SourceFuse's AWS Reference Architecture Terraform module for AWS WAF (Web Application Firewall) simplifies the setup and management of web access controls. Leveraging the hashicorp/aws Terraform provider, this module allows users to define and deploy WAF configurations, including web ACLs and IP sets, with ease. The module supports customizable rules, default actions, and visibility configurations, empowering users to tailor WAF policies based on their specific security requirements. By associating web ACLs with designated resources through the aws_wafv2_web_acl_association resource, the module ensures seamless integration and protection for web applications against various threats. With support for tags and dependency management, this WAF module provides a robust foundation for enhancing the security posture of AWS-hosted web applications.
For more information about this repository and its usage, please see Terraform AWS ARC WAF Module Usage Guide.
To see a full example, check out the main.tf file in the example folder.
```hcl
module "waf" {
  source  = "sourcefuse/arc-waf/aws"
  version = "1.0.2"

  ## web acl
  create_web_acl         = true
  web_acl_name           = "${var.namespace}-${var.environment}-waf-web-acl"
  web_acl_description    = "Terraform managed Web ACL Configuration"
  web_acl_scope          = "REGIONAL"
  web_acl_default_action = "block"
  web_acl_visibility_config = {
    metric_name = "${var.namespace}-${var.environment}-waf-web-acl"
  }
  web_acl_rules = var.web_acl_rules

  ## ip set
  ip_set = [
    {
      name               = "example-ip-set"
      description        = "Example description"
      scope              = "REGIONAL"
      ip_address_version = "IPV4"
      addresses          = []
    }
  ]

  tags = module.tags.tags
}
```
Name | Version |
---|---|
terraform | >= 1.3, < 2.0.0 |
aws | >= 4.0 |
Name | Version |
---|---|
aws | 5.8.0 |
No modules.
Name | Type |
---|---|
aws_wafv2_ip_set.this | resource |
aws_wafv2_web_acl.this | resource |
aws_wafv2_web_acl_association.this | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
association_resource_arns | The Amazon Resource Names (ARNs) of the resources to associate with the web ACL. Each must be the ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool. | list(string) | [] | no |
create_web_acl | Whether to create the WAF Web ACL. | bool | true | no |
ip_set | Configuration for WAFv2 IP sets. name: a friendly name for the IP set. description: a friendly description of the IP set; default is "Terraform managed IP Set configuration". scope: whether the set is for an AWS CloudFront distribution or a regional application; valid values are CLOUDFRONT or REGIONAL; default is "REGIONAL". ip_address_version: IPV4 or IPV6; default is "IPV4". addresses: zero or more IP addresses or blocks of IP addresses, all in Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0. | list(object({…})) | [] | no |
tags | A map of tags to assign to the resource. If the provider has a default_tags configuration block, tags with matching keys overwrite those defined at the provider level. | map(string) | {} | no |
web_acl_custom_response_body | Custom response bodies that can be referenced by custom_response actions. | list(object({…})) | [] | no |
web_acl_default_action | Action to perform if none of the rules in the Web ACL match. Options are allow or block. | string | n/a | yes |
web_acl_description | Description of the Web ACL. | string | "Terraform managed Web ACL Configuration" | no |
web_acl_name | Name of the WAFv2 Web ACL. | string | n/a | yes |
web_acl_rules | Rule blocks used to identify the web requests that you want to allow, block, or count. | any | [] | no |
web_acl_scope | Whether the Web ACL is for an AWS CloudFront distribution or a regional application. Valid values are CLOUDFRONT or REGIONAL. | string | "REGIONAL" | no |
web_acl_visibility_config | Defines and enables Amazon CloudWatch metrics and web request sample collection. | object({…}) | n/a | yes |
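The constraints listed for `ip_set` above (CIDR notation, no /0, addresses matching `ip_address_version`) and the enumerated values of `web_acl_default_action` and `web_acl_scope` are easy to get wrong in a tfvars file, and `terraform plan` only reports them after talking to AWS. The following script is an added example, not part of the SourceFuse module: it checks a tfvars-shaped dict offline (the sample input is constructed, and the validation rules are taken from the descriptions in the inputs table), suitable for a pre-commit hook.

```python
# Added example (not part of the SourceFuse module): pre-apply check of the
# ip_set / web ACL inputs against the constraints listed in the inputs table.
import ipaddress

VALID_SCOPES = {"CLOUDFRONT", "REGIONAL"}
VALID_ACTIONS = {"allow", "block"}

def check_address(addr, ip_version):
    """Return an error string for one address, or None if WAF would accept it."""
    if "/" not in addr:
        return f"{addr!r} lacks a CIDR prefix (use /32 or /128 for a single host)"
    try:
        # strict=True rejects host bits set below the prefix, e.g. 10.1.2.3/24
        net = ipaddress.ip_network(addr, strict=True)
    except ValueError:
        return f"{addr!r} is not a valid CIDR block"
    if net.prefixlen == 0:
        return f"{addr!r}: WAF does not accept /0 ranges"
    if (net.version == 4) != (ip_version == "IPV4"):
        return f"{addr!r} does not match ip_address_version={ip_version}"
    return None

def validate_waf_vars(tfvars):
    """Return every problem found in a tfvars-shaped dict; empty list means OK."""
    errors = []
    if tfvars.get("web_acl_default_action") not in VALID_ACTIONS:
        errors.append("web_acl_default_action must be 'allow' or 'block'")
    if tfvars.get("web_acl_scope", "REGIONAL") not in VALID_SCOPES:
        errors.append("web_acl_scope must be CLOUDFRONT or REGIONAL")
    for entry in tfvars.get("ip_set", []):
        name = entry.get("name") or "<unnamed>"
        version = entry.get("ip_address_version", "IPV4")  # module default
        if version not in ("IPV4", "IPV6"):
            errors.append(f"ip_set {name}: ip_address_version must be IPV4 or IPV6")
            continue
        for addr in entry.get("addresses", []):
            problem = check_address(addr, version)
            if problem:
                errors.append(f"ip_set {name}: {problem}")
    return errors

# Constructed sample input; the second set deliberately violates each rule.
SAMPLE_TFVARS = {
    "web_acl_default_action": "block", "web_acl_scope": "REGIONAL",
    "ip_set": [
        {"name": "office-egress", "addresses": ["203.0.113.0/24", "198.51.100.7/32"]},
        {"name": "bad-set", "addresses": ["0.0.0.0/0", "2001:db8::/32", "10.1.2.3/24", "192.0.2.1"]},
    ],
}
```

Running `validate_waf_vars(SAMPLE_TFVARS)` returns four errors, all for `bad-set`, and nothing for `office-egress`.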
Name | Description |
---|---|
arn | The ARN of the WAF WebACL. |
capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
id | The ID of the WAF WebACL. |
ip_set_arn | The IP Set ARN |
tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
When contributing or making a git commit, state in the commit message whether the change is major, minor or patch, for example:

```sh
git commit -m "your commit message #major"
```

The tag bumps the version accordingly; if the commit message carries no tag, the change is treated as a patch and the patch version is bumped.
- Configure pre-commit hooks

  ```sh
  pre-commit install
  ```

- Tests are available in the `test` directory.

- Configure the dependencies

  ```sh
  cd test/
  go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
  go get github.com/gruntwork-io/terratest/modules/terraform
  ```

- Now execute the test

  ```sh
  go test -timeout 30m
  ```
This project is authored by:
- SourceFuse ARC Team