Skip to content

Module Banner

terraform-aws-arc-waf

Module: sourcefuse/arc-waf/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-waf/aws

Category: Security / WAF

Source: https://github.com/sourcefuse/terraform-aws-arc-waf

Latest Release Last Updated Terraform GitHub Actions

Quality gate

Tip

🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓

Overview

Creates AWS WAFv2 web ACLs with managed rule groups, custom rules, IP sets, and resource associations for CloudFront or regional resources.

Architecture

Architecture Diagram

What It Does

  • WAFv2 web ACL with REGIONAL or CLOUDFRONT scope
  • AWS managed rule groups (Core, Known Bad Inputs, SQL injection, etc.)
  • Custom rate-based and byte match rules
  • IP set creation and management
  • Web ACL association with ALB, API Gateway, or CloudFront
  • CloudWatch metrics and sampled requests logging
  • Default allow or block action

For more information about this repository and its usage, please see Terraform AWS ARC WAF Module Usage Guide.

Quickstart

module "waf" {
  source  = "sourcefuse/arc-waf/aws"
  version = "1.0.2"

  ## web acl
  create_web_acl         = true
  web_acl_name           = "${var.namespace}-${var.environment}-waf-web-acl"
  web_acl_description    = "Terraform managed Web ACL Configuration"
  web_acl_scope          = "REGIONAL"
  web_acl_default_action = "block"
  web_acl_visibility_config = {
    metric_name = "${var.namespace}-${var.environment}-waf-web-acl"
  }
  web_acl_rules = var.web_acl_rules

  ## ip set
  ip_set = [
    {
      name               = "example-ip-set"
      description        = "Example description"
      scope              = "REGIONAL"
      ip_address_version = "IPV4"
      addresses          = []
    }
  ]

  tags = module.tags.tags
}

Required Inputs

Name Type Description
web_acl_name string WAF web ACL name
web_acl_scope string REGIONAL or CLOUDFRONT
web_acl_default_action string allow or block
## Key Outputs
Name Description
web_acl_id WAF web ACL ID
web_acl_arn WAF web ACL ARN
web_acl_capacity WAF capacity units consumed
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name Version
terraform >= 1.3, < 2.0.0
aws >= 4.0

Providers

Name Version
aws 5.8.0

Modules

No modules.

Resources

Name Type
aws_wafv2_ip_set.this resource
aws_wafv2_web_acl.this resource
aws_wafv2_web_acl_association.this resource

Inputs

Name Description Type Default Required
association_resource_arns The Amazon Resource Name (ARN) of the resource to associate with the web ACL.
This must be an ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool.
list(string) [] no
create_web_acl A Boolean indicates whether to create WAF Web ACL or not bool true no
ip_set Configuration for WAFv2 IP Set.
* name: A friendly name of the IP set.
* description: A friendly description of the IP set. Default is "Terraform managed IP Set configuration."
* scope: Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. Default is "REGIONAL."
* ip_address_version: Specify IPV4 or IPV6. Valid values are IPV4 or IPV6. Default is "IPV4."
* addresses: Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
list(object({
name = string
description = optional(string, "Terraform managed IP Set configuration")
scope = optional(string, "REGIONAL")
ip_address_version = optional(string, "IPV4")
addresses = optional(list(string), [])
}))
[] no
tags A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. map(string) {} no
web_acl_custom_response_body Defines custom response bodies that can be referenced by custom_response actions
list(object({
key = string
content = string
content_type = string
}))
[] no
web_acl_default_action Action to perform if none of the rules contained in the WebACL match. Options are allow or block string n/a yes
web_acl_description Description of the WebACL string "Terraform managed Web ACL Configuration" no
web_acl_name Name of the WAFv2 Web ACL string n/a yes
web_acl_rules Rule blocks used to identify the web requests that you want to allow, block, or count any [] no
web_acl_scope Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL string "REGIONAL" no
web_acl_visibility_config Defines and enables Amazon CloudWatch metrics and web request sample collection
object({
cloudwatch_metrics_enabled = optional(bool, true)
metric_name = string
sampled_requests_enabled = optional(bool, true)
})
n/a yes

Outputs

Name Description
arn The ARN of the WAF WebACL.
capacity Web ACL capacity units (WCUs) currently being used by this web ACL.
id The ID of the WAF WebACL.
ip_set_arn The IP Set ARN
tags_all Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Git commits

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

git commit -m "your commit message #major"
By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Tests

  • Tests are available in test directory
  • Configure the dependencies
    1
    2
    3
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
    go get github.com/gruntwork-io/terratest/modules/terraform
    
  • Now execute the test
    go test -timeout  30m
    

AI Assistant Integration (ARC IaC MCP)

The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.

What you can do with it:

  • Discover — search and filter modules by keyword or AWS resource type.
  • Understand — get inputs, outputs, and resources for any module without leaving your editor.
  • Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
  • Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
  • Compare — diff modules side-by-side to make informed architectural decisions.

Setup (one minute)

The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:

Claude Code CLI:

claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcp

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:

1
2
3
4
5
6
7
{
  "mcpServers": {
    "arc-iac": {
      "url": "https://arc-iac-mcp.sourcef.us/mcp"
    }
  }
}

Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).

Example prompts to try

  • "List all ARC modules sorted by downloads"
  • "What inputs does arc-ecs require?"
  • "Scaffold a production-ready arc-db Aurora setup with Secrets Manager"
  • "Compare arc-eks and arc-ecs for running 10 microservices"
  • "Scan this Terraform before I raise a PR: <paste HCL>"

See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by: - SourceFuse ARC Team