Creates an AWS WAFv2 Web ACL and supports the following:
- AWS Managed Rule Sets
- Associating with Application Load Balancers (ALB)
- Blocking IP Sets
- Global IP Rate limiting
- Custom IP rate limiting for different URLs
Terraform 0.13 and newer: pin the module version to ~> 2.0 and submit pull requests to the master branch.
Terraform 0.12: pin the module version to ~> 1.0 and submit pull requests to the terraform012 branch.
Note: to create a CLOUDFRONT-scoped ACL, the Terraform AWS provider used by this module must be configured for the us-east-1 region.
```hcl
# CloudFront-scoped Web ACL. The aws provider this module uses must be
# configured for us-east-1 (see the note above).
module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"
  name    = "cloudfront-web-acl"
  scope   = "CLOUDFRONT"
}
```

```hcl
# Regional Web ACL associated with an Application Load Balancer.
# associate_alb creates the aws_wafv2_web_acl_association resource.
module "alb_wafv2" {
  source        = "trussworks/wafv2/aws"
  version       = "0.0.1"
  name          = "alb-web-acl"
  scope         = "REGIONAL"
  alb_arn       = aws_lb.alb.arn
  associate_alb = true
}
```
```hcl
# IP set holding the addresses to block. Its scope must match the Web ACL's.
resource "aws_wafv2_ip_set" "ipset" {
  name               = "blocked_ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

# Web ACL with a single IP-set rule that blocks the addresses above.
# The relative source is what the module's own examples directory uses;
# consume it from the registry with source = "trussworks/wafv2/aws" and a version.
module "wafv2" {
  source = "../../"
  name   = "wafv2"
  scope  = "REGIONAL"
  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}
```
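The examples above cover ALB association and IP-set blocking but not the managed rule sets or the two rate-limiting features listed at the top of this README. The following is an added example, not code from the module's README, that combines them in one regional ACL. The attribute names inside the `managed_rules`, `ip_rate_based_rule` and `ip_rate_url_based_rules` objects are assumptions based on the module's variable schema (the inputs table below truncates the object types) and should be checked against `variables.tf` of the pinned version; the rule-set and rule names are AWS Managed Rules identifiers.

```hcl
# Added example: regional Web ACL with managed rule sets, a global per-IP
# rate limit and a tighter per-IP limit scoped to the login path.
# Object attribute names below are assumed from the module's variables.tf.
module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "~> 2.0"

  name          = "alb-web-acl"
  scope         = "REGIONAL"
  alb_arn       = aws_lb.alb.arn
  associate_alb = true

  # Requests matched by no rule are allowed; the rules below do the blocking.
  default_action = "allow"

  # AWS Managed Rule Sets. Lower priority values are evaluated first.
  # override_action = "count" records matches without blocking, which is the
  # usual way to trial a rule set against real traffic before enforcing it.
  managed_rules = [
    {
      name            = "AWSManagedRulesCommonRuleSet"
      priority        = 10
      override_action = "none"
      # Exclude a rule that would reject large legitimate uploads.
      excluded_rules  = ["SizeRestrictions_BODY"]
    },
    {
      name            = "AWSManagedRulesKnownBadInputsRuleSet"
      priority        = 20
      override_action = "none"
      excluded_rules  = []
    },
    {
      name            = "AWSManagedRulesSQLiRuleSet"
      priority        = 30
      override_action = "count" # trial mode: count only, review logs, then set "none"
      excluded_rules  = []
    },
  ]

  # Global per-IP rate limit: block a source IP that exceeds this many
  # requests in the 5-minute window WAF evaluates.
  ip_rate_based_rule = {
    name     = "global-ip-rate-limit"
    priority = 40
    limit    = 2000
    action   = "block"
  }

  # Stricter per-IP limit that only counts requests whose URI path starts
  # with /login, protecting the credential endpoint from brute forcing.
  ip_rate_url_based_rules = [
    {
      name                  = "login-ip-rate-limit"
      priority              = 50
      limit                 = 100
      action                = "block"
      search_string         = "/login"
      positional_constraint = "STARTS_WITH"
    },
  ]

  tags = {
    Environment = "prod"
  }
}
```

Priorities must be unique across all rules in the ACL, including the IP-set rules from the previous example, so plan the numbering before adding rules. The URL-scoped limit sits at a higher priority number than the global one only for readability; each rate-based rule keeps its own counter, so the order between them does not change what is blocked.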
Requirements:

Name | Version |
---|---|
terraform | >= 0.13.0 |
aws | >= 3.0 |

Providers:

Name | Version |
---|---|
aws | >= 3.0 |

Modules:

No modules.

Resources:

Name | Type |
---|---|
aws_wafv2_web_acl.main | resource |
aws_wafv2_web_acl_association.main | resource |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
alb_arn | ARN of the ALB to be associated with the WAFv2 ACL. | string | "" | no |
associate_alb | Whether to associate an ALB with the WAFv2 ACL. | bool | false | no |
default_action | The action to perform if none of the rules contained in the WebACL match. | string | "allow" | no |
filtered_header_rule | HTTP header to filter. Currently supports a single header type and multiple header values. | object({ | { | no |
group_rules | List of WAFv2 Rule Groups. | list(object({ | [] | no |
ip_rate_based_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. | object({ | null | no |
ip_rate_url_based_rules | A rate- and URL-based rule tracks the rate of requests for each originating IP address to a given URL, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. | list(object({ | [] | no |
ip_sets_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | list(object({ | [] | no |
managed_rules | List of Managed WAF rules. | list(object({ | [ | no |
name | A friendly name of the WebACL. | string | n/a | yes |
scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | string | n/a | yes |
tags | A mapping of tags to assign to the WAFv2 ACL. | map(string) | {} | no |
Outputs:

Name | Description |
---|---|
web_acl_id | The ARN of the WAF WebACL. |
Install dependencies (macOS):

```sh
brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks
```

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

```sh
make test
```

Or with aws-vault:

```sh
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
```