/terraform-aws-wafv2

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets

Primary LanguageHCLApache License 2.0Apache-2.0

terraform-aws-wafv2

Creates AWS WAFv2 ACL and supports the following

  • AWS Managed Rule Sets
  • Associating with Application Load Balancers (ALB)
  • Blocking IP Sets
  • Global IP Rate limiting
  • Custom IP rate limiting for different URLs

Terraform Versions

Terraform 0.13 and newer. Pin module version to ~> 2.0. Submit pull-requests to master branch.

Terraform 0.12. Pin module version to ~> 1.0. Submit pull-requests to terraform012 branch.

Usage with CloudFront

Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.

module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "cloudfront-web-acl"
  scope = "CLOUDFRONT"
}

Usage with Application Load Balancer (ALB)

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "alb-web-acl"
  scope = "REGIONAL"

  alb_arn       = aws_lb.alb.arn
  associate_alb = true
}

Usage blocking IP Sets

resource "aws_wafv2_ip_set" "ipset" {
  name = "blocked_ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

module "wafv2" {
  source = "../../"

  name   = "wafv2"
  scope = "REGIONAL"

  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}

Requirements

Name Version
terraform >= 0.13.0
aws >= 3.0

Providers

Name Version
aws >= 3.0

Inputs

Name Description Type Default Required
alb_arn ARN of the ALB to be associated with the WAFv2 ACL. string "" no
associate_alb Whether to associate an ALB with the WAFv2 ACL. bool false no
filtered_header_rule HTTP header to filter . Currently supports a single header type and multiple header values. 
object({
    header_types = list(string)
    priority     = number
    header_value = string
    action       = string
  })
 
{
  "action": "block",
  "header_types": [],
  "header_value": "",
  "priority": 1
}
 no
group_rules List of WAFv2 Rule Groups. 
list(object({
    name            = string
    arn             = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
  }))
 [] no
ip_rate_based_rule A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span 
object({
    name     = string
    priority = number
    limit    = number
    action   = string
  })
 null no
ip_rate_url_based_rules A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span 
list(object({
    name                  = string
    priority              = number
    limit                 = number
    action                = string
    search_string         = string
    positional_constraint = string
  }))
 [] no
ip_sets_rule A rule to detect web requests coming from particular IP addresses or address ranges. 
list(object({
    name       = string
    priority   = number
    ip_set_arn = string
    action     = string
  }))
 [] no
managed_rules List of Managed WAF rules. 
list(object({
    name            = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
  }))
 
[
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesCommonRuleSet",
    "override_action": "none",
    "priority": 10
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesAmazonIpReputationList",
    "override_action": "none",
    "priority": 20
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesKnownBadInputsRuleSet",
    "override_action": "none",
    "priority": 30
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesSQLiRuleSet",
    "override_action": "none",
    "priority": 40
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesLinuxRuleSet",
    "override_action": "none",
    "priority": 50
  },
  {
    "excluded_rules": [],
    "name": "AWSManagedRulesUnixRuleSet",
    "override_action": "none",
    "priority": 60
  }
]
 no
name A friendly name of the WebACL. string n/a yes
scope The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. string n/a yes
tags A mapping of tags to assign to the WAFv2 ACL. map(string) {} no

Outputs

Name Description
web_acl_id The ARN of the WAF WebACL.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test