From 2a9fd6e6cfff4e0e5ff8c99ccb30500aaf2d634c Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 29 Nov 2024 11:20:39 +0000 Subject: [PATCH 1/5] [WAF, Terraform] Add Terraform docs for leaked credentials --- .../waf-custom-rules.mdx | 63 ++++++++++++++----- .../leaked-credentials/get-started.mdx | 6 ++ ...etection-add-custom-location-terraform.mdx | 18 ++++++ ...credentials-detection-enable-terraform.mdx | 12 ++++ .../leaked-credentials-detection-enable.mdx | 8 ++- 5 files changed, 90 insertions(+), 17 deletions(-) create mode 100644 src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx create mode 100644 src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx diff --git a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx index 4d69248ddcffa5..4b41c3f1d17e99 100644 --- a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx +++ b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx 
@@ -6,21 +6,21 @@ sidebar: head: - tag: title content: Configure WAF custom rules with Terraform - --- -import { Render } from "~/components" +import { Render } from "~/components"; This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios: -* Zone-level configurations: +- Zone-level configurations: - * [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone) + - [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone) + - [Add a custom rule challenging requests with leaked credentials](#add-a-custom-rule-challenging-requests-with-leaked-credentials) -* Account-level configurations: +- Account-level configurations: - * [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset) - * [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials) + - [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset) + - [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials) For more information on custom rules, refer to [Custom rules](/waf/custom-rules/) in the Cloudflare WAF documentation. @@ -34,7 +34,7 @@ For more information on custom rules, refer to [Custom rules](/waf/custom-rules/ -*** +--- ## Zone-level configurations @@ -59,7 +59,34 @@ resource "cloudflare_ruleset" "zone_custom_firewall" { } ``` -
+
+ +### Add a custom rule challenging requests with leaked credentials + +:::note +For more information on enabling leaked credentials detection using Terraform, refer to the [leaked credentials detection](/waf/detections/leaked-credentials/get-started/#1-turn-on-leaked-credentials-detection) documentation. +::: + +This example adds a custom rule that challenges requests with leaked credentials by using one of the [leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields) in the rule expression. + +```tf +resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" { + zone_id = "" + name = "Phase entry point ruleset for custom rules in my zone" + description = "" + kind = "zone" + phase = "http_request_firewall_custom" + + rules { + action = "managed_challenge" + expression = "(cf.waf.credential_check.username_and_password_leaked)" + description = "Challenge requests with a leaked username and password" + enabled = true + } +} +``` + +For more information on configuring custom detection locations, refer to the [Terraform example](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location) in the WAF documentation. ## Account-level configurations @@ -69,7 +96,7 @@ The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets :::caution -You can only create and deploy custom rulesets at the account level. +You can only create and deploy custom rulesets at the account level. ::: The following configuration creates the custom ruleset with a single rule: @@ -91,7 +118,10 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset" { } ``` -
+
The following configuration deploys the custom ruleset at the account level. It defines a dependency on the `account_firewall_custom_ruleset` resource and uses the ID of the created custom ruleset in `action_parameters`: @@ -121,12 +151,13 @@ For more information on configuring and deploying custom rulesets, refer to [Wor ### Add a custom rule checking for exposed credentials -The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials). + -:::caution +The following configuration creates a custom ruleset with a single rule that +[checks for exposed +credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials). -You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`). -::: +You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`). ```tf resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" { @@ -156,7 +187,7 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" { } ``` -
+
 The following configuration deploys the custom ruleset. It defines a dependency on the `account_firewall_custom_ruleset_exposed_creds` resource and obtains the ID of the created custom ruleset:
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
index a2342bb32b0d67..b0f5e986ab02db 100644
--- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -126,6 +126,12 @@ This pair of lookup expressions (for username and password) will scan incoming H
 Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function.
+
+
+Use the `cloudflare_leaked_credential_check_rules` resource to add custom detection locations. For example:
+
+
+
 You only need to provide an expression for the username in custom detection locations.
diff --git a/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
new file mode 100644
index 00000000000000..f6bd79bf488906
--- /dev/null
+++ b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
@@ -0,0 +1,18 @@
+---
+{}
+---
+
+```terraform
+# Create user-defined detection locations for leaked credentials detection
+resource "cloudflare_leaked_credential_check_rules" "custom_location_example" {
+ zone_id = ""
+ rule {
+ username = "lookup_json_string(http.request.body.raw, \"user\")"
+ password = "lookup_json_string(http.request.body.raw, \"secret\")"
+ }
+}
+```
+
+To create another custom detection location, add a new `rule` object to the same `cloudflare_leaked_credential_check_rules` resource.
+
+For more information, refer to the [Terraform Cloudflare provider](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check_rules) documentation.
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx b/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx
new file mode 100644
index 00000000000000..cc42386cb323d6
--- /dev/null
+++ b/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx
@@ -0,0 +1,12 @@
+---
+{}
+---
+
+```terraform
+resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
+ zone_id = ""
+ enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check) documentation.
