-
Notifications
You must be signed in to change notification settings - Fork 634
/
types.go
2050 lines (1770 loc) · 88 KB
/
types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// Code generated by smithy-go-codegen DO NOT EDIT.
package types
import (
"time"
)
// A single action condition for a Condition in a logging filter.
type ActionCondition struct {
// The action setting that a log record must contain in order to meet the
// condition.
//
// This member is required.
Action ActionValue
}
// Inspect all of the elements that AWS WAF has parsed and extracted from the web
// request JSON body that are within the JsonBodyMatchScope. This is used with the
// FieldToMatch option JsonBody. This is used only to indicate the web request
// component for AWS WAF to inspect, in the FieldToMatch specification.
type All struct {
}
// Specifies that AWS WAF should allow the request and optionally defines
// additional custom handling for the request. This is used in the context of other
// settings, for example to specify values for RuleAction and web ACL
// DefaultAction.
type AllowAction struct {
// Defines custom handling for the web request. For information about customizing
// web requests and responses, see Customizing web requests and responses in AWS
// WAF
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
CustomRequestHandling *CustomRequestHandling
}
// All query arguments of a web request. This is used only to indicate the web
// request component for AWS WAF to inspect, in the FieldToMatch specification.
type AllQueryArguments struct {
}
// A logical rule statement used to combine other rule statements with AND logic.
// You provide more than one Statement within the AndStatement.
type AndStatement struct {
// The statements to combine with AND logic. You can use any statements that can be
// nested.
//
// This member is required.
Statements []Statement
}
// Specifies that AWS WAF should block the request and optionally defines
// additional custom handling for the response to the web request. This is used in
// the context of other settings, for example to specify values for RuleAction and
// web ACL DefaultAction.
type BlockAction struct {
// Defines a custom response for the web request. For information about customizing
// web requests and responses, see Customizing web requests and responses in AWS
// WAF
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
CustomResponse *CustomResponse
}
// The body of a web request. This immediately follows the request headers. This is
// used only to indicate the web request component for AWS WAF to inspect, in the
// FieldToMatch specification.
type Body struct {
}
// A rule statement that defines a string match search for AWS WAF to apply to web
// requests. The byte match statement provides the bytes to search for, the
// location in requests that you want AWS WAF to search, and other settings. The
// bytes to search for are typically a string that corresponds with ASCII
// characters. In the AWS WAF console and the developer guide, this is refered to
// as a string match statement.
type ByteMatchStatement struct {
// The part of a web request that you want AWS WAF to inspect. For more
// information, see FieldToMatch.
//
// This member is required.
FieldToMatch *FieldToMatch
// The area within the portion of a web request that you want AWS WAF to search for
// SearchString. Valid values include the following: CONTAINS The specified part of
// the web request must include the value of SearchString, but the location doesn't
// matter. CONTAINS_WORD The specified part of the web request must include the
// value of SearchString, and SearchString must contain only alphanumeric
// characters or underscore (A-Z, a-z, 0-9, or _). In addition, SearchString must
// be a word, which means that both of the following are true:
//
// * SearchString is
// at the beginning of the specified part of the web request or is preceded by a
// character other than an alphanumeric character or underscore (_). Examples
// include the value of a header and ;BadBot.
//
// * SearchString is at the end of the
// specified part of the web request or is followed by a character other than an
// alphanumeric character or underscore (_), for example, BadBot; and
// -BadBot;.
//
// EXACTLY The value of the specified part of the web request must
// exactly match the value of SearchString. STARTS_WITH The value of SearchString
// must appear at the beginning of the specified part of the web request. ENDS_WITH
// The value of SearchString must appear at the end of the specified part of the
// web request.
//
// This member is required.
PositionalConstraint PositionalConstraint
// A string value that you want AWS WAF to search for. AWS WAF searches only in the
// part of web requests that you designate for inspection in FieldToMatch. The
// maximum length of the value is 50 bytes. Valid values depend on the component
// that you specify for inspection in FieldToMatch:
//
// * Method: The HTTP method that
// you want AWS WAF to search for. This indicates the type of operation specified
// in the request.
//
// * UriPath: The value that you want AWS WAF to search for in the
// URI path, for example, /images/daily-ad.jpg.
