This Terraform module creates two types of WAFv2 Web ACL rules:
Below is a common list of Web ACL rules that can be used by this module and how to set them up, plus a link to the documentation with the full list of AWS WAF rules. You need to use the "Name" of the Rule Groups and keep an eye on WCUs: that is why the rules of a Web ACL can't exceed 1500 WCUs.
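# Global (CLOUDFRONT-scope) Web ACLs: one module instance per entry of
# local.workspace.wafv2_global.rules, keyed by the entry's global_rule name.
module "terraform_aws_wafv2_global" {
  source = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"

  # global_rule is the for_each key, so every entry must define it; an entry
  # without it fails at plan time here rather than in a later try() fallback.
  for_each = { for rule in try(local.workspace.wafv2_global.rules, []) : rule.global_rule => rule }

  waf_cloudfront_enable = try(each.value.waf_cloudfront_enable, false)
  web_acl_id            = try(each.value.web_acl_id, "") # Optional WEB ACLs (WAF) to attach to CloudFront
  # global_rule is a string input (module default ""), so the fallback is a
  # string too rather than an empty list.
  global_rule = try(each.value.global_rule, "")
  scope       = each.value.scope
  # "block" denies anything no rule explicitly allows; only override it per
  # entry when the rule set is deliberately written as an allow-list.
  default_action = try(each.value.default_action, "block")

  ### Log Configuration
  # Logging is off unless the entry sets logs_enable; without it blocked and
  # allowed requests are not visible for detection or incident review.
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  # Each list defaults to empty, so an entry only pays WCUs for the statement
  # types it actually declares.
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}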
# Resolves the ARN of the global (CLOUDFRONT-scope) Web ACL created by the
# module above, looked up by name.
# NOTE(review): this reads local.workspace.wafv2.global.acls.global_rule_name
# while the module iterates local.workspace.wafv2_global.rules — confirm both
# paths exist in the workspace config and that the module really names its
# ACL "waf-<global_rule>", otherwise this lookup fails at plan time.
data "aws_wafv2_web_acl" "web_acl_arn" {
  # CloudFront-scope WAFv2 resources are managed through us-east-1.
  provider = aws.us-east-1
  scope    = "CLOUDFRONT"
  name     = format("waf-%s", local.workspace.wafv2.global.acls.global_rule_name)

  # Make sure the ACLs exist before the lookup runs.
  depends_on = [module.terraform_aws_wafv2_global]

  # Conditional creation was left disabled by the author:
  # count = local.workspace.wafv2.global.waf_cloudfront_web_acl_enable ? 1 : 0
}
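# Regional Web ACLs (ALB / API Gateway / AppSync): one module instance per
# entry of local.workspace.wafv2_regional.rules, keyed by regional_rule.
module "terraform_aws_wafv2_regional" {
  source = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"

  # regional_rule is the for_each key, so every entry must define it.
  for_each = { for rule in try(local.workspace.wafv2_regional.rules, []) : rule.regional_rule => rule }

  waf_regional_enable = try(each.value.waf_regional_enable, false)
  # An ACL that is not associated protects nothing: set associate_waf and
  # resource_arn together for the resources it is meant to front.
  associate_waf = try(each.value.associate_waf, false)
  # regional_rule is a string input (module default ""), so the fallback is a
  # string too rather than an empty list.
  regional_rule = try(each.value.regional_rule, "")
  scope         = each.value.scope
  resource_arn  = try(each.value.resource_arn, [])
  # "block" denies anything no rule explicitly allows; only override it per
  # entry when the rule set is deliberately written as an allow-list.
  default_action = try(each.value.default_action, "block")

  ### Log Configuration
  # Logging is off unless the entry sets logs_enable; without it blocked and
  # allowed requests are not visible for detection or incident review.
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  # Each list defaults to empty, so an entry only pays WCUs for the statement
  # types it actually declares.
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
} # stray "q" after the closing brace removed; it made the snippet invalid HCL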
Name | Version |
---|---|
terraform | >= 0.13.0 |
Name | Version |
---|---|
aws | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
associate_waf | Whether to associate an ALB with the WAFv2 ACL. | bool |
false |
no |
byte_match_statement_rules | n/a | <pre>list(object({ name = string priority = number action = string byte_matchs = list(object({ positional_constraint = string search_string = string })) byte_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = string type = string })) }))</pre> |
n/a | yes |
default_action | n/a | string |
"block" |
no |
geo_match_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string country_codes = list(string) geo_match_statement = list(object({ fallback_behavior = string header_name = string })) }))</pre> |
n/a | yes |
global_rule | Cloudfront WAF Rule Name | string |
"" |
no |
ip_set_reference_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string ip_set = list(string) ip_set_reference_statement = list(object({ fallback_behavior = string header_name = string position = string })) }))</pre> |
n/a | yes |
logging_filter | n/a | <pre>list(object({ default_behavior = string filter = list(object({ behavior = string requirement = string condition = list(object({ action_condition = string label_name_condition = string })) })) }))</pre> |
n/a | yes |
logging_redacted_fields | n/a | <pre>list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string }))</pre> |
n/a | yes |
logs_enable | Enable logs | bool |
false |
no |
logs_retension | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | number |
90 |
no |
managed_rule_group_statement_rules | n/a | <pre>list(object({ name = string priority = string managed_rule_group_statement = list(object({ name = string vendor_name = string rule_action_override = list(object({ name = string action_to_use = string })) excluded_rule = list(object({ name = string })) })) }))</pre> |
n/a | yes |
rate_based_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string rate_based = list(object({ aggregate_key_type = string limit = number })) rate_based_statement = list(object({ fallback_behavior = string header_name = string })) }))</pre> |
n/a | yes |
regex_pattern_set_reference_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string regex_set = list(string) regex_pattern_set_reference_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))</pre> |
n/a | yes |
regional_rule | Regional WAF Rules for ALB and API Gateway | string |
"" |
no |
resource_arn | ARN of the ALB to be associated with the WAFv2 ACL. | list(string) |
[] |
no |
scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL (ALB). | string |
n/a | yes |
size_constraint_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string comparison_operator = string size = number size_constraint_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))</pre> |
n/a | yes |
sqli_match_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string sqli_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))</pre> |
n/a | yes |
waf_cloudfront_enable | Enable WAF for Cloudfront distribution | bool |
false |
no |
waf_regional_enable | Enable WAFv2 for ALB, API Gateway or AppSync GraphQL API | bool |
false |
no |
web_acl_id | Specify a web ACL ARN to be associated with the CloudFront distribution (optional WEB ACL (WAF) to attach to CloudFront) | string |
null |
no |
xss_match_statement_rules | n/a | <pre>list(object({ name = string priority = string action = string xss_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))</pre> |
n/a | yes |
Name | Description |
---|---|
web_acl_arn | The ARN of the WAFv2 WebACL. |
web_acl_capacity_cloudfront | The web ACL capacity units (WCUs) currently being used by this web ACL. |
web_acl_capacity_regional | The web ACL capacity units (WCUs) currently being used by this web ACL. |
web_acl_id | The ID of the WAFv2 WebACL. |
web_acl_name_cloudfront | The name of the WAFv2 WebACL. |
web_acl_name_regional | The name of the WAFv2 WebACL. |
web_acl_visibility_config_name_cloudfront | The web ACL visibility config name |
web_acl_visibility_config_name_regional | The web ACL visibility config name |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.