diff --git a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
index 8116cf52a5e3b6..fbb8ba4c876a83 100644
--- a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
@@ -8,16 +8,15 @@ head:
content: Configure WAF custom rules with Terraform
---
-import { Render } from "~/components";
+import { Render, GlossaryTooltip } from "~/components";
This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios:
- Zone-level configurations:
-
- [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
-
+ - [Add a custom rule challenging requests with leaked credentials](#add-a-custom-rule-challenging-requests-with-leaked-credentials)
+ - [Add a custom rule blocking malicious uploads](#add-a-custom-rule-blocking-malicious-uploads)
- Account-level configurations:
-
- [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
- [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
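Review bot: `GlossaryTooltip` is added to the import on the `+import { Render, GlossaryTooltip } from "~/components";` line, but nothing in this hunk (or in the later hunks of this file) renders a `<GlossaryTooltip>`; either drop the import or make sure the component is actually used somewhere in the page, otherwise it is dead code in the MDX frontmatter.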
@@ -60,6 +59,60 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
+### Add a custom rule challenging requests with leaked credentials
+
+:::note
+For more information on enabling leaked credentials detection using Terraform, refer to the [leaked credentials detection](/waf/detections/leaked-credentials/get-started/#1-turn-on-leaked-credentials-detection) documentation.
+:::
+
+This example adds a custom rule that challenges requests with leaked credentials by using one of the [leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields) in the rule expression.
+
+```tf
+resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" {
+ zone_id = ""
+ name = "Phase entry point ruleset for custom rules in my zone"
+ description = ""
+ kind = "zone"
+ phase = "http_request_firewall_custom"
+
+ rules {
+ ref = "challenge_leaked_username_password"
+ description = "Challenge requests with a leaked username and password"
+ expression = "(cf.waf.credential_check.username_and_password_leaked)"
+ action = "managed_challenge"
+ }
+}
+```
+
+For more information on configuring custom detection locations, refer to the [Terraform example](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location) in the WAF documentation.
+
+### Add a custom rule blocking malicious uploads
+
+:::note
+For more information on enabling malicious uploads detection using Terraform, refer to the [malicious uploads detection](/waf/detections/malicious-uploads/get-started/#1-turn-on-the-detection) documentation.
+:::
+
+This example adds a custom rule that blocks requests with one or more content objects considered malicious by using one of the [content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields) in the rule expression.
+
+```tf
+resource "cloudflare_ruleset" "zone_custom_firewall_malicious_uploads" {
+ zone_id = ""
+ name = "Phase entry point ruleset for custom rules in my zone"
+ description = ""
+ kind = "zone"
+ phase = "http_request_firewall_custom"
+
+ rules {
+ ref = "block_malicious_uploads"
+ description = "Block requests uploading malicious content objects"
+ expression = "(cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq \"/upload.php\")"
+ action = "block"
+ }
+}
+```
+
+For more information on configuring custom scan expressions, refer to the [Terraform example](/waf/detections/malicious-uploads/get-started/#4-optional-configure-a-custom-scan-expression) in the WAF documentation.
+
## Account-level configurations
### Create and deploy a custom ruleset
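Review bot: the note link in the leaked-credentials section points at `/waf/detections/leaked-credentials/get-started/#1-turn-on-leaked-credentials-detection`, but this same patch renames that heading to `## 1. Turn on the detection`, so the anchor becomes `#1-turn-on-the-detection` and the link will land at the top of the page; update it to match the malicious-uploads note, which already uses the new anchor. Two further points: both new resources declare `kind = "zone"` and `phase = "http_request_firewall_custom"` like the existing `zone_custom_firewall` resource above them, and a zone has a single entry point ruleset per phase, so applying them as separate `cloudflare_ruleset` resources in the same zone would conflict; the prose should say these `rules` blocks are meant to be added to the zone's one custom-rules entry point ruleset rather than applied side by side. And the `zone_id = ""` / `description = ""` values are empty strings in both examples; if a placeholder was intended it did not survive, and an empty `zone_id` will fail on apply.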
@@ -67,7 +120,6 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets/) in the account with ID `` containing a single custom rule. This custom ruleset is then deployed using a separate `cloudflare_ruleset` Terraform resource. If you do not deploy a custom ruleset, it will not execute.
:::caution
-
You can only create and deploy custom rulesets at the account level.
:::
@@ -123,12 +175,11 @@ For more information on configuring and deploying custom rulesets, refer to [Wor
### Add a custom rule checking for exposed credentials
-The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
+
-:::caution
+The following configuration creates a custom ruleset with a single rule that [checks for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
-:::
```tf
resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" {
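Review bot: removing the `:::caution` / `:::` lines around "You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`)." turns a highlighted restriction into plain text, and because the re-added "The following configuration creates ..." line is immediately followed by that sentence with no blank line between them, the two now render as a single paragraph. If the admonition was dropped on purpose, insert a blank line so the restriction stays its own paragraph; otherwise keep the `:::caution` wrapper, which the "Create and deploy a custom ruleset" section in this same file still uses for the equivalent account-level restriction.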
diff --git a/src/content/docs/waf/detections/leaked-credentials/examples.mdx b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
index e10ac2950f77a6..530ff460c0cd47 100644
--- a/src/content/docs/waf/detections/leaked-credentials/examples.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
@@ -57,3 +57,9 @@ Create a [custom rule](/waf/custom-rules/) that challenges requests containing a
```
- **Action**: _Managed Challenge_
+
+---
+
+## More resources
+
+- [Terraform example: Add a custom rule challenging requests with leaked credentials](/terraform/additional-configurations/waf-custom-rules/#add-a-custom-rule-challenging-requests-with-leaked-credentials)
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
index a2342bb32b0d67..e7c8d9927745f9 100644
--- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -10,7 +10,7 @@ head:
import { Render, TabItem, Tabs, Details } from "~/components";
-## 1. Turn on leaked credentials detection
+## 1. Turn on the detection
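Review bot: renaming `## 1. Turn on leaked credentials detection` to `## 1. Turn on the detection` changes the generated anchor, so every incoming link to `#1-turn-on-leaked-credentials-detection` outside this patch needs to be found and updated as well; the rename is fine for consistency with the malicious-uploads page, but a grep across the docs tree for the old anchor should be part of this change.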
@@ -126,6 +126,20 @@ This pair of lookup expressions (for username and password) will scan incoming H
Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function.
+
+
+Use the `cloudflare_leaked_credential_check_rule` resource to add a custom detection location. For example:
+
+```terraform
+resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
+ zone_id = ""
+ username = "lookup_json_string(http.request.body.raw, \"user\")"
+ password = "lookup_json_string(http.request.body.raw, \"secret\")"
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
You only need to provide an expression for the username in custom detection locations.
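Review bot: the unchanged context line right after the new example says "You only need to provide an expression for the username in custom detection locations.", yet the `cloudflare_leaked_credential_check_rule` example sets both `username` and `password` without saying which is required; add a sentence (or a comment in the snippet) stating that `password` is optional so the example and the sentence that follows it agree. Minor: the two consecutive empty `+` lines before "Use the `cloudflare_leaked_credential_check_rule` resource ..." look like leftover spacing and can be collapsed to one.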
diff --git a/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
index d889c17654f877..3c58919c7b879e 100644
--- a/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
@@ -44,3 +44,9 @@ This custom rule example blocks requests with uploaded content objects over 15 M
- Action: _Block_
In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the `>` (greater than) [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) would not work for this particular rule — you should use `>=` (greater than or equal) instead.
+
+---
+
+## More resources
+
+- [Terraform example: Add a custom rule blocking malicious uploads](/terraform/additional-configurations/waf-custom-rules/#add-a-custom-rule-blocking-malicious-uploads)
diff --git a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
index ffa7b689bc252d..b46367c931b5a2 100644
--- a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
@@ -5,17 +5,16 @@ sidebar:
order: 2
head:
- tag: title
- content: Get started with content scanning
+ content: Get started with malicious uploads detection
---
import { Details, TabItem, Tabs } from "~/components";
:::note
-
WAF content scanning is available to customers on an Enterprise plan with a paid add-on.
:::
-## 1. Enable WAF content scanning
+## 1. Turn on the detection
@@ -34,6 +33,19 @@ curl --request POST \
--header "X-Auth-Key: "
```
+
+
+Use the `cloudflare_content_scanning` resource to enable malicious uploads detection for a zone. For example:
+
+```terraform
+resource "cloudflare_content_scanning" "zone_malicious_uploads_example" {
+ zone_id = ""
+ enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
## 2. Validate the content scanning behavior
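Review bot: the fence is tagged ```` ```terraform ```` here while the examples added to waf-custom-rules.mdx in this same patch use ```` ```tf ````; pick one tag across the patch so syntax highlighting is consistent. As in the other snippets, `zone_id = ""` is an empty string rather than a visible placeholder, which will fail on apply if copied as-is.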
@@ -140,6 +152,17 @@ The above request will add the following expression to the current list of custo
lookup_json_string(http.request.body.raw, "file")
```
+
+
+Use the `cloudflare_content_scanning_expression` resource to add a custom scan expression. For example:
+
+```terraform
+resource "cloudflare_content_scanning_expression" "my_custom_scan_expression" {
+ zone_id =
+ payload = "lookup_json_string(http.request.body.raw, \"file\")"
+}
+```
+
The custom scan expression will scan any string found in an HTTP body with the following JSON string:
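Review bot: the `zone_id =` line in the `cloudflare_content_scanning_expression` example has no value at all, which is invalid HCL and will fail `terraform validate`; every other snippet in this patch at least writes `zone_id = ""`, so this line needs a value or placeholder. Also consider naming the resource in the same style as the others (`zone_..._example`) instead of `my_custom_scan_expression`.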
@@ -148,7 +171,7 @@ The custom scan expression will scan any string found in an HTTP body with the f
{ "file": "" }
```
-Refer to the [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_string) for more information and additional examples of looking up fields in nested JSON payloads.
+Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information and additional examples of looking up fields in nested JSON payloads.
:::note
The content scanner will automatically decode Base64 strings.
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable.mdx b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
index db44403bf494bd..dd11b469de7846 100644
--- a/src/content/partials/waf/leaked-credentials-detection-enable.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
@@ -2,9 +2,9 @@
{}
---
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
-On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
+On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard, via API, or using Terraform.
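Review bot: `Render` is added to the import on the `+import { TabItem, Tabs, Render } from "~/components";` line, but the only other change to this partial is a plain sentence plus a Terraform code block, neither of which uses `<Render>`; drop the import unless a `<Render>` usage exists elsewhere in the partial that is not shown here.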
@@ -24,4 +24,17 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-che
--data '{ "enabled": true }'
```
+
+
+Use the `cloudflare_leaked_credential_check` resource to enable leaked credentials detection for a zone. For example:
+
+```terraform
+resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
+ zone_id = ""
+ enabled = true
+}
+```
+
+For more information, refer to the [Terraform Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
+
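Review bot: the updated sentence above now advertises three ways to turn on the detection ("in the Cloudflare dashboard, via API, or using Terraform"), and this partial imports `Tabs` and `TabItem`, but the new Terraform snippet is appended directly after the `--data '{ "enabled": true }'` API example with no tab or subheading of its own, so it reads as part of the API instructions; give it its own `<TabItem>` (or at least a label) so the three options are presented in parallel. The hunk also ends with an added empty line, leaving a trailing blank line at end of file that most linters will flag.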