Creates AWS WAFv2 ACL and supports the following
- AWS Managed Rule Sets
- Associating with Application Load Balancers (ALB)
- Blocking IP Sets
- Global IP Rate limiting
- Custom IP rate limiting for different URLs
As of 12/2/2020, AWS GovCloud does not support the AWSManagedRulesAmazonIpReputationList managed rule set,
which is enabled by default in this module. Until AWS supports that rule set, you will need to define your own managed_rules.
Terraform 0.13 and newer. Pin module version to ~> 2.0. Submit pull-requests to master branch.
Terraform 0.12. Pin module version to ~> 1.0. Submit pull-requests to terraform012 branch.
Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.
module "cloudfront_wafv2" {
source = "trussworks/wafv2/aws"
version = "0.0.1"
name = "cloudfront-web-acl"
scope = "CLOUDFRONT"
}module "alb_wafv2" {
source = "trussworks/wafv2/aws"
version = "0.0.1"
name = "alb-web-acl"
scope = "REGIONAL"
alb_arn = aws_lb.alb.arn
associate_alb = true
}resource "aws_wafv2_ip_set" "ipset" {
name = "blocked_ips"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
module "wafv2" {
source = "../../"
name = "wafv2"
scope = "REGIONAL"
ip_sets_rule = [
{
name = "blocked_ips"
action = "block"
priority = 1
ip_set_arn = aws_wafv2_ip_set.ipset.arn
}
]
}| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 3.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_arn | ARN of the ALB to be associated with the WAFv2 ACL. | string |
"" |
no |
| associate_alb | Whether to associate an ALB with the WAFv2 ACL. | bool |
false |
no |
| filtered_header_rule | HTTP header to filter . Currently supports a single header type and multiple header values. | object({ |
{ |
no |
| ip_rate_based_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | object({ |
null |
no |
| ip_rate_url_based_rules | A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | list(object({ |
[] |
no |
| ip_sets_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | list(object({ |
[] |
no |
| managed_rules | List of Managed WAF rules. | list(object({ |
[ |
no |
| name | A friendly name of the WebACL. | string |
n/a | yes |
| scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | string |
n/a | yes |
| tags | A mapping of tags to assign to the WAFv2 ACL. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| web_acl_id | The ARN of the WAF WebACL. |
Install dependencies (macOS)
brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooksTerratest is being used for
automated testing with this module. Tests in the test folder can be run
locally by running the following command:
make test
Or with aws-vault:
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![kodiakhq[bot] avatar](https://avatars.githubusercontent.com/in/29196?v=4 "kodiakhq[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent