Terraform module which creates an AWS Web Application Firewall (WebACL with managed rules and IP Whitelist) on AWS.
Terraform 0.12 and newer.
module "waf" {
source = "/path/to/terraform-aws-waf"
name = var.name
scope = "REGIONAL"
allow_default_action = true
arn_list = var.arn_list
create_alb_association = true
name_prefix = "test-waf-setup"
rules = [
{
name = "AWS-AWSManagedRulesAmazonIpReputationList"
priority = "10"
override_action = "block"
managed_rule_group_statement = {
name = "AWSManagedRulesAmazonIpReputationList"
vendor_name = "AWS"
}
visibility_config = {
metric_name = "AWSManagedRulesCommonRuleSet-metric"
}
},
{
name = "AWS-AWSManagedRulesCommonRuleSet"
priority = "11"
override_action = "count"
managed_rule_group_statement = {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
visibility_config = {
metric_name = "AWSManagedRulesCommonRuleSet-metric"
}
}
]
ip_set_list = [
{
name = "waf-ipset-1"
ip_address_version = "IPV4"
addresses = [
"1.2.3.4/32",
"5.6.7.8/32"
]
},
{
name = "waf-ipset-2"
ip_address_version = "IPV4"
addresses = [
"4.3.2.1/32",
"8.7.6.5/32"
]
}
]
visibility_config = {
metric_name = format("%s-main-metrics", var.name)
}
tags = {
Name = var.name
Env = var.environment
}
}An existing IP set which was provisioned with this module cannot be destroyed, because it won't be removed from the rule group actually.
Error: Error deleting WAFv2 IPSet: WAFAssociatedItemException: AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource.
Solution: Remove (detach) IP set manually from rule group and run terraform afterwards. Terraform then will remove the IP set.
| Name | Version |
|---|---|
| terraform | >= 0.12.6 |
| aws | >= 2.65 |
| Name | Version |
|---|---|
| aws | >= 2.65 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_wafv2_ip_set.this | resource |
| aws_wafv2_rule_group.ip_whitelist | resource |
| aws_wafv2_web_acl.this | resource |
| aws_wafv2_web_acl_association.this | resource |
| aws_wafv2_web_acl_logging_configuration.cloudwatch | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_default_action | Set to true for WAF to allow requests by default. Set to false for WAF to block requests by default. |
bool |
true |
no |
| arn_list | List of ARN from that are associated with Web ACL | list(string) |
null |
no |
| create_alb_association | Whether to create alb association with WAF web acl | bool |
true |
no |
| enabled | Whether to create the resources. Set to false to prevent the module from creating any resources |
bool |
true |
no |
| ip_set_list | List of IP Sets with IP addresses for WAF IP set | any |
[] |
no |
| ip_whitelist_capacity | Capacity of the IP whitelist rule group. See https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statements-list.html | number |
5 |
no |
| ip_whitelist_cloudwatch_metrics_enabled | Whether to enabled the IP whitelist Cloudwatch metrics | bool |
true |
no |
| ip_whitelist_enabled | Whether to enabled the IP whitelist | bool |
false |
no |
| ip_whitelist_sampled_requests_enabled | Whether to enabled the IP whitelist sample requests | bool |
true |
no |
| logging_destination_kms_key_arn | The KMS key id for encrypting the logging destination | string |
null |
no |
| logging_destination_retention | Number of days to keep the logs | number |
14 |
no |
| logging_destination_type | The Amazon Kinesis Data Firehose ('kinesis'), Cloudwatch Log log group ('cloudwatch'), or S3 bucket('s3') that you want to associate with the Web ACL | string |
"cloudwatch" |
no |
| logging_enabled | A boolean flag to enable/disable Web ACL logging | bool |
false |
no |
| name | Name to be used on all resources as prefix | string |
n/a | yes |
| prefix_ip_whitelist_metric_name | Name to be used on IP Whitelist's CLoudwatch metric name as prefix | string |
null |
no |
| prefix_ip_whitelist_rule_group_name | Name to be used on IP Whitelist's rule group name as prefix | string |
null |
no |
| prefix_web_acl_name | Name to be used on Web ACL name as prefix | string |
null |
no |
| rule_group_capacity_ip_whitelist | Capacity of IP Whitelisting rule group for external WAF. | number |
50 |
no |
| rule_group_name_ip_whitelist | Name of IP Whitelisting rule group for external WAF. | string |
"CUSTOM-IP-Whitelist" |
no |
| rule_group_priority_ip_whitelist | Priority of the IP whitelist rule group. | number |
5 |
no |
| rules_managed | List of managed WAF rules. | any |
[] |
no |
| scope | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | string |
"REGIONAL" |
no |
| tags | A map of tags (key-value pairs) passed to resources. | map(string) |
{} |
no |
| visibility_config | Visibility config for WAFv2 web acl. https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#visibility-configuration | map(string) |
{} |
no |
No outputs.
Module managed by Marcel Emmert. Inspired by umotif-public.
Apache 2 Licensed. See LICENSE for full details.