[Docs] Review cloudflare_ruleset Terraform examples
pedrosousa committed Dec 11, 2024
1 parent 8f8b7d5 commit 1b8e916
Showing 9 changed files with 195 additions and 195 deletions.
13 changes: 5 additions & 8 deletions src/content/docs/cache/how-to/cache-rules/terraform-example.mdx
Expand Up @@ -6,14 +6,12 @@ sidebar:
head:
- tag: title
content: Cache Rules — Terraform example

---

import { Details } from "~/components"
import { Details } from "~/components";

The following example defines a single cache rule for a zone using Terraform. The rule configures several cache settings and sets a custom cache key for incoming requests addressed at `example.net`.


<Details header="Terraform `cloudflare_ruleset` resource">

```tf
Expand All @@ -26,7 +24,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
phase = "http_request_cache_settings"
rules {
action = "set_cache_settings"
ref = "cache_settings_custom_cache_key"
description = "Set cache settings and custom cache key for example.net"
expression = "(http.host eq \"example.net\")"
action = "set_cache_settings"
action_parameters {
edge_ttl {
mode = "override_origin"
Expand Down Expand Up @@ -77,14 +78,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
}
origin_error_page_passthru = false
}
expression = "(http.host eq \"example.net\")"
description = "Set cache settings and custom cache key for example.net"
enabled = true
}
}
```


</Details>

For additional guidance on using Terraform with Cloudflare, refer to [Terraform](/terraform/).
Expand Up @@ -23,14 +23,14 @@ resource "cloudflare_ruleset" "http_config_rules_example" {
phase = "http_config_settings"
rules {
action = "set_config"
ref = "disable_obfuscation_bic"
description = "Disable email obfuscation and BIC for API requests"
expression = "(http.request.uri.path matches \"^/api/\")"
action = "set_config"
action_parameters {
email_obfuscation = false
bic = false
}
expression = "(http.request.uri.path matches \"^/api/\")"
description = "Disable email obfuscation and BIC for API requests"
enabled = true
}
}
```
Expand Up @@ -23,17 +23,17 @@ resource "cloudflare_ruleset" "http_origin_example" {
phase = "http_request_origin"
rules {
action = "route"
ref = "change_api_origin"
description = "Change origin of API requests"
expression = "(http.request.uri.path matches \"^/api/\")"
action = "route"
action_parameters {
host_header = "example.net"
origin {
host = "example.net"
port = 8000
}
}
expression = "(http.request.uri.path matches \"^/api/\")"
description = "Change origin of API requests"
enabled = true
}
}
```
Expand Up @@ -20,7 +20,10 @@ resource "cloudflare_ruleset" "single_redirects_example" {
phase = "http_request_dynamic_redirect"
rules {
action = "redirect"
ref = "redirect_old_url"
description = "Redirect visitors still using old URL"
expression = "(http.request.uri.path matches \"^/contact-us/\")"
action = "redirect"
action_parameters {
from_value {
status_code = 301
Expand All @@ -30,9 +33,6 @@ resource "cloudflare_ruleset" "single_redirects_example" {
preserve_query_string = false
}
}
expression = "(http.request.uri.path matches \"^/contact-us/\")"
description = "Redirect visitors still using old URL"
enabled = true
}
}
```
Expand Up @@ -45,21 +45,21 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
phase = "ddos_l7"
rules {
action = "execute"
ref = "override_l7_ddos_ruleset_all"
description = "Override the HTTP DDoS Attack Protection managed ruleset"
expression = "true"
action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #11).
id = "fdfdac75430c4c47a959592f0aa5e68a"
id = "fdfdac75430c4c47a959592f0aa5e68a"
sensitivity_level = "low"
}
}
}
expression = "true"
description = "Override the HTTP DDoS Attack Protection managed ruleset"
enabled = true
}
}
```
Expand All @@ -86,21 +86,21 @@ resource "cloudflare_ruleset" "account_level_network_ddos_config" {
phase = "ddos_l4"
rules {
action = "execute"
ref = "override_l7_ddos_ruleset_dst_ip"
description = "Override the HTTP DDoS Attack Protection managed ruleset"
expression = "ip.dst in { 192.0.2.0/24 }"
action = "execute"
action_parameters {
# Cloudflare L3/4 DDoS Attack Protection Ruleset
id = "3b64149bfa6e4220bbbc2bd6db589552"
overrides {
rules {
# Rule: Generic high-volume UDP traffic flows.
id = "599dab0942ff4898ac1b7797e954e98b"
id = "599dab0942ff4898ac1b7797e954e98b"
sensitivity_level = "low"
}
}
}
expression = "ip.dst in { 192.0.2.0/24 }"
description = "Override the HTTP DDoS Attack Protection managed ruleset"
enabled = true
}
}
```
Expand Down Expand Up @@ -159,53 +159,53 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
# level.
rules {
ref = "l7_ddos_block_traffic_low_threshold"
description = "At the low sensitivity threshold, block the traffic"
action = "execute"
expression = "true"
action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests from known botnet (signature #4).
id = "29d170ba2f004cc787b1ac272c9e04e7"
id = "29d170ba2f004cc787b1ac272c9e04e7"
sensitivity_level = "low"
action = "block"
action = "block"
}
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
id = "60a48054bbcf4014ac63c44f1712a123"
id = "60a48054bbcf4014ac63c44f1712a123"
sensitivity_level = "low"
action = "block"
action = "block"
}
}
}
expression = "true"
enabled = true
}
rules {
ref = "l7_ddos_log_default_threshold"
description = "At the default sensitivity threshold, log to see if any legitimate traffic gets caught"
action = "execute"
expression = "true"
action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests from known botnet (signature #4).
id = "29d170ba2f004cc787b1ac272c9e04e7"
id = "29d170ba2f004cc787b1ac272c9e04e7"
sensitivity_level = "default"
action = "log"
action = "log"
}
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
id = "60a48054bbcf4014ac63c44f1712a123"
id = "60a48054bbcf4014ac63c44f1712a123"
sensitivity_level = "default"
action = "log"
action = "log"
}
}
}
expression = "true"
enabled = true
}
}
```
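Review bot: In the second hunk of this section (the account-level `ddos_l4` resource), the newly added `ref = "override_l7_ddos_ruleset_dst_ip"` names the L7 ruleset, but the rule executes the managed ruleset the inline comment calls "Cloudflare L3/4 DDoS Attack Protection Ruleset"; the moved `description` line carries the same HTTP/L7 wording, so the mismatch predates the commit but the new stable identifier now cements it. Because `ref` is what operators grep for and what diffs key on, a copied example will misattribute which DDoS layer is being relaxed to `sensitivity_level = "low"` for `192.0.2.0/24`. Suggest `ref = "override_l4_ddos_ruleset_dst_ip"` and `description = "Override the L3/4 DDoS Attack Protection managed ruleset"`, matching the zone-level `ddos_l7` example in the first hunk. The enclosing `resource "cloudflare_ruleset" "account_level_network_ddos_config"` block starts outside the hunk.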
Expand Up @@ -6,18 +6,17 @@ sidebar:
head:
- tag: title
content: Configure rate limiting rules with Terraform

---

import { Details, Render } from "~/components"
import { Details, Render } from "~/components";

This page provides an example of creating a rate limiting rule in a zone using Terraform.

For more information on rate limiting rules, refer to [Rate limiting rules](/waf/rate-limiting-rules/) in the Cloudflare WAF documentation.

:::note

For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation.
For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation.
:::

## Before you start
Expand All @@ -30,7 +29,7 @@ For more information on configuring the previous version of rate limiting rules

<Render file="import-delete-existing-rulesets" />

***
---

## Create a rate limiting rule

Expand All @@ -45,31 +44,29 @@ resource "cloudflare_ruleset" "zone_rl" {
phase = "http_ratelimit"
rules {
action = "block"
ref = "rate_limit_api_requests_ip"
description = "Rate limit API requests by IP"
expression = "(http.request.uri.path matches \"^/api/\")"
action = "block"
ratelimit {
characteristics = ["cf.colo.id", "ip.src"]
period = 60
requests_per_period = 100
mitigation_timeout = 600
}
expression = "(http.request.uri.path matches \"^/api/\")"
description = "My rate limiting rule"
enabled = true
}
}
```

<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br/>

<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br />

<Details header="Account-level example configuration">

:::note[Before you start]

- Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.

* Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.

* Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`.
- Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`.
:::

This example defines a [custom ruleset](/ruleset-engine/custom-rulesets/) with a single rate limiting rule in account with ID `<ACCOUNT_ID>` that blocks traffic for the `/api/` path exceeding the configured rate. The second `cloudflare_ruleset` resource defines an `execute` rule that deploys the custom ruleset for traffic addressed at `example.com`.
Expand All @@ -83,16 +80,16 @@ resource "cloudflare_ruleset" "account_rl" {
phase = "http_ratelimit"
rules {
action = "block"
ref = "rate_limit_api_ip"
description = "Rate limit API requests by IP"
expression = "http.request.uri.path contains \"/api/\""
action = "block"
ratelimit {
characteristics = ["cf.colo.id", "ip.src"]
period = 60
characteristics = ["cf.colo.id", "ip.src"]
period = 60
requests_per_period = 100
mitigation_timeout = 600
mitigation_timeout = 600
}
expression = "http.request.uri.path contains \"/api/\""
description = "API rule"
enabled = true
}
}
Expand All @@ -108,26 +105,25 @@ resource "cloudflare_ruleset" "account_rl_entrypoint" {
rules {
# Deploy the previously defined custom ruleset containing a rate limiting rule
action = "execute"
ref = "deploy_rate_limit_example_com"
description = "Deploy custom ruleset with RL rule"
expression = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
action = "execute"
action_parameters {
id = cloudflare_ruleset.account_rl.id
}
expression = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
description = "Deploy custom ruleset with RL rule"
enabled = true
}
}
```


</Details>

## Create an advanced rate limiting rule

This example creates a rate limiting rule in zone with ID `<ZONE_ID>` with:

* A custom counting expression that includes a response field (`http.response.code`).
* A custom JSON response for rate limited requests.
- A custom counting expression that includes a response field (`http.response.code`).
- A custom JSON response for rate limited requests.

```tf
resource "cloudflare_ruleset" "zone_rl_custom_response" {
Expand All @@ -138,26 +134,26 @@ resource "cloudflare_ruleset" "zone_rl_custom_response" {
phase = "http_ratelimit"
rules {
action = "block"
ref = "rate_limit_example_com_status_404"
description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
action = "block"
action_parameters {
response {
status_code = 429
content = "{\"response\": \"block\"}"
status_code = 429
content = "{\"response\": \"block\"}"
content_type = "application/json"
}
}
ratelimit {
characteristics = ["ip.src", "cf.colo.id"]
period = 10
characteristics = ["ip.src", "cf.colo.id"]
period = 10
requests_per_period = 5
mitigation_timeout = 30
mitigation_timeout = 30
counting_expression = "(http.host eq \"www.example.com\") and (http.request.uri.path matches \"^/status/\") and (http.response.code eq 404)"
}
expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
enabled = true
}
}
```

<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br/>
<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br />
