1// Code generated by smithy-go-codegen DO NOT EDIT. 2 3package types 4 5import ( 6 "time" 7) 8 9// A single action condition for a Condition in a logging filter. 10type ActionCondition struct { 11 12 // The action setting that a log record must contain in order to meet the 13 // condition. 14 // 15 // This member is required. 16 Action ActionValue 17} 18 19// Inspect all of the elements that AWS WAF has parsed and extracted from the web 20// request JSON body that are within the JsonBodyMatchScope. This is used with the 21// FieldToMatch option JsonBody. This is used only to indicate the web request 22// component for AWS WAF to inspect, in the FieldToMatch specification. 23type All struct { 24} 25 26// Specifies that AWS WAF should allow the request and optionally defines 27// additional custom handling for the request. This is used in the context of other 28// settings, for example to specify values for RuleAction and web ACL 29// DefaultAction. 30type AllowAction struct { 31 32 // Defines custom handling for the web request. For information about customizing 33 // web requests and responses, see Customizing web requests and responses in AWS 34 // WAF 35 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 36 // in the AWS WAF Developer Guide 37 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 38 CustomRequestHandling *CustomRequestHandling 39} 40 41// All query arguments of a web request. This is used only to indicate the web 42// request component for AWS WAF to inspect, in the FieldToMatch specification. 43type AllQueryArguments struct { 44} 45 46// A logical rule statement used to combine other rule statements with AND logic. 47// You provide more than one Statement within the AndStatement. 48type AndStatement struct { 49 50 // The statements to combine with AND logic. You can use any statements that can be 51 // nested. 52 // 53 // This member is required. 54 Statements []Statement 55} 56 57// Specifies that AWS WAF should block the request and optionally defines 58// additional custom handling for the response to the web request. This is used in 59// the context of other settings, for example to specify values for RuleAction and 60// web ACL DefaultAction. 61type BlockAction struct { 62 63 // Defines a custom response for the web request. For information about customizing 64 // web requests and responses, see Customizing web requests and responses in AWS 65 // WAF 66 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 67 // in the AWS WAF Developer Guide 68 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 69 CustomResponse *CustomResponse 70} 71 72// The body of a web request. This immediately follows the request headers. This is 73// used only to indicate the web request component for AWS WAF to inspect, in the 74// FieldToMatch specification. 75type Body struct { 76} 77 78// A rule statement that defines a string match search for AWS WAF to apply to web 79// requests. The byte match statement provides the bytes to search for, the 80// location in requests that you want AWS WAF to search, and other settings. The 81// bytes to search for are typically a string that corresponds with ASCII 82// characters. In the AWS WAF console and the developer guide, this is refered to 83// as a string match statement. 84type ByteMatchStatement struct { 85 86 // The part of a web request that you want AWS WAF to inspect. For more 87 // information, see FieldToMatch. 88 // 89 // This member is required. 90 FieldToMatch *FieldToMatch 91 92 // The area within the portion of a web request that you want AWS WAF to search for 93 // SearchString. Valid values include the following: CONTAINS The specified part of 94 // the web request must include the value of SearchString, but the location doesn't 95 // matter. CONTAINS_WORD The specified part of the web request must include the 96 // value of SearchString, and SearchString must contain only alphanumeric 97 // characters or underscore (A-Z, a-z, 0-9, or _). In addition, SearchString must 98 // be a word, which means that both of the following are true: 99 // 100 // * SearchString is 101 // at the beginning of the specified part of the web request or is preceded by a 102 // character other than an alphanumeric character or underscore (_). Examples 103 // include the value of a header and ;BadBot. 104 // 105 // * SearchString is at the end of the 106 // specified part of the web request or is followed by a character other than an 107 // alphanumeric character or underscore (_), for example, BadBot; and 108 // -BadBot;. 109 // 110 // EXACTLY The value of the specified part of the web request must 111 // exactly match the value of SearchString. STARTS_WITH The value of SearchString 112 // must appear at the beginning of the specified part of the web request. ENDS_WITH 113 // The value of SearchString must appear at the end of the specified part of the 114 // web request. 115 // 116 // This member is required. 117 PositionalConstraint PositionalConstraint 118 119 // A string value that you want AWS WAF to search for. AWS WAF searches only in the 120 // part of web requests that you designate for inspection in FieldToMatch. The 121 // maximum length of the value is 50 bytes. Valid values depend on the component 122 // that you specify for inspection in FieldToMatch: 123 // 124 // * Method: The HTTP method that 125 // you want AWS WAF to search for. This indicates the type of operation specified 126 // in the request. 127 // 128 // * UriPath: The value that you want AWS WAF to search for in the 129 // URI path, for example, /images/daily-ad.jpg. 130 // 131 // If SearchString includes 132 // alphabetic characters A-Z and a-z, note that the value is case sensitive. If 133 // you're using the AWS WAF API Specify a base64-encoded version of the value. The 134 // maximum length of the value before you base64-encode it is 50 bytes. For 135 // example, suppose the value of Type is HEADER and the value of Data is 136 // User-Agent. If you want to search the User-Agent header for the value BadBot, 137 // you base64-encode BadBot using MIME base64-encoding and include the resulting 138 // value, QmFkQm90, in the value of SearchString. If you're using the AWS CLI or 139 // one of the AWS SDKs The value that you want AWS WAF to search for. The SDK 140 // automatically base64 encodes the value. 141 // 142 // This member is required. 143 SearchString []byte 144 145 // Text transformations eliminate some of the unusual formatting that attackers use 146 // in web requests in an effort to bypass detection. If you specify one or more 147 // transformations in a rule statement, AWS WAF performs all transformations on the 148 // content of the request component identified by FieldToMatch, starting from the 149 // lowest priority setting, before inspecting the content for a match. 150 // 151 // This member is required. 152 TextTransformations []TextTransformation 153} 154 155// A single match condition for a Filter. 156type Condition struct { 157 158 // A single action condition. 159 ActionCondition *ActionCondition 160 161 // A single label name condition. 162 LabelNameCondition *LabelNameCondition 163} 164 165// Specifies that AWS WAF should count the request. Optionally defines additional 166// custom handling for the request. This is used in the context of other settings, 167// for example to specify values for RuleAction and web ACL DefaultAction. 168type CountAction struct { 169 170 // Defines custom handling for the web request. For information about customizing 171 // web requests and responses, see Customizing web requests and responses in AWS 172 // WAF 173 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 174 // in the AWS WAF Developer Guide 175 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 176 CustomRequestHandling *CustomRequestHandling 177} 178 179// A custom header for custom request and response handling. This is used in 180// CustomResponse and CustomRequestHandling. 181type CustomHTTPHeader struct { 182 183 // The name of the custom header. For custom request header insertion, when AWS WAF 184 // inserts the header into the request, it prefixes this name x-amzn-waf-, to avoid 185 // confusion with the headers that are already in the request. For example, for the 186 // header name sample, AWS WAF inserts the header x-amzn-waf-sample. 187 // 188 // This member is required. 189 Name *string 190 191 // The value of the custom header. 192 // 193 // This member is required. 194 Value *string 195} 196 197// Custom request handling behavior that inserts custom headers into a web request. 198// You can add custom request handling for the rule actions allow and count. For 199// information about customizing web requests and responses, see Customizing web 200// requests and responses in AWS WAF 201// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 202// in the AWS WAF Developer Guide 203// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 204type CustomRequestHandling struct { 205 206 // The HTTP headers to insert into the request. Duplicate header names are not 207 // allowed. For information about the limits on count and size for custom request 208 // and response settings, see AWS WAF quotas 209 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS 210 // WAF Developer Guide 211 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 212 // 213 // This member is required. 214 InsertHeaders []CustomHTTPHeader 215} 216 217// A custom response to send to the client. You can define a custom response for 218// rule actions and default web ACL actions that are set to BlockAction. For 219// information about customizing web requests and responses, see Customizing web 220// requests and responses in AWS WAF 221// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 222// in the AWS WAF Developer Guide 223// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 224type CustomResponse struct { 225 226 // The HTTP status code to return to the client. For a list of status codes that 227 // you can use in your custom reqponses, see Supported status codes for custom 228 // response 229 // (https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) 230 // in the AWS WAF Developer Guide 231 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 232 // 233 // This member is required. 234 ResponseCode *int32 235 236 // References the response body that you want AWS WAF to return to the web request 237 // client. You can define a custom response for a rule action or a default web ACL 238 // action that is set to block. To do this, you first define the response body key 239 // and value in the CustomResponseBodies setting for the WebACL or RuleGroup where 240 // you want to use it. Then, in the rule action or web ACL default action 241 // BlockAction setting, you reference the response body using this key. 242 CustomResponseBodyKey *string 243 244 // The HTTP headers to use in the response. Duplicate header names are not allowed. 245 // For information about the limits on count and size for custom request and 246 // response settings, see AWS WAF quotas 247 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS 248 // WAF Developer Guide 249 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 250 ResponseHeaders []CustomHTTPHeader 251} 252 253// The response body to use in a custom response to a web request. This is 254// referenced by key from CustomResponseCustomResponseBodyKey. 255type CustomResponseBody struct { 256 257 // The payload of the custom response. You can use JSON escape strings in JSON 258 // content. To do this, you must specify JSON content in the ContentType setting. 259 // For information about the limits on count and size for custom request and 260 // response settings, see AWS WAF quotas 261 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS 262 // WAF Developer Guide 263 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 264 // 265 // This member is required. 