Terraform module to configure a WAF Web ACL V2 for an Application Load Balancer or CloudFront distribution.
The module supports all AWS managed rules defined in https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html.
Terraform 0.12. Pin the module version to ~> v1.0. Submit pull-requests to the master branch.
Please pin down the version of this module to an exact version.
## Usage

Web ACL attached to an Application Load Balancer:

```hcl
module "waf" {
  source  = "umotif-public/waf-webaclv2/aws"
  version = "~> 1.3.0"

  name_prefix = "test-waf-setup"
  alb_arn     = module.alb.arn
  scope       = "REGIONAL"

  create_alb_association = true
  allow_default_action   = true # set to allow if not specified

  visibility_config = {
    metric_name = "test-waf-setup-waf-main-metrics"
  }

  rules = [
    {
      name            = "AWSManagedRulesCommonRuleSet-rule-1"
      priority        = "1"
      override_action = "none" # set to none if not specified

      visibility_config = {
        metric_name = "AWSManagedRulesCommonRuleSet-metric"
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        excluded_rule = [
          "SizeRestrictions_QUERYSTRING",
          "SizeRestrictions_BODY",
          "GenericRFI_QUERYARGUMENTS"
        ]
      }
    },
    {
      name            = "AWSManagedRulesKnownBadInputsRuleSet-rule-2"
      priority        = "2"
      override_action = "count"

      visibility_config = {
        metric_name = "AWSManagedRulesKnownBadInputsRuleSet-metric"
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    },
    {
      name     = "AWSManagedRulesPHPRuleSet-rule-3"
      priority = "3"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesPHPRuleSet-metric"
        sampled_requests_enabled   = false
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesPHPRuleSet"
        vendor_name = "AWS"
      }
    }
  ]

  tags = {
    "Name" = "test-waf-setup"
    "Env"  = "test"
  }
}
```
Web ACL for a CloudFront distribution (the CLOUDFRONT scope requires the us-east-1 provider):

```hcl
provider "aws" {
  alias   = "us-east"
  version = "~> 2.68"
  region  = "us-east-1"
}

module "waf" {
  providers = {
    aws = aws.us-east
  }

  source  = "umotif-public/waf-webaclv2/aws"
  version = "~> 1.3.0"

  name_prefix            = "test-waf-setup-cloudfront"
  scope                  = "CLOUDFRONT"
  create_alb_association = false
  ...
}
```
The module is to be used with Terraform > 0.12.
When you enable the logging configuration for WAFv2, remember to follow the naming convention defined in https://docs.aws.amazon.com/waf/latest/developerguide/logging.html.
Importantly, make sure that the Amazon Kinesis Data Firehose delivery stream has a name starting with the prefix aws-waf-logs-.
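Logging wired end to end, as an added example that is not part of the module's README: a Firehose delivery stream whose name carries the required aws-waf-logs- prefix, a least-privilege delivery role, and the module's create_logging_configuration and log_destination_configs inputs pointing at the stream. Bucket, role and stream names are placeholders, and alb_arn assumes an ALB module as in the usage example above.

```hcl
# Constructed example: WAFv2 logging into a Kinesis Data Firehose stream whose
# name carries the mandatory "aws-waf-logs-" prefix. Bucket, role and stream
# names are placeholders; alb_arn assumes an ALB module as in the page's example.
resource "aws_s3_bucket" "waf_logs" {
  bucket = "example-waf-logs-bucket" # placeholder, must be globally unique
  acl    = "private"
}
data "aws_iam_policy_document" "firehose_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "firehose" {
  name               = "example-waf-logs-firehose" # placeholder
  assume_role_policy = data.aws_iam_policy_document.firehose_assume.json
}
# Least privilege: the delivery role may only write into the log bucket.
resource "aws_iam_role_policy" "firehose_s3" {
  role = aws_iam_role.firehose.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:AbortMultipartUpload"]
      Resource = [aws_s3_bucket.waf_logs.arn, "${aws_s3_bucket.waf_logs.arn}/*"]
    }]
  })
}
resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  name        = "aws-waf-logs-test-waf-setup" # WAF rejects streams without this prefix
  destination = "extended_s3"
  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose.arn
    bucket_arn = aws_s3_bucket.waf_logs.arn
  }
}
module "waf" {
  source  = "umotif-public/waf-webaclv2/aws"
  version = "~> 1.3.0"
  name_prefix = "test-waf-setup"
  alb_arn     = module.alb.arn
  scope       = "REGIONAL"
  visibility_config = { metric_name = "test-waf-setup-waf-main-metrics" }
  create_logging_configuration = true
  log_destination_configs      = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
}
```

The delivery stream has to live in the same region as a REGIONAL web ACL (us-east-1 for CLOUDFRONT scope), and the module's redacted_fields input is the place to keep sensitive request parts out of the stream.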
Module managed by Marcin Cuber (LinkedIn).
## Requirements

Name | Version |
---|---|
terraform | ~> 0.12.6 |
aws | ~> 2.68 |

## Providers

Name | Version |
---|---|
aws | ~> 2.68 |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
alb_arn | Application Load Balancer ARN | string | "" | no |
alb_arn_list | Application Load Balancer ARN list | list | [] | no |
allow_default_action | Set to true for WAF to allow requests by default. Set to false for WAF to block requests by default. | bool | true | no |
create_alb_association | Whether to create the ALB association with the WAF web ACL | bool | true | no |
create_logging_configuration | Whether to create a logging configuration in order to start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose. | bool | false | no |
enabled | Whether to create the resources. Set to false to prevent the module from creating any resources | bool | true | no |
log_destination_configs | The Amazon Kinesis Data Firehose Amazon Resource Names (ARNs) that you want to associate with the web ACL. Currently, only 1 ARN is supported. | list(string) | [] | no |
name_prefix | Name prefix used to create resources. | string | n/a | yes |
redacted_fields | The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. | list | [] | no |
rules | List of WAF rules. | list | [] | no |
scope | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | string | "REGIONAL" | no |
tags | A map of tags (key-value pairs) passed to resources. | map(string) | {} | no |
visibility_config | Visibility config for the WAFv2 web ACL. https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#visibility-configuration | map(string) | {} | no |
## Outputs

Name | Description |
---|---|
web_acl_arn | The ARN of the WAFv2 WebACL. |
web_acl_capacity | The web ACL capacity units (WCUs) currently being used by this web ACL. |
web_acl_id | The ID of the WAFv2 WebACL. |
web_acl_name | The name of the WAFv2 WebACL. |
See LICENSE for full details.
## Pre-commit

- pre-commit
- terraform-docs, required for the terraform_docs hooks.
- TFLint, required for the terraform_tflint hook.

Install on macOS with Homebrew:

```bash
brew install pre-commit terraform-docs tflint
brew tap git-chglog/git-chglog
brew install git-chglog
```