//
// If SearchString includes
// alphabetic characters A-Z and a-z, note that the value is case sensitive. If
// you're using the AWS WAF API Specify a base64-encoded version of the value. The
// maximum length of the value before you base64-encode it is 50 bytes. For
// example, suppose the value of Type is HEADER and the value of Data is
// User-Agent. If you want to search the User-Agent header for the value BadBot,
// you base64-encode BadBot using MIME base64-encoding and include the resulting
// value, QmFkQm90, in the value of SearchString. If you're using the AWS CLI or
// one of the AWS SDKs The value that you want AWS WAF to search for. The SDK
// automatically base64 encodes the value.
//
// This member is required.
SearchString []byte
// Text transformations eliminate some of the unusual formatting that attackers use
// in web requests in an effort to bypass detection. If you specify one or more
// transformations in a rule statement, AWS WAF performs all transformations on the
// content of the request component identified by FieldToMatch, starting from the
// lowest priority setting, before inspecting the content for a match.
//
// This member is required.
TextTransformations []TextTransformation
}
// A single match condition for a Filter.
type Condition struct {
// A single action condition.
ActionCondition *ActionCondition
// A single label name condition.
LabelNameCondition *LabelNameCondition
}
// Specifies that AWS WAF should count the request. Optionally defines additional
// custom handling for the request. This is used in the context of other settings,
// for example to specify values for RuleAction and web ACL DefaultAction.
type CountAction struct {
// Defines custom handling for the web request. For information about customizing
// web requests and responses, see Customizing web requests and responses in AWS
// WAF
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
CustomRequestHandling *CustomRequestHandling
}
// A custom header for custom request and response handling. This is used in
// CustomResponse and CustomRequestHandling.
type CustomHTTPHeader struct {
// The name of the custom header. For custom request header insertion, when AWS WAF
// inserts the header into the request, it prefixes this name x-amzn-waf-, to avoid
// confusion with the headers that are already in the request. For example, for the
// header name sample, AWS WAF inserts the header x-amzn-waf-sample.
//
// This member is required.
Name *string
// The value of the custom header.
//
// This member is required.
Value *string
}
// Custom request handling behavior that inserts custom headers into a web request.
// You can add custom request handling for the rule actions allow and count. For
// information about customizing web requests and responses, see Customizing web
// requests and responses in AWS WAF
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
type CustomRequestHandling struct {
// The HTTP headers to insert into the request. Duplicate header names are not
// allowed. For information about the limits on count and size for custom request
// and response settings, see AWS WAF quotas
// (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS
// WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
//
// This member is required.
InsertHeaders []CustomHTTPHeader
}
// A custom response to send to the client. You can define a custom response for
// rule actions and default web ACL actions that are set to BlockAction. For
// information about customizing web requests and responses, see Customizing web
// requests and responses in AWS WAF
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
type CustomResponse struct {
// The HTTP status code to return to the client. For a list of status codes that
// you can use in your custom reqponses, see Supported status codes for custom
// response
// (https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html)
// in the AWS WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
//
// This member is required.
ResponseCode *int32
// References the response body that you want AWS WAF to return to the web request
// client. You can define a custom response for a rule action or a default web ACL
// action that is set to block. To do this, you first define the response body key
// and value in the CustomResponseBodies setting for the WebACL or RuleGroup where
// you want to use it. Then, in the rule action or web ACL default action
// BlockAction setting, you reference the response body using this key.
CustomResponseBodyKey *string
// The HTTP headers to use in the response. Duplicate header names are not allowed.
// For information about the limits on count and size for custom request and
// response settings, see AWS WAF quotas
// (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS
// WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
ResponseHeaders []CustomHTTPHeader
}
// The response body to use in a custom response to a web request. This is
// referenced by key from CustomResponseCustomResponseBodyKey.
type CustomResponseBody struct {
// The payload of the custom response. You can use JSON escape strings in JSON
// content. To do this, you must specify JSON content in the ContentType setting.
// For information about the limits on count and size for custom request and
// response settings, see AWS WAF quotas
// (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the AWS
// WAF Developer Guide
// (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
//
// This member is required.