266 Content *string 267 268 // The type of content in the payload that you are defining in the Content string. 269 // 270 // This member is required. 271 ContentType ResponseContentType 272} 273 274// In a WebACL, this is the action that you want AWS WAF to perform when a web 275// request doesn't match any of the rules in the WebACL. The default action must be 276// a terminating action, so you can't use count. 277type DefaultAction struct { 278 279 // Specifies that AWS WAF should allow requests by default. 280 Allow *AllowAction 281 282 // Specifies that AWS WAF should block requests by default. 283 Block *BlockAction 284} 285 286// Specifies a single rule to exclude from the rule group. Excluding a rule 287// overrides its action setting for the rule group in the web ACL, setting it to 288// COUNT. This effectively excludes the rule from acting on web requests. 289type ExcludedRule struct { 290 291 // The name of the rule to exclude. 292 // 293 // This member is required. 294 Name *string 295} 296 297// The part of a web request that you want AWS WAF to inspect. Include the single 298// FieldToMatch type that you want to inspect, with additional specifications as 299// needed, according to the type. You specify a single request component in 300// FieldToMatch for each rule statement that requires it. To inspect more than one 301// component of a web request, create a separate rule statement for each component. 302type FieldToMatch struct { 303 304 // Inspect all query arguments. 305 AllQueryArguments *AllQueryArguments 306 307 // Inspect the request body as plain text. The request body immediately follows the 308 // request headers. This is the part of a request that contains any additional data 309 // that you want to send to your web server as the HTTP request body, such as data 310 // from a form. Note that only the first 8 KB (8192 bytes) of the request body are 311 // forwarded to AWS WAF for inspection by the underlying host service. If you don't 312 // need to inspect more than 8 KB, you can guarantee that you don't allow 313 // additional bytes in by combining a statement that inspects the body of the web 314 // request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a 315 // SizeConstraintStatement that enforces an 8 KB size limit on the body of the 316 // request. AWS WAF doesn't support inspecting the entire contents of web requests 317 // whose bodies exceed the 8 KB limit. 318 Body *Body 319 320 // Inspect the request body as JSON. The request body immediately follows the 321 // request headers. This is the part of a request that contains any additional data 322 // that you want to send to your web server as the HTTP request body, such as data 323 // from a form. Note that only the first 8 KB (8192 bytes) of the request body are 324 // forwarded to AWS WAF for inspection by the underlying host service. If you don't 325 // need to inspect more than 8 KB, you can guarantee that you don't allow 326 // additional bytes in by combining a statement that inspects the body of the web 327 // request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a 328 // SizeConstraintStatement that enforces an 8 KB size limit on the body of the 329 // request. AWS WAF doesn't support inspecting the entire contents of web requests 330 // whose bodies exceed the 8 KB limit. 331 JsonBody *JsonBody 332 333 // Inspect the HTTP method. The method indicates the type of operation that the 334 // request is asking the origin to perform. 335 Method *Method 336 337 // Inspect the query string. This is the part of a URL that appears after a ? 338 // character, if any. 339 QueryString *QueryString 340 341 // Inspect a single header. Provide the name of the header to inspect, for example, 342 // User-Agent or Referer. This setting isn't case sensitive. Example JSON: 343 // "SingleHeader": { "Name": "haystack" } 344 SingleHeader *SingleHeader 345 346 // Inspect a single query argument. Provide the name of the query argument to 347 // inspect, such as UserName or SalesRegion. The name can be up to 30 characters 348 // long and isn't case sensitive. This is used only to indicate the web request 349 // component for AWS WAF to inspect, in the FieldToMatch specification. Example 350 // JSON: "SingleQueryArgument": { "Name": "myArgument" } 351 SingleQueryArgument *SingleQueryArgument 352 353 // Inspect the request URI path. This is the part of a web request that identifies 354 // a resource, for example, /images/daily-ad.jpg. 355 UriPath *UriPath 356} 357 358// A single logging filter, used in LoggingFilter. 359type Filter struct { 360 361 // How to handle logs that satisfy the filter's conditions and requirement. 362 // 363 // This member is required. 364 Behavior FilterBehavior 365 366 // Match conditions for the filter. 367 // 368 // This member is required. 369 Conditions []Condition 370 371 // Logic to apply to the filtering conditions. You can specify that, in order to 372 // satisfy the filter, a log must match all conditions or must match at least one 373 // condition. 374 // 375 // This member is required. 376 Requirement FilterRequirement 377} 378 379// A rule group that's defined for an AWS Firewall Manager WAF policy. 380type FirewallManagerRuleGroup struct { 381 382 // The processing guidance for an AWS Firewall Manager rule. This is like a regular 383 // rule Statement, but it can only contain a rule group reference. 384 // 385 // This member is required. 386 FirewallManagerStatement *FirewallManagerStatement 387 388 // The name of the rule group. You cannot change the name of a rule group after you 389 // create it. 390 // 391 // This member is required. 392 Name *string 393 394 // The override action to apply to the rules in a rule group. Used only for rule 395 // statements that reference a rule group, like RuleGroupReferenceStatement and 396 // ManagedRuleGroupStatement. Set the override action to none to leave the rule 397 // actions in effect. Set it to count to only count matches, regardless of the rule 398 // action settings. In a Rule, you must specify either this OverrideAction setting 399 // or the rule Action setting, but not both: 400 // 401 // * If the rule statement references a 402 // rule group, use this override action setting and not the action setting. 403 // 404 // * If 405 // the rule statement does not reference a rule group, use the rule action setting 406 // and not this rule override action setting. 407 // 408 // This member is required. 409 OverrideAction *OverrideAction 410 411 // If you define more than one rule group in the first or last Firewall Manager 412 // rule groups, AWS WAF evaluates each request against the rule groups in order, 413 // starting from the lowest priority setting. The priorities don't need to be 414 // consecutive, but they must all be different. 415 // 416 // This member is required. 417 Priority int32 418 419 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 420 // 421 // This member is required. 422 VisibilityConfig *VisibilityConfig 423} 424 425// The processing guidance for an AWS Firewall Manager rule. This is like a regular 426// rule Statement, but it can only contain a rule group reference. 427type FirewallManagerStatement struct { 428 429 // A rule statement used to run the rules that are defined in a managed rule group. 430 // To use this, provide the vendor name and the name of the rule group in this 431 // statement. You can retrieve the required names by calling 432 // ListAvailableManagedRuleGroups. You can't nest a ManagedRuleGroupStatement, for 433 // example for use inside a NotStatement or OrStatement. It can only be referenced 434 // as a top-level statement within a rule. 435 ManagedRuleGroupStatement *ManagedRuleGroupStatement 436 437 // A rule statement used to run the rules that are defined in a RuleGroup. To use 438 // this, create a rule group with your rules, then provide the ARN of the rule 439 // group in this statement. You cannot nest a RuleGroupReferenceStatement, for 440 // example for use inside a NotStatement or OrStatement. It can only be referenced 441 // as a top-level statement within a rule. 442 RuleGroupReferenceStatement *RuleGroupReferenceStatement 443} 444 445// The configuration for inspecting IP addresses in an HTTP header that you 446// specify, instead of using the IP address that's reported by the web request 447// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 448// any header name. If the specified header isn't present in the request, AWS WAF 449// doesn't apply the rule to the web request at all. This configuration is used for 450// GeoMatchStatement and RateBasedStatement. For IPSetReferenceStatement, use 451// IPSetForwardedIPConfig instead. AWS WAF only evaluates the first IP address 452// found in the specified HTTP header. 453type ForwardedIPConfig struct { 454 455 // The match status to assign to the web request if the request doesn't have a 456 // valid IP address in the specified position. If the specified header isn't 457 // present in the request, AWS WAF doesn't apply the rule to the web request at 458 // all. You can specify the following fallback behaviors: 459 // 460 // * MATCH - Treat the web 461 // request as matching the rule statement. AWS WAF applies the rule action to the 462 // request. 463 // 464 // * NO_MATCH - Treat the web request as not matching the rule statement. 465 // 466 // This member is required. 467 FallbackBehavior FallbackBehavior 468 469 // The name of the HTTP header to use for the IP address. For example, to use the 470 // X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified 471 // header isn't present in the request, AWS WAF doesn't apply the rule to the web 472 // request at all. 473 // 474 // This member is required. 475 HeaderName *string 476} 477 478// A rule statement used to identify web requests based on country of origin. 479type GeoMatchStatement struct { 480 481 // An array of two-character country codes, for example, [ "US", "CN" ], from the 482 // alpha-2 country ISO codes of the ISO 3166 international standard. 483 CountryCodes []CountryCode 484 485 // The configuration for inspecting IP addresses in an HTTP header that you 486 // specify, instead of using the IP address that's reported by the web request 487 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 488 // any header name. If the specified header isn't present in the request, AWS WAF 489 // doesn't apply the rule to the web request at all. 490 ForwardedIPConfig *ForwardedIPConfig 491} 492 493// Part of the response from GetSampledRequests. This is a complex type that 494// appears as Headers in the response syntax. HTTPHeader contains the names and 495// values of all of the headers that appear in one of the web requests. 496type HTTPHeader struct { 497 498 // The name of the HTTP header. 499 Name *string 500 501 // The value of the HTTP header. 502 Value *string 503} 504 505// Part of the response from GetSampledRequests. This is a complex type that 506// appears as Request in the response syntax. HTTPRequest contains information 507// about one of the web requests. 508type HTTPRequest struct { 509 510 // The IP address that the request originated from. If the web ACL is associated 511 // with a CloudFront distribution, this is the value of one of the following fields 512 // in CloudFront access logs: 513 // 514 // * c-ip, if the viewer did not use an HTTP proxy or a 515 // load balancer to send the request 516 // 517 // * x-forwarded-for, if the viewer did use an 518 // HTTP proxy or a load balancer to send the request 519 ClientIP *string 520 521 // The two-letter country code for the country that the request originated from. 522 // For a current list of country codes, see the Wikipedia entry ISO 3166-1 alpha-2 523 // (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). 524 Country *string 525 526 // The HTTP version specified in the sampled web request, for example, HTTP/1.1. 527 HTTPVersion *string 528 529 // A complex type that contains the name and value for each header in the sampled 530 // web request. 