WAF custom rules configuration using Terraform

This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios:

• Add a custom rule to a zone (zone-level configuration)
• Create and deploy a custom ruleset (account-level configuration)

The WAF documentation includes additional Terraform examples — refer to More resources.

If you are using the Cloudflare API, refer to the following resources in the WAF documentation:

• Create a custom rule via API
• Create a custom ruleset using the API

For more information on deploying and configuring custom rulesets using the Rulesets API, refer to Work with custom rulesets in the Ruleset Engine documentation.

Before you start

Obtain the necessary account or zone IDs

The Terraform configurations provided in this page need the zone ID (or account ID) of the zone/account where you will deploy rulesets.

• To retrieve the list of accounts you have access to, including their IDs, use the List accounts operation.
• To retrieve the list of zones you have access to, including their IDs, use the List zones operation.

Import or delete existing rulesets

Terraform assumes that it has complete control over account and zone rulesets. If you already have rulesets configured in your account or zone, do one of the following:

• Import existing rulesets to Terraform using the cf-terraforming tool. Recent versions of the tool can generate resource definitions for existing rulesets and import their configuration to Terraform state.
• Start from scratch by deleting existing rulesets (account and zone rulesets with "kind": "root" and "kind": "zone", respectively) and then defining your rulesets configuration in Terraform.

---

Add a custom rule to a zone

The following example configures a custom rule in the zone entry point ruleset for the http_request_firewall_custom phase for zone with ID <ZONE_ID>. The rule will block all traffic on non-standard HTTP(S) ports:

Note

Terraform code snippets below refer to the v4 SDK only.

resource "cloudflare_ruleset" "zone_custom_firewall" {
  zone_id     = "<ZONE_ID>"
  name        = "Phase entry point ruleset for custom rules in my zone"
  description = ""
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    ref         = "block_non_default_ports"
    description = "Block ports other than 80 and 443"
    expression  = "(not cf.edge.server_port in {80 443})"
    action      = "block"
  }
}

To create another custom rule, add a new rules object to the same cloudflare_ruleset resource.

Create and deploy a custom ruleset (account-level configuration)

Note

Account-level WAF configuration requires an Enterprise plan with a paid add-on.

The following example creates a custom ruleset in the account with ID <ACCOUNT_ID> containing a single custom rule. This custom ruleset is then deployed using a separate cloudflare_ruleset Terraform resource. If you do not deploy a custom ruleset, it will not execute.

You can only create and deploy custom rulesets at the account level.

The following configuration creates a custom ruleset with a single rule:

Note

Terraform code snippets below refer to the v4 SDK only.

resource "cloudflare_ruleset" "account_firewall_custom_ruleset" {
  account_id  = "<ACCOUNT_ID>"
  name        = "Custom ruleset blocking traffic in non-standard HTTP(S) ports"
  description = ""
  kind        = "custom"
  phase       = "http_request_firewall_custom"

  rules {
    ref         = "block_non_default_ports"
    description = "Block ports other than 80 and 443"
    expression  = "(not cf.edge.server_port in {80 443})"
    action      = "block"
  }
}

To create another custom rule in the custom ruleset, add a new rules object to the same cloudflare_ruleset resource.

The following configuration deploys the custom ruleset at the account level. It defines a dependency on the account_firewall_custom_ruleset resource and uses the ID of the created custom ruleset in action_parameters:

Note

Terraform code snippets below refer to the v4 SDK only.

resource "cloudflare_ruleset" "account_firewall_custom_entrypoint" {
  account_id  = "<ACCOUNT_ID>"
  name        = "Account-level entry point ruleset for the http_request_firewall_custom phase deploying a custom ruleset"
  description = ""
  kind        = "root"
  phase       = "http_request_firewall_custom"

  depends_on = [cloudflare_ruleset.account_firewall_custom_ruleset]

  rules {
    ref         = "deploy_custom_ruleset_example_com"
    description = "Deploy custom ruleset for example.com"
    expression  = "(cf.zone.name eq \"example.com\")"
    action      = "execute"
    action_parameters {
      id = cloudflare_ruleset.account_firewall_custom_ruleset.id
    }
  }
}

For more information on configuring and deploying custom rulesets, refer to Work with custom rulesets in the Ruleset Engine documentation.

More resources

• Malicious uploads detection: Add a custom rule to block malicious uploads
• Leaked credentials detection: Add a custom rule to challenge requests with leaked credentials