| title | WAF Managed Rules configuration using Terraform | |||||
|---|---|---|---|---|---|---|
| description | Deploy and configure Cloudflare WAF Managed Rules at the zone or account level using Terraform. | |||||
| pcx_content_type | how-to | |||||
| sidebar |
|
|||||
| head |
|
|||||
| products |
|
import { Details, Render, RuleID, Tabs, TabItem } from "~/components";
This page provides examples of deploying and configuring WAF Managed Rules in your zone or account using Terraform. It covers the following configurations:
- Deploy managed rulesets at the zone level
- Deploy managed rulesets at the account level
- Configure exceptions
- Configure payload logging
- Configure overrides
- Configure the OWASP paranoia level, score threshold, and action
If you are using the Cloudflare API, refer to the following resources:
For more information on deploying and configuring managed rulesets using the Rulesets API, refer to Work with managed rulesets in the Ruleset Engine documentation.
The IDs of WAF managed rulesets are also available in the WAF Managed Rules page.
The following example deploys two managed rulesets to the zone with ID <ZONE_ID> using Terraform, using a cloudflare_ruleset resource with two rules that execute the managed rulesets.
Configure the cloudflare_ruleset resource:
# Configure a ruleset at the zone level for the "http_request_firewall_managed" phase
resource "cloudflare_ruleset" "zone_level_managed_waf" {
zone_id = var.cloudflare_zone_id
name = "Managed WAF entry point ruleset"
description = "Zone-level WAF Managed Rules config"
kind = "zone"
phase = "http_request_firewall_managed"
rules = [
{
# Execute Cloudflare Managed Ruleset
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
},
{
# Execute Cloudflare OWASP Core Ruleset
ref = "execute_cloudflare_owasp_core_ruleset"
description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
},
]
}# Configure a ruleset at the zone level for the "http_request_firewall_managed" phase
resource "cloudflare_ruleset" "zone_level_managed_waf" {
zone_id = "<ZONE_ID>"
name = "Managed WAF entry point ruleset"
description = "Zone-level WAF Managed Rules config"
kind = "zone"
phase = "http_request_firewall_managed"
# Execute Cloudflare Managed Ruleset
rules {
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
}
# Execute Cloudflare OWASP Core Ruleset
rules {
ref = "execute_cloudflare_owasp_core_ruleset"
description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
}
}:::note[Notes]
-
Account-level WAF configuration requires an Enterprise plan with a paid add-on.
-
Managed rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your
executerule must end withand cf.zone.plan eq "ENT".
:::
The following example deploys two managed rulesets to the account with ID <ACCOUNT_ID> using Terraform, using a cloudflare_ruleset resource with two rules that execute the managed rulesets for two hostnames belonging to Enterprise zones.
Details
All of the following token permissions are required:
Account WAF WriteAccount Rulesets Write
Configure the cloudflare_ruleset resource:
resource "cloudflare_ruleset" "account_level_managed_waf" {
account_id = var.cloudflare_account_id
name = "Managed WAF entry point ruleset"
description = "Account-level WAF Managed Rules config"
kind = "root"
phase = "http_request_firewall_managed"
rules = [
{
# Execute Cloudflare Managed Ruleset
ref = "execute_cloudflare_managed_ruleset_api_store"
description = "Execute Cloudflare Managed Ruleset on my account-level phase entry point ruleset"
expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
action = "execute"
action_parameters = {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
},
{
# Execute Cloudflare OWASP Core Ruleset
ref = "execute_owasp_core_ruleset_api_store"
description = "Execute Cloudflare OWASP Core Ruleset on my account-level phase entry point ruleset"
expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
action = "execute"
action_parameters = {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
},
]
}resource "cloudflare_ruleset" "account_level_managed_waf" {
account_id = "<ACCOUNT_ID>"
name = "Managed WAF entry point ruleset"
description = "Account-level WAF Managed Rules config"
kind = "root"
phase = "http_request_firewall_managed"
# Execute Cloudflare Managed Ruleset
rules {
ref = "execute_cloudflare_managed_ruleset_api_store"
description = "Execute Cloudflare Managed Ruleset on my account-level phase entry point ruleset"
expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
}
# Execute Cloudflare OWASP Core Ruleset
rules {
ref = "execute_owasp_core_ruleset_api_store"
description = "Execute Cloudflare OWASP Core Ruleset on my account-level phase entry point ruleset"
expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
}
}The following example adds two exceptions for the Cloudflare Managed Ruleset:
- The first rule will skip the execution of the entire Cloudflare Managed Ruleset (with ID ) for specific URLs, according to the rule expression.