531 Headers []HTTPHeader 532 533 // The HTTP method specified in the sampled web request. 534 Method *string 535 536 // The URI path of the request, which identifies the resource, for example, 537 // /images/daily-ad.jpg. 538 URI *string 539} 540 541// Contains one or more IP addresses or blocks of IP addresses specified in 542// Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and 543// IPv6 CIDR ranges except for /0. For information about CIDR notation, see the 544// Wikipedia entry Classless Inter-Domain Routing 545// (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). AWS WAF assigns 546// an ARN to each IPSet that you create. To use an IP set in a rule, you provide 547// the ARN to the Rule statement IPSetReferenceStatement. 548type IPSet struct { 549 550 // The Amazon Resource Name (ARN) of the entity. 551 // 552 // This member is required. 553 ARN *string 554 555 // Contains an array of strings that specify one or more IP addresses or blocks of 556 // IP addresses in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports 557 // all IPv4 and IPv6 CIDR ranges except for /0. Examples: 558 // 559 // * To configure AWS WAF 560 // to allow, block, or count requests that originated from the IP address 561 // 192.0.2.44, specify 192.0.2.44/32. 562 // 563 // * To configure AWS WAF to allow, block, or 564 // count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, 565 // specify 192.0.2.0/24. 566 // 567 // * To configure AWS WAF to allow, block, or count requests 568 // that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, 569 // specify 1111:0000:0000:0000:0000:0000:0000:0111/128. 570 // 571 // * To configure AWS WAF to 572 // allow, block, or count requests that originated from IP addresses 573 // 1111:0000:0000:0000:0000:0000:0000:0000 to 574 // 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 575 // 1111:0000:0000:0000:0000:0000:0000:0000/64. 576 // 577 // For more information about CIDR 578 // notation, see the Wikipedia entry Classless Inter-Domain Routing 579 // (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). 580 // 581 // This member is required. 582 Addresses []string 583 584 // Specify IPV4 or IPV6. 585 // 586 // This member is required. 587 IPAddressVersion IPAddressVersion 588 589 // A unique identifier for the set. This ID is returned in the responses to create 590 // and list commands. You provide it to operations like update and delete. 591 // 592 // This member is required. 593 Id *string 594 595 // The name of the IP set. You cannot change the name of an IPSet after you create 596 // it. 597 // 598 // This member is required. 599 Name *string 600 601 // A description of the IP set that helps with identification. 602 Description *string 603} 604 605// The configuration for inspecting IP addresses in an HTTP header that you 606// specify, instead of using the IP address that's reported by the web request 607// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 608// any header name. If the specified header isn't present in the request, AWS WAF 609// doesn't apply the rule to the web request at all. This configuration is used 610// only for IPSetReferenceStatement. For GeoMatchStatement and RateBasedStatement, 611// use ForwardedIPConfig instead. 612type IPSetForwardedIPConfig struct { 613 614 // The match status to assign to the web request if the request doesn't have a 615 // valid IP address in the specified position. If the specified header isn't 616 // present in the request, AWS WAF doesn't apply the rule to the web request at 617 // all. You can specify the following fallback behaviors: 618 // 619 // * MATCH - Treat the web 620 // request as matching the rule statement. AWS WAF applies the rule action to the 621 // request. 622 // 623 // * NO_MATCH - Treat the web request as not matching the rule statement. 624 // 625 // This member is required. 626 FallbackBehavior FallbackBehavior 627 628 // The name of the HTTP header to use for the IP address. For example, to use the 629 // X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified 630 // header isn't present in the request, AWS WAF doesn't apply the rule to the web 631 // request at all. 632 // 633 // This member is required. 634 HeaderName *string 635 636 // The position in the header to search for the IP address. The header can contain 637 // IP addresses of the original client and also of proxies. For example, the header 638 // value could be 10.1.1.1, 127.0.0.0, 10.10.10.10 where the first IP address 639 // identifies the original client and the rest identify proxies that the request 640 // went through. The options for this setting are the following: 641 // 642 // * FIRST - Inspect 643 // the first IP address in the list of IP addresses in the header. This is usually 644 // the client's original IP. 645 // 646 // * LAST - Inspect the last IP address in the list of 647 // IP addresses in the header. 648 // 649 // * ANY - Inspect all IP addresses in the header for 650 // a match. If the header contains more than 10 IP addresses, AWS WAF inspects the 651 // last 10. 652 // 653 // This member is required. 654 Position ForwardedIPPosition 655} 656 657// A rule statement used to detect web requests coming from particular IP addresses 658// or address ranges. To use this, create an IPSet that specifies the addresses you 659// want to detect, then use the ARN of that set in this statement. To create an IP 660// set, see CreateIPSet. Each IP set rule statement references an IP set. You 661// create and maintain the set independent of your rules. This allows you to use 662// the single set in multiple rules. When you update the referenced set, AWS WAF 663// automatically updates all rules that reference it. 664type IPSetReferenceStatement struct { 665 666 // The Amazon Resource Name (ARN) of the IPSet that this statement references. 667 // 668 // This member is required. 669 ARN *string 670 671 // The configuration for inspecting IP addresses in an HTTP header that you 672 // specify, instead of using the IP address that's reported by the web request 673 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 674 // any header name. If the specified header isn't present in the request, AWS WAF 675 // doesn't apply the rule to the web request at all. 676 IPSetForwardedIPConfig *IPSetForwardedIPConfig 677} 678 679// High-level information about an IPSet, returned by operations like create and 680// list. This provides information like the ID, that you can use to retrieve and 681// manage an IPSet, and the ARN, that you provide to the IPSetReferenceStatement to 682// use the address set in a Rule. 683type IPSetSummary struct { 684 685 // The Amazon Resource Name (ARN) of the entity. 686 ARN *string 687 688 // A description of the IP set that helps with identification. 689 Description *string 690 691 // A unique identifier for the set. This ID is returned in the responses to create 692 // and list commands. You provide it to operations like update and delete. 693 Id *string 694 695 // A token used for optimistic locking. AWS WAF returns a token to your get and 696 // list requests, to mark the state of the entity at the time of the request. To 697 // make changes to the entity associated with the token, you provide the token to 698 // operations like update and delete. AWS WAF uses the token to ensure that no 699 // changes have been made to the entity since you last retrieved it. If a change 700 // has been made, the update fails with a WAFOptimisticLockException. If this 701 // happens, perform another get, and use the new token returned by that operation. 702 LockToken *string 703 704 // The name of the IP set. You cannot change the name of an IPSet after you create 705 // it. 706 Name *string 707} 708 709// The body of a web request, inspected as JSON. The body immediately follows the 710// request headers. This is used in the FieldToMatch specification. Use the 711// specifications in this object to indicate which parts of the JSON body to 712// inspect using the rule's inspection criteria. AWS WAF inspects only the parts of 713// the JSON that result from the matches that you indicate. 714type JsonBody struct { 715 716 // The patterns to look for in the JSON body. AWS WAF inspects the results of these 717 // pattern matches against the rule inspection criteria. 718 // 719 // This member is required. 720 MatchPattern *JsonMatchPattern 721 722 // The parts of the JSON to match against using the MatchPattern. If you specify 723 // All, AWS WAF matches against keys and values. 724 // 725 // This member is required. 726 MatchScope JsonMatchScope 727 728 // What AWS WAF should do if it fails to completely parse the JSON body. The 729 // options are the following: 730 // 731 // * EVALUATE_AS_STRING - Inspect the body as plain 732 // text. AWS WAF applies the text transformations and inspection criteria that you 733 // defined for the JSON inspection to the body text string. 734 // 735 // * MATCH - Treat the 736 // web request as matching the rule statement. AWS WAF applies the rule action to 737 // the request. 738 // 739 // * NO_MATCH - Treat the web request as not matching the rule 740 // statement. 741 // 742 // If you don't provide this setting, AWS WAF parses and evaluates the 743 // content only up to the first parsing failure that it encounters. AWS WAF does 744 // its best to parse the entire JSON body, but might be forced to stop for reasons 745 // such as invalid characters, duplicate keys, truncation, and any content whose 746 // root node isn't an object or an array. AWS WAF parses the JSON in the following 747 // examples as two valid key, value pairs: 748 // 749 // * Missing comma: 750 // {"key1":"value1""key2":"value2"} 751 // 752 // * Missing colon: 753 // {"key1":"value1","key2""value2"} 754 // 755 // * Extra colons: 756 // {"key1"::"value1","key2""value2"} 757 InvalidFallbackBehavior BodyParsingFallbackBehavior 758} 759 760// The patterns to look for in the JSON body. AWS WAF inspects the results of these 761// pattern matches against the rule inspection criteria. This is used with the 762// FieldToMatch option JsonBody. 763type JsonMatchPattern struct { 764 765 // Match all of the elements. See also MatchScope in JsonBody. You must specify 766 // either this setting or the IncludedPaths setting, but not both. 767 All *All 768 769 // Match only the specified include paths. See also MatchScope in JsonBody. Provide 770 // the include paths using JSON Pointer syntax. For example, "IncludedPaths": 771 // ["/dogs/0/name", "/dogs/1/name"]. For information about this syntax, see the 772 // Internet Engineering Task Force (IETF) documentation JavaScript Object Notation 773 // (JSON) Pointer (https://tools.ietf.org/html/rfc6901). You must specify either 774 // this setting or the All setting, but not both. Don't use this option to include 775 // all paths. Instead, use the All setting. 776 IncludedPaths []string 777} 778 779// A single label container. This is used as an element of a label array in 780// multiple contexts, for example, in RuleLabels inside a Rule and in Labels inside 781// a SampledHTTPRequest. 782type Label struct { 783 784 // The label string. 785 // 786 // This member is required. 787 Name *string 788} 789 790// A rule statement that defines a string match search against labels that have 791// been added to the web request by rules that have already run in the web ACL. The 792// label match statement provides the label or namespace string to search for. The 793// label string can represent a part or all of the fully qualified label name that 794// had been added to the web request. Fully qualified labels have a prefix, 795// optional namespaces, and label name. The prefix identifies the rule group or web 796// ACL context of the rule that added the label. If you do not provide the fully 797// qualified name in your label match string, AWS WAF performs the search for 798// labels that were added in the same context as the label match statement. 