/terraform-aws-wafv2

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets

Primary LanguageHCLApache License 2.0Apache-2.0

terraform-aws-wafv2

Creates AWS WAFv2 ACL and supports the following

  • AWS Managed Rule Sets
  • Associating with Application Load Balancers (ALB)
  • Blocking IP Sets
  • Rate limiting IPs

As of 12/2/2020, AWS GovCloud does not support the AWSManagedRulesAmazonIpReputationList managed rule set, which is enabled by default in this module. Until AWS supports that rule set, you will need to define your own managed_rules.

Terraform Versions

Terraform 0.13 and newer. Pin module version to ~> 2.0. Submit pull-requests to master branch.

Terraform 0.12. Pin module version to ~> 1.0. Submit pull-requests to terraform012 branch.

Usage with CloudFront

Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.

module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "cloudfront-web-acl"
  scope = "CLOUDFRONT"
}

Usage with Application Load Balancer (ALB)

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "alb-web-acl"
  scope = "REGIONAL"

  alb_arn       = aws_lb.alb.arn
  associate_alb = true
}

Usage blocking IP Sets

resource "aws_wafv2_ip_set" "ipset" {
  name = "blocked_ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

module "wafv2" {
  source = "../../"

  name   = "wafv2"
  scope = "REGIONAL"

  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}

Requirements

Name Version
terraform >= 0.13.0
aws >= 3.0

Providers

Name Version
aws >= 3.0

Inputs

Name Description Type Default Required
alb_arn ARN of the ALB to be associated with the WAFv2 ACL. string "" no
associate_alb Whether to associate an ALB with the WAFv2 ACL. bool false no
filtered_header_rule HTTP header to filter . Currently supports a single header type and multiple header values. 
object({
    header_types = list(string)
    priority     = number
    header_value = string
    action       = string
  })
 
{
  "action": "block",
  "header_types": [],
  "header_value": "",
  "priority": 1
}
 no
ip_rate_based_rule A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span 
object({
    name     = string
    priority = number
    limit    = number
    action   = string
  })
 null no
ip_sets_rule A rule to detect web requests coming from particular IP addresses or address ranges. 
list(object({
    name       = string
    priority   = number
    ip_set_arn = string
    action     = string
  }))
 [] no
managed_rules List of Managed WAF rules. 
list(object({
    name            = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
  }))
 
[
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesCommonRuleSet",
    "override_action": "none",
    "priority": 10
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesAmazonIpReputationList",
    "override_action": "none",
    "priority": 20
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesKnownBadInputsRuleSet",
    "override_action": "none",
    "priority": 30
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesSQLiRuleSet",
    "override_action": "none",
    "priority": 40
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesLinuxRuleSet",
    "override_action": "none",
    "priority": 50
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesUnixRuleSet",
    "override_action": "none",
    "priority": 60
  }
]
 no
name A friendly name of the WebACL. string n/a yes
scope The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. string n/a yes
tags A mapping of tags to assign to the WAFv2 ACL. map(string) {} no

Outputs

Name Description
web_acl_id The ARN of the WAF WebACL.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test