Rate limit ruleset

I’m trying to create a ruleset in the http_ratelimit phase using Terraform, with dynamic blocks for several rate limit rules. I believe the issue is within the ratelimit block: I get this error when I include the requests_to_origin = true field.

 Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.cloudflare_record.cloudflare_ruleset.zone_rate_limiting,
│   on ../../modules/cloudflare/main.tf line 72, in resource "cloudflare_ruleset" "zone_rate_limiting":
│   72: resource "cloudflare_ruleset" "zone_rate_limiting" {
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.

Can you provide a sample of your terraform block?

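# Zone-level rate limiting ruleset (phase http_ratelimit) holding one rule per
# entry of the inline map in the dynamic "rules" block.
# NOTE(review): every for_each instance targets the same zone_id and phase. A
# zone has a single entry-point ruleset per phase, so confirm this map never
# yields more than one instance.
resource "cloudflare_ruleset" "zone_rate_limiting" {
  for_each = var.record_env_map[data.aws_lb.app-stage.dns_name]

  zone_id     = var.cloudflare_zone
  name        = "global-rate-based-limit"
  description = "Rate limit for API requests"
  kind        = "zone"
  phase       = "http_ratelimit"

  dynamic "rules" {
    # Terraform iterates map keys in lexical order, so the rules are emitted as
    # api, create, signin, verify regardless of the order written here.
    # The expressions match path prefixes only (anchored at the start, not the end).
    # NOTE(review): Cloudflare accepts only a fixed, plan-dependent set of values
    # for period and mitigation_timeout; confirm that 1 and 3 are accepted.
    for_each = {
      api-rate-limit = {
        expression          = "(http.request.uri.path matches \"^/api/\")"
        requests_per_period = 12000
        period              = 60
        mitigation_timeout  = 600
        description         = "API rate limiting rule"
        action              = "block"
        # Not read by the content block below, which sends a fixed response body.
        response            = "json('{\"error\": \"Rate limit exceeded for API requests. Please try again later.\"}')"
      },
      # NOTE(review): 100 requests per 3 s per source IP and colo, with a 1 s
      # block, is a loose bound for an authentication endpoint; review it against
      # the credential-guessing rate you are willing to tolerate.
      signin-rate-limit = {
        expression          = "(http.request.uri.path matches \"^/(signin|admin/signin|csp/login)\")"
        requests_per_period = 100
        period              = 3
        mitigation_timeout  = 1
        description         = "Signin rate limiting rule"
        action              = "block"
      },
      create-rate-limit = {
        expression          = "(http.request.uri.path matches \"^/create/\")"
        requests_per_period = 2
        period              = 1
        mitigation_timeout  = 1
        description         = "Create rate limiting rule"
        action              = "block"
      },
      verify-rate-limit = {
        expression          = "(http.request.uri.path matches \"^/(users/verify|users/resendverification)\")"
        requests_per_period = 2
        period              = 1
        mitigation_timeout  = 1
        description         = "Verify rate limiting rule"
        action              = "block"
      }
    }

    content {
      # `id` inside a rules block is assigned by the provider and is read-only;
      # setting it raises "Invalid Configuration for Read-Only Attribute".
      # `ref` is the user-settable stable reference for a rule.
      ref    = "${rules.key}-${each.key}"
      action = rules.value.action

      # Custom 429 response. It is attached unconditionally; that is valid only
      # while every rule's action is "block", as is the case in the map above.
      action_parameters {
        response {
          status_code  = 429
          content      = "{\"response\": \"block\"}"
          content_type = "application/json"
        }
      }

      ratelimit {
        # Counters are kept per source IP and per Cloudflare data center.
        characteristics     = ["ip.src", "cf.colo.id"]
        period              = rules.value.period
        requests_per_period = rules.value.requests_per_period
        # A configurable attribute, not the read-only one. When true, only
        # requests that reach the origin are counted.
        requests_to_origin  = true
        mitigation_timeout  = rules.value.mitigation_timeout
      }

      expression  = rules.value.expression
      description = rules.value.description
      enabled     = var.rate_limit_rules_enabled
    }
  }
}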