799type LabelMatchStatement struct { 800 801 // The string to match against. The setting you provide for this depends on the 802 // match statement's Scope settings: 803 // 804 // * If the Scope indicates LABEL, then this 805 // specification must include the name and can include any number of preceding 806 // namespace specifications and prefix up to providing the fully qualified label 807 // name. 808 // 809 // * If the Scope indicates NAMESPACE, then this specification can include 810 // any number of contiguous namespace strings, and can include the entire label 811 // namespace prefix from the rule group or web ACL where the label 812 // originates. 813 // 814 // Labels are case sensitive and components of a label must be 815 // separated by colon, for example NS1:NS2:name. 816 // 817 // This member is required. 818 Key *string 819 820 // Specify whether you want to match using the label name or just the namespace. 821 // 822 // This member is required. 823 Scope LabelMatchScope 824} 825 826// A single label name condition for a Condition in a logging filter. 827type LabelNameCondition struct { 828 829 // The label name that a log record must contain in order to meet the condition. 830 // This must be a fully qualified label name. Fully qualified labels have a prefix, 831 // optional namespaces, and label name. The prefix identifies the rule group or web 832 // ACL context of the rule that added the label. 833 // 834 // This member is required. 835 LabelName *string 836} 837 838// List of labels used by one or more of the rules of a RuleGroup. This summary 839// object is used for the following rule group lists: 840// 841// * AvailableLabels - Labels 842// that rules add to matching requests. These labels are defined in the RuleLabels 843// for a Rule. 844// 845// * ConsumedLabels - Labels that rules match against. These labels 846// are defined in a LabelMatchStatement specification, in the Statement definition 847// of a rule. 848type LabelSummary struct { 849 850 // An individual label specification. 851 Name *string 852} 853 854// Defines an association between Amazon Kinesis Data Firehose destinations and a 855// web ACL resource, for logging from AWS WAF. As part of the association, you can 856// specify parts of the standard logging fields to keep out of the logs and you can 857// specify filters so that you log only a subset of the logging records. 858type LoggingConfiguration struct { 859 860 // The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to 861 // associate with the web ACL. 862 // 863 // This member is required. 864 LogDestinationConfigs []string 865 866 // The Amazon Resource Name (ARN) of the web ACL that you want to associate with 867 // LogDestinationConfigs. 868 // 869 // This member is required. 870 ResourceArn *string 871 872 // Filtering that specifies which web requests are kept in the logs and which are 873 // dropped. You can filter on the rule action and on the web request labels that 874 // were applied by matching rules during web ACL evaluation. 875 LoggingFilter *LoggingFilter 876 877 // Indicates whether the logging configuration was created by AWS Firewall Manager, 878 // as part of an AWS WAF policy configuration. If true, only Firewall Manager can 879 // modify or delete the configuration. 880 ManagedByFirewallManager bool 881 882 // The parts of the request that you want to keep out of the logs. For example, if 883 // you redact the HEADER field, the HEADER field in the firehose will be xxx. You 884 // must use one of the following values: URI, QUERY_STRING, HEADER, or METHOD. 885 RedactedFields []FieldToMatch 886} 887 888// Filtering that specifies which web requests are kept in the logs and which are 889// dropped, defined for a web ACL's LoggingConfiguration. You can filter on the 890// rule action and on the web request labels that were applied by matching rules 891// during web ACL evaluation. 892type LoggingFilter struct { 893 894 // Default handling for logs that don't match any of the specified filtering 895 // conditions. 896 // 897 // This member is required. 898 DefaultBehavior FilterBehavior 899 900 // The filters that you want to apply to the logs. 901 // 902 // This member is required. 903 Filters []Filter 904} 905 906// A rule statement used to run the rules that are defined in a managed rule group. 907// To use this, provide the vendor name and the name of the rule group in this 908// statement. You can retrieve the required names by calling 909// ListAvailableManagedRuleGroups. You can't nest a ManagedRuleGroupStatement, for 910// example for use inside a NotStatement or OrStatement. It can only be referenced 911// as a top-level statement within a rule. 912type ManagedRuleGroupStatement struct { 913 914 // The name of the managed rule group. You use this, along with the vendor name, to 915 // identify the rule group. 916 // 917 // This member is required. 918 Name *string 919 920 // The name of the managed rule group vendor. You use this, along with the rule 921 // group name, to identify the rule group. 922 // 923 // This member is required. 924 VendorName *string 925 926 // The rules whose actions are set to COUNT by the web ACL, regardless of the 927 // action that is set on the rule. This effectively excludes the rule from acting 928 // on web requests. 929 ExcludedRules []ExcludedRule 930 931 // The processing guidance for a Rule, used by AWS WAF to determine whether a web 932 // request matches the rule. 933 ScopeDownStatement *Statement 934} 935 936// High-level information about a managed rule group, returned by 937// ListAvailableManagedRuleGroups. This provides information like the name and 938// vendor name, that you provide when you add a ManagedRuleGroupStatement to a web 939// ACL. Managed rule groups include AWS Managed Rules rule groups, which are free 940// of charge to AWS WAF customers, and AWS Marketplace managed rule groups, which 941// you can subscribe to through AWS Marketplace. 942type ManagedRuleGroupSummary struct { 943 944 // The description of the managed rule group, provided by AWS Managed Rules or the 945 // AWS Marketplace seller who manages it. 946 Description *string 947 948 // The name of the managed rule group. You use this, along with the vendor name, to 949 // identify the rule group. 950 Name *string 951 952 // The name of the managed rule group vendor. You use this, along with the rule 953 // group name, to identify the rule group. 954 VendorName *string 955} 956 957// The HTTP method of a web request. The method indicates the type of operation 958// that the request is asking the origin to perform. This is used only to indicate 959// the web request component for AWS WAF to inspect, in the FieldToMatch 960// specification. 961type Method struct { 962} 963 964// Specifies that AWS WAF should do nothing. This is generally used to try out a 965// rule without performing any actions. You set the OverrideAction on the Rule. 966// This is used in the context of other settings, for example to specify values for 967// RuleAction and web ACL DefaultAction. 968type NoneAction struct { 969} 970 971// A logical rule statement used to negate the results of another rule statement. 972// You provide one Statement within the NotStatement. 973type NotStatement struct { 974 975 // The statement to negate. You can use any statement that can be nested. 976 // 977 // This member is required. 978 Statement *Statement 979} 980 981// A logical rule statement used to combine other rule statements with OR logic. 982// You provide more than one Statement within the OrStatement. 983type OrStatement struct { 984 985 // The statements to combine with OR logic. You can use any statements that can be 986 // nested. 987 // 988 // This member is required. 989 Statements []Statement 990} 991 992// The override action to apply to the rules in a rule group. Used only for rule 993// statements that reference a rule group, like RuleGroupReferenceStatement and 994// ManagedRuleGroupStatement. Set the override action to none to leave the rule 995// actions in effect. Set it to count to only count matches, regardless of the rule 996// action settings. In a Rule, you must specify either this OverrideAction setting 997// or the rule Action setting, but not both: 998// 999// * If the rule statement references a 1000// rule group, use this override action setting and not the action setting. 1001// 1002// * If 1003// the rule statement does not reference a rule group, use the rule action setting 1004// and not this rule override action setting. 1005type OverrideAction struct { 1006 1007 // Override the rule action setting to count. 1008 Count *CountAction 1009 1010 // Don't override the rule action setting. 1011 None *NoneAction 1012} 1013 1014// The query string of a web request. This is the part of a URL that appears after 1015// a ? character, if any. This is used only to indicate the web request component 1016// for AWS WAF to inspect, in the FieldToMatch specification. 1017type QueryString struct { 1018} 1019 1020// A rate-based rule tracks the rate of requests for each originating IP address, 1021// and triggers the rule action when the rate exceeds a limit that you specify on 1022// the number of requests in any 5-minute time span. You can use this to put a 1023// temporary block on requests from an IP address that is sending excessive 1024// requests. When the rule action triggers, AWS WAF blocks additional requests from 1025// the IP address until the request rate falls below the limit. You can optionally 1026// nest another statement inside the rate-based statement, to narrow the scope of 1027// the rule so that it only counts requests that match the nested statement. For 1028// example, based on recent requests that you have seen from an attacker, you might 1029// create a rate-based rule with a nested AND rule statement that contains the 1030// following nested statements: 1031// 1032// * An IP match statement with an IP set that 1033// specified the address 192.0.2.44. 1034// 1035// * A string match statement that searches in 1036// the User-Agent header for the string BadBot. 1037// 1038// In this rate-based rule, you also 1039// define a rate limit. For this example, the rate limit is 1,000. Requests that 1040// meet both of the conditions in the statements are counted. If the count exceeds 1041// 1,000 requests per five minutes, the rule action triggers. Requests that do not 1042// meet both conditions are not counted towards the rate limit and are not affected 1043// by this rule. You cannot nest a RateBasedStatement, for example for use inside a 1044// NotStatement or OrStatement. It can only be referenced as a top-level statement 1045// within a rule. 1046type RateBasedStatement struct { 1047 1048 // Setting that indicates how to aggregate the request counts. The options are the 1049 // following: 1050 // 1051 // * IP - Aggregate the request counts on the IP address from the web 1052 // request origin. 1053 // 1054 // * FORWARDED_IP - Aggregate the request counts on the first IP 1055 // address in an HTTP header. If you use this, configure the ForwardedIPConfig, to 1056 // specify the header to use. 1057 // 1058 // This member is required. 1059 AggregateKeyType RateBasedStatementAggregateKeyType 1060 1061 // The limit on requests per 5-minute period for a single originating IP address. 1062 // If the statement includes a ScopeDownStatement, this limit is applied only to 1063 // the requests that match the statement. 1064 // 1065 // This member is required. 1066 Limit int64 1067 1068 // The configuration for inspecting IP addresses in an HTTP header that you 1069 // specify, instead of using the IP address that's reported by the web request 1070 // origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify 1071 // any header name. If the specified header isn't present in the request, AWS WAF 1072 // doesn't apply the rule to the web request at all. This is required if 1073 // AggregateKeyType is set to FORWARDED_IP. 1074 ForwardedIPConfig *ForwardedIPConfig 1075 1076 // An optional nested statement that narrows the scope of the rate-based statement 1077 // to matching web requests. This can be any nestable statement, and you can nest 1078 // statements at any level below this scope-down statement. 