement within the NotStatement. 1915 NotStatement *NotStatement 1916 1917 // A logical rule statement used to combine other rule statements with OR logic. 1918 // You provide more than one Statement within the OrStatement. 1919 OrStatement *OrStatement 1920 1921 // A rate-based rule tracks the rate of requests for each originating IP address, 1922 // and triggers the rule action when the rate exceeds a limit that you specify on 1923 // the number of requests in any 5-minute time span. You can use this to put a 1924 // temporary block on requests from an IP address that is sending excessive 1925 // requests. WAF tracks and manages web requests separately for each instance of a 1926 // rate-based rule that you use. For example, if you provide the same rate-based 1927 // rule settings in two web ACLs, each of the two rule statements represents a 1928 // separate instance of the rate-based rule and gets its own tracking and 1929 // management by WAF. If you define a rate-based rule inside a rule group, and then 1930 // use that rule group in multiple places, each use creates a separate instance of 1931 // the rate-based rule that gets its own tracking and management by WAF. When the 1932 // rule action triggers, WAF blocks additional requests from the IP address until 1933 // the request rate falls below the limit. You can optionally nest another 1934 // statement inside the rate-based statement, to narrow the scope of the rule so 1935 // that it only counts requests that match the nested statement. For example, based 1936 // on recent requests that you have seen from an attacker, you might create a 1937 // rate-based rule with a nested AND rule statement that contains the following 1938 // nested statements: 1939 // 1940 // * An IP match statement with an IP set that specified the 1941 // address 192.0.2.44. 1942 // 1943 // * A string match statement that searches in the User-Agent 1944 // header for the string BadBot. 1945 // 1946 // In this rate-based rule, you also define a rate 1947 // limit. For this example, the rate limit is 1,000. Requests that meet both of the 1948 // conditions in the statements are counted. If the count exceeds 1,000 requests 1949 // per five minutes, the rule action triggers. Requests that do not meet both 1950 // conditions are not counted towards the rate limit and are not affected by this 1951 // rule. You cannot nest a RateBasedStatement inside another statement, for example 1952 // inside a NotStatement or OrStatement. You can define a RateBasedStatement inside 1953 // a web ACL and inside a rule group. 1954 RateBasedStatement *RateBasedStatement 1955 1956 // A rule statement used to search web request components for matches with regular 1957 // expressions. To use this, create a RegexPatternSet that specifies the 1958 // expressions that you want to detect, then use the ARN of that set in this 1959 // statement. A web request matches the pattern set rule statement if the request 1960 // component matches any of the patterns in the set. To create a regex pattern set, 1961 // see CreateRegexPatternSet. Each regex pattern set rule statement references a 1962 // regex pattern set. You create and maintain the set independent of your rules. 1963 // This allows you to use the single set in multiple rules. When you update the 1964 // referenced set, WAF automatically updates all rules that reference it. 1965 RegexPatternSetReferenceStatement *RegexPatternSetReferenceStatement 1966 1967 // A rule statement used to run the rules that are defined in a RuleGroup. To use 1968 // this, create a rule group with your rules, then provide the ARN of the rule 1969 // group in this statement. You cannot nest a RuleGroupReferenceStatement, for 1970 // example for use inside a NotStatement or OrStatement. You can only use a rule 1971 // group reference statement at the top level inside a web ACL. 1972 RuleGroupReferenceStatement *RuleGroupReferenceStatement 1973 1974 // A rule statement that compares a number of bytes against the size of a request 1975 // component, using a comparison operator, such as greater than (>) or less than 1976 // (<). For example, you can use a size constraint statement to look for query 1977 // strings that are longer than 100 bytes. If you configure WAF to inspect the 1978 // request body, WAF inspects only the first 8192 bytes (8 KB). If the request body 1979 // for your web requests never exceeds 8192 bytes, you can create a size constraint 1980 // condition and block requests that have a request body greater than 8192 bytes. 