Updating the condition format in the API, CLI, and Terraform
Warning
Starting June 9, 2026, Yandex Smart Web Security will migrate to a new format for conditions and field names in security profile, WAF, and ARL rules. If you use the API, CLI, or Terraform, update your commands and configurations.
Previously, multiple values in the same condition were provided as a list. Now you need to combine such values into a single text field, separated by |.
The http_methods, authorities, ja3_ranges, and ja4_ranges fields have been renamed.
Updating current configurations
All rules created in the old format will be automatically migrated to the new one. The migration will not affect your security settings.
Condition description format
| Field in old format | Field in new format |
| | GET|POST |
| | example\.com|example\.net |
| | d4e5f6a7b8c9|a1b2c3d4e5f6 |
| | t13d1516h2_8daaf6152771|t13d1812h2_c73b8a5f9d24 |
If the old configuration used different condition types for these fields, combine them into a single regular expression.
Example of different condition types in the old format:
exact_match = example.com
exact_not_match = example.net
prefix_match = aaa/
prefix_match = bbb
prefix_not_match = ccc
pire_regex_match = d.*
pire_regex_not_match = f.*
Example of combining conditions in the new format:
"pireRegexMatch": "example\.com|~(example\.net)|aaa(|/.*)|bbb.*|~(ccc)|d.*|~(f.*)"
If your regular expression uses any of the special characters (, ), {, }, [, ], ., *, +, ?, ^, $, |, \, &, or ~ as literal characters, escape them with \.
The ~ symbol can be used as logical negation.
In addition to regular expressions, you can combine conditions using lists of strings or lists of regular expressions.
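The list-to-text conversion and the escaping rule described above, as an added example that is not part of the original page or of Yandex tooling. It assumes the old list values were exact strings; the shape of the old-format input dictionary and the old-to-new field mapping are assumptions inferred from the examples on this page.

```python
import json

# Characters the page lists as special in the new condition syntax.
PIRE_SPECIAL = set("(){}[].*+?^$|\\&~")

# Assumed mapping: old list field -> new text field (API key names from this page).
NEW_PATHS = {
    "authorities": ("authority", "authorityMatcher"),
    "http_methods": ("httpMethod", "httpMethodMatcher"),
    "ja3_ranges": ("fingerPrint", "ja3Matcher"),
    "ja4_ranges": ("fingerPrint", "ja4Matcher"),
}


def escape_pire(literal):
    """Backslash-escape special characters so the value only matches itself."""
    return "".join("\\" + ch if ch in PIRE_SPECIAL else ch for ch in literal)


def join_exact(values):
    """Combine a list of exact values into one |-separated text field."""
    if not values or "" in values:
        # An empty alternative matches the empty string and widens the rule.
        raise ValueError("empty value in condition list")
    unique = list(dict.fromkeys(values))  # drop duplicates, keep order
    return "|".join(escape_pire(v) for v in unique)


def migrate_condition(old):
    """Build a new-format condition object from old list-valued fields."""
    new = {}
    for field, values in old.items():
        if field not in NEW_PATHS:
            raise KeyError(f"no known mapping for field {field!r}")
        outer, matcher = NEW_PATHS[field]
        new.setdefault(outer, {})[matcher] = {"pireRegexMatch": join_exact(values)}
    return new


# Constructed input (hypothetical shape); the values are the ones used on this page.
OLD_CONDITION = {
    "http_methods": ["GET", "POST"],
    "authorities": ["example.com", "example.net"],
    "ja3_ranges": ["d4e5f6a7b8c9", "a1b2c3d4e5f6"],
    "ja4_ranges": ["t13d1516h2_8daaf6152771", "t13d1812h2_c73b8a5f9d24"],
}

if __name__ == "__main__":
    print(json.dumps(migrate_condition(OLD_CONDITION), indent=2))
```

Without the escaping step, an authority such as example.com would be read as a pattern in which the dot matches any character, so the migrated rule would cover more hosts than the old exact-match list did.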
Updating the CLI
- Update the CLI to the latest version:
  yc components update
- View the new field format in the create and update commands:
  yc smartwebsecurity security-profile create -h
  yc smartwebsecurity security-profile update -h
Examples of using new fields
If you provide parameters directly in the command, replace the old fields with the new ones:
yc smartwebsecurity security-profile create \
  --name security-profile \
  --default-action ALLOW \
  --security-rules '[
    {
      name = "security-rule",
      priority = 1,
      dry-run = false,
      rule-specifier = {
        rule-condition = {
          action = DENY,
          condition = {
            authority = {
              authority-matcher = {
                match = {
                  pire-regex-match = "example1|example2"
                }
              }
            },
            http-method = {
              http-method-matcher = {
                match = {
                  pire-regex-match = "GET|POST"
                }
              }
            },
            finger-print = {
              ja3-matcher = {
                match = {
                  pire-regex-match = "d4e5f6a7b8c9|a1b2c3d4e5f6"
                }
              },
              ja4-matcher = {
                match = {
                  pire-regex-match = "t13d1516h2_8daaf6152771|t13d1812h2_c73b8a5f9d24"
                }
              }
            }
          }
        }
      }
    }
  ]'
Example of a command with new fields for lists:
yc smartwebsecurity security-profile create \
  --name security-profile \
  --default-action ALLOW \
  --security-rules '[
    {
      name = "security-rule",
      priority = 1,
      dry-run = false,
      rule-specifier = {
        rule-condition = {
          action = DENY,
          condition = {
            source-ip = {
              asn-lists-match = {
                list-ids = ["<list_1_ID>", "<list_2_ID>"]
              },
              asn-lists-not-match = {
                list-ids = ["<list_1_ID>", "<list_2_ID>"]
              }
            },
            authority = {
              authority-matcher = {
                match = {
                  lists-matchers = {
                    str-lists-match = {
                      list-ids = ["<list_ID>"]
                    },
                    str-lists-not-match = {
                      list-ids = ["<list_ID>"]
                    },
                    reg-exp-lists-match = {
                      list-ids = ["<list_ID>"]
                    },
                    reg-exp-lists-not-match = {
                      list-ids = ["<list_ID>"]
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  ]'
If you are using a rules file, update the field names and condition values in it.
Learn more about the security-profile create and security-profile update commands in the CLI reference.
In the Terraform configuration, replace the old fields in blocks of conditions:
resource "yandex_sws_security_profile" "yandex-sws-security-profile" {
  name           = "test-terraform-yandex-sws-security-profile"
  default_action = "ALLOW"
  security_rule {
    name     = "rule-condition-migration"
    priority = 4
    rule_condition {
      action = "ALLOW"
      condition {
        authority {
          authority_matcher {
            pire_regex_match = "example1|example2"
          }
        }
        http_method {
          http_method_matcher {
            pire_regex_match = "GET|POST"
          }
        }
        finger_print {
          ja3_matcher {
            pire_regex_match = "d4e5f6a7b8c9|a1b2c3d4e5f6"
          }
          ja4_matcher {
            pire_regex_match = "t13d1516h2_8daaf6152771|t13d1812h2_c73b8a5f9d24"
          }
        }
      }
    }
  }
}
Example of a configuration with new fields for lists:
resource "yandex_sws_security_profile" "yandex-sws-security-profile" {
  name           = "test-terraform-yandex-sws-security-profile"
  default_action = "ALLOW"
  security_rule {
    name     = "rule-condition-new-lists"
    priority = 5
    rule_condition {
      action = "ALLOW"
      condition {
        source_ip {
          asn_lists_match {
            list_ids = ["<list_1_ID>", "<list_2_ID>"]
          }
          asn_lists_not_match {
            list_ids = ["<list_1_ID>", "<list_2_ID>"]
          }
        }
        authority {
          authority_matcher {
            lists_matchers {
              str_lists_match {
                list_ids = ["<list_ID>"]
              }
              str_lists_not_match {
                list_ids = ["<list_ID>"]
              }
              reg_exp_lists_match {
                list_ids = ["<list_ID>"]
              }
              reg_exp_lists_not_match {
                list_ids = ["<list_ID>"]
              }
            }
          }
        }
      }
    }
  }
}
For more on yandex_sws_security_profile properties, see this provider guide.
Example of a request with new fields:
curl -X POST \
  'https://smartwebsecurity.api.cloud.yandex.net/smartwebsecurity/v1/securityProfiles' \
  -H "Authorization: Bearer $(yc iam create-token)" \
  -H 'Content-Type: application/json' \
  -d '{
    "folderId": "<folder_ID>",
    "name": "security-profile",
    "defaultAction": "ALLOW",
    "securityRules": [
      {
        "name": "rule-condition-migration",
        "priority": 4,
        "ruleCondition": {
          "action": "ALLOW",
          "condition": {
            "authority": {
              "authorityMatcher": {
                "pireRegexMatch": "example1|example2"
              }
            },
            "httpMethod": {
              "httpMethodMatcher": {
                "pireRegexMatch": "GET|POST"
              }
            },
            "fingerPrint": {
              "ja3Matcher": {
                "pireRegexMatch": "d4e5f6a7b8c9|a1b2c3d4e5f6"
              },
              "ja4Matcher": {
                "pireRegexMatch": "t13d1516h2_8daaf6152771|t13d1812h2_c73b8a5f9d24"
              }
            }
          }
        }
      }
    ]
  }'
Example of a request with new fields for lists:
curl -X POST \
  'https://smartwebsecurity.api.cloud.yandex.net/smartwebsecurity/v1/securityProfiles' \
  -H "Authorization: Bearer $(yc iam create-token)" \
  -H 'Content-Type: application/json' \
  -d '{
    "folderId": "<folder_ID>",
    "name": "security-profile",
    "defaultAction": "ALLOW",
    "securityRules": [
      {
        "name": "rule-condition-new-lists",
        "priority": 5,
        "ruleCondition": {
          "action": "ALLOW",
          "condition": {
            "sourceIp": {
              "asnListsMatch": {
                "listIds": [
                  "<list_1_ID>",
                  "<list_2_ID>"
                ]
              },
              "asnListsNotMatch": {
                "listIds": [
                  "<list_1_ID>",
                  "<list_2_ID>"
                ]
              }
            },
            "authority": {
              "authorityMatcher": {
                "listsMatchers": {
                  "strListsMatch": {
                    "listIds": [
                      "<list_ID>"
                    ]
                  },
                  "strListsNotMatch": {
                    "listIds": [
                      "<list_ID>"
                    ]
                  },
                  "regExpListsMatch": {
                    "listIds": [
                      "<list_ID>"
                    ]
                  },
                  "regExpListsNotMatch": {
                    "listIds": [
                      "<list_ID>"
                    ]
                  }
                }
              }
            }
          }
        }
      }
    ]
  }'
For more on methods, see the REST API reference: SecurityProfile.Create and SecurityProfile.Update for the SecurityProfile resource.