The following Terraform configuration examples address common scenarios for managing, configuring, and using WAF content scanning.

For more information, refer to the Terraform Cloudflare provider documentation.

If you are using the Cloudflare API, refer to Common API calls.

Enable WAF content scanning

Use the cloudflare_content_scanning resource to enable content scanning for a zone. For example:

resource "cloudflare_content_scanning" "zone_content_scanning_example" {
  zone_id = "<ZONE_ID>"
  enabled = true
}

Configure a custom scan expression

Use the cloudflare_content_scanning_expression resource to add a custom scan expression. For example:

resource "cloudflare_content_scanning_expression" "my_custom_scan_expression" {
  zone_id = "<ZONE_ID>"
  payload = "lookup_json_string(http.request.body.raw, \"file\")"
}

For more information, refer to Custom scan expressions.

Add a custom rule to block malicious uploads

This example adds a custom rule that blocks requests containing one or more content objects considered malicious. The rule expression uses one of the content scanning fields to detect these requests.

To use the cf.waf.content_scan.has_malicious_obj field you must enable content scanning.

Note: Terraform code snippets below refer to the v4 SDK only.

resource "cloudflare_ruleset" "zone_custom_firewall_malicious_uploads" {
  zone_id     = "<ZONE_ID>"
  name        = "Phase entry point ruleset for custom rules in my zone"
  description = ""
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    ref         = "block_malicious_uploads"
    description = "Block requests uploading malicious content objects"
    expression  = "(cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq \"/upload.php\")"
    action      = "block"
  }
}

More resources

For additional Terraform configuration examples, refer to WAF custom rules configuration using Terraform.