1981 // If you choose URI for the value of Part of the request to filter on, the slash 1982 // (/) in the URI counts as one character. For example, the URI /logo.jpg is nine 1983 // characters long. 1984 SizeConstraintStatement *SizeConstraintStatement 1985 1986 // Attackers sometimes insert malicious SQL code into web requests in an effort to 1987 // extract data from your database. To allow or block web requests that appear to 1988 // contain malicious SQL code, create one or more SQL injection match conditions. 1989 // An SQL injection match condition identifies the part of web requests, such as 1990 // the URI or the query string, that you want WAF to inspect. Later in the process, 1991 // when you create a web ACL, you specify whether to allow or block requests that 1992 // appear to contain malicious SQL code. 1993 SqliMatchStatement *SqliMatchStatement 1994 1995 // A rule statement that defines a cross-site scripting (XSS) match search for WAF 1996 // to apply to web requests. XSS attacks are those where the attacker uses 1997 // vulnerabilities in a benign website as a vehicle to inject malicious client-site 1998 // scripts into other legitimate web browsers. The XSS match statement provides the 1999 // location in requests that you want WAF to search and text transformations to use 2000 // on the search area before WAF searches for character sequences that are likely 2001 // to be malicious strings. 2002 XssMatchStatement *XssMatchStatement 2003 2004 noSmithyDocumentSerde 2005} 2006 2007// A tag associated with an Amazon Web Services resource. Tags are key:value pairs 2008// that you can use to categorize and manage your resources, for purposes like 2009// billing or other management. Typically, the tag key represents a category, such 2010// as "environment", and the tag value represents a specific value within that 2011// category, such as "test," "development," or "production". Or you might set the 2012// tag key to "customer" and the value to the customer name or ID. You can specify 2013// one or more tags to add to each Amazon Web Services resource, up to 50 tags for 2014// a resource. You can tag the Amazon Web Services resources that you manage 2015// through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can't 2016// manage or view tags through the WAF console. 2017type Tag struct { 2018 2019 // Part of the key:value pair that defines a tag. You can use a tag key to describe 2020 // a category of information, such as "customer." Tag keys are case-sensitive. 2021 // 2022 // This member is required. 2023 Key *string 2024 2025 // Part of the key:value pair that defines a tag. You can use a tag value to 2026 // describe a specific value within a category, such as "companyA" or "companyB." 2027 // Tag values are case-sensitive. 2028 // 2029 // This member is required. 2030 Value *string 2031 2032 noSmithyDocumentSerde 2033} 2034 2035// The collection of tagging definitions for an Amazon Web Services resource. Tags 2036// are key:value pairs that you can use to categorize and manage your resources, 2037// for purposes like billing or other management. Typically, the tag key represents 2038// a category, such as "environment", and the tag value represents a specific value 2039// within that category, such as "test," "development," or "production". Or you 2040// might set the tag key to "customer" and the value to the customer name or ID. 2041// You can specify one or more tags to add to each Amazon Web Services resource, up 2042// to 50 tags for a resource. You can tag the Amazon Web Services resources that 2043// you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. 2044// You can't manage or view tags through the WAF console. 2045type TagInfoForResource struct { 2046 2047 // The Amazon Resource Name (ARN) of the resource. 2048 ResourceARN *string 2049 2050 // The array of Tag objects defined for the resource. 2051 TagList []Tag 2052 2053 noSmithyDocumentSerde 2054} 2055 2056// Text transformations eliminate some of the unusual formatting that attackers use 2057// in web requests in an effort to bypass detection. 2058type TextTransformation struct { 2059 2060 // Sets the relative processing order for multiple transformations that are defined 2061 // for a rule statement. WAF processes all transformations, from lowest priority to 2062 // highest, before inspecting the transformed content. The priorities don't need to 2063 // be consecutive, but they must all be different. 