1079 ScopeDownStatement *Statement 1080} 1081 1082// The set of IP addresses that are currently blocked for a rate-based statement. 1083type RateBasedStatementManagedKeysIPSet struct { 1084 1085 // The IP addresses that are currently blocked. 1086 Addresses []string 1087 1088 IPAddressVersion IPAddressVersion 1089} 1090 1091// A single regular expression. This is used in a RegexPatternSet. 1092type Regex struct { 1093 1094 // The string representing the regular expression. 1095 RegexString *string 1096} 1097 1098// Contains one or more regular expressions. AWS WAF assigns an ARN to each 1099// RegexPatternSet that you create. To use a set in a rule, you provide the ARN to 1100// the Rule statement RegexPatternSetReferenceStatement. 1101type RegexPatternSet struct { 1102 1103 // The Amazon Resource Name (ARN) of the entity. 1104 ARN *string 1105 1106 // A description of the set that helps with identification. 1107 Description *string 1108 1109 // A unique identifier for the set. This ID is returned in the responses to create 1110 // and list commands. You provide it to operations like update and delete. 1111 Id *string 1112 1113 // The name of the set. You cannot change the name after you create the set. 1114 Name *string 1115 1116 // The regular expression patterns in the set. 1117 RegularExpressionList []Regex 1118} 1119 1120// A rule statement used to search web request components for matches with regular 1121// expressions. To use this, create a RegexPatternSet that specifies the 1122// expressions that you want to detect, then use the ARN of that set in this 1123// statement. A web request matches the pattern set rule statement if the request 1124// component matches any of the patterns in the set. To create a regex pattern set, 1125// see CreateRegexPatternSet. Each regex pattern set rule statement references a 1126// regex pattern set. You create and maintain the set independent of your rules. 1127// This allows you to use the single set in multiple rules. When you update the 1128// referenced set, AWS WAF automatically updates all rules that reference it. 1129type RegexPatternSetReferenceStatement struct { 1130 1131 // The Amazon Resource Name (ARN) of the RegexPatternSet that this statement 1132 // references. 1133 // 1134 // This member is required. 1135 ARN *string 1136 1137 // The part of a web request that you want AWS WAF to inspect. For more 1138 // information, see FieldToMatch. 1139 // 1140 // This member is required. 1141 FieldToMatch *FieldToMatch 1142 1143 // Text transformations eliminate some of the unusual formatting that attackers use 1144 // in web requests in an effort to bypass detection. If you specify one or more 1145 // transformations in a rule statement, AWS WAF performs all transformations on the 1146 // content of the request component identified by FieldToMatch, starting from the 1147 // lowest priority setting, before inspecting the content for a match. 1148 // 1149 // This member is required. 1150 TextTransformations []TextTransformation 1151} 1152 1153// High-level information about a RegexPatternSet, returned by operations like 1154// create and list. This provides information like the ID, that you can use to 1155// retrieve and manage a RegexPatternSet, and the ARN, that you provide to the 1156// RegexPatternSetReferenceStatement to use the pattern set in a Rule. 1157type RegexPatternSetSummary struct { 1158 1159 // The Amazon Resource Name (ARN) of the entity. 1160 ARN *string 1161 1162 // A description of the set that helps with identification. 1163 Description *string 1164 1165 // A unique identifier for the set. This ID is returned in the responses to create 1166 // and list commands. You provide it to operations like update and delete. 1167 Id *string 1168 1169 // A token used for optimistic locking. AWS WAF returns a token to your get and 1170 // list requests, to mark the state of the entity at the time of the request. To 1171 // make changes to the entity associated with the token, you provide the token to 1172 // operations like update and delete. AWS WAF uses the token to ensure that no 1173 // changes have been made to the entity since you last retrieved it. If a change 1174 // has been made, the update fails with a WAFOptimisticLockException. If this 1175 // happens, perform another get, and use the new token returned by that operation. 1176 LockToken *string 1177 1178 // The name of the data type instance. You cannot change the name after you create 1179 // the instance. 1180 Name *string 1181} 1182 1183// A single rule, which you can use in a WebACL or RuleGroup to identify web 1184// requests that you want to allow, block, or count. Each rule includes one 1185// top-level Statement that AWS WAF uses to identify matching web requests, and 1186// parameters that govern how AWS WAF handles them. 1187type Rule struct { 1188 1189 // The name of the rule. You can't change the name of a Rule after you create it. 1190 // 1191 // This member is required. 1192 Name *string 1193 1194 // If you define more than one Rule in a WebACL, AWS WAF evaluates each request 1195 // against the Rules in order based on the value of Priority. AWS WAF processes 1196 // rules with lower priority first. The priorities don't need to be consecutive, 1197 // but they must all be different. 1198 // 1199 // This member is required. 1200 Priority int32 1201 1202 // The AWS WAF processing statement for the rule, for example ByteMatchStatement or 1203 // SizeConstraintStatement. 1204 // 1205 // This member is required. 1206 Statement *Statement 1207 1208 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 1209 // 1210 // This member is required. 1211 VisibilityConfig *VisibilityConfig 1212 1213 // The action that AWS WAF should take on a web request when it matches the rule 1214 // statement. Settings at the web ACL level can override the rule action setting. 1215 // This is used only for rules whose statements do not reference a rule group. Rule 1216 // statements that reference a rule group include RuleGroupReferenceStatement and 1217 // ManagedRuleGroupStatement. You must specify either this Action setting or the 1218 // rule OverrideAction setting, but not both: 1219 // 1220 // * If the rule statement does not 1221 // reference a rule group, use this rule action setting and not the rule override 1222 // action setting. 1223 // 1224 // * If the rule statement references a rule group, use the 1225 // override action setting and not this action setting. 1226 Action *RuleAction 1227 1228 // The override action to apply to the rules in a rule group. Used only for rule 1229 // statements that reference a rule group, like RuleGroupReferenceStatement and 1230 // ManagedRuleGroupStatement. Set the override action to none to leave the rule 1231 // actions in effect. Set it to count to only count matches, regardless of the rule 1232 // action settings. In a Rule, you must specify either this OverrideAction setting 1233 // or the rule Action setting, but not both: 1234 // 1235 // * If the rule statement references a 1236 // rule group, use this override action setting and not the action setting. 1237 // 1238 // * If 1239 // the rule statement does not reference a rule group, use the rule action setting 1240 // and not this rule override action setting. 1241 OverrideAction *OverrideAction 1242 1243 // Labels to apply to web requests that match the rule match statement. AWS WAF 1244 // applies fully qualified labels to matching web requests. A fully qualified label 1245 // is the concatenation of a label namespace and a rule label. The rule's rule 1246 // group or web ACL defines the label namespace. Rules that run after this rule in 1247 // the web ACL can match against these labels using a LabelMatchStatement. For each 1248 // label, provide a case-sensitive string containing optional namespaces and a 1249 // label name, according to the following guidelines: 1250 // 1251 // * Separate each component of 1252 // the label with a colon. 1253 // 1254 // * Each namespace or name can have up to 128 1255 // characters. 1256 // 1257 // * You can specify up to 5 namespaces in a label. 1258 // 1259 // * Don't use the 1260 // following reserved words in your label specification: aws, waf, managed, 1261 // rulegroup, webacl, regexpatternset, or ipset. 1262 // 1263 // For example, myLabelName or 1264 // nameSpace1:nameSpace2:myLabelName. 1265 RuleLabels []Label 1266} 1267 1268// The action that AWS WAF should take on a web request when it matches a rule's 1269// statement. Settings at the web ACL level can override the rule action setting. 1270type RuleAction struct { 1271 1272 // Instructs AWS WAF to allow the web request. 1273 Allow *AllowAction 1274 1275 // Instructs AWS WAF to block the web request. 1276 Block *BlockAction 1277 1278 // Instructs AWS WAF to count the web request and allow it. 1279 Count *CountAction 1280} 1281 1282// A rule group defines a collection of rules to inspect and control web requests 1283// that you can use in a WebACL. When you create a rule group, you define an 1284// immutable capacity limit. If you update a rule group, you must stay within the 1285// capacity. This allows others to reuse the rule group with confidence in its 1286// capacity requirements. 1287type RuleGroup struct { 1288 1289 // The Amazon Resource Name (ARN) of the entity. 1290 // 1291 // This member is required. 1292 ARN *string 1293 1294 // The web ACL capacity units (WCUs) required for this rule group. When you create 1295 // your own rule group, you define this, and you cannot change it after creation. 1296 // When you add or modify the rules in a rule group, AWS WAF enforces this limit. 1297 // You can check the capacity for a set of rules using CheckCapacity. AWS WAF uses 1298 // WCUs to calculate and control the operating resources that are used to run your 1299 // rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for 1300 // each rule type, to reflect the relative cost of each rule. Simple rules that 1301 // cost little to run use fewer WCUs than more complex rules that use more 1302 // processing power. Rule group capacity is fixed at creation, which helps users 1303 // plan their web ACL WCU usage when they use a rule group. The WCU limit for web 1304 // ACLs is 1,500. 1305 // 1306 // This member is required. 1307 Capacity int64 1308 1309 // A unique identifier for the rule group. This ID is returned in the responses to 1310 // create and list commands. You provide it to operations like update and delete. 1311 // 1312 // This member is required. 1313 Id *string 1314 1315 // The name of the rule group. You cannot change the name of a rule group after you 1316 // create it. 1317 // 1318 // This member is required. 1319 Name *string 1320 1321 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 1322 // 1323 // This member is required. 1324 VisibilityConfig *VisibilityConfig 1325 1326 // The labels that one or more rules in this rule group add to matching web ACLs. 1327 // These labels are defined in the RuleLabels for a Rule. 1328 AvailableLabels []LabelSummary 1329 1330 // The labels that one or more rules in this rule group match against in label 1331 // match statements. These labels are defined in a LabelMatchStatement 1332 // specification, in the Statement definition of a rule. 1333 ConsumedLabels []LabelSummary 1334 1335 // A map of custom response keys and content bodies. When you create a rule with a 1336 // block action, you can send a custom response to the web request. You define 1337 // these for the rule group, and then use them in the rules that you define in the 1338 // rule group. For information about customizing web requests and responses, see 1339 // Customizing web requests and responses in AWS WAF 1340 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 1341 // in the AWS WAF Developer Guide 1342 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). For 1343 // information about the limits on count and size for custom request and response 1344 // settings, see AWS WAF quotas 1345 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS 1346 // WAF Developer Guide 1347 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 1348 CustomResponseBodies map[string]CustomResponseBody 1349 1350 // A description of the rule group that helps with identification. 