cloudflare · pedrosousa · Nov 29, 2024 · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024
@@ -6,21 +6,21 @@ sidebar:
 head:
   - tag: title
     content: Configure WAF custom rules with Terraform
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios:
 
-* Zone-level configurations:
+- Zone-level configurations:
 
-  * [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
+  - [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
+  - [Add a custom rule challenging requests with leaked credentials](#add-a-custom-rule-challenging-requests-with-leaked-credentials)
 
-* Account-level configurations:
+- Account-level configurations:
 
-  * [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
-  * [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
+  - [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
+  - [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
 
 For more information on custom rules, refer to [Custom rules](/waf/custom-rules/) in the Cloudflare WAF documentation.
 
@@ -34,7 +34,7 @@ For more information on custom rules, refer to [Custom rules](/waf/custom-rules/
 
 <Render file="import-delete-existing-rulesets" />
 
-***
+---
 
 ## Zone-level configurations
 
@@ -59,7 +59,34 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
 }
 ```
 
-<Render file="add-new-rule" params={{ one: "custom rule" }} /> <br/>
+<Render file="add-new-rule" params={{ one: "custom rule" }} /> <br />
+
+### Add a custom rule challenging requests with leaked credentials
+
+:::note
+For more information on enabling leaked credentials detection using Terraform, refer to the [leaked credentials detection](/waf/detections/leaked-credentials/get-started/#1-turn-on-leaked-credentials-detection) documentation.
+:::
+
+This example adds a custom rule that challenges requests with leaked credentials by using one of the [leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields) in the rule expression.
+
+```tf
+resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" {
+  zone_id     = "<ZONE_ID>"
+  name        = "Phase entry point ruleset for custom rules in my zone"
+  description = ""
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    ref         = "challenge_leaked_username_password"
+    description = "Challenge requests with a leaked username and password"
+    expression  = "(cf.waf.credential_check.username_and_password_leaked)"
+    action      = "managed_challenge"
+  }
+}
+```
+
+For more information on configuring custom detection locations, refer to the [Terraform example](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location) in the WAF documentation.
 
 ## Account-level configurations
 
@@ -68,8 +95,7 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
 The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets/) in the account with ID `<ACCOUNT_ID>` containing a single custom rule. This custom ruleset is then deployed using a separate `cloudflare_ruleset` Terraform resource. If you do not deploy a custom ruleset, it will not execute.
 
 :::caution
-
-You can only create and deploy custom rulesets at the account level. 
+You can only create and deploy custom rulesets at the account level.
 :::
 
 The following configuration creates the custom ruleset with a single rule:
@@ -91,7 +117,10 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset" {
 }
 ```
 
-<Render file="add-new-rule" params={{ one: "custom rule in the custom ruleset" }} /> <br/>
+<Render
+	file="add-new-rule"
+	params={{ one: "custom rule in the custom ruleset" }}
+/> <br />
 
 The following configuration deploys the custom ruleset at the account level. It defines a dependency on the `account_firewall_custom_ruleset` resource and uses the ID of the created custom ruleset in `action_parameters`:
 
@@ -121,12 +150,11 @@ For more information on configuring and deploying custom rulesets, refer to [Wor
 
 ### Add a custom rule checking for exposed credentials
 
-The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
+<Render file="leaked-credentials-recommend-detection" product="waf" />
 
-:::caution
+The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
 
-You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`). 
-:::
+You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
 
 ```tf
 resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" {
@@ -156,7 +184,7 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" {
 }
 ```
 
-<Render file="add-new-rule" params={{ one: "rule" }} /> <br/>
+<Render file="add-new-rule" params={{ one: "rule" }} /> <br />
 
 The following configuration deploys the custom ruleset. It defines a dependency on the `account_firewall_custom_ruleset_exposed_creds` resource and obtains the ID of the created custom ruleset:
 

@@ -126,6 +126,12 @@ This pair of lookup expressions (for username and password) will scan incoming H
 
 Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function.
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_leaked_credential_check_rule` resource to add a custom detection location. For example:
+
+<Render file="leaked-credentials-detection-add-custom-location-terraform" />
+
 </TabItem> </Tabs>
 
 You only need to provide an expression for the username in custom detection locations.

@@ -0,0 +1,14 @@
+---
+{}
+---
+
+```terraform
+# Create user-defined detection locations for leaked credentials detection
+resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
+	zone_id = "<ZONE_ID>"
+	username = "lookup_json_string(http.request.body.raw, \"user\")"
+	password = "lookup_json_string(http.request.body.raw, \"secret\")"
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check_rule).
@@ -0,0 +1,12 @@
+---
+{}
+---
+
+```terraform
+resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
+	zone_id = "<ZONE_ID>"
+	enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/leaked_credential_check).
@@ -2,7 +2,7 @@
 {}
 ---
 
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
 
 On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
 
@@ -24,4 +24,10 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-che
 --data '{ "enabled": true }'
 ```
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_leaked_credential_check` resource to enable leaked credentials detection for a zone. For example:
+
+<Render file="leaked-credentials-detection-enable-terraform" />
+
 </TabItem> </Tabs>