Configure client lists

ūüöß

Beta

While the underlying code for our Client Lists subprovider has been vetted, we’ve placed the beta label here only to collect your feedback and work through any issues.

Reduce harmful security attacks by allowing only trusted IP/CIDRs, locations, autonomous system numbers, and TLS fingerprints to access your services and content.

What you'll do

Create and activate a client list to use with other Akamai services.

1. Create a client list

Each client list is of a certain type. To create a client list, choose a list type and add entries of that type using the items blocks.

TypeDescriptionEntry limit
IPIPv4 and/or IPv6 addresses.10,000
GEORequest's country of origin.275
ASNAutonomous system numbers with a decimal value between 0 and 4294967295.100
FILE_HASHSHA-256 file hashes100
TLS_FINGERPRINTSignals from data shared during the initial handshake between an HTTPS client and your server.100

Optionally, you can create and add up to five tags to help filter and sort searches against your list. Tag strings can use any character except a comma or semicolon and are limited to 256 characters. Use the tags within your items entries.

Configure your client list using the akamai_clientlist_list resource.

resource "akamai_clientlist_list" "my_client_list" {
  name = "my_client_list"
  type = "ASN"
  notes = "Client list creation"
  tags = ["tag1", "tag2", "tag3"]
  contract_id = "12345"
  group_id = 12345
  items {
    value           = "1"
    description     = "Item one"
    tags            = ["tag1", "tag2"]
    expiration_date = "2023-09-06T15:58:39.225+00:00"
  }
  items {
    value           = "2"
    description     = "Item two"
    tags            = ["tag2", "tag3"]
    expiration_date = ""
  }
  items {
    value           = "3"
    description     = "Item three"
    tags            = ["tag1"]
    expiration_date = ""
  }
}

There's no standard output for this resource, but returned in the last line of the apply log is the client list ID.

2. Activate your client list

Use your client list ID to activate your client list on either the STAGING or PRODUCTION network.

resource "akamai_clientlist_activation" "my_activation" {
  list_id                 = "123456_MYCLIENTLIST"
  version                 = 1
  network                 = "STAGING"
  comments                = "My activation comments"
  notification_recipients = ["jsmith@example.com"]
}

3. Use your client list

To add your client list to your security configuration, include your client list's name or ID in one of these services as an allowlist or blocklist.

ūüďė

All of the changes here require a new version and reactivation of your AppSec configuration.

IP/GEO firewall

Use the respective client list ID in the geo_network_lists, ip_network_lists, and/or exception_ip_network_lists arguments of the IP/GEO resource.

resource "akamai_appsec_ip_geo" "my_ip_geo_lists" {
  config_id                  = 12345
  security_policy_id         = "12345"
  mode                       = "block"
  geo_network_lists          = ["12345_GEO_LIST"]
  ip_network_lists           = ["12345_IP_LIST"]
  exception_ip_network_lists = ["98765_EXCEPTION_LIST"]
}

Match Targets

  1. Place a bypassNetworkLists object in your match_targets.json file with the name and ID of your client list.

    {
      "bypassNetworkLists": {
        "id": "12345_MYCLIENTLIST",
        "name": "my_client_list"
      }
    }
    
  2. Point the value of match_target to your updated JSON file.

    Uses the match target resource.

    resource "akamai_appsec_match_target" "my_match_target" {
    config_id    = 12345
    match_target = file("${path.module}/match_targets.json")
    }
    

Pragma Headers

  1. In an excludeCondition array, add your your client list's ID in the value property of your pragma_header.json file.

    {
      "excludeCondition": [
        {
          "positiveMatch": true,
          "type": "networkList",
          "useHeaders": false,
          "value": [
            "12345_MYCLIENTLIST"
          ]
        }
      ]
    }
    
    excludeCondition:
    
      positiveMatch: The match condition for a policy's trigger. True or false.
    
      type: The condition's category. Client lists uses networkList.
    
      useHeaders: Whether the condition should include the X-Forwarded-For header.
    
      value: A list of match items. Use your client list's ID.
    
  2. Point the value of pragma_header to your updated JSON file.

    Uses the pragma header resource.

    resource "akamai_appsec_advanced_settings_pragma_header" "my_pragma_header" {
      config_id          = 12345
      security_policy_id = "gms1_12345"
      pragma_header = file("${path.module}/pragma_header.json")
    }
    

Client Reputation

  1. Add your client list's ID to the value property of the atomicConditions array in your reputation_profile.json file.

    {
      "condition": {
        "atomicConditions": [
          {
            "checkIps": "connecting",
            "className": "NetworkListCondition",
            "index": 1,
            "positiveMatch": true,
            "value": [
              "12345_MYCLIENTLIST"
            ]
          }
        ],
        "positiveMatch": true
      }
    }
    
    condition:
    
      atomicConditions: The conditions that trigger the rate policy.
    
      checkIps: The part of the request that determines the IP address to use. Use connecting for connecting IP addresses or or xff_headers for the X_Forwarded_For header.
    
      className: The type of condition. Client lists uses NetworkListCondition.
    
      index:
    
      positiveMatch: The match condition for a policy's trigger. True or false.
    
      value: A list of match items. Use your client list's ID.
    
      positiveMatch: The match condition for a policy's trigger. True or false.
    
  2. Point the value of reputation_profile to your updated JSON file.

    Uses the reputation profile resource.

    resource "akamai_appsec_reputation_profile" "my_reputation_profile" {
      config_id          = 12345
      reputation_profile = file("${path.module}/reputation_profile.json")
    }
    

Rate Policies

  1. Use the additionalMatchOptions array with your client list's ID in the values property to add a network list condition to your rate_policies.json file.

    {
      "additionalMatchOptions": [
        {
          "positiveMatch": true,
          "type": "NetworkListCondition",
          "values": [
            "12345_MYCLIENTLIST"
          ]
        }
      ]
    }
    
    additionalMatchOptions:
    
      positiveMatch: The match condition for a policy's trigger. True or false.
    
      type: The option's category. Client lists uses NetworkListCondition.
    
      values: A list of match items. Use your client list's ID.
    
  2. Point the value of rate_policy to your updated JSON file.

    Uses the rate policy resource.

    resource "akamai_appsec_rate_policy" "my_rate_policy" {
      config_id   = 12345
      rate_policy = file("${path.module}/rate_policy.json")
    }