cloudposse · Sytten · Aug 17, 2023 · Aug 17, 2023 · Aug 17, 2023 · Aug 17, 2023
@@ -67,6 +67,9 @@ references:
   - name: aws_wafv2_web_acl_logging_configuration
     description: Creates a WAFv2 Web ACL Logging Configuration
     url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration.html
+  - name: aws_wafv2_ip_set
+    description: Creates a WAFv2 Web ACL resource
+    url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set
 
 description: |-
   Terraform module to create and manage AWS WAFv2 rules. 

@@ -254,5 +254,26 @@ module "waf" {
     }
   ]
 
+  ip_set_reference_statement_rules = [
+    {
+      name     = "rule-100"
+      priority = 100
+      action   = "block"
+
+      statement = {
+        ip_set = {
+          ip_address_version = "IPV4"
+          addresses          = ["17.0.0.0/8"]
+        }
+      }
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        sampled_requests_enabled   = false
+        metric_name                = "rule-100-metric"
+      }
+    }
+  ]
+
   context = module.this.context
 }
@@ -0,0 +1,34 @@
+locals {
+  ip_sets = local.enabled && var.ip_set_reference_statement_rules != null ? {
+    for indx, rule in flatten(var.ip_set_reference_statement_rules) :
+    lookup(rule, "name", null) != null ? format("%s-ip-set", rule.name) : format("ip-set-%d", rule.priority)
+    => rule.statement.ip_set if try(rule.statement.ip_set, null) != null && try(rule.statement.arn, null) == null
+  } : {}
+
+  ip_rule_to_ip_set = local.enabled && local.ip_set_reference_statement_rules != null ? {
+    for name, rule in local.ip_set_reference_statement_rules :
+    name => lookup(rule, "name", null) != null ? format("%s-ip-set", rule.name) : format("ip-set-%d", rule.priority)
+  } : {}
+}
+
+module "ip_set_label" {
+  for_each = local.ip_sets
+
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  attributes = [each.key]
+  context    = module.this.context
+}
+
+resource "aws_wafv2_ip_set" "default" {
+  for_each = local.ip_sets
+
+  name               = module.ip_set_label[each.key].id
+  description        = lookup(each.value, "description", null)
+  scope              = var.scope
+  ip_address_version = each.value.ip_address_version
+  addresses          = each.value.addresses
+
+  tags = module.this.tags
+}
@@ -420,7 +420,7 @@ resource "aws_wafv2_web_acl" "default" {
           for_each = lookup(rule.value, "statement", null) != null ? [rule.value.statement] : []
 
           content {
-            arn = ip_set_reference_statement.value.arn
+            arn = try(aws_wafv2_ip_set.default[local.ip_rule_to_ip_set[rule.key]], null) != null ? aws_wafv2_ip_set.default[local.ip_rule_to_ip_set[rule.key]] : ip_set_reference_statement.value.arn
 
             dynamic "ip_set_forwarded_ip_config" {
               for_each = lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", null) != null ? [ip_set_reference_statement.value.ip_set_forwarded_ip_config] : []

@@ -329,6 +329,16 @@ variable "ip_set_reference_statement_rules" {
     statement:
       arn:
         The ARN of the IP Set that this statement references.
+      ip_set:
+        Defines a new IP Set
+
+        description:
+          A friendly description of the IP Set
+        addresses:
+          Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.
+          All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.
+        ip_address_version:
+          Specify `IPV4` or `IPV6`
       ip_set_forwarded_ip_config:
         fallback_behavior:
           The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.