- The second rule will skip the execution of two rules belonging to the Cloudflare Managed Ruleset for specific URLs, according to the rule expression.
Add the two exceptions to the cloudflare_ruleset resource before the rule that deploys the Cloudflare Managed Ruleset:
resource "cloudflare_ruleset" "zone_level_managed_waf" {
# (...)
rules = [
{
# Skip execution of the entire Cloudflare Managed Ruleset for specific URLs
ref = "skip_cloudflare_managed_ruleset_example_com"
description = "Skip Cloudflare Managed Ruleset"
expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rulesets\")"
action = "skip"
action_parameters = {
rulesets = ["efb7b8c949ac4650a09736fc376e9aee"]
}
},
{
# Skip execution of two rules in the Cloudflare Managed Ruleset for specific URLs
ref = "skip_wordpress_sqli_rules_example_com"
description = "Skip WordPress and SQLi rules"
expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rules\")"
action = "skip"
action_parameters = {
rules = {
# Format: "<RULESET_ID>" = ["<RULE_ID_1>", "<RULE_ID_2>"]
"efb7b8c949ac4650a09736fc376e9aee" = ["5de7edfa648c4d6891dc3e7f84534ffa", "e3a567afc347477d9702d9047e97d760"]
}
}
},
{
# Execute Cloudflare Managed Ruleset
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
},
# (...)
]
}resource "cloudflare_ruleset" "zone_level_managed_waf" {
# (...)
# Skip execution of the entire Cloudflare Managed Ruleset for specific URLs
rules {
ref = "skip_cloudflare_managed_ruleset_example_com"
description = "Skip Cloudflare Managed Ruleset"
expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rulesets\")"
action = "skip"
action_parameters {
rulesets = ["efb7b8c949ac4650a09736fc376e9aee"]
}
}
# Skip execution of two rules in the Cloudflare Managed Ruleset for specific URLs
rules {
ref = "skip_wordpress_sqli_rules_example_com"
description = "Skip WordPress and SQLi rules"
expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rules\")"
action = "skip"
action_parameters {
rules = {
# Format: "<RULESET_ID>" = "<RULE_ID_1>,<RULE_ID_2>,..."
"efb7b8c949ac4650a09736fc376e9aee" = "5de7edfa648c4d6891dc3e7f84534ffa,e3a567afc347477d9702d9047e97d760"
}
}
}
# Execute Cloudflare Managed Ruleset
rules {
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
}
# (...)
}:::caution[Important]
Ensure that you place the exceptions before the rule that executes the managed ruleset (or some of its rules) that you wish to skip, as in the previous example. :::
The following example adds three overrides for the Cloudflare Managed Ruleset:
- A rule override for rule with ID
5de7edfa648c4d6891dc3e7f84534ffasetting the action tolog. - A rule override for rule with ID
75a0060762034a6cb663fd51a02344cbdisabling the rule. - A tag override for the
wordpresstag, setting the action of all the rules with this tag tojs_challenge.
