Skip to content

litmus/terraform-aws-wafv2

 
 

Repository files navigation

terraform-aws-wafv2

Creates AWS WAFv2 ACL and supports the following

  • AWS Managed Rule Sets
  • Associating with Application Load Balancers (ALB)
  • Blocking IP Sets
  • Rate limiting IPs

Usage with CloudFront

Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.

module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "cloudfront-web-acl"
  scope = "CLOUDFRONT"
}

Usage with Application Load Balancer (ALB)

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "alb-web-acl"
  scope = "REGIONAL"

  alb_arn       = aws_lb.alb.arn
  associate_alb = true
}

Usage blocking IP Sets

resource "aws_wafv2_ip_set" "ipset" {
  name = "blocked_ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

module "wafv2" {
  source = "../../"

  name   = "wafv2"
  scope = "REGIONAL"

  ip_set_rules = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}

Requirements

Name Version
terraform ~> 0.12.0
aws ~> 2.70

Providers

Name Version
aws ~> 2.70

Inputs

Name Description Type Default Required
alb_arn ARN of the ALB to be associated with the WAFv2 ACL. string "" no
associate_alb Whether to associate an ALB with the WAFv2 ACL. bool false no
filtered_header_rule HTTP header to filter . Currently supports a single header type and multiple header values.
object({
header_types = list(string)
priority = number
header_value = string
action = string
})
{
"action": "block",
"header_types": [],
"header_value": "",
"priority": 1
}
no
ip_rate_based_rule A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
object({
name = string
priority = number
limit = number
action = string
})
null no
ip_sets_rule A rule to detect web requests coming from particular IP addresses or address ranges.
list(object({
name = string
priority = number
ip_set_arn = string
action = string
}))
[] no
managed_rules List of Managed WAF rules.
list(object({
name = string
priority = number
override_action = string
excluded_rules = list(string)
}))
[
{
"excluded_rules": [],
"name": "AWSManagedRulesCommonRuleSet",
"override_action": "none",
"priority": 10
},
{
"excluded_rules": [],
"name": "AWSManagedRulesAmazonIpReputationList",
"override_action": "none",
"priority": 20
},
{
"excluded_rules": [],
"name": "AWSManagedRulesKnownBadInputsRuleSet",
"override_action": "none",
"priority": 30
},
{
"excluded_rules": [],
"name": "AWSManagedRulesSQLiRuleSet",
"override_action": "none",
"priority": 40
},
{
"excluded_rules": [],
"name": "AWSManagedRulesLinuxRuleSet",
"override_action": "none",
"priority": 50
},
{
"excluded_rules": [],
"name": "AWSManagedRulesUnixRuleSet",
"override_action": "none",
"priority": 60
}
]
no
name A friendly name of the WebACL. string n/a yes
scope The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. string n/a yes
tags A mapping of tags to assign to the WAFv2 ACL. map(string) {} no

Outputs

Name Description
web_acl_id The ARN of the WAF WebACL.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test

About

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 68.3%
  • Go 17.6%
  • Shell 10.4%
  • Makefile 3.7%