terraform-aws-waf

This terraform module creates two type of WAFv2 Web ACL rules:

• CLOUDFRONT is a Global rule used in CloudFront Distribution only
• REGIONAL rules can be used in ALB, API Gateway or AppSync GraphQL API

Follow a commum list of Web ACL rules that can be used by this module and how to setup it, also a link of the documentation with a full list of AWS WAF Rules, you need to use the "Name" of the Rule Groups and take care with WCUs, it's why Web ACL rules can't exceed 1500 WCUs.

• byte_match_statement
• geo_match_statement
• ip_set_reference_statement
• managed_rule_group_statement
  • AWSManagedRulesCommonRuleSet
  • AWSManagedRulesAmazonIpReputationList
  • AWSManagedRulesKnownBadInputsRuleSet
  • AWSManagedRulesSQLiRuleSet
  • AWSManagedRulesLinuxRuleSet
  • AWSManagedRulesUnixRuleSet
• rate_based_statement
• regex_pattern_set_reference_statement
• size_constraint_statement
• sqli_match_statement
• xss_match_statement

Usage

module "terraform_aws_wafv2_global" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_global.rules, []) : rule.global_rule => rule }

  waf_cloudfront_enable = try(each.value.waf_cloudfront_enable, false)
  web_acl_id            = try(each.value.web_acl_id, "") # Optional WEB ACLs (WAF) to attach to CloudFront
  global_rule           = try(each.value.global_rule, [])
  scope                 = each.value.scope
  default_action        = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}

data "aws_wafv2_web_acl" "web_acl_arn" {
# count = local.workspace.wafv2.global.waf_cloudfront_web_acl_enable ? 1 : 0
depends_on = [module.terraform_aws_wafv2_global]
provider = aws.us-east-1
  name  = "waf-${local.workspace.wafv2.global.acls.global_rule_name}"
  scope = "CLOUDFRONT"
}

module "terraform_aws_wafv2_regional" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_regional.rules, []) : rule.regional_rule => rule }

  waf_regional_enable = try(each.value.waf_regional_enable, false)
  associate_waf       = try(each.value.associate_waf, false)
  regional_rule       = try(each.value.regional_rule, [])
  scope               = each.value.scope
  resource_arn        = try(each.value.resource_arn, [])
  default_action      = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}q

Requirements

Name	Version
terraform	>= 0.13.0

Providers

Name	Version
aws	n/a

Inputs

Name	Description	Type	Default	Required
associate_waf	Whether to associate an ALB with the WAFv2 ACL.	bool	false	no
byte_match_statement_rules	n/a	list(object({ name = string priority = number action = string byte_matchs = list(object({ positional_constraint = string search_string = string })) byte_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = string type = string })) }))	n/a	yes
default_action	n/a	string	"block"	no
geo_match_statement_rules	n/a	list(object({ name = string priority = string action = string country_codes = list(string) geo_match_statement = list(object({ fallback_behavior = string header_name = string })) }))	n/a	yes
global_rule	Cloudfront WAF Rule Name	string	""	no
ip_set_reference_statement_rules	n/a	list(object({ name = string priority = string action = string ip_set = list(string) ip_set_reference_statement = list(object({ fallback_behavior = string header_name = string position = string })) }))	n/a	yes
logging_filter	n/a	list(object({ default_behavior = string filter = list(object({ behavior = string requirement = string condition = list(object({ action_condition = string label_name_condition = string })) })) }))	n/a	yes
logging_redacted_fields	n/a	list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string }))	n/a	yes
logs_enable	Enable logs	bool	false	no
logs_retension	Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire.	number	90	no
managed_rule_group_statement_rules	n/a	list(object({ name = string priority = string managed_rule_group_statement = list(object({ name = string vendor_name = string excluded_rule = list(string) block_rule_action_override = list(string) })) }))	n/a	yes
rate_based_statement_rules	n/a	list(object({ name = string priority = string action = string rate_based = list(object({ aggregate_key_type = string limit = number })) rate_based_statement = list(object({ fallback_behavior = string header_name = string })) }))	n/a	yes
regex_pattern_set_reference_statement_rules	n/a	list(object({ name = string priority = string action = string regex_set = list(string) regex_pattern_set_reference_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
regional_rule	Regional WAF Rules for ALB and API Gateway	string	""	no
resource_arn	ARN of the ALB to be associated with the WAFv2 ACL.	list(string)	[]	no
scope	The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL(ALB).	string	n/a	yes
size_constraint_statement_rules	n/a	list(object({ name = string priority = string action = string comparison_operator = string size = number size_constraint_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
sqli_match_statement_rules	n/a	list(object({ name = string priority = string action = string sqli_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
waf_cloudfront_enable	Enable WAF for Cloudfront distribution	bool	false	no
waf_regional_enable	Enable WAFv2 to ALB, API Gateway or AppSync GraphQL API	bool	false	no
web_acl_id	Specify a web ACL ARN to be associated in CloudFront Distribution / # Optional WEB ACLs (WAF) to attach to CloudFront	string	null	no
xss_match_statement_rules	n/a	list(object({ name = string priority = string action = string xss_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes

Outputs

Name	Description
web_acl_arn	The ARN of the WAFv2 WebACL.
web_acl_capacity_cloudfront	The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_capacity_regional	The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_id	The ID of the WAFv2 WebACL.
web_acl_name_cloudfront	The name of the WAFv2 WebACL.
web_acl_name_regional	The name of the WAFv2 WebACL.
web_acl_visibility_config_name_cloudfront	The web ACL visibility config name
web_acl_visibility_config_name_regional	The web ACL visibility config name

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.