terraform-aws-waf

This terraform module creates two type of WAFv2 Web ACL rules:

CLOUDFRONT is a Global rule used in CloudFront Distribution only
REGIONAL rules can be used in ALB, API Gateway or AppSync GraphQL API

Follow a commum list of Web ACL rules that can be used by this module and how to setup it, also a link of the documentation with a full list of AWS WAF Rules, you need to use the "Name" of the Rule Groups and take care with WCUs, it's why Web ACL rules can't exceed 1500 WCUs.

byte_match_statement
geo_match_statement
ip_set_reference_statement
managed_rule_group_statement
- AWSManagedRulesCommonRuleSet
- AWSManagedRulesAmazonIpReputationList
- AWSManagedRulesKnownBadInputsRuleSet
- AWSManagedRulesSQLiRuleSet
- AWSManagedRulesLinuxRuleSet
- AWSManagedRulesUnixRuleSet
rate_based_statement
regex_pattern_set_reference_statement
size_constraint_statement
sqli_match_statement
xss_match_statement

Usage

module "terraform_aws_wafv2_global" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_global.rules, []) : rule.global_rule => rule }

  waf_cloudfront_enable = try(each.value.waf_cloudfront_enable, false)
  web_acl_id            = try(each.value.web_acl_id, "") # Optional WEB ACLs (WAF) to attach to CloudFront
  global_rule           = try(each.value.global_rule, [])
  scope                 = each.value.scope
  default_action        = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}

data "aws_wafv2_web_acl" "web_acl_arn" {
# count = local.workspace.wafv2.global.waf_cloudfront_web_acl_enable ? 1 : 0
depends_on = [module.terraform_aws_wafv2_global]
provider = aws.us-east-1
  name  = "waf-${local.workspace.wafv2.global.acls.global_rule_name}"
  scope = "CLOUDFRONT"
}

module "terraform_aws_wafv2_regional" {
  source   = "git::https://github.com/DNXLabs/terraform-aws-waf.git?ref=1.1.0"
  for_each = { for rule in try(local.workspace.wafv2_regional.rules, []) : rule.regional_rule => rule }

  waf_regional_enable = try(each.value.waf_regional_enable, false)
  associate_waf       = try(each.value.associate_waf, false)
  regional_rule       = try(each.value.regional_rule, [])
  scope               = each.value.scope
  resource_arn        = try(each.value.resource_arn, [])
  default_action      = try(each.value.default_action, "block")

  ### Log Configuration
  logs_enable             = try(each.value.logs_enable, false)
  logs_retension          = try(each.value.logs_retension, 90)
  logging_redacted_fields = try(each.value.logging_redacted_fields, [])
  logging_filter          = try(each.value.logging_filter, [])

  ### Statement Rules
  byte_match_statement_rules                  = try(each.value.byte_match_statement_rules, [])
  geo_match_statement_rules                   = try(each.value.geo_match_statement_rules, [])
  ip_set_reference_statement_rules            = try(each.value.ip_set_reference_statement_rules, [])
  managed_rule_group_statement_rules          = try(each.value.managed_rule_group_statement_rules, [])
  rate_based_statement_rules                  = try(each.value.rate_based_statement_rules, [])
  regex_pattern_set_reference_statement_rules = try(each.value.regex_pattern_set_reference_statement_rules, [])
  size_constraint_statement_rules             = try(each.value.size_constraint_statement_rules, [])
  sqli_match_statement_rules                  = try(each.value.sqli_match_statement_rules, [])
  xss_match_statement_rules                   = try(each.value.xss_match_statement_rules, [])
}q

Requirements

Name	Version
terraform	>= 0.13.0

Providers

Name	Version
aws	n/a

Inputs

Name	Description	Type	Default	Required
associate_waf	Whether to associate an ALB with the WAFv2 ACL.	`bool`	`false`	no
byte_match_statement_rules	n/a	list(object({ name = string priority = number action = string byte_matchs = list(object({ positional_constraint = string search_string = string })) byte_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = string type = string })) }))	n/a	yes
default_action	n/a	`string`	`"block"`	no
geo_match_statement_rules	n/a	list(object({ name = string priority = string action = string country_codes = list(string) geo_match_statement = list(object({ fallback_behavior = string header_name = string })) }))	n/a	yes
global_rule	Cloudfront WAF Rule Name	`string`	`""`	no
ip_set_reference_statement_rules	n/a	list(object({ name = string priority = string action = string ip_set = list(string) ip_set_reference_statement = list(object({ fallback_behavior = string header_name = string position = string })) }))	n/a	yes
logging_filter	n/a	list(object({ default_behavior = string filter = list(object({ behavior = string requirement = string condition = list(object({ action_condition = string label_name_condition = string })) })) }))	n/a	yes
logging_redacted_fields	n/a	list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string }))	n/a	yes
logs_enable	Enable logs	`bool`	`false`	no
logs_retension	Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire.	`number`	`90`	no
managed_rule_group_statement_rules	n/a	list(object({ name = string priority = string managed_rule_group_statement = list(object({ name = string vendor_name = string excluded_rule = list(string) block_rule_action_override = list(string) })) }))	n/a	yes
rate_based_statement_rules	n/a	list(object({ name = string priority = string action = string rate_based = list(object({ aggregate_key_type = string limit = number })) rate_based_statement = list(object({ fallback_behavior = string header_name = string })) }))	n/a	yes
regex_pattern_set_reference_statement_rules	n/a	list(object({ name = string priority = string action = string regex_set = list(string) regex_pattern_set_reference_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
regional_rule	Regional WAF Rules for ALB and API Gateway	`string`	`""`	no
resource_arn	ARN of the ALB to be associated with the WAFv2 ACL.	`list(string)`	`[]`	no
scope	The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL(ALB).	`string`	n/a	yes
size_constraint_statement_rules	n/a	list(object({ name = string priority = string action = string comparison_operator = string size = number size_constraint_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
sqli_match_statement_rules	n/a	list(object({ name = string priority = string action = string sqli_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes
waf_cloudfront_enable	Enable WAF for Cloudfront distribution	`bool`	`false`	no
waf_regional_enable	Enable WAFv2 to ALB, API Gateway or AppSync GraphQL API	`bool`	`false`	no
web_acl_id	Specify a web ACL ARN to be associated in CloudFront Distribution / # Optional WEB ACLs (WAF) to attach to CloudFront	`string`	`null`	no
xss_match_statement_rules	n/a	list(object({ name = string priority = string action = string xss_match_statement = list(object({ all_query_arguments = string body = string method = string query_string = string single_header = string single_query_argument = string uri_path = string })) text_transformation = list(object({ priority = number type = string })) }))	n/a	yes

Outputs

Name	Description
web_acl_arn	The ARN of the WAFv2 WebACL.
web_acl_capacity_cloudfront	The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_capacity_regional	The web ACL capacity units (WCUs) currently being used by this web ACL.
web_acl_id	The ID of the WAFv2 WebACL.
web_acl_name_cloudfront	The name of the WAFv2 WebACL.
web_acl_name_regional	The name of the WAFv2 WebACL.
web_acl_visibility_config_name_cloudfront	The web ACL visibility config name
web_acl_visibility_config_name_regional	The web ACL visibility config name

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.

luizfds / terraform-aws-waf Goto Github PK

terraform-aws-waf's Introduction

terraform-aws-waf

Usage

Requirements

Providers

Inputs

Outputs

Authors

License

terraform-aws-waf's People

Contributors

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent