Creates an AWS WAFv2 ACL and supports the following:
- AWS Managed Rule Sets
- Associating with Application Load Balancers (ALB)
- Blocking IP Sets
- Rate limiting IPs
Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.
```hcl
# CloudFront-scoped ACL: the provider used here must point at us-east-1.
module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name  = "cloudfront-web-acl"
  scope = "CLOUDFRONT"
}

# Regional ACL associated with an existing ALB (aws_lb.alb).
module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name          = "alb-web-acl"
  scope         = "REGIONAL"
  alb_arn       = aws_lb.alb.arn
  associate_alb = true
}
```
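The note above says the provider must be in us-east-1 for a `CLOUDFRONT` scope. The following is an added example (not part of the module's README) showing how to do that with a provider alias while the rest of the configuration stays in another region, and how the module's `web_acl_id` output (the ACL ARN) is attached to a distribution. The default region, the origin domain name and the distribution resource are assumptions for illustration.

```hcl
# Default provider for everything else in the configuration (assumed region).
provider "aws" {
  region = "us-west-2"
}

# Aliased provider pinned to us-east-1, required for CLOUDFRONT-scoped WAFv2 ACLs.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  # Hand the module the us-east-1 provider instead of the default one.
  providers = {
    aws = aws.us_east_1
  }

  name  = "cloudfront-web-acl"
  scope = "CLOUDFRONT"
}

# Minimal distribution (assumed) that fronts an HTTPS origin and uses the ACL.
resource "aws_cloudfront_distribution" "cdn" {
  enabled = true

  origin {
    domain_name = "origin.example.com" # placeholder origin
    origin_id   = "primary"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "primary"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # For WAFv2, CloudFront's web_acl_id takes the ACL ARN, which is what the module outputs.
  web_acl_id = module.cloudfront_wafv2.web_acl_id
}
```

If the `providers` map is omitted, the module inherits the default provider and `terraform apply` fails when that provider is not in us-east-1.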
```hcl
# IP set holding the addresses to block. Scope must match the ACL's scope.
resource "aws_wafv2_ip_set" "ipset" {
  name               = "blocked_ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

module "wafv2" {
  source = "../../"

  name  = "wafv2"
  scope = "REGIONAL"

  # Variable name matches the module's inputs table (ip_sets_rule).
  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}
```
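Rate limiting is listed as a feature but not shown in use above. The following is an added example (not from the module's README) that combines an explicit block list with a rate-based rule on a regional ALB ACL. The `ip_rate_based_rule` object fields (`name`, `priority`, `limit`, `action`) are an assumption about the module's variable schema; confirm them against the module's `variables.tf` before use. The ALB resource and IP set are assumed to exist.

```hcl
# Assumed IP set of known-bad sources, evaluated first.
resource "aws_wafv2_ip_set" "blocked" {
  name               = "blocked_ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.10/32"] # documentation-range placeholder
}

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

  name          = "alb-web-acl"
  scope         = "REGIONAL"
  alb_arn       = aws_lb.alb.arn # assumed existing ALB
  associate_alb = true

  # Priority 1: drop the explicit block list before any counting happens.
  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.blocked.arn
    }
  ]

  # Priority 2: per-source-IP rate limit. Field names are assumed (see lead-in).
  # "limit" is the request count per IP in any 5-minute window, as the inputs
  # table describes; the value here is a placeholder to tune per workload.
  ip_rate_based_rule = {
    name     = "rate_limit_per_ip"
    priority = 2
    action   = "block"
    limit    = 2000
  }
}
```

Keep the block-list rule at a lower priority number than the rate rule so that already-blocked sources never consume the rate counter, and start the rate rule with `action = "count"` to observe its hit rate in WAF metrics before switching it to `block`.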
Requirements:

Name | Version |
---|---|
terraform | ~> 0.12.0 |
aws | ~> 2.70 |

Providers:

Name | Version |
---|---|
aws | ~> 2.70 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
alb_arn | ARN of the ALB to be associated with the WAFv2 ACL. | string | "" | no |
associate_alb | Whether to associate an ALB with the WAFv2 ACL. | bool | false | no |
filtered_header_rule | HTTP header to filter. Currently supports a single header type and multiple header values. | object({ | { | no |
ip_rate_based_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. | object({ | null | no |
ip_sets_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | list(object({ | [] | no |
managed_rules | List of Managed WAF rules. | list(object({ | [ | no |
name | A friendly name of the WebACL. | string | n/a | yes |
scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | string | n/a | yes |
tags | A mapping of tags to assign to the WAFv2 ACL. | map(string) | {} | no |

Outputs:

Name | Description |
---|---|
web_acl_id | The ARN of the WAF WebACL. |
Install dependencies (macOS):

```sh
brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks
```

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

```sh
make test
```

Or with aws-vault:

```sh
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
```