The following configuration includes the three overrides in the rule that executes the Cloudflare Managed Ruleset:
# (...)
# Execute Cloudflare Managed Ruleset
rules = [{
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "efb7b8c949ac4650a09736fc376e9aee"
overrides = {
rules = [
{
id = "5de7edfa648c4d6891dc3e7f84534ffa"
action = "log"
enabled = true
},
{
id = "75a0060762034a6cb663fd51a02344cb"
enabled = false
},
]
categories = [{
category = "wordpress"
action = "js_challenge"
enabled = true
}]
}
}
}]
# (...) # (...)
# Execute Cloudflare Managed Ruleset
rules {
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
overrides {
rules {
id = "5de7edfa648c4d6891dc3e7f84534ffa"
action = "log"
enabled = true
}
rules {
id = "75a0060762034a6cb663fd51a02344cb"
enabled = false
}
categories {
category = "wordpress"
action = "js_challenge"
enabled = true
}
}
}
}
# (...)This example enables payload logging for matched rules of the Cloudflare Managed Ruleset, setting the public key used to encrypt the logged payload.
Building upon the rule that deploys the Cloudflare Managed Ruleset, the following rule configuration adds the matched_data object with the public key used to encrypt the payload:
# (...)
# Execute Cloudflare Managed Ruleset
rules = [{
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "efb7b8c949ac4650a09736fc376e9aee"
matched_data = {
public_key = "Ycig/Zr/pZmklmFUN99nr+taURlYItL91g+NcHGYpB8="
}
}
}]
# (...) # (...)
# Execute Cloudflare Managed Ruleset
rules {
ref = "execute_cloudflare_managed_ruleset"
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
matched_data {
public_key = "Ycig/Zr/pZmklmFUN99nr+taURlYItL91g+NcHGYpB8="
}
}
}
# (...)The OWASP managed ruleset supports the following configurations:
-
Enable all the rules up to a specific paranoia level by creating tag overrides that disable all the rules associated with higher paranoia levels.
-
Set the action to perform when the calculated threat score is greater than the score threshold by creating a rule override for the last rule in the Cloudflare OWASP Core Ruleset (rule with ID ), and including the
actionproperty. -
Set the score threshold by creating a rule override for the last rule in the Cloudflare OWASP Core Ruleset (rule with ID ), and including the
score_thresholdproperty.
For more information on the available configuration values, refer to the Cloudflare OWASP Core Ruleset page in the WAF documentation.
The following example rule of a cloudflare_ruleset Terraform resource performs the following configuration:
- Deploys the OWASP managed ruleset.
- Sets the OWASP paranoia level to PL2.
- Sets the score threshold to
60(Low). - Sets the ruleset action to
log.
# (...)
# Execute Cloudflare OWASP Core Ruleset
rules = [{
ref = "execute_owasp_core_ruleset"
description = "Execute Cloudflare OWASP Core Ruleset"
expression = "true"
action = "execute"
action_parameters = {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
overrides = {
# By default, all PL1 to PL4 rules are enabled.
# Set the paranoia level to PL2 by disabling rules with
# tags "paranoia-level-3" and "paranoia-level-4".
categories = [
{
category = "paranoia-level-3"
enabled = false
},
{
category = "paranoia-level-4"
enabled = false
},
]
rules = [{
id = "6179ae15870a4bb7b2d480d4843b323c"
action = "log"
score_threshold = 60
}]
}
}
}]
# (...) # (...)
# Execute Cloudflare OWASP Core Ruleset
rules {
ref = "execute_owasp_core_ruleset"
description = "Execute Cloudflare OWASP Core Ruleset"
expression = "true"
action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
overrides {
# By default, all PL1 to PL4 rules are enabled.
# Set the paranoia level to PL2 by disabling rules with
# tags "paranoia-level-3" and "paranoia-level-4".
categories {
category = "paranoia-level-3"
enabled = false
}
categories {
category = "paranoia-level-4"
enabled = false
}
rules {
id = "6179ae15870a4bb7b2d480d4843b323c"
action = "log"
score_threshold = 60
}
}
}
}
# (...)