2064 // 2065 // This member is required. 2066 Priority int32 2067 2068 // You can specify the following transformation types: BASE64_DECODE - Decode a 2069 // Base64-encoded string. BASE64_DECODE_EXT - Decode a Base64-encoded string, but 2070 // use a forgiving implementation that ignores characters that aren't valid. 2071 // CMD_LINE - Command-line transformations. These are helpful in reducing 2072 // effectiveness of attackers who inject an operating system command-line command 2073 // and use unusual formatting to disguise some or all of the command. 2074 // 2075 // * Delete the 2076 // following characters: \ " ' ^ 2077 // 2078 // * Delete spaces before the following characters: 2079 // / ( 2080 // 2081 // * Replace the following characters with a space: , ; 2082 // 2083 // * Replace multiple 2084 // spaces with one space 2085 // 2086 // * Convert uppercase letters (A-Z) to lowercase 2087 // (a-z) 2088 // 2089 // COMPRESS_WHITE_SPACE - Replace these characters with a space character 2090 // (decimal 32): 2091 // 2092 // * \f, formfeed, decimal 12 2093 // 2094 // * \t, tab, decimal 9 2095 // 2096 // * \n, newline, 2097 // decimal 10 2098 // 2099 // * \r, carriage return, decimal 13 2100 // 2101 // * \v, vertical tab, decimal 11 2102 // 2103 // * 2104 // Non-breaking space, decimal 160 2105 // 2106 // COMPRESS_WHITE_SPACE also replaces multiple 2107 // spaces with one space. CSS_DECODE - Decode characters that were encoded using 2108 // CSS 2.x escape rules syndata.html#characters. This function uses up to two bytes 2109 // in the decoding process, so it can help to uncover ASCII characters that were 2110 // encoded using CSS encoding that wouldn’t typically be encoded. It's also useful 2111 // in countering evasion, which is a combination of a backslash and non-hexadecimal 2112 // characters. For example, ja\vascript for javascript. ESCAPE_SEQ_DECODE - Decode 2113 // the following ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \, ?, ', ", 2114 // \xHH (hexadecimal), \0OOO (octal). Encodings that aren't valid remain in the 2115 // output. HEX_DECODE - Decode a string of hexadecimal characters into a binary. 2116 // HTML_ENTITY_DECODE - Replace HTML-encoded characters with unencoded characters. 2117 // HTML_ENTITY_DECODE performs these operations: 2118 // 2119 // * Replaces (ampersand)quot; with 2120 // " 2121 // 2122 // * Replaces (ampersand)nbsp; with a non-breaking space, decimal 160 2123 // 2124 // * 2125 // Replaces (ampersand)lt; with a "less than" symbol 2126 // 2127 // * Replaces (ampersand)gt; 2128 // with > 2129 // 2130 // * Replaces characters that are represented in hexadecimal format, 2131 // (ampersand)#xhhhh;, with the corresponding characters 2132 // 2133 // * Replaces characters 2134 // that are represented in decimal format, (ampersand)#nnnn;, with the 2135 // corresponding characters 2136 // 2137 // JS_DECODE - Decode JavaScript escape sequences. If a 2138 // </code> uHHHH code is in the full-width ASCII code range of FF01-FF5E, then the 2139 // higher byte is used to detect and adjust the lower byte. If not, only the lower 2140 // byte is used and the higher byte is zeroed, causing a possible loss of 2141 // information. 2142 // LOWERCASE - Convert uppercase letters (A-Z) to lowercase (a-z). 2143 // MD5 - Calculate an MD5 hash from the data in the input. The computed hash is in 2144 // a raw binary form. NONE - Specify NONE if you don't want any text 2145 // transformations. NORMALIZE_PATH - Remove multiple slashes, directory 2146 // self-references, and directory back-references that are not at the beginning of 2147 // the input from an input string. NORMALIZE_PATH_WIN - This is the same as 2148 // NORMALIZE_PATH, but first converts backslash characters to forward slashes. 2149 // REMOVE_NULLS - Remove all NULL bytes from the input. REPLACE_COMMENTS - Replace 2150 // each occurrence of a C-style comment (/* ... /) with a single space. Multiple 2151 // consecutive occurrences are not compressed. Unterminated comments are also 2152 // replaced with a space (ASCII 0x20). However, a standalone termination of a 2153 // comment (/) is not acted upon. REPLACE_NULLS - Replace NULL bytes in the input 2154 // with space characters (ASCII 0x20). SQL_HEX_DECODE - Decode SQL hex data. 2155 // Example (0x414243) will be decoded to (ABC). URL_DECODE - Decode a URL-encoded 2156 // value. URL_DECODE_UNI - Like URL_DECODE, but with support for Microsoft-specific 2157 // %u encoding. If the code is in the full-width ASCII code range of FF01-FF5E, the 2158 // higher byte is used to detect and adjust the lower byte. Otherwise, only the 2159 // lower byte is used and the higher byte is zeroed. UTF8_TO_UNICODE - Convert all 2160 // UTF-8 character sequences to Unicode. This helps input normalization, and 2161 // minimizing false-positives and false-negatives for non-English languages. 