这是indexloc提供的服务,不要输入任何密码
Skip to content

[firewall config resource] Fix example config #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 1, 2025
Merged

[firewall config resource] Fix example config #307

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
65d6a9b
fix firewall example config
OhMyVolk Apr 30, 2025
0ace36e
re-generate docs
OhMyVolk Apr 30, 2025
ef33b04
add task docs to readme
OhMyVolk Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@ $ task test -- -run 'TestAcc_Project*'

## Building The Documentation

```sh
$ task docs
```
The documentation is autogenerated from Description fields within the provider, and the `examples` directory.
Building the documentation generates markdown in the `docs` folder, ready for deployment to Hashicorp.

Expand Down
86 changes: 43 additions & 43 deletions docs/resources/firewall_config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,23 +22,23 @@ resource "vercel_firewall_config" "example" {

rules {
rule {
name = "Bypass Known request"
name = "Bypass Known request"
description = "Bypass requests using internal bearer tokens"
# individual condition groups are evaluated as ORs
condition_group = [
{
conditions = [{
type = "header"
key = "Authorization"
op = "eq"
type = "header"
key = "Authorization"
op = "eq"
value = "Bearer internaltoken"
}]
},
{
conditions = [{
type = "header"
key = "Authorization"
op = "eq"
type = "header"
key = "Authorization"
op = "eq"
value = "Bearer internaltoken2"
}]
}
Expand All @@ -49,12 +49,12 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Challenge curl"
name = "Challenge curl"
description = "Challenge user agents containing 'curl'"
condition_group = [{
conditions = [{
type = "user_agent"
op = "sub"
type = "user_agent"
op = "sub"
value = "curl"
}]
}]
Expand All @@ -64,20 +64,20 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Deny cookieless requests"
name = "Deny cookieless requests"
description = "requests to /api that are missing a session cookie"
# multiple conditions in a single condition group are evaluated as ANDs
condition_group = [{
conditions = [{
type = "path"
op = "eq"
type = "path"
op = "eq"
value = "/api"
},
{
type = "cookie"
key = "_session"
neg = true
op = "ex"
},
{
type = "cookie"
key = "_session"
neg = true
op = "ex"
}]
}]
action = {
Expand All @@ -86,37 +86,37 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Rate limit API"
name = "Rate limit API"
description = "apply ratelimit to requests under /api"
condition_group = [{
conditions = [{
type = "path"
op = "pre"
type = "path"
op = "pre"
value = "/api"
}]
}]

action = {
action = "rate_limit"
rate_limit = {
limit = 100
limit = 100
window = 300
keys = ["ip", "ja4"]
algo = "fixed_window"
keys = ["ip", "ja4"]
algo = "fixed_window"
action = "deny"
}
action_duration = "5m"
}
}

rule {
name = "Known clients"
description = "Match known keys in header
name = "Known clients"
description = "Match known keys in header"
condition_group = [{
conditions = [{
type = "header"
key = "Authorization"
op = "inc"
key = "Authorization"
op = "inc"
values = [
"key1",
"key2",
Expand All @@ -127,10 +127,10 @@ resource "vercel_firewall_config" "example" {
action = {
action = "rate_limit"
rate_limit = {
limit = 100
limit = 100
window = 300
keys = ["ip", "ja4"]
algo = "fixed_window"
keys = ["ip", "ja4"]
algo = "fixed_window"
action = "deny"
}
action_duration = "5m"
Expand All @@ -149,13 +149,13 @@ resource "vercel_firewall_config" "managed" {
managed_rulesets {
owasp {
xss = { action = "deny" }
sqli = { action = "deny" }
rce = { action = "deny" }
php = { action = "deny" }
sqli = { action = "deny" }
rce = { action = "deny" }
php = { action = "deny" }
java = { action = "deny" }
lfi = { action = "deny" }
rfi = { action = "deny" }
gen = { action = "deny" }
lfi = { action = "deny" }
rfi = { action = "deny" }
gen = { action = "deny" }
}
}
}
Expand All @@ -170,14 +170,14 @@ resource "vercel_firewall_config" "ip-blocking" {
ip_rules {
# deny this subnet for all my hosts
rule {
action = "deny"
ip = "51.85.0.0/16"
hostname ="*"
action = "deny"
ip = "51.85.0.0/16"
hostname = "*"
}

