This Terraform module creates WAF resources on AWS.
This module has the following features:
- Creates both classic WAF and WAFv2 resources
- Ability to create WAF ACLs
- Supports both IPv4 and IPv6 IP sets
- Simple to use, with easy-to-understand examples
- Adheres to AWS security best practices by using checkov to scan for security loopholes
Examples available here
NOTE: These examples use the latest version of this module
```hcl
module "minimum" {
  source = "boldlink/waf/aws"
  name   = "minimum-example-waf-acl"
  scope  = "REGIONAL"
}
```
Terraform WAF module documentation
Terraform WAF classic module documentation
| Name | Version |
|---|---|
| terraform | >= 0.14.11 |
| aws | >= 4.55.0 |

| Name | Version |
|---|---|
| aws | 4.63.0 |

No modules.

| Name | Type |
|---|---|
| aws_wafv2_ip_set.ipset_v4 | resource |
| aws_wafv2_ip_set.ipset_v6 | resource |
| aws_wafv2_web_acl.main | resource |
| aws_wafv2_web_acl_association.main | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_metrics_enabled | Whether to enable CloudWatch metrics | bool | `false` | no |
| create_acl_association | Whether to create the ACL association | bool | `false` | no |
| custom_response_body | Defines custom response bodies that can be referenced by custom_response actions | any | `[]` | no |
| default_action | Configuration block for the action to take when no rule in the WebACL matches | any | `{}` | no |
| description | Friendly description of the WebACL. | string | `null` | no |
| ip_set_reference_statement | A rule statement used to detect web requests coming from particular IP addresses or address ranges. | any | `{}` | no |
| ip_set_v4 | IPv4 IP set | any | `[]` | no |
| ip_set_v6 | IPv6 IP set | any | `[]` | no |
| metric_name | The name of the metric | string | `"sample-name-1"` | no |
| name | Friendly name of the WebACL. | string | n/a | yes |
| rules | Rule blocks used to identify the web requests that you want to allow, block, or count | any | `[]` | no |
| sampled_requests_enabled | Whether to enable sampled requests | bool | `false` | no |
| scope | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | string | `"REGIONAL"` | no |
| tags | Map of key-value pairs to associate with the resource. | map(string) | `{}` | no |
| web_acl_resource_arn | The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be the ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool. | string | `null` | no |
No outputs.
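As an added example (not code from the module's README) of wiring the inputs in the table above: a regional ACL attached to a load balancer with its visibility settings switched on, and a CloudFront-scoped ACL created through a us-east-1 provider alias, as the `scope` note requires. The load balancer ARN is a placeholder and the provider alias name is an assumption.

```hcl
# Added example, not from the module's README. The load balancer ARN is a
# placeholder and the provider alias name is an assumption.
# Regional WebACL attached to an Application Load Balancer. The module's
# defaults leave CloudWatch metrics and sampled requests off, so turn them
# on explicitly; without them the ACL's allow/block decisions are invisible.
module "regional_waf" {
  source = "boldlink/waf/aws"

  name        = "regional-example-waf-acl"
  description = "Regional WebACL protecting the public ALB"
  scope       = "REGIONAL"
  metric_name = "regional-example-waf-acl"

  cloudwatch_metrics_enabled = true
  sampled_requests_enabled   = true

  # Attach the ACL to the ALB (ARN is a placeholder).
  create_acl_association = true
  web_acl_resource_arn   = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/public-alb/PLACEHOLDER"

  tags = {
    Environment = "example"
    ManagedBy   = "terraform"
  }
}

# CloudFront-scoped WebACL: WAFv2 only accepts CLOUDFRONT scope in
# us-east-1, so the module is given a provider aliased to that region.
provider "aws" {
  alias  = "us_east_1" # alias name is an assumption
  region = "us-east-1"
}

module "cloudfront_waf" {
  source = "boldlink/waf/aws"
  providers = {
    aws = aws.us_east_1
  }

  name        = "cloudfront-example-waf-acl"
  description = "CloudFront WebACL; reference its ARN from the distribution"
  scope       = "CLOUDFRONT"
  metric_name = "cloudfront-example-waf-acl"

  cloudwatch_metrics_enabled = true
  sampled_requests_enabled   = true

  # No association here: CloudFront distributions reference the ACL
  # themselves, and the module exposes no outputs to hand the ARN across.
}
```

Run `terraform validate` against this file before planning; the module's `any`-typed inputs are not used here because their expected shape is not documented in this table.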
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
  - Install with
    ```
    brew install pre-commit
    ```
  - Manually use with
    ```
    pre-commit run
    ```
- terraform 0.14.11 - For backwards compatibility we are using version 0.14.11 for testing, making this the minimum version tested without issues with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
  - Install with
    ```
    brew install terraform-docs
    ```
  - Manually use via pre-commit
- tflint - Used to lint the Terraform code
  - Install with
    ```
    brew install tflint
    ```
  - Manually use via pre-commit
The example stacks are used by BOLDLink developers to validate the modules by building an actual stack on AWS.
Some of the modules have dependencies on other modules (e.g. the EC2 instance module depends on the VPC module), so we create those first and use data sources in the examples to consume the resulting stacks.
Any supporting resources will be available in the tests/supportingResources folder, and their lifecycle is managed by the Makefile targets.
Resources in the tests/supportingResources folder are not intended for demo or actual implementation purposes, but can be used for reference.
The Makefile contained in this repo is optimized for Linux paths, and its main purpose for now is to execute testing.
- Create all test stacks, including any supporting resources:
  ```
  make tests
  ```
- Clean all tests except existing supporting resources:
  ```
  make clean
  ```
- Clean supporting resources - this is done separately so you can test your module build/modify/destroy independently:
  ```
  make cleansupporting
  ```
- !!!DANGER!!! Clean the state files from examples and tests/supportingResources - use with CAUTION!!!
  ```
  make cleanstatefiles
  ```