page_title | subcategory | description |
---|---|---|
sigsci_site_rule Resource - terraform-provider-sigsci |
```hcl
resource "sigsci_site_rule" "test-request-rule" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "request"
  group_operator  = "all"
  enabled         = true
  reason          = "Example request site rule"
  requestlogging  = "sampled"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "ip"
    operator = "equals"
    value    = "1.2.3.4"
  }

  conditions {
    type           = "multival"
    field          = "requestHeader"
    operator       = "exists"
    group_operator = "all"
    conditions {
      type     = "single"
      field    = "name"
      operator = "equals"
      value    = "Content-Type"
    }
    conditions {
      type     = "single"
      field    = "valueString"
      operator = "equals"
      value    = "application/json"
    }
  }

  actions {
    type = "block"
  }
}

resource "sigsci_site_rule" "test-ratelimit-rule-conditions" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "rateLimit"
  group_operator  = "all"
  enabled         = true
  reason          = "Example rate limit rule that rate limits clients who match the rule conditions after exceeding threshold"
  signal          = "site.count-ratelimit-rule1"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "path"
    operator = "equals"
    value    = "/#"
  }

  rate_limit {
    threshold = 6
    interval  = 10
    duration  = 300
    client_identifiers {
      type = "ip"
    }
  }

  actions {
    type   = "logRequest"
    signal = "site.count-ratelimit-rule1"
  }
}

resource "sigsci_site_rule" "test-ratelimit-other-signal" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "rateLimit"
  group_operator  = "all"
  enabled         = true
  reason          = "Example rate limit rule that rate limits clients who match a different signal after exceeding threshold"
  signal          = "site.count-ratelimit-rule2"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "path"
    operator = "equals"
    value    = "/reset_password"
  }

  rate_limit {
    threshold = 6
    interval  = 10
    duration  = 300
    client_identifiers {
      type = "ip"
    }
  }

  actions {
    type   = "logRequest"
    signal = "site.action-on-other-signal"
  }
}

resource "sigsci_site_rule" "test-ratelimit-all-requests" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "rateLimit"
  group_operator  = "all"
  enabled         = true
  reason          = "Example rule that rate limits all requests from clients after exceeding threshold"
  signal          = "site.count-ratelimit-rule3"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "path"
    operator = "equals"
    value    = "/#"
  }

  rate_limit {
    threshold = 6
    interval  = 10
    duration  = 300
    client_identifiers {
      type = "ip"
    }
  }

  actions {
    type   = "logRequest"
    signal = "ALL-REQUESTS"
  }
}

resource "sigsci_site_rule" "test-signal-exclusion" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "signal"
  group_operator  = "all"
  enabled         = true
  reason          = "Example signal exclusion site rule"
  signal          = "SQLI"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "ip"
    operator = "equals"
    value    = "1.2.3.6"
  }

  actions {
    type = "excludeSignal"
  }
}
```

Warning: You must run `terraform apply` with the option `-parallelism=1` when using this resource or risk data inconsistencies! See the FAQ. |
---|

- `conditions` (Block Set, Min: 1, Max: 10) Conditions (see below for nested schema)
- `enabled` (Boolean) enable the rule
- `expiration` (String) Date the rule will automatically be disabled. If rule is always enabled, will return empty string
- `group_operator` (String) Conditions that must be matched when evaluating the request (all, any)
- `reason` (String) Description of the rule
- `site_short_name` (String) Site short name
- `type` (String) Type of rule (request, signal, rateLimit)

- `actions` (Block Set, Max: 2) Actions (see below for nested schema)
- `rate_limit` (Block Set, Max: 1) Rate Limit (see below for nested schema)
- `requestlogging` (String) Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for rules of type `request`. Not valid for `signal` or `rateLimit`.
- `signal` (String) The signal id of the signal being excluded

- `id` (String) The ID of this resource.

Required:

- `type` (String) (group, multival, single)

Optional:

- `conditions` (Block Set, Max: 10) Conditions (see below for nested schema)
- `field` (String) types:
  - single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, value, ja3Fingerprint, protocolVersion)
  - multival - (signal, requestHeader, queryParameter, postParameter, requestCookie, responseHeader)
- `group_operator` (String) type: group, multival - Conditions that must be matched when evaluating the request (all, any)
- `operator` (String) type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)
- `value` (String) type: single - See request fields (https://docs.fastly.com/signalsciences/using-signal-sciences/rules/defining-rule-conditions/#fields)

Required:

- `type` (String) (group, multival, single)

Optional:

- `conditions` (Block Set, Max: 10) Conditions (see below for nested schema)
- `field` (String) types:
  - single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, value, ja3Fingerprint, protocolVersion)
  - multival - (signal, requestHeader, queryParameter, postParameter, requestCookie, responseHeader)
- `group_operator` (String) type: group, multival - Conditions that must be matched when evaluating the request (all, any)
- `operator` (String) type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)
- `value` (String) type: single - See request fields (https://docs.fastly.com/signalsciences/using-signal-sciences/rules/defining-rule-conditions/#fields)

Required:

- `type` (String) (group, multival, single)

Optional:

- `field` (String) types:
  - single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, value, ja3Fingerprint, protocolVersion)
  - multival - (signal, requestHeader, queryParameter, postParameter, requestCookie, responseHeader)
- `group_operator` (String) type: group, multival - Conditions that must be matched when evaluating the request (all, any)
- `operator` (String) type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)
- `value` (String) type: single - See request fields (https://docs.fastly.com/signalsciences/using-signal-sciences/rules/defining-rule-conditions/#fields)

Required:

- `type` (String) (addSignal, allow, block, browserChallenge, excludeSignal, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

Optional:

- `allow_interactive` (Boolean) Allows toggling between a non-interactive and interactive browser challenge. Only valid with the 'browserChallenge' action type.
- `redirect_url` (String) URL to redirect to when blocking response code is set to 301 or 302
- `response_code` (Number) HTTP code for agent to respond with. range: 301, 302, or 400-599, defaults to '406' if not provided. Only valid with the 'block' action type.
- `signal` (String) signal id to tag

Required:

- `client_identifiers` (Block Set, Min: 1) Client Identifiers (see below for nested schema)
- `duration` (Number) duration in seconds (300 < x < 3600)
- `interval` (Number) interval in minutes (1, 5, 10)
- `threshold` (Number) threshold

Required:

- `type` (String) (ip, requestHeader, requestCookie, postParameter, signalPayload)

Optional:

- `key` (String)
- `name` (String)

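
A pre-apply check for the schema limits listed above, as an added example that is not part of the provider or its documentation. The dict layout, `lint_rule` and `SAMPLE` are hypothetical, and the non-rateLimit action set is assumed to apply to every rule type other than `rateLimit`.

```python
# Added example (not provider code); limits are copied from this page's schema text.
ACTIONS = {"addSignal", "allow", "block", "browserChallenge", "excludeSignal", "verifyToken"}
RATELIMIT_ACTIONS = {"logRequest", "blockSignal", "browserChallenge", "verifyToken"}
CLIENT_ID_TYPES = {"ip", "requestHeader", "requestCookie", "postParameter", "signalPayload"}

def _lint_conditions(conds, depth, path, out):
    """Check block count, condition type and nesting (the schema shows three levels)."""
    low = 1 if depth == 1 else 0
    if not low <= len(conds) <= 10:
        out.append(f"{path}: {len(conds)} blocks, allowed {low}-10")
    for i, c in enumerate(conds):
        here = f"{path}[{i}]"
        if c.get("type") not in {"group", "multival", "single"}:
            out.append(f"{here}: type must be group, multival or single")
        nested = c.get("conditions", [])
        if nested and depth == 3:
            out.append(f"{here}: conditions nested deeper than three levels")
        elif nested:
            _lint_conditions(nested, depth + 1, f"{here}.conditions", out)

def lint_rule(rule):
    """Return findings for one rule given as a plain dict (hypothetical layout)."""
    out, rtype = [], rule.get("type")
    _lint_conditions(rule.get("conditions", []), 1, "conditions", out)
    if "requestlogging" in rule and rtype != "request":
        out.append("requestlogging: only available for rules of type request")
    actions = rule.get("actions", [])
    if len(actions) > 2:
        out.append(f"actions: {len(actions)} blocks, max 2")
    allowed = RATELIMIT_ACTIONS if rtype == "rateLimit" else ACTIONS
    for i, a in enumerate(actions):
        kind, code = a.get("type"), a.get("response_code")
        if kind not in allowed:
            out.append(f"actions[{i}]: type {kind!r} not valid for {rtype} rules")
        if code is not None and (kind != "block" or not (code in (301, 302) or 400 <= code <= 599)):
            out.append(f"actions[{i}]: response_code needs type block and 301, 302 or 400-599")
        if "allow_interactive" in a and kind != "browserChallenge":
            out.append(f"actions[{i}]: allow_interactive is only valid with browserChallenge")
    if (rl := rule.get("rate_limit")) is not None:
        if rl.get("interval") not in (1, 5, 10):
            out.append("rate_limit: interval must be 1, 5 or 10 (minutes)")
        ids = rl.get("client_identifiers", [])
        if not ids or any(c.get("type") not in CLIENT_ID_TYPES for c in ids):
            out.append("rate_limit: needs client_identifiers blocks with a valid type")
    return out

# Constructed sample: a rateLimit rule carrying three settings the schema does not allow.
SAMPLE = {"type": "rateLimit", "requestlogging": "sampled", "actions": [{"type": "block"}],
          "conditions": [{"type": "single", "field": "path", "operator": "equals", "value": "/reset_password"}],
          "rate_limit": {"threshold": 6, "interval": 3, "client_identifiers": [{"type": "ip"}]}}
```

`lint_rule(SAMPLE)` reports the `requestlogging` setting, the `block` action and the 3-minute interval; a rule that stays within the listed limits returns an empty list.
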
We have curated a list of templates for common rules; the full list of available signals is given below.
For these you must specify `type = "templatedSignal"`. Note that they will show up on the site's "Templated Rules" page in the Console.
```hcl
resource "sigsci_site_rule" "testsignal" {
  site_short_name = sigsci_site.my-site.short_name
  type            = "templatedSignal"
  group_operator  = "all"
  enabled         = true
  reason          = "Example site rule update"
  signal          = "PW-RESET-ATTEMPT"
  expiration      = ""

  conditions {
    type     = "single"
    field    = "method"
    operator = "equals"
    value    = "POST"
  }

  conditions {
    type     = "single"
    field    = "path"
    operator = "equals"
    value    = "/change-password"
  }

  conditions {
    type           = "multival"
    group_operator = "all"
    conditions {
      field    = "name"
      operator = "equals"
      type     = "single"
      value    = "foo"
    }
  }
}

// These are all of the valid values for signal
signals = ["2FA-CHANGED","2FA-DISABLED","ADDRESS-CHANGED","CC-VAL-ATTEMPT","CC-VAL-FAILURE", "CC-VAL-SUCCESS",
"EMAIL-CHANGED","EMAIL-VALIDATION","GC-VAL-ATTEMPT","GC-VAL-FAILURE", "GC-VAL-SUCCESS","INFO-VIEWED",
"INVITE-ATTEMPT","INVITE-FAILURE","INVITE-SUCCESS", "KBA-CHANGED","MESSAGE-SENT","PW-CHANGED","PW-RESET-ATTEMPT",
"RSRC-ID-ENUM-ATTEMPT", "RSRC-ID-ENUM-FAILURE","RSRC-ID-ENUM-SUCCESS","RSRC-ID-ENUM-SUCCESS","USER-ID-ENUM-ATTEMPT",
"USER-ID-ENUM-FAILURE","USER-ID-ENUM-SUCCESS","USER-ID-ENUM-SUCCESS","WRONG-API-CLIENT"]
```

If you do not see the signal you want in this list, check out the Templated Rules page for some additional templates.

Import is supported using the following syntax:

```shell
terraform import sigsci_site_rule.test site_short_name:id
```