Content *string
// The type of content in the payload that you are defining in the Content string.
//
// This member is required.
ContentType ResponseContentType
}
// In a WebACL, this is the action that you want AWS WAF to perform when a web
// request doesn't match any of the rules in the WebACL. The default action must be
// a terminating action, so you can't use count.
type DefaultAction struct {
// Specifies that AWS WAF should allow requests by default.
Allow *AllowAction
// Specifies that AWS WAF should block requests by default.
Block *BlockAction
}
// Specifies a single rule to exclude from the rule group. Excluding a rule
// overrides its action setting for the rule group in the web ACL, setting it to
// COUNT. This effectively excludes the rule from acting on web requests.
type ExcludedRule struct {
// The name of the rule to exclude.
//
// This member is required.
Name *string
}
// The part of a web request that you want AWS WAF to inspect. Include the single
// FieldToMatch type that you want to inspect, with additional specifications as
// needed, according to the type. You specify a single request component in
// FieldToMatch for each rule statement that requires it. To inspect more than one
// component of a web request, create a separate rule statement for each component.
type FieldToMatch struct {
// Inspect all query arguments.
AllQueryArguments *AllQueryArguments
// Inspect the request body as plain text. The request body immediately follows the
// request headers. This is the part of a request that contains any additional data
// that you want to send to your web server as the HTTP request body, such as data
// from a form. Note that only the first 8 KB (8192 bytes) of the request body are
// forwarded to AWS WAF for inspection by the underlying host service. If you don't
// need to inspect more than 8 KB, you can guarantee that you don't allow
// additional bytes in by combining a statement that inspects the body of the web
// request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a
// SizeConstraintStatement that enforces an 8 KB size limit on the body of the
// request. AWS WAF doesn't support inspecting the entire contents of web requests
// whose bodies exceed the 8 KB limit.
Body *Body
// Inspect the request body as JSON. The request body immediately follows the
// request headers. This is the part of a request that contains any additional data
// that you want to send to your web server as the HTTP request body, such as data
// from a form. Note that only the first 8 KB (8192 bytes) of the request body are
// forwarded to AWS WAF for inspection by the underlying host service. If you don't
// need to inspect more than 8 KB, you can guarantee that you don't allow
// additional bytes in by combining a statement that inspects the body of the web
// request, such as ByteMatchStatement or RegexPatternSetReferenceStatement, with a
// SizeConstraintStatement that enforces an 8 KB size limit on the body of the
// request. AWS WAF doesn't support inspecting the entire contents of web requests
// whose bodies exceed the 8 KB limit.
JsonBody *JsonBody
// Inspect the HTTP method. The method indicates the type of operation that the
// request is asking the origin to perform.
Method *Method
// Inspect the query string. This is the part of a URL that appears after a ?
// character, if any.
QueryString *QueryString
// Inspect a single header. Provide the name of the header to inspect, for example,
// User-Agent or Referer. This setting isn't case sensitive. Example JSON:
// "SingleHeader": { "Name": "haystack" }
SingleHeader *SingleHeader
// Inspect a single query argument. Provide the name of the query argument to
// inspect, such as UserName or SalesRegion. The name can be up to 30 characters
// long and isn't case sensitive. This is used only to indicate the web request
// component for AWS WAF to inspect, in the FieldToMatch specification. Example
// JSON: "SingleQueryArgument": { "Name": "myArgument" }
SingleQueryArgument *SingleQueryArgument
// Inspect the request URI path. This is the part of a web request that identifies
// a resource, for example, /images/daily-ad.jpg.
UriPath *UriPath
}
// A single logging filter, used in LoggingFilter.
type Filter struct {
// How to handle logs that satisfy the filter's conditions and requirement.
//
// This member is required.
Behavior FilterBehavior
// Match conditions for the filter.
//
// This member is required.
Conditions []Condition
// Logic to apply to the filtering conditions. You can specify that, in order to
// satisfy the filter, a log must match all conditions or must match at least one
// condition.
//
// This member is required.
Requirement FilterRequirement
}
// A rule group that's defined for an AWS Firewall Manager WAF policy.
type FirewallManagerRuleGroup struct {
// The processing guidance for an AWS Firewall Manager rule. This is like a regular
// rule Statement, but it can only contain a rule group reference.
