A Terraform module that creates an AWS Web Application Firewall (WAFv2) web ACL.
- Associate the WebACL with one of: ALB, API Gateway, Cognito User Pool
- Create IPSets
- Create a WAFv2 Rule Group resource
- Custom Response Body
- Logging Configuration
- Statements:
  - AndStatement
  - ByteMatchStatement
  - GeoMatchStatement
  - IPSetReferenceStatement
  - LabelMatchStatement
  - ManagedRuleGroupStatement
  - NotStatement
  - OrStatement
  - RateBasedStatement
  - RegexPatternSetStatement
  - SizeConstraintStatement
  - SqliMatchStatement
  - XssMatchStatement
- See the example code for full details.
Requirements:
| Name | Version |
|---|---|
| terraform | >= 1.3.6 |
| aws | >= 4.51.0 |

Providers:
| Name | Version |
|---|---|
| aws | 4.62.0 |

Modules: no modules.

Resources:
| Name | Type |
|---|---|
| aws_wafv2_web_acl.this | resource |
| aws_wafv2_web_acl_association.this | resource |
| aws_wafv2_web_acl_logging_configuration.this | resource |
Inputs:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| custom_response_body | (Optional) Defines custom response bodies that can be referenced by custom_response actions. | map(any) | {} | no |
| default_action | (Required) Action to perform if none of the rules contained in the WebACL match. | string | n/a | yes |
| description | (Optional) Friendly description of the WebACL. | string | null | no |
| enabled_logging_configuration | (Optional) Whether to create the logging configuration. | bool | false | no |
| enabled_web_acl_association | (Optional) Whether to create the ALB association with the WebACL. | bool | true | no |
| log_destination_configs | (Required) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. | string | null | no |
| logging_filter | (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | any | null | no |
| name | (Required) Friendly name of the WebACL. | string | n/a | yes |
| redacted_fields | (Optional) The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. | map(any) | null | no |
| resource_arn | (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. | list(string) | n/a | yes |
| rule | (Optional) Rule blocks used to identify the web requests that you want to allow, block, or count. | any | n/a | yes |
| scope | (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. | string | n/a | yes |
| tags | (Optional) Map of key-value pairs to associate with the resource. | map(string) | null | no |
| visibility_config | (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. | map(string) | n/a | yes |
Outputs:
| Name | Description |
|---|---|
| aws_wafv2_arn | The ARN of the WAF WebACL. |
| aws_wafv2_capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
| aws_wafv2_id | The ID of the WAF WebACL. |
| aws_wafv2_tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| aws_wafv2_web_acl_logging_configuration_id | The Amazon Resource Name (ARN) of the WAFv2 Web ACL. |