1351 Description *string 1352 1353 // The label namespace prefix for this rule group. All labels added by rules in 1354 // this rule group have this prefix. 1355 // 1356 // * The syntax for the label namespace prefix 1357 // for your rule groups is the following: awswaf::rulegroup:: 1358 // 1359 // * When a rule with a 1360 // label matches a web request, AWS WAF adds the fully qualified label to the 1361 // request. A fully qualified label is made up of the label namespace from the rule 1362 // group or web ACL where the rule is defined and the label from the rule, 1363 // separated by a colon: : 1364 LabelNamespace *string 1365 1366 // The Rule statements used to identify the web requests that you want to allow, 1367 // block, or count. Each rule includes one top-level statement that AWS WAF uses to 1368 // identify matching web requests, and parameters that govern how AWS WAF handles 1369 // them. 1370 Rules []Rule 1371} 1372 1373// A rule statement used to run the rules that are defined in a RuleGroup. To use 1374// this, create a rule group with your rules, then provide the ARN of the rule 1375// group in this statement. You cannot nest a RuleGroupReferenceStatement, for 1376// example for use inside a NotStatement or OrStatement. It can only be referenced 1377// as a top-level statement within a rule. 1378type RuleGroupReferenceStatement struct { 1379 1380 // The Amazon Resource Name (ARN) of the entity. 1381 // 1382 // This member is required. 1383 ARN *string 1384 1385 // The names of rules that are in the referenced rule group, but that you want AWS 1386 // WAF to exclude from processing for this rule statement. 1387 ExcludedRules []ExcludedRule 1388} 1389 1390// High-level information about a RuleGroup, returned by operations like create and 1391// list. This provides information like the ID, that you can use to retrieve and 1392// manage a RuleGroup, and the ARN, that you provide to the 1393// RuleGroupReferenceStatement to use the rule group in a Rule. 1394type RuleGroupSummary struct { 1395 1396 // The Amazon Resource Name (ARN) of the entity. 1397 ARN *string 1398 1399 // A description of the rule group that helps with identification. 1400 Description *string 1401 1402 // A unique identifier for the rule group. This ID is returned in the responses to 1403 // create and list commands. You provide it to operations like update and delete. 1404 Id *string 1405 1406 // A token used for optimistic locking. AWS WAF returns a token to your get and 1407 // list requests, to mark the state of the entity at the time of the request. To 1408 // make changes to the entity associated with the token, you provide the token to 1409 // operations like update and delete. AWS WAF uses the token to ensure that no 1410 // changes have been made to the entity since you last retrieved it. If a change 1411 // has been made, the update fails with a WAFOptimisticLockException. If this 1412 // happens, perform another get, and use the new token returned by that operation. 1413 LockToken *string 1414 1415 // The name of the data type instance. You cannot change the name after you create 1416 // the instance. 1417 Name *string 1418} 1419 1420// High-level information about a Rule, returned by operations like 1421// DescribeManagedRuleGroup. This provides information like the ID, that you can 1422// use to retrieve and manage a RuleGroup, and the ARN, that you provide to the 1423// RuleGroupReferenceStatement to use the rule group in a Rule. 1424type RuleSummary struct { 1425 1426 // The action that AWS WAF should take on a web request when it matches a rule's 1427 // statement. Settings at the web ACL level can override the rule action setting. 1428 Action *RuleAction 1429 1430 // The name of the rule. 1431 Name *string 1432} 1433 1434// Represents a single sampled web request. The response from GetSampledRequests 1435// includes a SampledHTTPRequests complex type that appears as SampledRequests in 1436// the response syntax. SampledHTTPRequests contains an array of SampledHTTPRequest 1437// objects. 1438type SampledHTTPRequest struct { 1439 1440 // A complex type that contains detailed information about the request. 1441 // 1442 // This member is required. 1443 Request *HTTPRequest 1444 1445 // A value that indicates how one result in the response relates proportionally to 1446 // other results in the response. For example, a result that has a weight of 2 1447 // represents roughly twice as many web requests as a result that has a weight of 1448 // 1. 1449 // 1450 // This member is required. 1451 Weight int64 1452 1453 // The action for the Rule that the request matched: ALLOW, BLOCK, or COUNT. 1454 Action *string 1455 1456 // Labels applied to the web request by matching rules. AWS WAF applies fully 1457 // qualified labels to matching web requests. A fully qualified label is the 1458 // concatenation of a label namespace and a rule label. The rule's rule group or 1459 // web ACL defines the label namespace. For example, 1460 // awswaf:111122223333:myRuleGroup:testRules:testNS1:testNS2:labelNameA or 1461 // awswaf:managed:aws:managed-rule-set:header:encoding:utf8. 1462 Labels []Label 1463 1464 // Custom request headers inserted by AWS WAF into the request, according to the 1465 // custom request configuration for the matching rule action. 1466 RequestHeadersInserted []HTTPHeader 1467 1468 // The response code that was sent for the request. 1469 ResponseCodeSent *int32 1470 1471 // The name of the Rule that the request matched. For managed rule groups, the 1472 // format for this name is ##. For your own rule groups, the format for this name 1473 // is #. If the rule is not in a rule group, this field is absent. 1474 RuleNameWithinRuleGroup *string 1475 1476 // The time at which AWS WAF received the request from your AWS resource, in Unix 1477 // time format (in seconds). 1478 Timestamp *time.Time 1479} 1480 1481// One of the headers in a web request, identified by name, for example, User-Agent 1482// or Referer. This setting isn't case sensitive. This is used only to indicate the 1483// web request component for AWS WAF to inspect, in the FieldToMatch specification. 1484type SingleHeader struct { 1485 1486 // The name of the query header to inspect. 1487 // 1488 // This member is required. 1489 Name *string 1490} 1491 1492// One query argument in a web request, identified by name, for example UserName or 1493// SalesRegion. The name can be up to 30 characters long and isn't case sensitive. 1494type SingleQueryArgument struct { 1495 1496 // The name of the query argument to inspect. 1497 // 1498 // This member is required. 1499 Name *string 1500} 1501 1502// A rule statement that compares a number of bytes against the size of a request 1503// component, using a comparison operator, such as greater than (>) or less than 1504// (<). For example, you can use a size constraint statement to look for query 1505// strings that are longer than 100 bytes. If you configure AWS WAF to inspect the 1506// request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request 1507// body for your web requests never exceeds 8192 bytes, you can create a size 1508// constraint condition and block requests that have a request body greater than 1509// 8192 bytes. If you choose URI for the value of Part of the request to filter on, 1510// the slash (/) in the URI counts as one character. For example, the URI /logo.jpg 1511// is nine characters long. 1512type SizeConstraintStatement struct { 1513 1514 // The operator to use to compare the request part to the size setting. 1515 // 1516 // This member is required. 1517 ComparisonOperator ComparisonOperator 1518 1519 // The part of a web request that you want AWS WAF to inspect. For more 1520 // information, see FieldToMatch. 1521 // 1522 // This member is required. 1523 FieldToMatch *FieldToMatch 1524 1525 // The size, in byte, to compare to the request part, after any transformations. 1526 // 1527 // This member is required. 1528 Size int64 1529 1530 // Text transformations eliminate some of the unusual formatting that attackers use 1531 // in web requests in an effort to bypass detection. If you specify one or more 1532 // transformations in a rule statement, AWS WAF performs all transformations on the 1533 // content of the request component identified by FieldToMatch, starting from the 1534 // lowest priority setting, before inspecting the content for a match. 1535 // 1536 // This member is required. 1537 TextTransformations []TextTransformation 1538} 1539 1540// Attackers sometimes insert malicious SQL code into web requests in an effort to 1541// extract data from your database. To allow or block web requests that appear to 1542// contain malicious SQL code, create one or more SQL injection match conditions. 1543// An SQL injection match condition identifies the part of web requests, such as 1544// the URI or the query string, that you want AWS WAF to inspect. Later in the 1545// process, when you create a web ACL, you specify whether to allow or block 1546// requests that appear to contain malicious SQL code. 1547type SqliMatchStatement struct { 1548 1549 // The part of a web request that you want AWS WAF to inspect. For more 1550 // information, see FieldToMatch. 1551 // 1552 // This member is required. 1553 FieldToMatch *FieldToMatch 1554 1555 // Text transformations eliminate some of the unusual formatting that attackers use 1556 // in web requests in an effort to bypass detection. If you specify one or more 1557 // transformations in a rule statement, AWS WAF performs all transformations on the 1558 // content of the request component identified by FieldToMatch, starting from the 1559 // lowest priority setting, before inspecting the content for a match. 1560 // 1561 // This member is required. 1562 TextTransformations []TextTransformation 1563} 1564 1565// The processing guidance for a Rule, used by AWS WAF to determine whether a web 1566// request matches the rule. 1567type Statement struct { 1568 1569 // A logical rule statement used to combine other rule statements with AND logic. 1570 // You provide more than one Statement within the AndStatement. 1571 AndStatement *AndStatement 1572 1573 // A rule statement that defines a string match search for AWS WAF to apply to web 1574 // requests. The byte match statement provides the bytes to search for, the 1575 // location in requests that you want AWS WAF to search, and other settings. The 1576 // bytes to search for are typically a string that corresponds with ASCII 1577 // characters. In the AWS WAF console and the developer guide, this is refered to 1578 // as a string match statement. 1579 ByteMatchStatement *ByteMatchStatement 1580 1581 // A rule statement used to identify web requests based on country of origin. 