//
// This member is required.
FirewallManagerStatement *FirewallManagerStatement
// The name of the rule group. You cannot change the name of a rule group after you
// create it.
//
// This member is required.
Name *string
// The override action to apply to the rules in a rule group. Used only for rule
// statements that reference a rule group, like RuleGroupReferenceStatement and
// ManagedRuleGroupStatement. Set the override action to none to leave the rule
// actions in effect. Set it to count to only count matches, regardless of the rule
// action settings. In a Rule, you must specify either this OverrideAction setting
// or the rule Action setting, but not both:
//
// * If the rule statement references a
// rule group, use this override action setting and not the action setting.
//
// * If
// the rule statement does not reference a rule group, use the rule action setting
// and not this rule override action setting.
//
// This member is required.
OverrideAction *OverrideAction
// If you define more than one rule group in the first or last Firewall Manager
// rule groups, AWS WAF evaluates each request against the rule groups in order,
// starting from the lowest priority setting. The priorities don't need to be
// consecutive, but they must all be different.
//
// This member is required.
Priority int32
// Defines and enables Amazon CloudWatch metrics and web request sample collection.
//
// This member is required.
VisibilityConfig *VisibilityConfig
}
// The processing guidance for an AWS Firewall Manager rule. This is like a regular
// rule Statement, but it can only contain a rule group reference.
type FirewallManagerStatement struct {
// A rule statement used to run the rules that are defined in a managed rule group.
// To use this, provide the vendor name and the name of the rule group in this
// statement. You can retrieve the required names by calling
// ListAvailableManagedRuleGroups. You can't nest a ManagedRuleGroupStatement, for
// example for use inside a NotStatement or OrStatement. It can only be referenced
// as a top-level statement within a rule.
ManagedRuleGroupStatement *ManagedRuleGroupStatement
// A rule statement used to run the rules that are defined in a RuleGroup. To use
// this, create a rule group with your rules, then provide the ARN of the rule
// group in this statement. You cannot nest a RuleGroupReferenceStatement, for
// example for use inside a NotStatement or OrStatement. It can only be referenced
// as a top-level statement within a rule.
RuleGroupReferenceStatement *RuleGroupReferenceStatement
}
// The configuration for inspecting IP addresses in an HTTP header that you
// specify, instead of using the IP address that's reported by the web request
// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
// any header name. If the specified header isn't present in the request, AWS WAF
// doesn't apply the rule to the web request at all. This configuration is used for
// GeoMatchStatement and RateBasedStatement. For IPSetReferenceStatement, use
// IPSetForwardedIPConfig instead. AWS WAF only evaluates the first IP address
// found in the specified HTTP header.
type ForwardedIPConfig struct {
// The match status to assign to the web request if the request doesn't have a
// valid IP address in the specified position. If the specified header isn't
// present in the request, AWS WAF doesn't apply the rule to the web request at
// all. You can specify the following fallback behaviors:
//
// * MATCH - Treat the web
// request as matching the rule statement. AWS WAF applies the rule action to the
// request.
//
// * NO_MATCH - Treat the web request as not matching the rule statement.
//
// This member is required.
FallbackBehavior FallbackBehavior
// The name of the HTTP header to use for the IP address. For example, to use the
// X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified
// header isn't present in the request, AWS WAF doesn't apply the rule to the web
// request at all.
//
// This member is required.
HeaderName *string
}
// A rule statement used to identify web requests based on country of origin.
type GeoMatchStatement struct {
// An array of two-character country codes, for example, [ "US", "CN" ], from the
// alpha-2 country ISO codes of the ISO 3166 international standard.
CountryCodes []CountryCode
// The configuration for inspecting IP addresses in an HTTP header that you
// specify, instead of using the IP address that's reported by the web request
// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
// any header name. If the specified header isn't present in the request, AWS WAF
// doesn't apply the rule to the web request at all.
ForwardedIPConfig *ForwardedIPConfig
}
// Part of the response from GetSampledRequests. This is a complex type that
// appears as Headers in the response syntax. HTTPHeader contains the names and
// values of all of the headers that appear in one of the web requests.
type HTTPHeader struct {
// The name of the HTTP header.