2162 // 2163 // This member is required. 2164 Type TextTransformationType 2165 2166 noSmithyDocumentSerde 2167} 2168 2169// In a GetSampledRequests request, the StartTime and EndTime objects specify the 2170// time range for which you want WAF to return a sample of web requests. You must 2171// specify the times in Coordinated Universal Time (UTC) format. UTC format 2172// includes the special designator, Z. For example, "2016-09-27T14:50Z". You can 2173// specify any time range in the previous three hours. In a GetSampledRequests 2174// response, the StartTime and EndTime objects specify the time range for which WAF 2175// actually returned a sample of web requests. WAF gets the specified number of 2176// requests from among the first 5,000 requests that your Amazon Web Services 2177// resource receives during the specified time period. If your resource receives 2178// more than 5,000 requests during that period, WAF stops sampling after the 2179// 5,000th request. In that case, EndTime is the time that WAF received the 5,000th 2180// request. 2181type TimeWindow struct { 2182 2183 // The end of the time range from which you want GetSampledRequests to return a 2184 // sample of the requests that your Amazon Web Services resource received. You must 2185 // specify the times in Coordinated Universal Time (UTC) format. UTC format 2186 // includes the special designator, Z. For example, "2016-09-27T14:50Z". You can 2187 // specify any time range in the previous three hours. 2188 // 2189 // This member is required. 2190 EndTime *time.Time 2191 2192 // The beginning of the time range from which you want GetSampledRequests to return 2193 // a sample of the requests that your Amazon Web Services resource received. You 2194 // must specify the times in Coordinated Universal Time (UTC) format. UTC format 2195 // includes the special designator, Z. For example, "2016-09-27T14:50Z". You can 2196 // specify any time range in the previous three hours. 2197 // 2198 // This member is required. 2199 StartTime *time.Time 2200 2201 noSmithyDocumentSerde 2202} 2203 2204// The path component of the URI of a web request. This is the part of a web 2205// request that identifies a resource. For example, /images/daily-ad.jpg. This is 2206// used only to indicate the web request component for WAF to inspect, in the 2207// FieldToMatch specification. JSON specification: "UriPath": {} 2208type UriPath struct { 2209 noSmithyDocumentSerde 2210} 2211 2212// A version of the named managed rule group, that the rule group's vendor 2213// publishes for use by customers. This is intended for use only by vendors of 2214// managed rule sets. Vendors are Amazon Web Services and Amazon Web Services 2215// Marketplace sellers. Vendors, you can use the managed rule set APIs to provide 2216// controlled rollout of your versioned managed rule group offerings for your 2217// customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, 2218// PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate. 2219type VersionToPublish struct { 2220 2221 // The Amazon Resource Name (ARN) of the vendor's rule group that's used in the 2222 // published managed rule group version. 2223 AssociatedRuleGroupArn *string 2224 2225 // The amount of time the vendor expects this version of the managed rule group to 2226 // last, in days. 2227 ForecastedLifetime *int32 2228 2229 noSmithyDocumentSerde 2230} 2231 2232// Defines and enables Amazon CloudWatch metrics and web request sample collection. 2233type VisibilityConfig struct { 2234 2235 // A boolean indicating whether the associated resource sends metrics to Amazon 2236 // CloudWatch. For the list of available metrics, see WAF Metrics 2237 // (https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). 2238 // 2239 // This member is required. 2240 CloudWatchMetricsEnabled bool 2241 2242 // A name of the Amazon CloudWatch metric. The name can contain only the 2243 // characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). The name can be from 2244 // one to 128 characters long. It can't contain whitespace or metric names reserved 2245 // for WAF, for example "All" and "Default_Action." 