aws-ss/terraform-aws-wafv2

terraform-aws-wafv2

A Terraform module that creates an AWS Web Application Firewall (WAFv2) web ACL, optionally associates it with a resource, and configures logging.

Available Features

  • Associate the WebACL with one resource (ALB, API Gateway, or Cognito User Pool)
  • Create IPSets
  • Create a WAFv2 Rule Group resource
  • Custom Response Body
  • Logging Configuration
  • Statements
    • AndStatement
    • ByteMatchStatement
    • GeoMatchStatement
    • IPSetReferenceStatement
    • LabelMatchStatement
    • ManagedRuleGroupStatement
    • NotStatement
    • OrStatement
    • RateBasedStatement
    • RegexPatternSetStatement
    • SizeConstraintStatement
    • SqliMatchStatement
    • XssMatchStatement

Examples
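The following usage example is added here and is not part of the module's own repository. It assumes the module source address shown, that an ALB exists elsewhere as `aws_lb.app`, and that the `rule` input (typed `any` above) takes the same shape as the `rule` block of the `aws_wafv2_web_acl` resource; it rate-limits each client IP, applies the AWS Common Rule Set, and ships logs to CloudWatch with the `Authorization` header redacted.

```hcl
resource "aws_cloudwatch_log_group" "waf" {
  # AWS only accepts WAF log groups whose name starts with aws-waf-logs-
  name              = "aws-waf-logs-app-web-acl"
  retention_in_days = 90
}
module "waf" {
  source = "github.com/aws-ss/terraform-aws-wafv2" # assumed source address
  name           = "app-web-acl"
  scope          = "REGIONAL" # use CLOUDFRONT for a CloudFront distribution
  default_action = "allow"    # the rules below decide what gets blocked
  visibility_config = {
    cloudwatch_metrics_enabled = "true"
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = "true"
  }
  # Assumed shape: mirrors the rule block of aws_wafv2_web_acl.
  rule = [
    {
      name     = "rate-limit-per-ip"
      priority = 1
      action   = "block"
      statement = {
        rate_based_statement = {
          limit              = 2000 # requests per 5-minute window per IP
          aggregate_key_type = "IP"
        }
      }
    },
    {
      name            = "aws-common-rule-set"
      priority        = 2
      override_action = "none" # keep the managed group's own block actions
      statement = {
        managed_rule_group_statement = {
          name        = "AWSManagedRulesCommonRuleSet"
          vendor_name = "AWS"
        }
      }
    },
  ]
  resource_arn                  = [aws_lb.app.arn]
  enabled_logging_configuration = true
  log_destination_configs       = aws_cloudwatch_log_group.waf.arn
  # Keep bearer tokens and session credentials out of the log stream.
  redacted_fields = { single_header = { name = "authorization" } }
}
```

Run `terraform plan` and check the `aws_wafv2_capacity` output: the managed rule group consumes a large share of the 1500 WCU default web ACL limit, so verify there is headroom before adding more rules.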

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.6 |
| aws | >= 4.51.0 |

Providers

| Name | Version |
|------|---------|
| aws | 4.62.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_wafv2_web_acl.this | resource |
| aws_wafv2_web_acl_association.this | resource |
| aws_wafv2_web_acl_logging_configuration.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| custom_response_body | (Optional) Defines custom response bodies that can be referenced by custom_response actions. | map(any) | {} | no |
| default_action | (Required) Action to perform if none of the rules contained in the WebACL match. | string | n/a | yes |
| description | (Optional) Friendly description of the WebACL. | string | null | no |
| enabled_logging_configuration | (Optional) Whether to create the logging configuration. | bool | false | no |
| enabled_web_acl_association | (Optional) Whether to create the ALB association with the WebACL. | bool | true | no |
| log_destination_configs | (Required) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. | string | null | no |
| logging_filter | (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | any | null | no |
| name | (Required) Friendly name of the WebACL. | string | n/a | yes |
| redacted_fields | (Optional) The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. | map(any) | null | no |
| resource_arn | (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. | list(string) | n/a | yes |
| rule | (Optional) Rule blocks used to identify the web requests that you want to allow, block, or count. | any | n/a | yes |
| scope | (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. | string | n/a | yes |
| tags | (Optional) Map of key-value pairs to associate with the resource. | map(string) | null | no |
| visibility_config | (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. | map(string) | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| aws_wafv2_arn | The ARN of the WAF WebACL. |
| aws_wafv2_capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
| aws_wafv2_id | The ID of the WAF WebACL. |
| aws_wafv2_tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| aws_wafv2_web_acl_logging_configuration_id | The Amazon Resource Name (ARN) of the WAFv2 Web ACL. |