Name *string
// The value of the HTTP header.
Value *string
}
// Part of the response from GetSampledRequests. This is a complex type that
// appears as Request in the response syntax. HTTPRequest contains information
// about one of the web requests.
type HTTPRequest struct {
// The IP address that the request originated from. If the web ACL is associated
// with a CloudFront distribution, this is the value of one of the following fields
// in CloudFront access logs:
//
// * c-ip, if the viewer did not use an HTTP proxy or a
// load balancer to send the request
//
// * x-forwarded-for, if the viewer did use an
// HTTP proxy or a load balancer to send the request
ClientIP *string
// The two-letter country code for the country that the request originated from.
// For a current list of country codes, see the Wikipedia entry ISO 3166-1 alpha-2
// (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).
Country *string
// The HTTP version specified in the sampled web request, for example, HTTP/1.1.
HTTPVersion *string
// A complex type that contains the name and value for each header in the sampled
// web request.
Headers []HTTPHeader
// The HTTP method specified in the sampled web request.
Method *string
// The URI path of the request, which identifies the resource, for example,
// /images/daily-ad.jpg.
URI *string
}
// Contains one or more IP addresses or blocks of IP addresses specified in
// Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and
// IPv6 CIDR ranges except for /0. For information about CIDR notation, see the
// Wikipedia entry Classless Inter-Domain Routing
// (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). AWS WAF assigns
// an ARN to each IPSet that you create. To use an IP set in a rule, you provide
// the ARN to the Rule statement IPSetReferenceStatement.
type IPSet struct {
// The Amazon Resource Name (ARN) of the entity.
//
// This member is required.
ARN *string
// Contains an array of strings that specify one or more IP addresses or blocks of
// IP addresses in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports
// all IPv4 and IPv6 CIDR ranges except for /0. Examples:
//
// * To configure AWS WAF
// to allow, block, or count requests that originated from the IP address
// 192.0.2.44, specify 192.0.2.44/32.
//
// * To configure AWS WAF to allow, block, or
// count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255,
// specify 192.0.2.0/24.
//
// * To configure AWS WAF to allow, block, or count requests
// that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111,
// specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
//
// * To configure AWS WAF to
// allow, block, or count requests that originated from IP addresses
// 1111:0000:0000:0000:0000:0000:0000:0000 to
// 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify
// 1111:0000:0000:0000:0000:0000:0000:0000/64.
//
// For more information about CIDR
// notation, see the Wikipedia entry Classless Inter-Domain Routing
// (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
//
// This member is required.
Addresses []string
// Specify IPV4 or IPV6.
//
// This member is required.
IPAddressVersion IPAddressVersion
// A unique identifier for the set. This ID is returned in the responses to create
// and list commands. You provide it to operations like update and delete.
//
// This member is required.
Id *string
// The name of the IP set. You cannot change the name of an IPSet after you create
// it.
//
// This member is required.
Name *string
// A description of the IP set that helps with identification.
Description *string
}
// The configuration for inspecting IP addresses in an HTTP header that you
// specify, instead of using the IP address that's reported by the web request
// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
// any header name. If the specified header isn't present in the request, AWS WAF
// doesn't apply the rule to the web request at all. This configuration is used
// only for IPSetReferenceStatement. For GeoMatchStatement and RateBasedStatement,
// use ForwardedIPConfig instead.
type IPSetForwardedIPConfig struct {
// The match status to assign to the web request if the request doesn't have a
// valid IP address in the specified position. If the specified header isn't
// present in the request, AWS WAF doesn't apply the rule to the web request at
// all. You can specify the following fallback behaviors:
//
// * MATCH - Treat the web
// request as matching the rule statement. AWS WAF applies the rule action to the
// request.
//
// * NO_MATCH - Treat the web request as not matching the rule statement.
//
// This member is required.
FallbackBehavior FallbackBehavior
// The name of the HTTP header to use for the IP address. For example, to use the
// X-Forwarded-For (XFF) header, set this to X-Forwarded-For. If the specified
// header isn't present in the request, AWS WAF doesn't apply the rule to the web
// request at all.
