aws.rest-stage

Filters

client-certificate

Filter API stages by a client certificate.
example:

  policies:
    - name: rest-stages-old-certificate
      resource: rest-stage
      filters:
        - type: client-certificate
          key: createdDate
          value_type: age
          value: 90
          op: greater-than
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - client-certificate
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - apigateway:GET
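As an added illustration (not Cloud Custodian's own code) of what `value_type: age` with `op: greater-than` means in the filter above, this standalone Python helper evaluates the clause against a certificate description: it matches when the certificate's createdDate is more than `value` days in the past. The operator table, the sample certificates and the pinned `now` are assumptions made for the example.

```python
from datetime import datetime, timezone
import operator

# Scalar comparison operators from the `op` enum above (aliases map to one function).
OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "lt": operator.lt, "less-than": operator.lt,
    "le": operator.le, "lte": operator.le,
}


def age_in_days(timestamp, now=None):
    """Age of an ISO-8601 timestamp in days relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    created = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return (now - created).total_seconds() / 86400


def client_certificate_matches(certificate, flt, now=None):
    """Evaluate a client-certificate filter clause that uses value_type: age.

    `certificate` is a dict shaped like an API Gateway client certificate
    description; `flt` is the filter clause from the policy (assumption:
    only the age value type is handled here).
    """
    if flt.get("value_type") != "age":
        raise ValueError("this helper only implements value_type: age")
    raw = certificate.get(flt["key"])
    if raw is None:
        return False  # key absent on the resource: it cannot match
    actual = age_in_days(raw, now)
    return OPS[flt.get("op", "eq")](actual, float(flt["value"]))


# The filter clause from the policy example above.
FILTER = {"type": "client-certificate", "key": "createdDate",
          "value_type": "age", "value": 90, "op": "greater-than"}

# Constructed sample certificates; `now` is pinned so the result is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OLD_CERT = {"clientCertificateId": "EXAMPLE-old", "createdDate": "2024-01-15T00:00:00Z"}
NEW_CERT = {"clientCertificateId": "EXAMPLE-new", "createdDate": "2024-05-01T00:00:00Z"}

if __name__ == "__main__":
    print(client_certificate_matches(OLD_CERT, FILTER, NOW))  # True: 138 days old
    print(client_certificate_matches(NEW_CERT, FILTER, NOW))  # False: 31 days old
```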
json-diff

Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
Actions

delete

Delete an API stage.

example:

  policies:
    - name: delete-rest-stage
      resource: rest-stage
      filters:
        - methodSettings."*/*".cachingEnabled: true
      actions:
        - type: delete

properties:
  type:
    enum:
      - delete
required:
  - type
Permissions - apigateway:DELETE
rename-tag

Rename an existing tag key to a new value.

example:

  Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because precedence follows the order of old_keys.

  policies:
    - name: rename-tags-example
      resource: aws.log-group
      filters:
        - or:
            - "tag:Bap": present
            - "tag:Application": present
      actions:
        - type: rename-tag
          old_keys: [Application, Bap]
          new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
      - rename-tag
required:
  - type
Permissions - tag:TagResources, tag:UntagResources
set-waf

Enable WAF (classic, regional) protection on an API Gateway stage.

example:

  policies:
    - name: set-waf-for-stage
      resource: rest-stage
      filters:
        - type: waf-enabled
          state: false
          web-acl: test
      actions:
        - type: set-waf
          state: true
          web-acl: test

    - name: disassociate-wafv2-associate-waf-regional-apigw
      resource: rest-stage
      filters:
        - type: wafv2-enabled
          state: true
      actions:
        - type: set-waf
          state: true
          web-acl: test
properties:
  state:
    type: boolean
  type:
    enum:
      - set-waf
  web-acl:
    type: string
required:
  - web-acl
  - type
Permissions - waf-regional:AssociateWebACL, waf-regional:ListWebACLs
set-wafv2

Enable WAFv2 protection on an API Gateway stage.

example:

  policies:
    - name: set-wafv2-for-stage
      resource: rest-stage
      filters:
        - type: wafv2-enabled
          state: false
          web-acl: testv2
      actions:
        - type: set-wafv2
          state: true
          web-acl: testv2

    - name: disassociate-waf-regional-associate-wafv2-apigw
      resource: rest-stage
      filters:
        - type: waf-enabled
          state: true
      actions:
        - type: set-wafv2
          state: true
          web-acl: testv2
properties:
  state:
    type: boolean
  type:
    enum:
      - set-wafv2
  web-acl:
    type: string
required:
  - type
Permissions - wafv2:AssociateWebACL, wafv2:ListWebACLs
update

Update or remove values of an API stage via a JSON patch.

example:

  policies:
    - name: disable-stage-caching
      resource: rest-stage
      filters:
        - methodSettings."*/*".cachingEnabled: true
      actions:
        - type: update
          patch:
            - op: replace
              path: /*/*/caching/enabled
              value: 'false'
properties:
  patch:
    items:
      additionalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update
required:
  - patch
  - type
Permissions - apigateway:PATCH