2246 // 2247 // This member is required. 2248 MetricName *string 2249 2250 // A boolean indicating whether WAF should store a sampling of the web requests 2251 // that match the rules. You can view the sampled requests through the WAF console. 2252 // 2253 // This member is required. 2254 SampledRequestsEnabled bool 2255 2256 noSmithyDocumentSerde 2257} 2258 2259// A web ACL defines a collection of rules to use to inspect and control web 2260// requests. Each rule has an action defined (allow, block, or count) for requests 2261// that match the statement of the rule. In the web ACL, you assign a default 2262// action to take (allow, block) for any request that does not match any of the 2263// rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, 2264// and managed rule group. You can associate a web ACL with one or more Amazon Web 2265// Services resources to protect. The resources can be an Amazon CloudFront 2266// distribution, an Amazon API Gateway REST API, an Application Load Balancer, or 2267// an AppSync GraphQL API. 2268type WebACL struct { 2269 2270 // The Amazon Resource Name (ARN) of the web ACL that you want to associate with 2271 // the resource. 2272 // 2273 // This member is required. 2274 ARN *string 2275 2276 // The action to perform if none of the Rules contained in the WebACL match. 2277 // 2278 // This member is required. 2279 DefaultAction *DefaultAction 2280 2281 // A unique identifier for the WebACL. This ID is returned in the responses to 2282 // create and list commands. You use this ID to do things like get, update, and 2283 // delete a WebACL. 2284 // 2285 // This member is required. 2286 Id *string 2287 2288 // The name of the web ACL. You cannot change the name of a web ACL after you 2289 // create it. 2290 // 2291 // This member is required. 2292 Name *string 2293 2294 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 2295 // 2296 // This member is required. 2297 VisibilityConfig *VisibilityConfig 2298 2299 // The web ACL capacity units (WCUs) currently being used by this web ACL. WAF uses 2300 // WCUs to calculate and control the operating resources that are used to run your 2301 // rules, rule groups, and web ACLs. WAF calculates capacity differently for each 2302 // rule type, to reflect the relative cost of each rule. Simple rules that cost 2303 // little to run use fewer WCUs than more complex rules that use more processing 2304 // power. Rule group capacity is fixed at creation, which helps users plan their 2305 // web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 2306 // 1,500. 2307 Capacity int64 2308 2309 // A map of custom response keys and content bodies. When you create a rule with a 2310 // block action, you can send a custom response to the web request. You define 2311 // these for the web ACL, and then use them in the rules and default actions that 2312 // you define in the web ACL. For information about customizing web requests and 2313 // responses, see Customizing web requests and responses in WAF 2314 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 2315 // in the WAF Developer Guide 2316 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). For 2317 // information about the limits on count and size for custom request and response 2318 // settings, see WAF quotas 2319 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF 2320 // Developer Guide 2321 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 2322 CustomResponseBodies map[string]CustomResponseBody 2323 2324 // A description of the web ACL that helps with identification. 2325 Description *string 2326 2327 // The label namespace prefix for this web ACL. All labels added by rules in this 2328 // web ACL have this prefix. 2329 // 2330 // * The syntax for the label namespace prefix for a web 2331 // ACL is the following: awswaf::webacl:: 2332 // 2333 // * When a rule with a label matches a web 2334 // request, WAF adds the fully qualified label to the request. A fully qualified 2335 // label is made up of the label namespace from the rule group or web ACL where the 2336 // rule is defined and the label from the rule, separated by a colon: : 2337 LabelNamespace *string 2338 2339 // Indicates whether this web ACL is managed by Firewall Manager. If true, then 2340 // only Firewall Manager can delete the web ACL or any Firewall Manager rule groups 2341 // in the web ACL. 2342 ManagedByFirewallManager bool 2343 2344 // The last set of rules for WAF to process in the web ACL. This is defined in an 2345 // Firewall Manager WAF policy and contains only rule group references. You can't 2346 // alter these. Any rules and rule groups that you define for the web ACL are 2347 // prioritized before these. In the Firewall Manager WAF policy, the Firewall 2348 // Manager administrator can define a set of rule groups to run first in the web 2349 // ACL and a set of rule groups to run last. Within each set, the administrator 2350 // prioritizes the rule groups, to determine their relative processing order. 