//
// This member is required.
HeaderName *string
// The position in the header to search for the IP address. The header can contain
// IP addresses of the original client and also of proxies. For example, the header
// value could be 10.1.1.1, 127.0.0.0, 10.10.10.10 where the first IP address
// identifies the original client and the rest identify proxies that the request
// went through. The options for this setting are the following:
//
// * FIRST - Inspect
// the first IP address in the list of IP addresses in the header. This is usually
// the client's original IP.
//
// * LAST - Inspect the last IP address in the list of
// IP addresses in the header.
//
// * ANY - Inspect all IP addresses in the header for
// a match. If the header contains more than 10 IP addresses, AWS WAF inspects the
// last 10.
//
// This member is required.
Position ForwardedIPPosition
}
// A rule statement used to detect web requests coming from particular IP addresses
// or address ranges. To use this, create an IPSet that specifies the addresses you
// want to detect, then use the ARN of that set in this statement. To create an IP
// set, see CreateIPSet. Each IP set rule statement references an IP set. You
// create and maintain the set independent of your rules. This allows you to use
// the single set in multiple rules. When you update the referenced set, AWS WAF
// automatically updates all rules that reference it.
type IPSetReferenceStatement struct {
// The Amazon Resource Name (ARN) of the IPSet that this statement references.
//
// This member is required.
ARN *string
// The configuration for inspecting IP addresses in an HTTP header that you
// specify, instead of using the IP address that's reported by the web request
// origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
// any header name. If the specified header isn't present in the request, AWS WAF
// doesn't apply the rule to the web request at all.
IPSetForwardedIPConfig *IPSetForwardedIPConfig
}
// High-level information about an IPSet, returned by operations like create and
// list. This provides information like the ID, that you can use to retrieve and
// manage an IPSet, and the ARN, that you provide to the IPSetReferenceStatement to
// use the address set in a Rule.
type IPSetSummary struct {
// The Amazon Resource Name (ARN) of the entity.
ARN *string
// A description of the IP set that helps with identification.
Description *string
// A unique identifier for the set. This ID is returned in the responses to create
// and list commands. You provide it to operations like update and delete.
Id *string
// A token used for optimistic locking. AWS WAF returns a token to your get and
// list requests, to mark the state of the entity at the time of the request. To
// make changes to the entity associated with the token, you provide the token to
// operations like update and delete. AWS WAF uses the token to ensure that no
// changes have been made to the entity since you last retrieved it. If a change
// has been made, the update fails with a WAFOptimisticLockException. If this
// happens, perform another get, and use the new token returned by that operation.
LockToken *string
// The name of the IP set. You cannot change the name of an IPSet after you create
// it.
Name *string
}
// The body of a web request, inspected as JSON. The body immediately follows the
// request headers. This is used in the FieldToMatch specification. Use the
// specifications in this object to indicate which parts of the JSON body to
// inspect using the rule's inspection criteria. AWS WAF inspects only the parts of
// the JSON that result from the matches that you indicate.
type JsonBody struct {
// The patterns to look for in the JSON body. AWS WAF inspects the results of these
// pattern matches against the rule inspection criteria.
//
// This member is required.
MatchPattern *JsonMatchPattern
// The parts of the JSON to match against using the MatchPattern. If you specify
// All, AWS WAF matches against keys and values.
//
// This member is required.
MatchScope JsonMatchScope
// What AWS WAF should do if it fails to completely parse the JSON body. The
// options are the following:
//
// * EVALUATE_AS_STRING - Inspect the body as plain
// text. AWS WAF applies the text transformations and inspection criteria that you
// defined for the JSON inspection to the body text string.
//
// * MATCH - Treat the
// web request as matching the rule statement. AWS WAF applies the rule action to
// the request.
//
// * NO_MATCH - Treat the web request as not matching the rule
// statement.