1582 GeoMatchStatement *GeoMatchStatement 1583 1584 // A rule statement used to detect web requests coming from particular IP addresses 1585 // or address ranges. To use this, create an IPSet that specifies the addresses you 1586 // want to detect, then use the ARN of that set in this statement. To create an IP 1587 // set, see CreateIPSet. Each IP set rule statement references an IP set. You 1588 // create and maintain the set independent of your rules. This allows you to use 1589 // the single set in multiple rules. When you update the referenced set, AWS WAF 1590 // automatically updates all rules that reference it. 1591 IPSetReferenceStatement *IPSetReferenceStatement 1592 1593 // A rule statement that defines a string match search against labels that have 1594 // been added to the web request by rules that have already run in the web ACL. The 1595 // label match statement provides the label or namespace string to search for. The 1596 // label string can represent a part or all of the fully qualified label name that 1597 // had been added to the web request. Fully qualified labels have a prefix, 1598 // optional namespaces, and label name. The prefix identifies the rule group or web 1599 // ACL context of the rule that added the label. If you do not provide the fully 1600 // qualified name in your label match string, AWS WAF performs the search for 1601 // labels that were added in the same context as the label match statement. 1602 LabelMatchStatement *LabelMatchStatement 1603 1604 // A rule statement used to run the rules that are defined in a managed rule group. 1605 // To use this, provide the vendor name and the name of the rule group in this 1606 // statement. You can retrieve the required names by calling 1607 // ListAvailableManagedRuleGroups. You can't nest a ManagedRuleGroupStatement, for 1608 // example for use inside a NotStatement or OrStatement. It can only be referenced 1609 // as a top-level statement within a rule. 1610 ManagedRuleGroupStatement *ManagedRuleGroupStatement 1611 1612 // A logical rule statement used to negate the results of another rule statement. 1613 // You provide one Statement within the NotStatement. 1614 NotStatement *NotStatement 1615 1616 // A logical rule statement used to combine other rule statements with OR logic. 1617 // You provide more than one Statement within the OrStatement. 1618 OrStatement *OrStatement 1619 1620 // A rate-based rule tracks the rate of requests for each originating IP address, 1621 // and triggers the rule action when the rate exceeds a limit that you specify on 1622 // the number of requests in any 5-minute time span. You can use this to put a 1623 // temporary block on requests from an IP address that is sending excessive 1624 // requests. When the rule action triggers, AWS WAF blocks additional requests from 1625 // the IP address until the request rate falls below the limit. You can optionally 1626 // nest another statement inside the rate-based statement, to narrow the scope of 1627 // the rule so that it only counts requests that match the nested statement. For 1628 // example, based on recent requests that you have seen from an attacker, you might 1629 // create a rate-based rule with a nested AND rule statement that contains the 1630 // following nested statements: 1631 // 1632 // * An IP match statement with an IP set that 1633 // specified the address 192.0.2.44. 1634 // 1635 // * A string match statement that searches in 1636 // the User-Agent header for the string BadBot. 1637 // 1638 // In this rate-based rule, you also 1639 // define a rate limit. For this example, the rate limit is 1,000. Requests that 1640 // meet both of the conditions in the statements are counted. If the count exceeds 1641 // 1,000 requests per five minutes, the rule action triggers. Requests that do not 1642 // meet both conditions are not counted towards the rate limit and are not affected 1643 // by this rule. You cannot nest a RateBasedStatement, for example for use inside a 1644 // NotStatement or OrStatement. It can only be referenced as a top-level statement 1645 // within a rule. 1646 RateBasedStatement *RateBasedStatement 1647 1648 // A rule statement used to search web request components for matches with regular 1649 // expressions. To use this, create a RegexPatternSet that specifies the 1650 // expressions that you want to detect, then use the ARN of that set in this 1651 // statement. A web request matches the pattern set rule statement if the request 1652 // component matches any of the patterns in the set. To create a regex pattern set, 1653 // see CreateRegexPatternSet. Each regex pattern set rule statement references a 1654 // regex pattern set. You create and maintain the set independent of your rules. 1655 // This allows you to use the single set in multiple rules. When you update the 1656 // referenced set, AWS WAF automatically updates all rules that reference it. 1657 RegexPatternSetReferenceStatement *RegexPatternSetReferenceStatement 1658 1659 // A rule statement used to run the rules that are defined in a RuleGroup. To use 1660 // this, create a rule group with your rules, then provide the ARN of the rule 1661 // group in this statement. You cannot nest a RuleGroupReferenceStatement, for 1662 // example for use inside a NotStatement or OrStatement. It can only be referenced 1663 // as a top-level statement within a rule. 1664 RuleGroupReferenceStatement *RuleGroupReferenceStatement 1665 1666 // A rule statement that compares a number of bytes against the size of a request 1667 // component, using a comparison operator, such as greater than (>) or less than 1668 // (<). For example, you can use a size constraint statement to look for query 1669 // strings that are longer than 100 bytes. If you configure AWS WAF to inspect the 1670 // request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request 1671 // body for your web requests never exceeds 8192 bytes, you can create a size 1672 // constraint condition and block requests that have a request body greater than 1673 // 8192 bytes. If you choose URI for the value of Part of the request to filter on, 1674 // the slash (/) in the URI counts as one character. For example, the URI /logo.jpg 1675 // is nine characters long. 1676 SizeConstraintStatement *SizeConstraintStatement 1677 1678 // Attackers sometimes insert malicious SQL code into web requests in an effort to 1679 // extract data from your database. To allow or block web requests that appear to 1680 // contain malicious SQL code, create one or more SQL injection match conditions. 1681 // An SQL injection match condition identifies the part of web requests, such as 1682 // the URI or the query string, that you want AWS WAF to inspect. Later in the 1683 // process, when you create a web ACL, you specify whether to allow or block 1684 // requests that appear to contain malicious SQL code. 1685 SqliMatchStatement *SqliMatchStatement 1686 1687 // A rule statement that defines a cross-site scripting (XSS) match search for AWS 1688 // WAF to apply to web requests. XSS attacks are those where the attacker uses 1689 // vulnerabilities in a benign website as a vehicle to inject malicious client-site 1690 // scripts into other legitimate web browsers. The XSS match statement provides the 1691 // location in requests that you want AWS WAF to search and text transformations to 1692 // use on the search area before AWS WAF searches for character sequences that are 1693 // likely to be malicious strings. 1694 XssMatchStatement *XssMatchStatement 1695} 1696 1697// A tag associated with an AWS resource. Tags are key:value pairs that you can use 1698// to categorize and manage your resources, for purposes like billing or other 1699// management. Typically, the tag key represents a category, such as "environment", 1700// and the tag value represents a specific value within that category, such as 1701// "test," "development," or "production". Or you might set the tag key to 1702// "customer" and the value to the customer name or ID. You can specify one or more 1703// tags to add to each AWS resource, up to 50 tags for a resource. You can tag the 1704// AWS resources that you manage through AWS WAF: web ACLs, rule groups, IP sets, 1705// and regex pattern sets. You can't manage or view tags through the AWS WAF 1706// console. 1707type Tag struct { 1708 1709 // Part of the key:value pair that defines a tag. You can use a tag key to describe 1710 // a category of information, such as "customer." Tag keys are case-sensitive. 1711 // 1712 // This member is required. 1713 Key *string 1714 1715 // Part of the key:value pair that defines a tag. You can use a tag value to 1716 // describe a specific value within a category, such as "companyA" or "companyB." 1717 // Tag values are case-sensitive. 1718 // 1719 // This member is required. 1720 Value *string 1721} 1722 1723// The collection of tagging definitions for an AWS resource. Tags are key:value 1724// pairs that you can use to categorize and manage your resources, for purposes 1725// like billing or other management. Typically, the tag key represents a category, 1726// such as "environment", and the tag value represents a specific value within that 1727// category, such as "test," "development," or "production". Or you might set the 1728// tag key to "customer" and the value to the customer name or ID. You can specify 1729// one or more tags to add to each AWS resource, up to 50 tags for a resource. You 1730// can tag the AWS resources that you manage through AWS WAF: web ACLs, rule 1731// groups, IP sets, and regex pattern sets. You can't manage or view tags through 1732// the AWS WAF console. 1733type TagInfoForResource struct { 1734 1735 // The Amazon Resource Name (ARN) of the resource. 1736 ResourceARN *string 1737 1738 // The array of Tag objects defined for the resource. 1739 TagList []Tag 1740} 1741 1742// Text transformations eliminate some of the unusual formatting that attackers use 1743// in web requests in an effort to bypass detection. 1744type TextTransformation struct { 1745 1746 // Sets the relative processing order for multiple transformations that are defined 1747 // for a rule statement. AWS WAF processes all transformations, from lowest 1748 // priority to highest, before inspecting the transformed content. The priorities 1749 // don't need to be consecutive, but they must all be different. 1750 // 1751 // This member is required. 1752 Priority int32 1753 1754 // You can specify the following transformation types: CMD_LINE When you're 1755 // concerned that attackers are injecting an operating system command line command 1756 // and using unusual formatting to disguise some or all of the command, use this 1757 // option to perform the following transformations: 1758 // 1759 // * Delete the following 1760 // characters: \ " ' ^ 1761 // 1762 // * Delete spaces before the following characters: / ( 1763 // 1764 // * 1765 // Replace the following characters with a space: , ; 1766 // 1767 // * Replace multiple spaces 1768 // with one space 1769 // 1770 // * Convert uppercase letters (A-Z) to lowercase 1771 // (a-z) 1772 // 1773 // COMPRESS_WHITE_SPACE Use this option to replace the following characters 1774 // with a space character (decimal 32): 1775 // 1776 // * \f, formfeed, decimal 12 1777 // 1778 // * \t, tab, 1779 // decimal 9 1780 // 1781 // * \n, newline, decimal 10 1782 // 1783 // * \r, carriage return, decimal 13 1784 // 1785 // * \v, 1786 // vertical tab, decimal 11 1787 // 1788 // * non-breaking space, decimal 1789 // 160 1790 // 1791 // COMPRESS_WHITE_SPACE also replaces multiple spaces with one space. 1792 // HTML_ENTITY_DECODE Use this option to replace HTML-encoded characters with 1793 // unencoded characters. HTML_ENTITY_DECODE performs the following operations: 1794 // 1795 // * 1796 // Replaces (ampersand)quot; with " 1797 // 1798 // * Replaces (ampersand)nbsp; with a 1799 // non-breaking space, decimal 160 1800 // 1801 // * Replaces (ampersand)lt; with a "less than" 1802 // symbol 1803 // 1804 // * Replaces (ampersand)gt; with > 1805 // 1806 // * Replaces characters that are 1807 // represented in hexadecimal format, (ampersand)#xhhhh;, with the corresponding 1808 // characters 1809 // 1810 // * Replaces characters that are represented in decimal format, 1811 // (ampersand)#nnnn;, with the corresponding characters 1812 // 1813 // LOWERCASE Use this option 1814 // to convert uppercase letters (A-Z) to lowercase (a-z). URL_DECODE Use this 1815 // option to decode a URL-encoded value. NONE Specify NONE if you don't want any 1816 // text transformations. 