Configure DDoS Managed Rulesets
This page provides examples of configuring DDoS Managed Rulesets in your zone or account using Terraform. It covers the following configurations:
DDoS Managed Rulesets are always enabled. Depending on your Cloudflare services, you may be able to adjust their behavior.
For more information on DDoS Managed Rulesets, refer to Managed Rulesets in the Cloudflare DDoS Protection documentation. For more information on deploying and configuring rulesets using the Rulesets API, refer to Work with Managed Rulesets in the Ruleset Engine documentation.
Before you start
Delete any existing rulesets before using Terraform
Terraform assumes that it has complete control over account and zone rulesets. Before you can start configuring your account and zone using Terraform, you must delete existing rulesets (any ruleset with kind: root or kind: zone at the account and zone level, respectively), and then recreate them using Terraform.
Cloudflare recommends that you delete rulesets in both scopes (account and zone) so that you can manage them all using Terraform. However, you can also manage rulesets for only one of the scopes: account or zone. In this case, delete the rulesets in the desired scope before you start managing rulesets using Terraform.
To find existing entry point rulesets, use the API operations described in List existing rulesets , for the account and zone levels. To delete existing rulesets, use the API operations described in Delete ruleset , for the account and zone levels.
Obtain the necessary account, zone, and Managed Ruleset IDs
The Terraform configurations provided in this page need the zone ID (or account ID) of the zone/account where you will deploy DDoS Managed Rulesets.
- To retrieve the list of accounts you have access to, including their IDs, use the List accounts API operation.
- To retrieve the list of zones you have access to, including their IDs, use the List zones API operation.
The deployment of DDoS Managed Rulesets via Terraform requires that you use the ruleset IDs. To find the IDs of DDoS Managed Rulesets, use the List account rulesets API operation. The response will include the description and IDs of the existing DDoS Managed Rulesets.
Configure HTTP DDoS Attack Protection
This example configures HTTP DDoS Attack Protection for a zone using Terraform, changing the sensitivity level of rule with ID fdfdac75430c4c47a959592f0aa5e68a to low.
resource "cloudflare_ruleset" "zone_level_http_ddos_config" { zone_id = "<ZONE_ID>" name = "HTTP DDoS Attack Protection entry point ruleset" description = "" kind = "zone" phase = "ddos_l7" rules { action = "execute" action_parameters { id = "4d21379b4f9f4bb088e0729962c8b3cf" overrides { rules { # Rule: HTTP requests with unusual HTTP headers or URI path (signature #11). id = "fdfdac75430c4c47a959592f0aa5e68a" sensitivity_level = "low" } } } expression = "true" description = "Override the HTTP DDoS Attack Protection Managed Ruleset" enabled = true }
}
For more information about HTTP DDoS Attack Protection, refer to HTTP DDoS Attack Protection Managed Ruleset .
Configure Network-layer DDoS Attack Protection
This example configures Network-layer DDoS Attack Protection for an account using Terraform, changing the sensitivity level of rule with ID 599dab0942ff4898ac1b7797e954e98b to low using an override.
resource "cloudflare_ruleset" "account_level_network_ddos_config" { account_id = "<ACCOUNT_ID>" name = "Network-layer DDoS Attack Protection entry point ruleset" description = "" kind = "root" phase = "ddos_l4" rules { action = "execute" action_parameters { id = "3b64149bfa6e4220bbbc2bd6db589552" overrides { rules { # Rule: Generic high-volume UDP traffic flows. id = "599dab0942ff4898ac1b7797e954e98b" sensitivity_level = "low" } } } expression = "ip.dst in { 192.0.2.0/24 }" description = "Override the HTTP DDoS Attack Protection Managed Ruleset" enabled = true }
}
For more information about Network-layer DDoS Attack Protection, refer to Network-layer DDoS Attack Protection Managed Ruleset .