//
// If you don't provide this setting, AWS WAF parses and evaluates the
// content only up to the first parsing failure that it encounters. AWS WAF does
// its best to parse the entire JSON body, but might be forced to stop for reasons
// such as invalid characters, duplicate keys, truncation, and any content whose
// root node isn't an object or an array. AWS WAF parses the JSON in the following
// examples as two valid key, value pairs:
//
// * Missing comma:
// {"key1":"value1""key2":"value2"}
//
// * Missing colon:
// {"key1":"value1","key2""value2"}
//
// * Extra colons:
// {"key1"::"value1","key2""value2"}
InvalidFallbackBehavior BodyParsingFallbackBehavior
}
// The patterns to look for in the JSON body. AWS WAF inspects the results of these
// pattern matches against the rule inspection criteria. This is used with the
// FieldToMatch option JsonBody.
type JsonMatchPattern struct {
// Match all of the elements. See also MatchScope in JsonBody. You must specify
// either this setting or the IncludedPaths setting, but not both.
All *All
// Match only the specified include paths. See also MatchScope in JsonBody. Provide
// the include paths using JSON Pointer syntax. For example, "IncludedPaths":
// ["/dogs/0/name", "/dogs/1/name"]. For information about this syntax, see the
// Internet Engineering Task Force (IETF) documentation JavaScript Object Notation
// (JSON) Pointer (https://tools.ietf.org/html/rfc6901). You must specify either
// this setting or the All setting, but not both. Don't use this option to include
// all paths. Instead, use the All setting.
IncludedPaths []string
}
// A single label container. This is used as an element of a label array in
// multiple contexts, for example, in RuleLabels inside a Rule and in Labels inside
// a SampledHTTPRequest.
type Label struct {
// The label string.
//
// This member is required.
Name *string
}
// A rule statement that defines a string match search against labels that have
// been added to the web request by rules that have already run in the web ACL. The
// label match statement provides the label or namespace string to search for. The
// label string can represent a part or all of the fully qualified label name that
// had been added to the web request. Fully qualified labels have a prefix,
// optional namespaces, and label name. The prefix identifies the rule group or web
// ACL context of the rule that added the label. If you do not provide the fully
// qualified name in your label match string, AWS WAF performs the search for
// labels that were added in the same context as the label match statement.
type LabelMatchStatement struct {
// The string to match against. The setting you provide for this depends on the
// match statement's Scope settings:
//
// * If the Scope indicates LABEL, then this
// specification must include the name and can include any number of preceding
// namespace specifications and prefix up to providing the fully qualified label
// name.
//
// * If the Scope indicates NAMESPACE, then this specification can include
// any number of contiguous namespace strings, and can include the entire label
// namespace prefix from the rule group or web ACL where the label
// originates.
//
// Labels are case sensitive and components of a label must be
// separated by colon, for example NS1:NS2:name.
//
// This member is required.
Key *string
// Specify whether you want to match using the label name or just the namespace.
//
// This member is required.
Scope LabelMatchScope
}
// A single label name condition for a Condition in a logging filter.
type LabelNameCondition struct {
// The label name that a log record must contain in order to meet the condition.
// This must be a fully qualified label name. Fully qualified labels have a prefix,
// optional namespaces, and label name. The prefix identifies the rule group or web
// ACL context of the rule that added the label.
//
// This member is required.
LabelName *string
}
// List of labels used by one or more of the rules of a RuleGroup. This summary
// object is used for the following rule group lists:
//
// * AvailableLabels - Labels
// that rules add to matching requests. These labels are defined in the RuleLabels
// for a Rule.
//
// * ConsumedLabels - Labels that rules match against. These labels
// are defined in a LabelMatchStatement specification, in the Statement definition
// of a rule.
type LabelSummary struct {
// An individual label specification.
Name *string
}
// Defines an association between Amazon Kinesis Data Firehose destinations and a
// web ACL resource, for logging from AWS WAF. As part of the association, you can
// specify parts of the standard logging fields to keep out of the logs and you can
// specify filters so that you log only a subset of the logging records.
type LoggingConfiguration struct {
// The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to
// associate with the web ACL.
//
// This member is required.
LogDestinationConfigs []string
// The Amazon Resource Name (ARN) of the web ACL that you want to associate with
// LogDestinationConfigs.
//
// This member is required.
ResourceArn *string
// Filtering that specifies which web requests are kept in the logs and which are
// dropped. You can filter on the rule action and on the web request labels that
// were applied by matching rules during web ACL evaluation.
