terraform-aws-wafv2-module

Terraform Module for AWS WAFv2 creation.

Github Workflows · Repository Configuration · Versioning



About

This Terraform module creates an AWS WAFv2 WebACL with associated rules and conditions.

Limitations

  1. Regional vs Global rules: This module only supports regional rules for now.
  2. Nested (recursive) rules are not supported by this module (and_statement, not_statement and or_statement).
  3. Statements not yet implemented:
    • label_match_statement
    • regex_match_statement
    • size_constraint_statement
    • sqli_match_statement
    • xss_match_statement
    • managed_rule_group_statement
    • rule_group_reference_statement

Contact

Github mBlomsterberg

Repository overview

| File | Description |
|------|-------------|
| .github/ISSUE_TEMPLATE | Configuring issue templates for your repository |
| .github/pull_request_template.yml | Configuring default PR template for your repository |
| .github/dependabot.yml | Customize how Dependabot maintains your repositories |
| CODE_OF_CONDUCT.md | Defines standards for how to engage in a community |
| CONTRIBUTING.md | Contribution guidelines to your project's repository |
| SECURITY.md | To give people instructions on how to report security vulnerabilities |
| SUPPORT.md | Let people know about ways to get help with your project |
| CODEOWNERS | Define individuals or teams that are responsible for code in a repository |
| LICENSE | A software license tells others what they can and can't do with your source code |

Contribution guidelines

Should your repository be open to external contributors, or be onboarding new members, you can create guidelines that communicate how people should contribute to your project. Example.

Code of Conduct

This project has adopted the Hanayama Co. Code of Conduct. For more information see the Code of Conduct FAQ or contact mBlomsterberg with any additional questions or comments.

License

Copyright (c) mBlomsterberg All rights reserved.

Licensed under the MIT license.


Requirements

| Name | Version |
|------|---------|
| terraform | <= 1.5.5 |
| aws | ~> 5.57.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.57.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_wafv2_web_acl.regional | resource |

Inputs

Each input is listed with its description, type, default and whether it is required.

association_config
(Optional) Configuration block defining the association configuration.
Type:
```hcl
object({
  request_body = optional(object({
    cloudfront = optional(object({
      default_size_inspection_limit = string
    }), null)
    api_gateway = optional(object({
      default_size_inspection_limit = string
    }), null)
    app_runner_service = optional(object({
      default_size_inspection_limit = string
    }), null)
    cognito_user_pool = optional(object({
      default_size_inspection_limit = string
    }), null)
    verified_access_instance = optional(object({
      default_size_inspection_limit = string
    }), null)
  }), null)
})
```
Default: null. Required: no.

captcha_config
(Optional) Configuration block defining the captcha configuration.
Type:
```hcl
object({
  immunity_time_property = optional(object({
    immunity_time = optional(number, 300)
  }), null)
})
```
Default: null. Required: no.

challenge_config
(Optional) Configuration block defining the challenge configuration.
Type:
```hcl
object({
  immunity_time_property = optional(object({
    immunity_time = optional(number, 300)
  }), null)
})
```
Default: null. Required: no.

custom_response_bodies
(Optional) Configuration block to define custom response bodies.
Type:
```hcl
list(object({
  key          = string
  content      = string
  content_type = string
}))
```
Default: []. Required: no.

default_action
(Required) Configuration block defining the default action to take when a request doesn't match any rule.
Type:
```hcl
object({
  allow = optional(object({
    custom_request_handling = optional(object({
      insert_header = optional(object({
        name  = string
        value = string
      }), null)
    }), null)
  }), null)
  block = optional(object({
    custom_response = optional(object({
      custom_response_body_key = string
      response_code            = string
      response_header          = optional(map(any), null)
    }), null)
  }), null)
})
```
Default:
```json
{
  "allow": null,
  "block": {}
}
```
Required: no.

description
(Optional) The description of the WAF WebACL.
Type: string. Default: null. Required: no.

name
(Required) The name of the WAF WebACL.
Type: string. Default: n/a. Required: yes.

rules
(Optional) Configuration block defining the rules of the WebACL.
Type:
```hcl
list(object({
  name = string
  captcha_config = optional(object({
    immunity_time_property = optional(object({
      immunity_time = optional(number, 300)
    }), null)
  }), null)

  action = optional(object({
    allow = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    block = optional(object({
      custom_response = optional(object({
        custom_response_body_key = string
        response_code            = string
        response_header          = optional(map(any), null)
      }), null)
    }), null)
    captcha = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    challenge = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    count = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
  }), null)

  priority = number
  override_action = optional(object({
    count = optional(object({}), null)
    none  = optional(object({}), null)
  }), null)
  rule_label = optional(object({
    name = string
  }), null)

  statement = object({
    rate_based_statement = optional(object({
      limit                 = number
      aggregate_key_type    = string
      evaluation_window_sec = optional(number, null)
      custom_key = optional(object({
        cookies           = optional(object({}), null)
        query_string_keys = optional(list(string), null)
        single_header     = optional(list(string), null)
        single_query_arg  = optional(list(string), null)
        uri_path          = optional(list(string), null)
      }), null)
      scope_down_statement = optional(object({
        geo_match_statement = optional(object({
          country_codes = optional(list(string), null)
          forward_ip_config = optional(object({
            header_name = optional(string, null)
            position    = optional(string, null)
          }), null)
        }), null)
        byte_match_statement = optional(object({
          field_to_match = optional(object({
            data = optional(string, null)
            type = optional(string, null)
          }), null)
          positional_constraint = optional(string, null)
          search_string         = optional(string, null)
        }), null)
      }), null)
      forwarded_ip_config = optional(object({
        header_name       = optional(string, null)
        fallback_behavior = optional(string, null)
      }), null)
    }), null)

    ip_set_reference_statement = optional(object({
      arn = string
      forward_ip_config = optional(object({
        header_name       = optional(string, null)
        fallback_behavior = optional(string, null)
      }), null)
    }), null)

    rule_group_reference_statement = optional(object({
      arn = string
      rule_action_override = optional(object({
        name = string
        action_to_use = object({
          allow = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          block = optional(object({
            custom_response = optional(object({
              custom_response_body_key = string
              response_code            = string
              response_header          = optional(map(any), null)
            }), null)
          }), null)
          captcha = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          challenge = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          count = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
        })
      }), null)
    }), null)

    byte_match_statement = optional(object({
      field_to_match = optional(object({
        all_query_arguments = optional(object({}), null)
        body = optional(object({
          oversize_handling = optional(string, null)
        }), null)
        cookies = optional(object({
          match_pattern = optional(object({
            all              = optional(object({}), null)
            included_cookies = optional(list(string), null)
            excluded_cookies = optional(list(string), null)
          }), null)
          match_scope       = optional(string, null)
          oversize_handling = optional(string, null)
        }), null)
        header_order = optional(object({
          oversize_handling = optional(string, null)
        }), null)
        headers = optional(object({
          match_pattern = optional(object({
            all              = optional(object({}), null)
            included_headers = optional(list(string), null)
            excluded_headers = optional(list(string), null)
          }), null)
          match_scope       = optional(string, null)
          oversize_handling = optional(string, null)
        }), null)
        ja3_fingerprint = optional(object({
          fallback_behavior = string
        }), null)
        json_body = optional(object({
          match_pattern = optional(object({
            all            = optional(object({}), null)
            included_paths = optional(list(string), null)
          }), null)
          match_scope               = optional(string, null)
          invalid_fallback_behavior = optional(string, null)
          oversize_handling         = optional(string, null)
        }), null)
        method = optional(object({}), null)
        query_string = optional(object({
          match_pattern = optional(object({
            all                    = optional(list(object({})), null)
            included_query_strings = optional(list(string), null)
            excluded_query_strings = optional(list(string), null)
          }), null)
          oversize_handling = optional(string, null)
        }), null)
        single_header = optional(object({
          name = string
        }), null)
        single_query_argument = optional(object({
          name = string
        }), null)
        uri_path = optional(object({}), null)
      }), null)
      positional_constraint = optional(string, null)
      search_string         = optional(string, null)
      text_transformation = optional(list(object({
        priority = optional(number, null)
        type     = optional(string, null)
      })), null)
    }), null)

    geo_match_statement = optional(object({
      country_codes = optional(list(string), null)
      forward_ip_config = optional(object({
        header_name = optional(string, null)
        position    = optional(string, null)
      }), null)
    }), null)
  })

  visibility_config = optional(object({
    cloudwatch_metrics_enabled = optional(bool, false)
    sampled_requests_enabled   = optional(bool, false)
    metric_name                = optional(string, "test_allowed_ips")
  }), null)
}))
```
Default: null. Required: no.

scope
(Optional) The scope of the WAF WebACL. Valid values are REGIONAL or CLOUDFRONT. Defaults to REGIONAL.
Type: string. Default: "REGIONAL". Required: no.

tags
(Optional) A mapping of tags to assign to the resource.
Type: map(string). Default: {}. Required: no.

visibility_config
(Optional) Configuration block to enable CloudWatch metrics and sampled requests.
Type:
```hcl
object({
  cloudwatch_metrics_enabled = bool
  sampled_requests_enabled   = bool
  metric_name                = string
})
```
Default:
```json
{
  "cloudwatch_metrics_enabled": false,
  "metric_name": "test_allowed_ips",
  "sampled_requests_enabled": false
}
```
Required: no.
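A worked module call, added here and not part of the module's own documentation, showing how the inputs above compose: a default allow action, one IP-set block rule, one rate-based block rule that returns a custom 429 body, and ACL-level metrics switched on (the table defaults them to off). The module source string, the WebACL name and the IP set ARN are assumptions or placeholders.

```hcl
module "waf" {
  # Assumption: module fetched straight from the repository; pin a release tag in real use.
  source = "github.com/mBlomsterberg/terraform-aws-wafv2-module"
  name        = "example_regional_acl" # constructed name
  description = "IP deny list plus per-IP rate limiting"
  scope       = "REGIONAL"             # the only scope the module supports today

  # Requests that match no rule are allowed; the rules below only ever block.
  default_action = { allow = {} }
  # Body returned by the rate-limit rule; the rule references it by key.
  custom_response_bodies = [{
    key          = "rate_limited"
    content      = jsonencode({ error = "too many requests" })
    content_type = "APPLICATION_JSON"
  }]
  rules = [
    {
      name     = "deny_list"
      priority = 0 # lower numbers are evaluated first
      action   = { block = {} }
      statement = {
        ip_set_reference_statement = {
          arn = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/NAME/ID" # placeholder ARN of an existing aws_wafv2_ip_set
        }
      }
    },
    {
      name     = "rate_limit_per_ip"
      priority = 1
      action = {
        block = {
          custom_response = { custom_response_body_key = "rate_limited", response_code = "429" }
        }
      }
      statement = {
        rate_based_statement = {
          limit                 = 1000 # requests per evaluation window, per client IP
          aggregate_key_type    = "IP"
          evaluation_window_sec = 300
        }
      }
    }
  ]
  # The inputs table defaults both flags to false; enable them so blocked requests are observable.
  visibility_config = {
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
    metric_name                = "example_regional_acl"
  }
}
```

Rule-level visibility_config is left at its null default here; add it per rule when you want separate CloudWatch metrics for each rule.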

Outputs

| Name | Description |
|------|-------------|
| application_integration_url | n/a |
| arn | n/a |
| capacity | n/a |
| id | n/a |
| tags_all | n/a |
