Creating a WAF profile

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

1. In the configuration file, describe the parameters of the resources you want to create:

   # In the basic set, rules of this paranoia level and below will be active
   locals {
     waf_paranoia_level = <paranoia_level>
   }
   
   # OWASP Core Rule Set data source
   data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
     name    = "OWASP Core Ruleset"
     version = "4.0.0"
   }
   
   # WAF profile
   resource "yandex_sws_waf_profile" "default" {
     name = "<WAF_profile_name>"
   
     # Basic rule set
     core_rule_set {
       inbound_anomaly_score = <anomaly_threshold>
       paranoia_level        = local.waf_paranoia_level
       rule_set {
         name    = "OWASP Core Ruleset"
         version = "4.0.0"
       }
     }
   
     # Activating rules from the basic set if their paranoia level is not higher than specified in the waf_paranoia_level variable
     dynamic "rule" {
       for_each = [
         for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
         if rule.paranoia_level <= local.waf_paranoia_level
       ]
       content {
         rule_id     = rule.value.id
         is_enabled  = true
         is_blocking = false
       }
     }
   
     analyze_request_body {
       is_enabled        = true
       size_limit        = 8
       size_limit_action = "IGNORE"
     }
   }
   

   Where:

   • waf_paranoia_level: Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better your protection, but also the higher the probability of WAF false positives.
   • data "yandex_sws_waf_rule_set_descriptor": Terraform data source for a basic rule set. From the data source, you can get a list of rules and their IDs.
   • resource "yandex_sws_waf_profile": Terraform resource to manage the WAF profile.

     • name: WAF profile name.

     • core_rule_set: Basic rule set:

       • inbound_anomaly_score: Anomaly threshold. This is the sum of anomaly values of the triggered rules that will block the request. Possible values: from 2 to 10,000. The higher the value, the more likely it is that the request satisfying the rules is in fact an attack.

       • paranoia_level: Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better the protection, but also the higher the probability of false positives. Possible values: from 1 to 4.

         Note

         The paranoia level has no effect on enabling or disabling rules, it only serves as a recommendation for the user to enable all rules with paranoia_level less than or equal to the specified value.

       • rule_set: Rule set. Specify name (name) and version (version) of the rule set.

     • dynamic "rule": Dynamic activation of rules from the basic set if their paranoia level is not higher than specified in the waf_paranoia_level variable. For dynamically configured rules, you can change the parameters manually. For example, you can turn a rule into a blocking one or activate a rule with paranoia level higher than specified in the variable.

       • rule_id: Rule ID.
       • is_enabled: Flag to enable or disable a rule.
       • is_blocking: Blocking rule flag.

     • analyze_request_body: Request analysis parameters block:

       • is_enabled: Flag enabling request body inspection.
       • size_limit: Maximum request body size in KB. The default value is 8 KB. Currently, you cannot change the default value.
       • size_limit_action: Action if the maximum size is exceeded. The possible values are IGNORE (do not analyze the request body) or DENY (block the request).

   For more information about the yandex_sws_waf_profile resource parameters in Terraform, see the relevant provider documentation.

2. Create resources:

   1. In the terminal, change to the folder where you edited the configuration file.

   2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      

   3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

   4. Apply the configuration changes:

      terraform apply
      

   5. Confirm the changes: type yes in the terminal and press Enter.

Terraform will create all the required resources. You can check the new resources using the management console.

After creating a WAF profile, you can customize a set of basic rules and exception rules.

Use the create REST API method for the WafProfile resource or the WafProfile/Create RPC API call.