LoggingFilter *LoggingFilter
// Indicates whether the logging configuration was created by AWS Firewall Manager,
// as part of an AWS WAF policy configuration. If true, only Firewall Manager can
// modify or delete the configuration.
ManagedByFirewallManager bool
// The parts of the request that you want to keep out of the logs. For example, if
// you redact the HEADER field, the HEADER field in the firehose will be xxx. You
// must use one of the following values: URI, QUERY_STRING, HEADER, or METHOD.
RedactedFields []FieldToMatch
}
// Filtering that specifies which web requests are kept in the logs and which are
// dropped, defined for a web ACL's LoggingConfiguration. You can filter on the
// rule action and on the web request labels that were applied by matching rules
// during web ACL evaluation.
type LoggingFilter struct {
// Default handling for logs that don't match any of the specified filtering
// conditions.
//
// This member is required.
DefaultBehavior FilterBehavior
// The filters that you want to apply to the logs.
//
// This member is required.
Filters []Filter
}
// A rule statement used to run the rules that are defined in a managed rule group.
// To use this, provide the vendor name and the name of the rule group in this
// statement. You can retrieve the required names by calling
// ListAvailableManagedRuleGroups. You can't nest a ManagedRuleGroupStatement, for
// example for use inside a NotStatement or OrStatement. It can only be referenced
// as a top-level statement within a rule.
type ManagedRuleGroupStatement struct {
// The name of the managed rule group. You use this, along with the vendor name, to
// identify the rule group.
//
// This member is required.
Name *string
// The name of the managed rule group vendor. You use this, along with the rule
// group name, to identify the rule group.
//
// This member is required.
VendorName *string
// The rules whose actions are set to COUNT by the web ACL, regardless of the
// action that is set on the rule. This effectively excludes the rule from acting
// on web requests.
ExcludedRules []ExcludedRule
// The processing guidance for a Rule, used by AWS WAF to determine whether a web
// request matches the rule.
ScopeDownStatement *Statement
}
// High-level information about a managed rule group, returned by
// ListAvailableManagedRuleGroups. This provides information like the name and
// vendor name, that you provide when you add a ManagedRuleGroupStatement to a web
// ACL. Managed rule groups include AWS Managed Rules rule groups, which are free
// of charge to AWS WAF customers, and AWS Marketplace managed rule groups, which
// you can subscribe to through AWS Marketplace.
type ManagedRuleGroupSummary struct {
// The description of the managed rule group, provided by AWS Managed Rules or the
// AWS Marketplace seller who manages it.
Description *string
// The name of the managed rule group. You use this, along with the vendor name, to
// identify the rule group.
Name *string
// The name of the managed rule group vendor. You use this, along with the rule
// group name, to identify the rule group.
VendorName *string
}
// The HTTP method of a web request. The method indicates the type of operation
// that the request is asking the origin to perform. This is used only to indicate
// the web request component for AWS WAF to inspect, in the FieldToMatch
// specification.
type Method struct {
}
// Specifies that AWS WAF should do nothing. This is generally used to try out a
// rule without performing any actions. You set the OverrideAction on the Rule.
// This is used in the context of other settings, for example to specify values for
// RuleAction and web ACL DefaultAction.
type NoneAction struct {
}
// A logical rule statement used to negate the results of another rule statement.
// You provide one Statement within the NotStatement.
type NotStatement struct {
// The statement to negate. You can use any statement that can be nested.
//
// This member is required.
Statement *Statement
}
// A logical rule statement used to combine other rule statements with OR logic.
// You provide more than one Statement within the OrStatement.
type OrStatement struct {
// The statements to combine with OR logic. You can use any statements that can be
// nested.
//
// This member is required.
Statements []Statement
}
// The override action to apply to the rules in a rule group. Used only for rule
// statements that reference a rule group, like RuleGroupReferenceStatement and
// ManagedRuleGroupStatement. Set the override action to none to leave the rule
// actions in effect. Set it to count to only count matches, regardless of the rule
// action settings. In a Rule, you must specify either this OverrideAction setting
// or the rule Action setting, but not both:
//
// * If the rule statement references a
// rule group, use this override action setting and not the action setting.