This terraform module creates two type of WAFv2 Web ACL rules:
- CLOUDFRONT is a Global rule used in CloudFront Distribution only
- REGIONAL rules can be used in ALB, API Gateway or AppSync GraphQL API
Follow a commum list of Web ACL rules that can be used by this module and how to setup it, also a link of the documentation with a full list of AWS WAF Rules, you need to use the "Name" of the Rule Groups and take care with WCUs, it's why Web ACL rules can't exceed 1500 WCUs.
- byte_match_statement
- geo_match_statement
- ip_set_reference_statement
- managed_rule_group_statement
- AWSManagedRulesCommonRuleSet
- AWSManagedRulesAmazonIpReputationList
- AWSManagedRulesKnownBadInputsRuleSet
- AWSManagedRulesSQLiRuleSet
- AWSManagedRulesLinuxRuleSet
- AWSManagedRulesUnixRuleSet
- rate_based_statement
- regex_pattern_set_reference_statement
- size_constraint_statement
- sqli_match_statement
- xss_match_statement
module "terraform_aws_wafv2_global" {
source = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
for_each = { for rule in try(local.workspace.wafv2_global.rules, []) : rule.global_rule => rule }
waf_cloudfront_enable = try(each.value.waf_cloudfront_enable, false)
web_acl_id = try(each.value.web_acl_id, "") # Optional WEB ACLs (WAF) to attach to CloudFront
global_rule = try(each.value.global_rule, [])
scope = each.value.scope
default_action = try(each.value.default_action, "block")
### Log Configuration
logs_enable = try(each.value.logs_enable, false)
logs_retension = try(each.value.logs_retension, 90)
logging_redacted_fields = try(each.value.logging_redacted_fields, [])
logging_filter = try(each.value.logging_filter, [])
### Statement Rules
byte_match_statement_rules = try(each.value.byte_match_statement_rules, [])
geo_match_statement_rules = try(each.value.geo_match_statement_rules, [])
ip_set_reference_statement_rules = try(each.value.ip_set_reference_statement_rules, [])
managed_rule_group_statement_rules = try(each.value.managed_rule_group_statement_rules, [])
rate_based_statement_rules = try(each.value.rate_based_statement_rules, [])
regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
size_constraint_statement_rules = try(each.value.size_constraint_statement_rules, [])
sqli_match_statement_rules = try(each.value.sqli_match_statement_rules, [])
xss_match_statement_rules = try(each.value.xss_match_statement_rules, [])
}
data "aws_wafv2_web_acl" "web_acl_arn" {
# count = local.workspace.wafv2.global.waf_cloudfront_web_acl_enable ? 1 : 0
depends_on = [module.terraform_aws_wafv2_global]
provider = aws.us-east-1
name = "waf-${local.workspace.wafv2.global.acls.global_rule_name}"
scope = "CLOUDFRONT"
}
module "terraform_aws_wafv2_regional" {
source = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
for_each = { for rule in try(local.workspace.wafv2_regional.rules, []) : rule.regional_rule => rule }
waf_regional_enable = try(each.value.waf_regional_enable, false)
associate_waf = try(each.value.associate_waf, false)
regional_rule = try(each.value.regional_rule, [])
scope = each.value.scope
resource_arn = try(each.value.resource_arn, [])
default_action = try(each.value.default_action, "block")
### Log Configuration
logs_enable = try(each.value.logs_enable, false)
logs_retension = try(each.value.logs_retension, 90)
logging_redacted_fields = try(each.value.logging_redacted_fields, [])
logging_filter = try(each.value.logging_filter, [])
### Statement Rules
byte_match_statement_rules = try(each.value.byte_match_statement_rules, [])
geo_match_statement_rules = try(each.value.geo_match_statement_rules, [])
ip_set_reference_statement_rules = try(each.value.ip_set_reference_statement_rules, [])
managed_rule_group_statement_rules = try(each.value.managed_rule_group_statement_rules, [])
rate_based_statement_rules = try(each.value.rate_based_statement_rules, [])
regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
size_constraint_statement_rules = try(each.value.size_constraint_statement_rules, [])
sqli_match_statement_rules = try(each.value.sqli_match_statement_rules, [])
xss_match_statement_rules = try(each.value.xss_match_statement_rules, [])
}q
Name | Version |
---|---|
terraform | >= 0.13.0 |
Name | Version |
---|---|
aws | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
associate_waf | Whether to associate an ALB with the WAFv2 ACL. | bool |
false |
no |
byte_match_statement_rules | n/a | list(object({ |
n/a | yes |
default_action | n/a | string |
"block" |
no |
geo_match_statement_rules | n/a | list(object({ |
n/a | yes |
global_rule | Cloudfront WAF Rule Name | string |
"" |
no |
ip_set_reference_statement_rules | n/a | list(object({ |
n/a | yes |
logging_filter | n/a | list(object({ |
n/a | yes |
logging_redacted_fields | n/a | list(object({ |
n/a | yes |
logs_enable | Enable logs | bool |
false |
no |
logs_retension | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | number |
90 |
no |
managed_rule_group_statement_rules | n/a | list(object({ |
n/a | yes |
rate_based_statement_rules | n/a | list(object({ |
n/a | yes |
regex_pattern_set_reference_statement_rules | n/a | list(object({ |
n/a | yes |
regional_rule | Regional WAF Rules for ALB and API Gateway | string |
"" |
no |
resource_arn | ARN of the ALB to be associated with the WAFv2 ACL. | list(string) |
[] |
no |
scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL(ALB). | string |
n/a | yes |
size_constraint_statement_rules | n/a | list(object({ |
n/a | yes |
sqli_match_statement_rules | n/a | list(object({ |
n/a | yes |
waf_cloudfront_enable | Enable WAF for Cloudfront distribution | bool |
false |
no |
waf_regional_enable | Enable WAFv2 to ALB, API Gateway or AppSync GraphQL API | bool |
false |
no |
web_acl_id | Specify a web ACL ARN to be associated in CloudFront Distribution / # Optional WEB ACLs (WAF) to attach to CloudFront | string |
null |
no |
xss_match_statement_rules | n/a | list(object({ |
n/a | yes |
Name | Description |
---|---|
web_acl_arn | The ARN of the WAFv2 WebACL. |
web_acl_capacity_cloudfront | The web ACL capacity units (WCUs) currently being used by this web ACL. |
web_acl_capacity_regional | The web ACL capacity units (WCUs) currently being used by this web ACL. |
web_acl_id | The ID of the WAFv2 WebACL. |
web_acl_name_cloudfront | The name of the WAFv2 WebACL. |
web_acl_name_regional | The name of the WAFv2 WebACL. |
web_acl_visibility_config_name_cloudfront | The web ACL visibility config name |
web_acl_visibility_config_name_regional | The web ACL visibility config name |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.