| subcategory | layout | page_title | description |
|---|---|---|---|
| WAF Classic Regional | aws | AWS: aws_wafregional_web_acl | Provides an AWS WAF Regional web access control group (ACL) resource for use with ALB. |
# Resource: aws_wafregional_web_acl

Provides a WAF Regional Web ACL Resource for use with Application Load Balancer.

## Example Usage

### Regular Rule
```terraform
resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rule" "wafrule" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = aws_wafregional_ipset.ipset.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "wafacl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = aws_wafregional_rule.wafrule.id
    type     = "REGULAR"
  }
}
```
### Group Rule

```terraform
resource "aws_wafregional_web_acl" "example" {
  name        = "example"
  metric_name = "example"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = aws_wafregional_rule_group.example.id
    type     = "GROUP"

    override_action {
      type = "NONE"
    }
  }
}
```
### Logging

~> **NOTE:** The Kinesis Firehose Delivery Stream name must begin with `aws-waf-logs-`. See the AWS WAF Developer Guide for more information about enabling WAF logging.
```terraform
resource "aws_wafregional_web_acl" "example" {
  # ... other configuration ...

  logging_configuration {
    log_destination = aws_kinesis_firehose_delivery_stream.example.arn

    redacted_fields {
      field_to_match {
        type = "URI"
      }

      field_to_match {
        data = "referer"
        type = "HEADER"
      }
    }
  }
}
```
## Argument Reference

This resource supports the following arguments:

* `default_action` - (Required) The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
* `metric_name` - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
* `name` - (Required) The name or description of the web ACL.
* `logging_configuration` - (Optional) Configuration block to enable WAF logging. Detailed below.
* `rule` - (Optional) Set of configuration blocks containing rules for the web ACL. Detailed below.
* `tags` - (Optional) Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
### default_action

* `type` - (Required) Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule, e.g., `ALLOW`, `BLOCK` or `COUNT`.
### logging_configuration

* `log_destination` - (Required) Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Stream.
* `redacted_fields` - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

#### redacted_fields

* `field_to_match` - (Required) Set of configuration blocks for fields to redact. Detailed below.
-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.

##### field_to_match

* `data` - (Optional) When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.
* `type` - (Required) The part of the web request that you want AWS WAF to search for a specified string, e.g., `HEADER` or `METHOD`.

-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.
### rule

* `priority` - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
* `rule_id` - (Required) ID of the associated WAF (Regional) rule (e.g., `aws_wafregional_rule`). WAF (Global) rules cannot be used.
* `action` - (Optional) Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. Detailed below.
* `override_action` - (Optional) Configuration block that overrides the action a rule group requests CloudFront or AWS WAF to take when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. Detailed below.
* `type` - (Optional) The rule type, either `REGULAR`, as defined by Rule, `RATE_BASED`, as defined by RateBasedRule, or `GROUP`, as defined by RuleGroup. The default is `REGULAR`. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`.
#### action / override_action

* `type` - (Required) Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for `action` are `ALLOW`, `BLOCK` or `COUNT`. Valid values for `override_action` are `COUNT` and `NONE`.
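The `RATE_BASED` rule type and the `COUNT` action described above do not appear in the page's own examples. The following added configuration (not from the provider documentation) stages a rate-based rule in `COUNT` mode inside a default-allow web ACL so its matches show up in CloudWatch metrics and WAF logs before it is promoted to `BLOCK`, and then attaches the ACL to a load balancer. The resource names, the rate limit and the `alb_arn` variable are assumptions.

```terraform
# Added example (not from the provider documentation): a rate-based rule
# evaluated in COUNT mode so that its matches appear in CloudWatch metrics
# and WAF logs before it is switched to BLOCK. Names and limits are
# placeholders chosen for this illustration.
variable "alb_arn" {
  description = "ARN of the Application Load Balancer to protect (placeholder)"
  type        = string
}

resource "aws_wafregional_rate_based_rule" "per_ip" {
  name        = "tfRateLimit"
  metric_name = "tfRateLimit"

  # Count requests per source IP over WAF Classic's 5-minute window.
  rate_key   = "IP"
  rate_limit = 2000
}

resource "aws_wafregional_web_acl" "staged" {
  name        = "tfStagedWebACL"
  metric_name = "tfStagedWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = aws_wafregional_rate_based_rule.per_ip.id
    # A rate-based rule must be declared with type RATE_BASED, not REGULAR.
    type     = "RATE_BASED"

    action {
      # COUNT records matches without blocking; change to BLOCK once the
      # metric confirms the threshold is not catching legitimate traffic.
      type = "COUNT"
    }
  }
}

# Attach the web ACL to the load balancer; without the association the
# ACL evaluates no traffic.
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_id   = aws_wafregional_web_acl.staged.id
}
```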
## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `arn` - Amazon Resource Name (ARN) of the WAF Regional WebACL.
* `id` - The ID of the WAF Regional WebACL.
* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
## Import

In Terraform v1.5.0 and later, use an `import` block to import WAF Regional Web ACL using the id. For example:

```terraform
import {
  to = aws_wafregional_web_acl.wafacl
  id = "a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc"
}
```
Using `terraform import`, import WAF Regional Web ACL using the id. For example:

```console
% terraform import aws_wafregional_web_acl.wafacl a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc
```