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable.mdx b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
index db44403bf494bd..307f8ba565e529 100644
--- a/src/content/partials/waf/leaked-credentials-detection-enable.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
@@ -2,7 +2,7 @@
 {}
 ---
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
 On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
@@ -24,4 +24,10 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-che
 --data '{ "enabled": true }'
 ```
+
+
+Use the `cloudflare_leaked_credential_check` resource to enable leaked credentials detection for a zone. For example:
+
+
+
From 76de0bec78e50302098d5f940de91e8cb5933366 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:23:38 +0000
Subject: [PATCH 2/5] Update resource name and usage
---
 .../detections/leaked-credentials/get-started.mdx | 2 +-
 ...tials-detection-add-custom-location-terraform.mdx | 12 ++++--------
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
index b0f5e986ab02db..3ee1fa60aad7ca 100644
--- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -128,7 +128,7 @@ Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#
-Use the `cloudflare_leaked_credential_check_rules` resource to add custom detection locations. For example:
+Use the `cloudflare_leaked_credential_check_rule` resource to add a custom detection location. For example:
diff --git a/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
index f6bd79bf488906..05132502733a67 100644
--- a/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
@@ -4,15 +4,11 @@
 ```terraform
 # Create user-defined detection locations for leaked credentials detection
-resource "cloudflare_leaked_credential_check_rules" "custom_location_example" {
+resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
 zone_id = ""
- rule {
- username = "lookup_json_string(http.request.body.raw, \"user\")"
- password = "lookup_json_string(http.request.body.raw, \"secret\")"
- }
+ username = "lookup_json_string(http.request.body.raw, \"user\")"
+ password = "lookup_json_string(http.request.body.raw, \"secret\")"
 }
 ```
-To create another custom detection location, add a new `rule` object to the same `cloudflare_leaked_credential_check_rules` resource.
-
-For more information, refer to the [Terraform Cloudflare provider](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check_rules) documentation.
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check_rule).
From bcb8848270af7d449d22bc9bb7f2acc48ca7f0c6 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:24:50 +0000
Subject: [PATCH 3/5] Small updates
---
 .../additional-configurations/waf-custom-rules.mdx | 5 +----
 .../waf/leaked-credentials-detection-enable-terraform.mdx | 6 +++---
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
index 4b41c3f1d17e99..825dab000623b0 100644
--- a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
@@ -95,7 +95,6 @@ For more information on configuring custom detection locations, refer to the [Te
 The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets/) in the account with ID `` containing a single custom rule. This custom ruleset is then deployed using a separate `cloudflare_ruleset` Terraform resource. If you do not deploy a custom ruleset, it will not execute.
 :::caution
-
 You can only create and deploy custom rulesets at the account level.
 :::
@@ -153,9 +152,7 @@ For more information on configuring and deploying custom rulesets, refer to [Wor
-The following configuration creates a custom ruleset with a single rule that
-[checks for exposed
-credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
+The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
 You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx b/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx
index cc42386cb323d6..38b99810ce52b2 100644
--- a/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-enable-terraform.mdx
@@ -4,9 +4,9 @@
 ```terraform
 resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
- zone_id = ""
- enabled = true
+ zone_id = ""
+ enabled = true
 }
 ```
-For more information, refer to the [Terraform Cloudflare provider](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check) documentation.
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check).
From 60341129e7f551edc9a34cb034f93bb6d9db1b91 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:43:25 +0000
Subject: [PATCH 4/5] Fix indentation
---
 ...aked-credentials-detection-add-custom-location-terraform.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
index 05132502733a67..d0aaa2af12e170 100644
--- a/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-add-custom-location-terraform.mdx
@@ -5,7 +5,7 @@
 ```terraform
 # Create user-defined detection locations for leaked credentials detection
 resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
- zone_id = ""
+ zone_id = ""
 username = "lookup_json_string(http.request.body.raw, \"user\")"
 password = "lookup_json_string(http.request.body.raw, \"secret\")"
 }
From fc258a8ecf9fd29618c96c7dfe96bc0f43cf511c Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 11 Dec 2024 18:14:45 +0000
Subject: [PATCH 5/5] Use `ref` in new custom rules Terraform example
---
 .../additional-configurations/waf-custom-rules.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
index 825dab000623b0..8afa0f47c08e36 100644
--- a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
@@ -78,10 +78,10 @@ resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" {
 phase = "http_request_firewall_custom"
 rules {
- action = "managed_challenge"
- expression = "(cf.waf.credential_check.username_and_password_leaked)"
+ ref = "challenge_leaked_username_password"
 description = "Challenge requests with a leaked username and password"
- enabled = true
+ expression = "(cf.waf.credential_check.username_and_password_leaked)"
+ action = "managed_challenge"
 }
 }
 ```