2351 PostProcessFirewallManagerRuleGroups []FirewallManagerRuleGroup 2352 2353 // The first set of rules for WAF to process in the web ACL. This is defined in an 2354 // Firewall Manager WAF policy and contains only rule group references. You can't 2355 // alter these. Any rules and rule groups that you define for the web ACL are 2356 // prioritized after these. In the Firewall Manager WAF policy, the Firewall 2357 // Manager administrator can define a set of rule groups to run first in the web 2358 // ACL and a set of rule groups to run last. Within each set, the administrator 2359 // prioritizes the rule groups, to determine their relative processing order. 2360 PreProcessFirewallManagerRuleGroups []FirewallManagerRuleGroup 2361 2362 // The Rule statements used to identify the web requests that you want to allow, 2363 // block, or count. Each rule includes one top-level statement that WAF uses to 2364 // identify matching web requests, and parameters that govern how WAF handles them. 2365 Rules []Rule 2366 2367 noSmithyDocumentSerde 2368} 2369 2370// High-level information about a WebACL, returned by operations like create and 2371// list. This provides information like the ID, that you can use to retrieve and 2372// manage a WebACL, and the ARN, that you provide to operations like 2373// AssociateWebACL. 2374type WebACLSummary struct { 2375 2376 // The Amazon Resource Name (ARN) of the entity. 2377 ARN *string 2378 2379 // A description of the web ACL that helps with identification. 2380 Description *string 2381 2382 // The unique identifier for the web ACL. This ID is returned in the responses to 2383 // create and list commands. You provide it to operations like update and delete. 2384 Id *string 2385 2386 // A token used for optimistic locking. WAF returns a token to your get and list 2387 // requests, to mark the state of the entity at the time of the request. To make 2388 // changes to the entity associated with the token, you provide the token to 2389 // operations like update and delete. WAF uses the token to ensure that no changes 2390 // have been made to the entity since you last retrieved it. If a change has been 2391 // made, the update fails with a WAFOptimisticLockException. If this happens, 2392 // perform another get, and use the new token returned by that operation. 2393 LockToken *string 2394 2395 // The name of the web ACL. You cannot change the name of a web ACL after you 2396 // create it. 2397 Name *string 2398 2399 noSmithyDocumentSerde 2400} 2401 2402// A rule statement that defines a cross-site scripting (XSS) match search for WAF 2403// to apply to web requests. XSS attacks are those where the attacker uses 2404// vulnerabilities in a benign website as a vehicle to inject malicious client-site 2405// scripts into other legitimate web browsers. The XSS match statement provides the 2406// location in requests that you want WAF to search and text transformations to use 2407// on the search area before WAF searches for character sequences that are likely 2408// to be malicious strings. 2409type XssMatchStatement struct { 2410 2411 // The part of a web request that you want WAF to inspect. For more information, 2412 // see FieldToMatch. 2413 // 2414 // This member is required. 2415 FieldToMatch *FieldToMatch 2416 2417 // Text transformations eliminate some of the unusual formatting that attackers use 2418 // in web requests in an effort to bypass detection. If you specify one or more 2419 // transformations in a rule statement, WAF performs all transformations on the 2420 // content of the request component identified by FieldToMatch, starting from the 2421 // lowest priority setting, before inspecting the content for a match. 2422 // 2423 // This member is required. 2424 TextTransformations []TextTransformation 2425 2426 noSmithyDocumentSerde 2427} 2428 2429type noSmithyDocumentSerde = smithydocument.NoSerde 2430