rule {
action = "challenge"
ip = "1.2.3.4"
action = "challenge"
ip = "1.2.3.4"
hostname = "example.com"
}
}
Expand Down
86 changes: 43 additions & 43 deletions examples/resources/vercel_firewall_config/resource.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,23 +7,23 @@ resource "vercel_firewall_config" "example" {

rules {
rule {
name = "Bypass Known request"
name = "Bypass Known request"
description = "Bypass requests using internal bearer tokens"
# individual condition groups are evaluated as ORs
condition_group = [
{
conditions = [{
type = "header"
key = "Authorization"
op = "eq"
type = "header"
key = "Authorization"
op = "eq"
value = "Bearer internaltoken"
}]
},
{
conditions = [{
type = "header"
key = "Authorization"
op = "eq"
type = "header"
key = "Authorization"
op = "eq"
value = "Bearer internaltoken2"
}]
}
Expand All @@ -34,12 +34,12 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Challenge curl"
name = "Challenge curl"
description = "Challenge user agents containing 'curl'"
condition_group = [{
conditions = [{
type = "user_agent"
op = "sub"
type = "user_agent"
op = "sub"
value = "curl"
}]
}]
Expand All @@ -49,20 +49,20 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Deny cookieless requests"
name = "Deny cookieless requests"
description = "requests to /api that are missing a session cookie"
# multiple conditions in a single condition group are evaluated as ANDs
condition_group = [{
conditions = [{
type = "path"
op = "eq"
type = "path"
op = "eq"
value = "/api"
},
{
type = "cookie"
key = "_session"
neg = true
op = "ex"
},
{
type = "cookie"
key = "_session"
neg = true
op = "ex"
}]
}]
action = {
Expand All @@ -71,37 +71,37 @@ resource "vercel_firewall_config" "example" {
}

rule {
name = "Rate limit API"
name = "Rate limit API"
description = "apply ratelimit to requests under /api"
condition_group = [{
conditions = [{
type = "path"
op = "pre"
type = "path"
op = "pre"
value = "/api"
}]
}]

action = {
action = "rate_limit"
rate_limit = {
limit = 100
limit = 100
window = 300
keys = ["ip", "ja4"]
algo = "fixed_window"
keys = ["ip", "ja4"]
algo = "fixed_window"
action = "deny"
}
action_duration = "5m"
}
}

rule {
name = "Known clients"
description = "Match known keys in header
name = "Known clients"
description = "Match known keys in header"
condition_group = [{
conditions = [{
type = "header"
key = "Authorization"
op = "inc"
key = "Authorization"
op = "inc"
values = [
"key1",
"key2",
Expand All @@ -112,10 +112,10 @@ resource "vercel_firewall_config" "example" {
action = {
action = "rate_limit"
rate_limit = {
limit = 100
limit = 100
window = 300
keys = ["ip", "ja4"]
algo = "fixed_window"
keys = ["ip", "ja4"]
algo = "fixed_window"
action = "deny"
}
action_duration = "5m"
Expand All @@ -134,13 +134,13 @@ resource "vercel_firewall_config" "managed" {
managed_rulesets {
owasp {
xss = { action = "deny" }
sqli = { action = "deny" }
rce = { action = "deny" }
php = { action = "deny" }
sqli = { action = "deny" }
rce = { action = "deny" }
php = { action = "deny" }
java = { action = "deny" }
lfi = { action = "deny" }
rfi = { action = "deny" }
gen = { action = "deny" }
lfi = { action = "deny" }
rfi = { action = "deny" }
gen = { action = "deny" }
}
}
}
Expand All @@ -155,14 +155,14 @@ resource "vercel_firewall_config" "ip-blocking" {
ip_rules {
# deny this subnet for all my hosts
rule {
action = "deny"
ip = "51.85.0.0/16"
hostname ="*"
action = "deny"
ip = "51.85.0.0/16"
hostname = "*"
}

rule {
action = "challenge"
ip = "1.2.3.4"
action = "challenge"
ip = "1.2.3.4"
hostname = "example.com"
}
}
Expand Down