Amazon web services 如何使用Terraform在一个AWS WAF规则中使用多个谓词(条件)?
我只需单击“添加条件””按钮,就可以从AWS控制台在一个AWS WAF经典规则中创建多个条件 那么,如何使用terraform在一个waf规则中定义多个条件(谓词) 我用这个测试:Amazon web services 如何使用Terraform在一个AWS WAF规则中使用多个谓词(条件)?,amazon-web-services,terraform,Amazon Web Services,Terraform,我只需单击“添加条件””按钮,就可以从AWS控制台在一个AWS WAF经典规则中创建多个条件 那么,如何使用terraform在一个waf规则中定义多个条件(谓词) 我用这个测试: resource "aws_wafregional_rule" "wafregional_ip_whitelist_rule" { depends_on = ["aws_wafregional_ipset.wafregional_ip_whitelist&qu
resource "aws_wafregional_rule" "wafregional_ip_whitelist_rule" {
depends_on = ["aws_wafregional_ipset.wafregional_ip_whitelist", "aws_wafregional_ipset.wafregional_vpn_ip_whitelist"]
name = "internal_ip_whitelist_rule"
metric_name = "WAFWhitelistRule"
predicate {
data_id = ["${aws_wafregional_ipset.wafregional_ip_whitelist.id}","${aws_wafregional_ipset.wafregional_vpn_ip_whitelist.id}"]
negated = false
type = "IPMatch"
}
}
但是predicate.data_id不是一个列表:
Error:aws\u WAF regional\u rule.WAF regional\u ip\u whitelist\u rule:predicate.0.data\u id必须是单个值,而不是列表
如果要为单个WAF规则指定多个谓词,则必须多次指定谓词
块:
resource "aws_wafregional_ipset" "ipset_1" {
name = "tfIPSet1"
ip_set_descriptor {
type = "IPV4"
value = "192.0.7.0/24"
}
}
resource "aws_wafregional_ipset" "ipset_2" {
name = "tfIPSet2"
ip_set_descriptor {
type = "IPV4"
value = "10.0.0.0/24"
}
}
resource "aws_wafregional_rule" "wafrule" {
name = "tfWAFRule"
metric_name = "tfWAFRule"
predicate {
type = "IPMatch"
data_id = aws_wafregional_ipset.ipset_1.id
negated = false
}
predicate {
type = "IPMatch"
data_id = aws_wafregional_ipset.ipset_2.id
negated = false
}
}
这将创建一个具有基于指定的两个IP集的允许/拒绝的单个规则。如果要为单个WAF规则指定多个谓词,则必须多次指定
谓词
块:
resource "aws_wafregional_ipset" "ipset_1" {
name = "tfIPSet1"
ip_set_descriptor {
type = "IPV4"
value = "192.0.7.0/24"
}
}
resource "aws_wafregional_ipset" "ipset_2" {
name = "tfIPSet2"
ip_set_descriptor {
type = "IPV4"
value = "10.0.0.0/24"
}
}
resource "aws_wafregional_rule" "wafrule" {
name = "tfWAFRule"
metric_name = "tfWAFRule"
predicate {
type = "IPMatch"
data_id = aws_wafregional_ipset.ipset_1.id
negated = false
}
predicate {
type = "IPMatch"
data_id = aws_wafregional_ipset.ipset_2.id
negated = false
}
}
这将创建一个具有基于指定的两个IP集的允许/拒绝的单一规则。是的,这里是一个具有两个条件的规则示例:
rule {
name = "AllowPath"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_path.arn
field_to_match {
uri_path {}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_example.arn
field_to_match {
single_header {
name = "my_header"
}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AllowPath"
sampled_requests_enabled = true
}
}
rule {
name = "my_rule"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
### STATEMENT 1
}
statement {
### STATEMENT 2
}
}
}
}
基本上,在本例中,如果有特定的头,我允许访问特定的路径,但为了简化示例,您应该遵循以下结构以具有多个条件:
rule {
name = "AllowPath"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_path.arn
field_to_match {
uri_path {}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_example.arn
field_to_match {
single_header {
name = "my_header"
}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AllowPath"
sampled_requests_enabled = true
}
}
rule {
name = "my_rule"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
### STATEMENT 1
}
statement {
### STATEMENT 2
}
}
}
}
是的,这里有一个规则示例,有两个条件:
rule {
name = "AllowPath"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_path.arn
field_to_match {
uri_path {}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_example.arn
field_to_match {
single_header {
name = "my_header"
}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AllowPath"
sampled_requests_enabled = true
}
}
rule {
name = "my_rule"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
### STATEMENT 1
}
statement {
### STATEMENT 2
}
}
}
}
基本上,在本例中,如果有特定的头,我允许访问特定的路径,但为了简化示例,您应该遵循以下结构以具有多个条件:
rule {
name = "AllowPath"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_path.arn
field_to_match {
uri_path {}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_set_example.arn
field_to_match {
single_header {
name = "my_header"
}
}
text_transformation {
priority = 2
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AllowPath"
sampled_requests_enabled = true
}
}
rule {
name = "my_rule"
priority = 1
action {
allow {}
}
statement {
and_statement {
statement {
### STATEMENT 1
}
statement {
### STATEMENT 2
}
}
}
}
这可能是一个愚蠢的问题,但两个谓词必须是同一类型吗?(比如在示例中:“IPMatch”)或者我可以有1个是“IPMatch”和1个“RegexMatch”?这可能是一个愚蠢的问题,但这两个谓词必须是相同的类型吗?(如示例中的“IPMatch”)或者我可以有1个是“IPMatch”和1个“RegexMatch”?