A Terraform module that creates an AWS Web Application Firewall (WAFv2) web ACL.
- Associate the WebACL with one resource (ALB, API Gateway, or Cognito User Pool)
- Create IPSets
- Create a WAFv2 Rule Group resource
- Custom Response Body
- Logging Configuration
- Statements
  - AndStatement
  - ByteMatchStatement
  - GeoMatchStatement
  - IPSetReferenceStatement
  - LabelMatchStatement
  - ManagedRuleGroupStatement
    - AWSManagedRulesACFPRuleSet
    - AWSManagedRulesATPRuleSet
    - AWSManagedRulesBotControlRuleSet
  - NotStatement
  - OrStatement
  - RateBasedStatement
  - RegexPatternSetStatement
  - SizeConstraintStatement
  - SqliMatchStatement
  - XssMatchStatement
- See the example code for full details.
Name | Version |
---|---|
terraform | >= 1.4.6 |
aws | >= 5.82.2 |
Name | Version |
---|---|
aws | 4.62.0 |
No modules.
Name | Type |
---|---|
aws_wafv2_web_acl.this | resource |
aws_wafv2_web_acl_association.this | resource |
aws_wafv2_web_acl_logging_configuration.this | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
captcha_config | (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. | number | 300 | no |
challenge_config | (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. | number | 300 | no |
custom_response_body | (Optional) Defines custom response bodies that can be referenced by custom_response actions. | map(any) | {} | no |
default_action | (Required) Action to perform if none of the rules contained in the WebACL match. | string | n/a | yes |
description | (Optional) Friendly description of the WebACL. | string | null | no |
enabled_logging_configuration | (Optional) Whether to create the logging configuration. | bool | false | no |
enabled_web_acl_association | (Optional) Whether to create the ALB association with the WebACL. | bool | true | no |
log_destination_configs | (Required) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Name (ARN) that you want to associate with the web ACL. | string | null | no |
logging_filter | (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | any | null | no |
name | (Required) Friendly name of the WebACL. | string | n/a | yes |
redacted_fields | (Optional) The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. | map(any) | null | no |
resource_arn | (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. | list(string) | n/a | yes |
rule | (Optional) Rule blocks used to identify the web requests that you want to allow, block, or count. | any | n/a | yes |
scope | (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. | string | n/a | yes |
tags | (Optional) Map of key-value pairs to associate with the resource. | map(string) | null | no |
token_domains | (Optional) Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains. | list(string) | [] | no |
visibility_config | (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. | map(string) | n/a | yes |
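An added example (not part of this module's own documentation) of how these inputs fit together for a regional web ACL with an AWS managed rule group, a per-IP rate limit, and CloudWatch logging with the Authorization header redacted. Because `rule`, `redacted_fields` and `logging_filter` are typed `any`/`map(any)` above, their object shapes here are assumed to follow the provider's `aws_wafv2_web_acl` and `aws_wafv2_web_acl_logging_configuration` blocks; `aws_lb.public` and `aws_cloudwatch_log_group.waf` are hypothetical resources declared elsewhere.

```hcl
module "web_acl" {
  source = "./"                      # path to this module (assumed)
  name           = "public-alb-web-acl"
  description    = "Regional WebACL in front of the public ALB"
  scope          = "REGIONAL"        # "CLOUDFRONT" requires the provider to be in us-east-1
  default_action = "allow"

  visibility_config = {
    cloudwatch_metrics_enabled = true
    metric_name                = "public-alb-web-acl"
    sampled_requests_enabled   = true
  }

  # Assumed shape: one object per rule, following the provider's rule block.
  rule = [
    {
      name            = "aws-managed-common"
      priority        = 1
      override_action = "count"      # observe first; switch to "none" once false positives are reviewed
      managed_rule_group_statement = {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    },
    {
      name     = "rate-limit-per-ip"
      priority = 2
      action   = "block"
      rate_based_statement = {
        limit              = 2000    # requests per 5-minute window from a single IP
        aggregate_key_type = "IP"
      }
    },
  ]

  enabled_web_acl_association = true
  resource_arn                = [aws_lb.public.arn]               # hypothetical ALB

  # Ship logs to CloudWatch Logs; the log group name must start with "aws-waf-logs-".
  enabled_logging_configuration = true
  log_destination_configs       = aws_cloudwatch_log_group.waf.arn  # hypothetical log group
  redacted_fields = {
    single_header = { name = "authorization" }   # keep bearer tokens out of the logs
  }
  logging_filter = {
    default_behavior = "KEEP"
    filter = [{ behavior = "DROP", requirement = "MEETS_ALL", condition = [{ action_condition = { action = "ALLOW" } }] }]
  }
}
```

The filter keeps only blocked and counted requests, which is what detection tooling normally needs, while allowed traffic is still visible through the CloudWatch metrics and sampled requests enabled above.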
Name | Description |
---|---|
aws_wafv2_arn | The ARN of the WAF WebACL. |
aws_wafv2_capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
aws_wafv2_id | The ID of the WAF WebACL. |
aws_wafv2_tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
aws_wafv2_web_acl_logging_configuration_id | The ID of the logging configuration, which is the Amazon Resource Name (ARN) of the WAFv2 Web ACL it is attached to. |