cloudflare · pedrosousa · Jan 10, 2025 · Nov 29, 2024 · Dec 11, 2024 · Dec 11, 2024
@@ -8,16 +8,15 @@ head:
     content: Configure WAF custom rules with Terraform
 ---
 
-import { Render } from "~/components";
+import { Render, GlossaryTooltip } from "~/components";
 
 This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios:
 
 - Zone-level configurations:
-
   - [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
-
+  - [Add a custom rule challenging requests with leaked credentials](#add-a-custom-rule-challenging-requests-with-leaked-credentials)
+  - [Add a custom rule blocking malicious uploads](#add-a-custom-rule-blocking-malicious-uploads)
 - Account-level configurations:
-
   - [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
   - [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
 
@@ -60,14 +59,67 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
 
 <Render file="add-new-rule" params={{ one: "custom rule" }} /> <br />
 
+### Add a custom rule challenging requests with leaked credentials
+
+:::note
+For more information on enabling leaked credentials detection using Terraform, refer to the [leaked credentials detection](/waf/detections/leaked-credentials/get-started/#1-turn-on-leaked-credentials-detection) documentation.
+:::
+
+This example adds a custom rule that challenges requests with leaked credentials by using one of the [leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields) in the rule expression.
+
+```tf
+resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" {
+  zone_id     = "<ZONE_ID>"
+  name        = "Phase entry point ruleset for custom rules in my zone"
+  description = ""
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    ref         = "challenge_leaked_username_password"
+    description = "Challenge requests with a leaked username and password"
+    expression  = "(cf.waf.credential_check.username_and_password_leaked)"
+    action      = "managed_challenge"
+  }
+}
+```
+
+For more information on configuring custom detection locations, refer to the [Terraform example](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location) in the WAF documentation.
+
+### Add a custom rule blocking malicious uploads
+
+:::note
+For more information on enabling malicious uploads detection using Terraform, refer to the [malicious uploads detection](/waf/detections/malicious-uploads/get-started/#1-turn-on-the-detection) documentation.
+:::
+
+This example adds a custom rule that blocks requests with one or more <GlossaryTooltip term="content object">content objects</GlossaryTooltip> considered malicious by using one of the [content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields) in the rule expression.
+
+```tf
+resource "cloudflare_ruleset" "zone_custom_firewall_malicious_uploads" {
+  zone_id     = "<ZONE_ID>"
+  name        = "Phase entry point ruleset for custom rules in my zone"
+  description = ""
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    ref         = "block_malicious_uploads"
+    description = "Block requests uploading malicious content objects"
+    expression  = "(cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq \"/upload.php\")"
+    action      = "block"
+  }
+}
+```
+
+For more information on configuring custom scan expressions, refer to the [Terraform example](/waf/detections/malicious-uploads/get-started/#4-optional-configure-a-custom-scan-expression) in the WAF documentation.
+
 ## Account-level configurations
 
 ### Create and deploy a custom ruleset
 
 The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets/) in the account with ID `<ACCOUNT_ID>` containing a single custom rule. This custom ruleset is then deployed using a separate `cloudflare_ruleset` Terraform resource. If you do not deploy a custom ruleset, it will not execute.
 
 :::caution
-
 You can only create and deploy custom rulesets at the account level.
 :::
 
@@ -123,12 +175,11 @@ For more information on configuring and deploying custom rulesets, refer to [Wor
 
 ### Add a custom rule checking for exposed credentials
 
-The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
+<Render file="leaked-credentials-recommend-detection" product="waf" />
 
-:::caution
+The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
 
 You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
-:::
 
 ```tf
 resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" {

@@ -57,3 +57,9 @@ Create a [custom rule](/waf/custom-rules/) that challenges requests containing a
   ```
 
 - **Action**: _Managed Challenge_
+
+---
+
+## More resources
+
+- [Terraform example: Add a custom rule challenging requests with leaked credentials](/terraform/additional-configurations/waf-custom-rules/#add-a-custom-rule-challenging-requests-with-leaked-credentials)
@@ -10,7 +10,7 @@ head:
 
 import { Render, TabItem, Tabs, Details } from "~/components";
 
-## 1. Turn on leaked credentials detection
+## 1. Turn on the detection
 
 <Render file="leaked-credentials-detection-enable" />
 
@@ -126,6 +126,20 @@ This pair of lookup expressions (for username and password) will scan incoming H
 
 Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function.
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_leaked_credential_check_rule` resource to add a custom detection location. For example:
+
+```terraform
+resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
+	zone_id = "<ZONE_ID>"
+	username = "lookup_json_string(http.request.body.raw, \"user\")"
+	password = "lookup_json_string(http.request.body.raw, \"secret\")"
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
 </TabItem> </Tabs>
 
 You only need to provide an expression for the username in custom detection locations.

@@ -44,3 +44,9 @@ This custom rule example blocks requests with uploaded content objects over 15 M
 - Action: _Block_
 
 In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the `>` (greater than) [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) would not work for this particular rule — you should use `>=` (greater than or equal) instead.
+
+---
+
+## More resources
+
+- [Terraform example: Add a custom rule blocking malicious uploads](/terraform/additional-configurations/waf-custom-rules/#add-a-custom-rule-blocking-malicious-uploads)
@@ -5,17 +5,16 @@ sidebar:
   order: 2
 head:
   - tag: title
-    content: Get started with content scanning
+    content: Get started with malicious uploads detection
 ---
 
 import { Details, TabItem, Tabs } from "~/components";
 
 :::note
-
 WAF content scanning is available to customers on an Enterprise plan with a paid add-on.
 :::
 
-## 1. Enable WAF content scanning
+## 1. Turn on the detection
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
@@ -34,6 +33,19 @@ curl --request POST \
 --header "X-Auth-Key: <API_KEY>"
 ```
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_content_scanning` resource to enable malicious uploads detection for a zone. For example:
+
+```terraform
+resource "cloudflare_content_scanning" "zone_malicious_uploads_example" {
+	zone_id = "<ZONE_ID>"
+	enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
 </TabItem> </Tabs>
 
 ## 2. Validate the content scanning behavior
@@ -140,6 +152,17 @@ The above request will add the following expression to the current list of custo
 lookup_json_string(http.request.body.raw, "file")
 ```
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_content_scanning_expression` resource to add a custom scan expression. For example:
+
+```terraform
+resource "cloudflare_content_scanning_expression" "my_custom_scan_expression" {
+  zone_id = <ZONE_ID>
+  payload = "lookup_json_string(http.request.body.raw, \"file\")"
+}
+```
+
 </TabItem> </Tabs>
 
 The custom scan expression will scan any string found in an HTTP body with the following JSON string:
@@ -148,7 +171,7 @@ The custom scan expression will scan any string found in an HTTP body with the f
 { "file": "<BASE64_ENCODED_STRING>" }
 ```
 
-Refer to the [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_string) for more information and additional examples of looking up fields in nested JSON payloads.
+Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information and additional examples of looking up fields in nested JSON payloads.
 
 :::note
 The content scanner will automatically decode Base64 strings.

@@ -2,9 +2,9 @@
 {}
 ---
 
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
 
-On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
+On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard, via API, or using Terraform.
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
@@ -24,4 +24,17 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-che
 --data '{ "enabled": true }'
 ```
 
+</TabItem> <TabItem label="Terraform">
+
+Use the `cloudflare_leaked_credential_check` resource to enable leaked credentials detection for a zone. For example:
+
+```terraform
+resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
+	zone_id = "<ZONE_ID>"
+	enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
 </TabItem> </Tabs>