
This Terraform module creates a global Web Application Firewall (WAF) Web ACL to be used with CloudFront.


terraform-aws-waf


This Terraform module creates two types of WAFv2 Web ACL rules:

  • CLOUDFRONT is a global rule, used only with CloudFront distributions
  • REGIONAL rules can be used with an ALB, API Gateway or AppSync GraphQL API

Below is a common list of Web ACL rule statements that can be used by this module and how to set them up, together with a link to the documentation giving the full list of AWS WAF rules. Use the "Name" of the rule groups, and keep an eye on WCUs, because the rules of a Web ACL can't exceed 1500 WCUs.

  • byte_match_statement
  • geo_match_statement
  • ip_set_reference_statement
  • managed_rule_group_statement
    • AWSManagedRulesCommonRuleSet
    • AWSManagedRulesAmazonIpReputationList
    • AWSManagedRulesKnownBadInputsRuleSet
    • AWSManagedRulesSQLiRuleSet
    • AWSManagedRulesLinuxRuleSet
    • AWSManagedRulesUnixRuleSet
  • rate_based_statement
  • regex_pattern_set_reference_statement
  • size_constraint_statement
  • sqli_match_statement
  • xss_match_statement

Usage

module "terraform_aws_wafv2_global" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_global.rules, []) : rule.global_rule => rule }

  waf_cloudfront_enable = try(each.value.waf_cloudfront_enable, false)
  web_acl_id            = try(each.value.web_acl_id, "") # Optional WEB ACLs (WAF) to attach to CloudFront
  global_rule           = try(each.value.global_rule, [])
  scope                 = each.value.scope
  default_action        = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}

data "aws_wafv2_web_acl" "web_acl_arn" {
# count = local.workspace.wafv2.global.waf_cloudfront_web_acl_enable ? 1 : 0
depends_on = [module.terraform_aws_wafv2_global]
provider = aws.us-east-1
  name  = "waf-${local.workspace.wafv2.global.acls.global_rule_name}"
  scope = "CLOUDFRONT"
}

module "terraform_aws_wafv2_regional" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_regional.rules, []) : rule.regional_rule => rule }

  waf_regional_enable = try(each.value.waf_regional_enable, false)
  associate_waf       = try(each.value.associate_waf, false)
  regional_rule       = try(each.value.regional_rule, [])
  scope               = each.value.scope
  resource_arn        = try(each.value.resource_arn, [])
  default_action      = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}q

Requirements

Name Version
terraform >= 0.13.0

Providers

Name Version
aws n/a

Inputs

Name Description Type Default Required
associate_waf Whether to associate an ALB with the WAFv2 ACL. bool false no
byte_match_statement_rules n/a
list(object({
name = string
priority = number
action = string
byte_matchs = list(object({
positional_constraint = string
search_string = string
}))
byte_match_statement = list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
text_transformation = list(object({
priority = string
type = string
}))
}))
n/a yes
default_action n/a string "block" no
geo_match_statement_rules n/a
list(object({
name = string
priority = string
action = string
country_codes = list(string)
geo_match_statement = list(object({
fallback_behavior = string
header_name = string
}))
}))
n/a yes
global_rule Cloudfront WAF Rule Name string "" no
ip_set_reference_statement_rules n/a
list(object({
name = string
priority = string
action = string
ip_set = list(string)
ip_set_reference_statement = list(object({
fallback_behavior = string
header_name = string
position = string
}))
}))
n/a yes
logging_filter n/a
list(object({
default_behavior = string
filter = list(object({
behavior = string
requirement = string
condition = list(object({
action_condition = string
label_name_condition = string
}))
}))
}))
n/a yes
logging_redacted_fields n/a
list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
n/a yes
logs_enable Enable logs bool false no
logs_retension Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. number 90 no
managed_rule_group_statement_rules n/a
list(object({
name = string
priority = string
managed_rule_group_statement = list(object({
name = string
vendor_name = string
excluded_rule = list(string)
block_rule_action_override = list(string)
}))
}))
n/a yes
rate_based_statement_rules n/a
list(object({
name = string
priority = string
action = string
rate_based = list(object({
aggregate_key_type = string
limit = number
}))
rate_based_statement = list(object({
fallback_behavior = string
header_name = string
}))
}))
n/a yes
regex_pattern_set_reference_statement_rules n/a
list(object({
name = string
priority = string
action = string
regex_set = list(string)
regex_pattern_set_reference_statement = list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
text_transformation = list(object({
priority = number
type = string
}))
}))
n/a yes
regional_rule Regional WAF Rules for ALB and API Gateway string "" no
resource_arn ARN of the ALB to be associated with the WAFv2 ACL. list(string) [] no
scope The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL (ALB). string n/a yes
size_constraint_statement_rules n/a
list(object({
name = string
priority = string
action = string
comparison_operator = string
size = number
size_constraint_statement = list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
text_transformation = list(object({
priority = number
type = string
}))
}))
n/a yes
sqli_match_statement_rules n/a
list(object({
name = string
priority = string
action = string
sqli_match_statement = list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
text_transformation = list(object({
priority = number
type = string
}))
}))
n/a yes
waf_cloudfront_enable Enable WAF for Cloudfront distribution bool false no
waf_regional_enable Enable WAFv2 to ALB, API Gateway or AppSync GraphQL API bool false no
web_acl_id Optional ARN of an existing web ACL (WAF) to associate with the CloudFront distribution. string null no
xss_match_statement_rules n/a
list(object({
name = string
priority = string
action = string
xss_match_statement = list(object({
all_query_arguments = string
body = string
method = string
query_string = string
single_header = string
single_query_argument = string
uri_path = string
}))
text_transformation = list(object({
priority = number
type = string
}))
}))
n/a yes

Outputs

Name Description
web_acl_arn The ARN of the WAFv2 WebACL.
web_acl_capacity_cloudfront The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_capacity_regional The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_id The ID of the WAFv2 WebACL.
web_acl_name_cloudfront The name of the WAFv2 WebACL.
web_acl_name_regional The name of the WAFv2 WebACL.
web_acl_visibility_config_name_cloudfront The web ACL visibility config name
web_acl_visibility_config_name_regional The web ACL visibility config name

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.