© 2025 Direct Cursus Technology L.L.C.
yandex_sws_waf_profile (Resource)

Written by
Yandex Cloud
Updated at October 9, 2025
  • Example usage
  • Schema
    • Optional
    • Read-Only
    • Nested Schema for analyze_request_body
    • Nested Schema for core_rule_set
    • Nested Schema for core_rule_set.rule_set
    • Nested Schema for exclusion_rule
    • Nested Schema for exclusion_rule.exclude_rules
    • Nested Schema for exclusion_rule.condition
    • Nested Schema for exclusion_rule.condition.authority
    • Nested Schema for exclusion_rule.condition.authority.authorities
    • Nested Schema for exclusion_rule.condition.headers
    • Nested Schema for exclusion_rule.condition.headers.value
    • Nested Schema for exclusion_rule.condition.http_method
    • Nested Schema for exclusion_rule.condition.http_method.http_methods
    • Nested Schema for exclusion_rule.condition.request_uri
    • Nested Schema for exclusion_rule.condition.request_uri.path
    • Nested Schema for exclusion_rule.condition.request_uri.queries
    • Nested Schema for exclusion_rule.condition.request_uri.queries.value
    • Nested Schema for exclusion_rule.condition.source_ip
    • Nested Schema for exclusion_rule.condition.source_ip.geo_ip_match
    • Nested Schema for exclusion_rule.condition.source_ip.geo_ip_not_match
    • Nested Schema for exclusion_rule.condition.source_ip.ip_ranges_match
    • Nested Schema for exclusion_rule.condition.source_ip.ip_ranges_not_match
    • Nested Schema for rule
    • Nested Schema for rule_set
    • Nested Schema for rule_set.core_rule_set
    • Nested Schema for rule_set.core_rule_set.rule_set
    • Nested Schema for rule_set.ml_rule_set
    • Nested Schema for rule_set.ml_rule_set.rule_set
    • Nested Schema for rule_set.ml_rule_set.rule_group
    • Nested Schema for rule_set.ya_rule_set
    • Nested Schema for rule_set.ya_rule_set.rule_set
    • Nested Schema for rule_set.ya_rule_set.rule_group
    • Nested Schema for timeouts
  • Import

Creates a WAF Profile in the specified folder. For more information, see the official documentation.

Example usage

//
// Create a new SWS WAF Profile (Empty).
//
resource "yandex_sws_waf_profile" "empty" {
  // NOTE: this WAF profile does not have any rules enabled. A core_rule_set
  // only selects the rule set; individual rules are enabled with "rule" blocks.
  // See the next example for how to enable the default set of rules.
  name = "waf-profile-dummy"

  core_rule_set {
    inbound_anomaly_score = 2
    paranoia_level        = 1
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }
}

//
// Create a new SWS WAF Profile (Default).
//
locals {
  waf_paranoia_level = 1
}

// Rule set descriptor for the OWASP Core Ruleset: exposes each rule's ID and
// paranoia level so that rules can be enabled programmatically below.
data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

resource "yandex_sws_waf_profile" "default" {
  name = "waf-profile-default"

  core_rule_set {
    inbound_anomaly_score = 2
    paranoia_level        = local.waf_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  // Enable every rule whose paranoia level does not exceed the chosen one.
  // Paranoia level N means "all rules with paranoia_level <= N" (see the
  // core_rule_set schema below), so the filter is "<=", not ">=".
  // The rules run in monitoring mode (is_blocking = false): they score and
  // log matching requests but do not block them.
  dynamic "rule" {
    for_each = [
      for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
      if rule.paranoia_level <= local.waf_paranoia_level
    ]
    content {
      rule_id     = rule.value.id
      is_enabled  = true
      is_blocking = false
    }
  }

  // Analyze request bodies up to 8 KB. Larger bodies are passed on without
  // body analysis because size_limit_action is "IGNORE"; use "DENY" to
  // reject them instead.
  analyze_request_body {
    is_enabled        = true
    size_limit        = 8
    size_limit_action = "IGNORE"
  }
}

Schema

Optional

  • analyze_request_body (Block List, Max: 1) Parameters for the request body analyzer. (see below for nested schema)
  • cloud_id (String) ID of the cloud the resource belongs to. If not provided, the provider's default cloud-id is used.
  • core_rule_set (Block List, Max: 1) Core rule set settings. See Basic rule set for details. (see below for nested schema)
  • description (String) The resource description.
  • exclusion_rule (Block List) List of exclusion rules. See Rules. (see below for nested schema)
  • folder_id (String) ID of the folder the resource belongs to. If not provided, the provider's default folder-id is used.
  • labels (Map of String) A set of key/value label pairs assigned to the resource.
  • match_all_rule_sets (Boolean)
  • name (String) The resource name.
  • rule (Block List) Settings for each rule in the rule set. (see below for nested schema)
  • rule_set (Block List) Rule set. (see below for nested schema)
  • timeouts (Block, Optional) (see below for nested schema)

Read-Only

  • created_at (String) The creation timestamp of the resource.
  • id (String) The ID of this resource.

Nested Schema for analyze_request_body

Optional:

  • is_enabled (Boolean) Turns the request body analyzer on or off.
  • size_limit (Number) Maximum body size, in kilobytes, passed to the analyzer.
  • size_limit_action (String) Action to take when the body exceeds size_limit. Possible values: IGNORE (the request is passed on with its body left unanalyzed) and DENY (the request is rejected).

Nested Schema for core_rule_set

Required:

  • rule_set (Block List, Min: 1, Max: 1) Rule set settings. See Basic rule set for details. (see below for nested schema)

Optional:

  • inbound_anomaly_score (Number) Anomaly score threshold. Enter an integer within the range of 2 and 10000. Every triggered rule adds its anomaly score to the request; a request whose total reaches this threshold is treated as an attack. A higher threshold means a request must trip more (or more severe) rules before it counts as an attack, so fewer false positives but weaker detection; a lower threshold is stricter. See Rules for more details.
  • paranoia_level (Number) Paranoia level. Enter an integer within the range of 1 and 4. The paranoia level classifies rules by how aggressive they are: the higher the level, the better the protection, but also the higher the probability of WAF false positives. See Rules for more details. NOTE: this option does not enable or disable any rule by itself; it is only a recommendation that you enable (with rule blocks) all rules whose paranoia_level is <= this value.
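
An added example, not from the provider documentation, of using paranoia_level and inbound_anomaly_score together for a staged rollout: rules up to paranoia level 2 are enabled, but only the level 1 rules block, while the level 2 rules run in monitoring mode until their false-positive rate on real traffic is known. It relies on the rule descriptor attributes rules[*].id and rules[*].paranoia_level that the page's own example uses; the resource and local names, the thresholds and the body size limit are illustrative choices.

```hcl
// Added example: staged enforcement of the OWASP Core Ruleset.
// Assumed: the descriptor exposes rules[*].id and rules[*].paranoia_level,
// as in the provider's example above. Names and thresholds are illustrative.
locals {
  waf_block_paranoia_level   = 1 // rules at this level or below block
  waf_monitor_paranoia_level = 2 // rules above the block level, up to this one, only log
}

data "yandex_sws_waf_rule_set_descriptor" "owasp4_staged" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

resource "yandex_sws_waf_profile" "staged" {
  name        = "waf-profile-staged"
  description = "PL1 rules blocking, PL2 rules monitoring"

  core_rule_set {
    // Threshold for the sum of the anomaly scores of all triggered rules.
    // 2 is the strictest value allowed; raise it if legitimate traffic
    // trips several low-score rules at once.
    inbound_anomaly_score = 5
    paranoia_level        = local.waf_monitor_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  dynamic "rule" {
    // Keyed by rule ID so plan diffs stay stable if the descriptor reorders rules.
    for_each = {
      for r in data.yandex_sws_waf_rule_set_descriptor.owasp4_staged.rules : r.id => r
      if r.paranoia_level <= local.waf_monitor_paranoia_level
    }
    content {
      rule_id    = rule.value.id
      is_enabled = true
      // Block only at or below the block level; everything else is log-only.
      is_blocking = rule.value.paranoia_level <= local.waf_block_paranoia_level
    }
  }

  analyze_request_body {
    is_enabled = true
    size_limit = 8 // kilobytes, same value as the page's example
    // DENY: a body larger than size_limit is rejected instead of being passed
    // through uninspected, so padding a request cannot bypass the body rules.
    size_limit_action = "DENY"
  }
}
```

Promoting level 2 from monitoring to blocking is then a one-value change to waf_block_paranoia_level, and because the for_each is keyed by rule ID the resulting plan shows only the is_blocking attribute of the affected rules changing.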

Nested Schema for core_rule_set.rule_set

Required:

  • version (String) Version of the rule set.

Optional:

  • id (String) Id of the rule set.
  • name (String) Name of the rule set.
  • type (String) Type of the rule set.

Nested Schema for exclusion_rule

Required:

  • exclude_rules (Block List, Min: 1, Max: 1) Rules to exclude. (see below for nested schema)

Optional:

  • condition (Block List, Max: 1) Condition a request must match for the exclusion to apply. (see below for nested schema)
  • description (String) Description of the rule, 0-512 characters long.
  • log_excluded (Boolean) Whether to log each time the exclusion rule is triggered.
  • name (String) Name of the exclusion rule.

Nested Schema for exclusion_rule.exclude_rules

Optional:

  • exclude_all (Boolean) Set to true to exclude all rules.
  • rule_ids (List of String) IDs of the rules to exclude.

Nested Schema for exclusion_rule.condition

Optional:

  • authority (Block List, Max: 1) (see below for nested schema)
  • headers (Block List) (see below for nested schema)
  • http_method (Block List, Max: 1) (see below for nested schema)
  • request_uri (Block List, Max: 1) (see below for nested schema)
  • source_ip (Block List, Max: 1) Source IP. (see below for nested schema)

Nested Schema for exclusion_rule.condition.authority

Optional:

  • authorities (Block List) (see below for nested schema)

Nested Schema for exclusion_rule.condition.authority.authorities

Optional:

  • exact_match (String)
  • exact_not_match (String)
  • pire_regex_match (String)
  • pire_regex_not_match (String)
  • prefix_match (String)
  • prefix_not_match (String)

Nested Schema for exclusion_rule.condition.headers

Required:

  • value (Block List, Min: 1, Max: 1) (see below for nested schema)

Optional:

  • name (String)

Nested Schema for exclusion_rule.condition.headers.value

Optional:

  • exact_match (String)
  • exact_not_match (String)
  • pire_regex_match (String)
  • pire_regex_not_match (String)
  • prefix_match (String)
  • prefix_not_match (String)

Nested Schema for exclusion_rule.condition.http_method

Optional:

  • http_methods (Block List) (see below for nested schema)

Nested Schema for exclusion_rule.condition.http_method.http_methods

Optional:

  • exact_match (String)
  • exact_not_match (String)
  • pire_regex_match (String)
  • pire_regex_not_match (String)
  • prefix_match (String)
  • prefix_not_match (String)

Nested Schema for exclusion_rule.condition.request_uri

Optional:

  • path (Block List, Max: 1) (see below for nested schema)
  • queries (Block List) (see below for nested schema)

Nested Schema for exclusion_rule.condition.request_uri.path

Optional:

  • exact_match (String)
  • exact_not_match (String)
  • pire_regex_match (String)
  • pire_regex_not_match (String)
  • prefix_match (String)
  • prefix_not_match (String)

Nested Schema for exclusion_rule.condition.request_uri.queries

Required:

  • key (String)
  • value (Block List, Min: 1, Max: 1) (see below for nested schema)

Nested Schema for exclusion_rule.condition.request_uri.queries.value

Optional:

  • exact_match (String)
  • exact_not_match (String)
  • pire_regex_match (String)
  • pire_regex_not_match (String)
  • prefix_match (String)
  • prefix_not_match (String)

Nested Schema for exclusion_rule.condition.source_ip

Optional:

  • geo_ip_match (Block List, Max: 1) Locations to include. (see below for nested schema)
  • geo_ip_not_match (Block List, Max: 1) Locations to exclude. (see below for nested schema)
  • ip_ranges_match (Block List, Max: 1) IP ranges to include. (see below for nested schema)
  • ip_ranges_not_match (Block List, Max: 1) IP ranges to exclude. (see below for nested schema)

Nested Schema for exclusion_rule.condition.source_ip.geo_ip_match

Optional:

  • locations (List of String) Locations to include.

Nested Schema for exclusion_rule.condition.source_ip.geo_ip_not_match

Optional:

  • locations (List of String) Locations to exclude.

Nested Schema for exclusion_rule.condition.source_ip.ip_ranges_match

Optional:

  • ip_ranges (List of String) IP ranges to include.

Nested Schema for exclusion_rule.condition.source_ip.ip_ranges_not_match

Optional:

  • ip_ranges (List of String) IP ranges to exclude.
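
An added example, not from the provider documentation, of a tuning exclusion scoped the way a practitioner would want it: it names the rules it switches off and applies only to one path, one HTTP method and trusted source ranges, with log_excluded set so that every use of the exclusion stays visible. A commented-out counter-example shows the shape to avoid. The variable upload_rule_ids, the path, the address ranges and the resource name are assumptions; the rule IDs themselves come from data.yandex_sws_waf_rule_set_descriptor during your own tuning.

```hcl
// Added example: a narrowly scoped exclusion rule.
// Assumed: var.upload_rule_ids holds the IDs of the rules that false-positive
// on this endpoint (taken from data.yandex_sws_waf_rule_set_descriptor).
// Path, address ranges and names are illustrative.
variable "upload_rule_ids" {
  description = "WAF rule IDs that false-positive on multipart uploads to /api/v1/upload (assumed input)"
  type        = list(string)
}

resource "yandex_sws_waf_profile" "with_exclusions" {
  name = "waf-profile-with-exclusions"

  core_rule_set {
    inbound_anomaly_score = 2
    paranoia_level        = 1
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  // Good: the exclusion lists the rules it disables and is limited to one
  // path, one method and the office/VPN address ranges. Every other path,
  // and this endpoint reached from anywhere else, keeps full coverage.
  exclusion_rule {
    name         = "upload-false-positives"
    description  = "Binary upload bodies trip content rules; excluded only for the upload endpoint from trusted ranges"
    log_excluded = true // keep a record of every request that used the exclusion

    exclude_rules {
      rule_ids = var.upload_rule_ids
    }

    condition {
      request_uri {
        path {
          exact_match = "/api/v1/upload"
        }
      }
      http_method {
        http_methods {
          exact_match = "POST"
        }
      }
      source_ip {
        ip_ranges_match {
          // RFC 5737 documentation ranges as placeholders; replace with your own.
          ip_ranges = ["203.0.113.0/24", "198.51.100.0/24"]
        }
      }
    }
  }

  // Bad (kept commented out for contrast, do not copy): exclude_all gated only
  // by a request header. Any client can send the header, so whoever learns or
  // guesses its name gets a complete WAF bypass.
  // exclusion_rule {
  //   name = "bypass-for-scanner"
  //   exclude_rules {
  //     exclude_all = true
  //   }
  //   condition {
  //     headers {
  //       name = "X-Internal-Scanner"
  //       value {
  //         exact_match = "1"
  //       }
  //     }
  //   }
  // }
}
```

If a header really is the only way to identify a trusted client, pair the headers condition with a source_ip condition so the header alone is not enough, and prefer excluding the specific rule IDs that misfire over exclude_all.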

Nested Schema for rule

Required:

  • rule_id (String) Rule ID.

Optional:

  • is_blocking (Boolean) Whether the rule blocks the requests it matches (true) or only logs them (false).
  • is_enabled (Boolean) Whether the rule is enabled.

Nested Schema for rule_set

Optional:

  • action (String) Action of the rule set.
  • core_rule_set (Block List, Max: 1) Core rule set. (see below for nested schema)
  • is_enabled (Boolean) Whether the rule set is enabled.
  • ml_rule_set (Block List, Max: 1) ML rule set. (see below for nested schema)
  • priority (Number) Priority of the rule set.
  • ya_rule_set (Block List, Max: 1) Yandex rule set. (see below for nested schema)

Nested Schema for rule_set.core_rule_set

Required:

  • rule_set (Block List, Min: 1, Max: 1) Rule set. (see below for nested schema)

Optional:

  • inbound_anomaly_score (Number) Inbound anomaly score of the rule set.
  • paranoia_level (Number) Paranoia level of the rule set.

Nested Schema for rule_set.core_rule_set.rule_set

Required:

  • version (String) Version of the rule set.

Optional:

  • id (String) ID of the rule set.
  • name (String) Name of the rule set.
  • type (String) Type of the rule set.

Nested Schema for rule_set.ml_rule_set

Required:

  • rule_set (Block List, Min: 1, Max: 1) Rule set of the ML rule set. (see below for nested schema)

Optional:

  • rule_group (Block List) List of rule groups. (see below for nested schema)

Nested Schema for rule_set.ml_rule_set.rule_set

Required:

  • version (String) Version of the rule set.

Optional:

  • id (String) ID of the rule set.
  • name (String) Name of the rule set.
  • type (String) Type of the rule set.

Nested Schema for rule_set.ml_rule_set.rule_group

Optional:

  • action (String) Action of the rule group.
  • id (String) ID of the rule group.
  • inbound_anomaly_score (Number) Inbound anomaly score.
  • is_enabled (Boolean) Is the rule group enabled.

Nested Schema for rule_set.ya_rule_set

Required:

  • rule_set (Block List, Min: 1, Max: 1) Rule set of the Yandex rule set. (see below for nested schema)

Optional:

  • rule_group (Block List) List of rule groups. (see below for nested schema)

Nested Schema for rule_set.ya_rule_set.rule_set

Required:

  • version (String) Version of the rule set.

Optional:

  • id (String) ID of the rule set.
  • name (String) Name of the rule set.
  • type (String) Type of the rule set.

Nested Schema for rule_set.ya_rule_set.rule_group

Optional:

  • action (String) Action of the rule group.
  • id (String) ID of the rule group.
  • inbound_anomaly_score (Number) Inbound anomaly score.
  • is_enabled (Boolean) Is the rule group enabled.

Nested Schema for timeouts

Optional:

  • create (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
  • delete (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
  • read (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
  • update (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).

Import

The resource can be imported using its resource ID. To get the resource ID, use the Yandex Cloud Web Console or the YC CLI.

# terraform import yandex_sws_waf_profile.<resource Name> <resource Id>
terraform import yandex_sws_waf_profile.default ...