1817 // 1818 // This member is required. 1819 Type TextTransformationType 1820} 1821 1822// In a GetSampledRequests request, the StartTime and EndTime objects specify the 1823// time range for which you want AWS WAF to return a sample of web requests. You 1824// must specify the times in Coordinated Universal Time (UTC) format. UTC format 1825// includes the special designator, Z. For example, "2016-09-27T14:50Z". You can 1826// specify any time range in the previous three hours. In a GetSampledRequests 1827// response, the StartTime and EndTime objects specify the time range for which AWS 1828// WAF actually returned a sample of web requests. AWS WAF gets the specified 1829// number of requests from among the first 5,000 requests that your AWS resource 1830// receives during the specified time period. If your resource receives more than 1831// 5,000 requests during that period, AWS WAF stops sampling after the 5,000th 1832// request. In that case, EndTime is the time that AWS WAF received the 5,000th 1833// request. 1834type TimeWindow struct { 1835 1836 // The end of the time range from which you want GetSampledRequests to return a 1837 // sample of the requests that your AWS resource received. You must specify the 1838 // times in Coordinated Universal Time (UTC) format. UTC format includes the 1839 // special designator, Z. For example, "2016-09-27T14:50Z". You can specify any 1840 // time range in the previous three hours. 1841 // 1842 // This member is required. 1843 EndTime *time.Time 1844 1845 // The beginning of the time range from which you want GetSampledRequests to return 1846 // a sample of the requests that your AWS resource received. You must specify the 1847 // times in Coordinated Universal Time (UTC) format. UTC format includes the 1848 // special designator, Z. For example, "2016-09-27T14:50Z". You can specify any 1849 // time range in the previous three hours. 1850 // 1851 // This member is required. 1852 StartTime *time.Time 1853} 1854 1855// The path component of the URI of a web request. This is the part of a web 1856// request that identifies a resource, for example, /images/daily-ad.jpg. This is 1857// used only to indicate the web request component for AWS WAF to inspect, in the 1858// FieldToMatch specification. 1859type UriPath struct { 1860} 1861 1862// Defines and enables Amazon CloudWatch metrics and web request sample collection. 1863type VisibilityConfig struct { 1864 1865 // A boolean indicating whether the associated resource sends metrics to 1866 // CloudWatch. For the list of available metrics, see AWS WAF Metrics 1867 // (https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). 1868 // 1869 // This member is required. 1870 CloudWatchMetricsEnabled bool 1871 1872 // A name of the CloudWatch metric. The name can contain only the characters: A-Z, 1873 // a-z, 0-9, - (hyphen), and _ (underscore). The name can be from one to 128 1874 // characters long. It can't contain whitespace or metric names reserved for AWS 1875 // WAF, for example "All" and "Default_Action." 1876 // 1877 // This member is required. 1878 MetricName *string 1879 1880 // A boolean indicating whether AWS WAF should store a sampling of the web requests 1881 // that match the rules. You can view the sampled requests through the AWS WAF 1882 // console. 1883 // 1884 // This member is required. 1885 SampledRequestsEnabled bool 1886} 1887 1888// A Web ACL defines a collection of rules to use to inspect and control web 1889// requests. Each rule has an action defined (allow, block, or count) for requests 1890// that match the statement of the rule. In the Web ACL, you assign a default 1891// action to take (allow, block) for any request that does not match any of the 1892// rules. The rules in a Web ACL can be a combination of the types Rule, RuleGroup, 1893// and managed rule group. You can associate a Web ACL with one or more AWS 1894// resources to protect. The resources can be Amazon CloudFront, an Amazon API 1895// Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. 1896type WebACL struct { 1897 1898 // The Amazon Resource Name (ARN) of the Web ACL that you want to associate with 1899 // the resource. 1900 // 1901 // This member is required. 1902 ARN *string 1903 1904 // The action to perform if none of the Rules contained in the WebACL match. 1905 // 1906 // This member is required. 1907 DefaultAction *DefaultAction 1908 1909 // A unique identifier for the WebACL. This ID is returned in the responses to 1910 // create and list commands. You use this ID to do things like get, update, and 1911 // delete a WebACL. 1912 // 1913 // This member is required. 1914 Id *string 1915 1916 // The name of the Web ACL. You cannot change the name of a Web ACL after you 1917 // create it. 1918 // 1919 // This member is required. 1920 Name *string 1921 1922 // Defines and enables Amazon CloudWatch metrics and web request sample collection. 1923 // 1924 // This member is required. 1925 VisibilityConfig *VisibilityConfig 1926 1927 // The web ACL capacity units (WCUs) currently being used by this web ACL. AWS WAF 1928 // uses WCUs to calculate and control the operating resources that are used to run 1929 // your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently 1930 // for each rule type, to reflect the relative cost of each rule. Simple rules that 1931 // cost little to run use fewer WCUs than more complex rules that use more 1932 // processing power. Rule group capacity is fixed at creation, which helps users 1933 // plan their web ACL WCU usage when they use a rule group. The WCU limit for web 1934 // ACLs is 1,500. 1935 Capacity int64 1936 1937 // A map of custom response keys and content bodies. When you create a rule with a 1938 // block action, you can send a custom response to the web request. You define 1939 // these for the web ACL, and then use them in the rules and default actions that 1940 // you define in the web ACL. For information about customizing web requests and 1941 // responses, see Customizing web requests and responses in AWS WAF 1942 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) 1943 // in the AWS WAF Developer Guide 1944 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). For 1945 // information about the limits on count and size for custom request and response 1946 // settings, see AWS WAF quotas 1947 // (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS 1948 // WAF Developer Guide 1949 // (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). 1950 CustomResponseBodies map[string]CustomResponseBody 1951 1952 // A description of the Web ACL that helps with identification. 1953 Description *string 1954 1955 // The label namespace prefix for this web ACL. All labels added by rules in this 1956 // web ACL have this prefix. 1957 // 1958 // * The syntax for the label namespace prefix for a web 1959 // ACL is the following: awswaf::webacl:: 1960 // 1961 // * When a rule with a label matches a web 1962 // request, AWS WAF adds the fully qualified label to the request. A fully 1963 // qualified label is made up of the label namespace from the rule group or web ACL 1964 // where the rule is defined and the label from the rule, separated by a colon: : 1965 LabelNamespace *string 1966 1967 // Indicates whether this web ACL is managed by AWS Firewall Manager. If true, then 1968 // only AWS Firewall Manager can delete the web ACL or any Firewall Manager rule 1969 // groups in the web ACL. 1970 ManagedByFirewallManager bool 1971 1972 // The last set of rules for AWS WAF to process in the web ACL. This is defined in 1973 // an AWS Firewall Manager WAF policy and contains only rule group references. You 1974 // can't alter these. Any rules and rule groups that you define for the web ACL are 1975 // prioritized before these. In the Firewall Manager WAF policy, the Firewall 1976 // Manager administrator can define a set of rule groups to run first in the web 1977 // ACL and a set of rule groups to run last. Within each set, the administrator 1978 // prioritizes the rule groups, to determine their relative processing order. 1979 PostProcessFirewallManagerRuleGroups []FirewallManagerRuleGroup 1980 1981 // The first set of rules for AWS WAF to process in the web ACL. This is defined in 1982 // an AWS Firewall Manager WAF policy and contains only rule group references. You 1983 // can't alter these. Any rules and rule groups that you define for the web ACL are 1984 // prioritized after these. In the Firewall Manager WAF policy, the Firewall 1985 // Manager administrator can define a set of rule groups to run first in the web 1986 // ACL and a set of rule groups to run last. Within each set, the administrator 1987 // prioritizes the rule groups, to determine their relative processing order. 1988 PreProcessFirewallManagerRuleGroups []FirewallManagerRuleGroup 1989 1990 // The Rule statements used to identify the web requests that you want to allow, 1991 // block, or count. Each rule includes one top-level statement that AWS WAF uses to 1992 // identify matching web requests, and parameters that govern how AWS WAF handles 1993 // them. 1994 Rules []Rule 1995} 1996 1997// High-level information about a WebACL, returned by operations like create and 1998// list. This provides information like the ID, that you can use to retrieve and 1999// manage a WebACL, and the ARN, that you provide to operations like 2000// AssociateWebACL. 2001type WebACLSummary struct { 2002 2003 // The Amazon Resource Name (ARN) of the entity. 2004 ARN *string 2005 2006 // A description of the Web ACL that helps with identification. 2007 Description *string 2008 2009 // The unique identifier for the Web ACL. This ID is returned in the responses to 2010 // create and list commands. You provide it to operations like update and delete. 2011 Id *string 2012 2013 // A token used for optimistic locking. AWS WAF returns a token to your get and 2014 // list requests, to mark the state of the entity at the time of the request. To 2015 // make changes to the entity associated with the token, you provide the token to 2016 // operations like update and delete. AWS WAF uses the token to ensure that no 2017 // changes have been made to the entity since you last retrieved it. If a change 2018 // has been made, the update fails with a WAFOptimisticLockException. If this 2019 // happens, perform another get, and use the new token returned by that operation. 2020 LockToken *string 2021 2022 // The name of the Web ACL. You cannot change the name of a Web ACL after you 2023 // create it. 2024 Name *string 2025} 2026 2027// A rule statement that defines a cross-site scripting (XSS) match search for AWS 2028// WAF to apply to web requests. XSS attacks are those where the attacker uses 2029// vulnerabilities in a benign website as a vehicle to inject malicious client-site 2030// scripts into other legitimate web browsers. The XSS match statement provides the 2031// location in requests that you want AWS WAF to search and text transformations to 2032// use on the search area before AWS WAF searches for character sequences that are 2033// likely to be malicious strings. 2034type XssMatchStatement struct { 2035 2036 // The part of a web request that you want AWS WAF to inspect. For more 2037 // information, see FieldToMatch. 2038 // 2039 // This member is required. 2040 FieldToMatch *FieldToMatch 2041 2042 // Text transformations eliminate some of the unusual formatting that attackers use 2043 // in web requests in an effort to bypass detection. If you specify one or more 2044 // transformations in a rule statement, AWS WAF performs all transformations on the 2045 // content of the request component identified by FieldToMatch, starting from the 2046 // lowest priority setting, before inspecting the content for a match. 2047 // 2048 // This member is required. 2049 TextTransformations []TextTransformation 2050} 2051