terraform-aws-arc-waf

Overview

SourceFuse's AWS Reference Architecture Terraform module for AWS WAF (Web Application Firewall) simplifies the setup and management of web access controls. Leveraging the hashicorp/aws Terraform provider, this module allows users to define and deploy WAF configurations, including web ACLs and IP sets, with ease. The module supports customizable rules, default actions, and visibility configurations, empowering users to tailor WAF policies based on their specific security requirements. By associating web ACLs with designated resources through the aws_wafv2_web_acl_association resource, the module ensures seamless integration and protection for web applications against various threats. With support for tags and dependency management, this WAF module provides a robust foundation for enhancing the security posture of AWS-hosted web applications.

For more information about this repository and its usage, please see Terraform AWS ARC WAF Module Usage Guide.

Usage

To see a full example, check out the main.tf file in the example folder.

module "waf" {
  source  = "sourcefuse/arc-waf/aws"
  version = "1.0.2"

  ## web acl
  create_web_acl         = true
  web_acl_name           = "${var.namespace}-${var.environment}-waf-web-acl"
  web_acl_description    = "Terraform managed Web ACL Configuration"
  web_acl_scope          = "REGIONAL"
  web_acl_default_action = "block"
  web_acl_visibility_config = {
    metric_name = "${var.namespace}-${var.environment}-waf-web-acl"
  }
  web_acl_rules = var.web_acl_rules

  ## ip set
  ip_set = [
    {
      name               = "example-ip-set"
      description        = "Example description"
      scope              = "REGIONAL"
      ip_address_version = "IPV4"
      addresses          = []
    }
  ]

  tags = module.tags.tags
}
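The usage block above passes its rules in as var.web_acl_rules without showing what they contain, and the module types that input as any. As an added example that is not part of the module or its documentation, the following shows the rule shapes accepted by the aws_wafv2_web_acl resource the module manages: an AWS managed rule group enforced first, then an allow rule for an IP set, with every unmatched request falling to the same default action of block used above. The resource name, the allowed_ip_set_arn variable and the metric names are assumed for illustration.

```hcl
variable "allowed_ip_set_arn" { type = string } # assumed; e.g. this module's ip_set_arn output
resource "aws_wafv2_web_acl" "example" { # added example, not the module's own code
  name  = "example-waf-web-acl"
  scope = "REGIONAL"
  default_action { # as in the usage block: a request no rule allows is blocked
    block {}
  }
  rule { # priority 0: managed rules are enforced before any allow decision
    name     = "aws-common-rules"
    priority = 0
    override_action { # none = keep the rule group's own block actions
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config { # per-rule metric: shows what this rule blocks
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }
  rule { # priority 1: allow-listed sources pass; all others hit the default block
    name     = "allow-ip-set"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = var.allowed_ip_set_arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-ip-set"
      sampled_requests_enabled   = true
    }
  }
  visibility_config { # web ACL level metrics, what web_acl_visibility_config sets
    cloudwatch_metrics_enabled = true
    metric_name                = "example-waf-web-acl"
    sampled_requests_enabled   = true
  }
}
```

Because the default action is block, an empty rule list means the associated resource receives no traffic at all; to observe the managed rule group before enforcing it, set its override_action to count {} and watch the aws-common-rules metric first.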

Requirements

Name Version
terraform >= 1.3, < 2.0.0
aws >= 4.0

Providers

Name Version
aws 5.8.0

Modules

No modules.

Resources

Name Type
aws_wafv2_ip_set.this resource
aws_wafv2_web_acl.this resource
aws_wafv2_web_acl_association.this resource

Inputs

  • association_resource_arns (list(string), default [], optional): The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool.
  • create_web_acl (bool, default true, optional): Whether to create the WAF Web ACL.
  • ip_set (list(object), default [], optional): Configuration for WAFv2 IP Sets. Each object has:
      name (string, required): A friendly name of the IP set.
      description (string, default "Terraform managed IP Set configuration"): A friendly description of the IP set.
      scope (string, default "REGIONAL"): Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL.
      ip_address_version (string, default "IPV4"): Valid values are IPV4 or IPV6.
      addresses (list(string), default []): Zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
  • tags (map(string), default {}, optional): A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
  • web_acl_custom_response_body (list(object({ key = string, content = string, content_type = string })), default [], optional): Defines custom response bodies that can be referenced by custom_response actions.
  • web_acl_default_action (string, required): Action to perform if none of the rules contained in the WebACL match. Options are allow or block.
  • web_acl_description (string, default "Terraform managed Web ACL Configuration", optional): Description of the WebACL.
  • web_acl_name (string, required): Name of the WAFv2 Web ACL.
  • web_acl_rules (any, default [], optional): Rule blocks used to identify the web requests that you want to allow, block, or count.
  • web_acl_scope (string, default "REGIONAL", optional): Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL.
  • web_acl_visibility_config (object, required): Defines and enables Amazon CloudWatch metrics and web request sample collection. Object fields: cloudwatch_metrics_enabled (bool, default true), metric_name (string, required), sampled_requests_enabled (bool, default true).

Outputs

Name Description
arn The ARN of the WAF WebACL.
capacity Web ACL capacity units (WCUs) currently being used by this web ACL.
id The ID of the WAF WebACL.
ip_set_arn The IP Set ARN
tags_all Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Git commits

While contributing or making a git commit, specify in your commit message whether the change is a major, minor or patch version bump.

For example:

git commit -m "your commit message #major"

Specifying this tag bumps the version accordingly; if you do not specify one, the commit is treated as a patch and the patch version is bumped.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Tests

  • Tests are available in the test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
    go get github.com/gruntwork-io/terratest/modules/terraform
  • Now execute the test
    go test -timeout 30m

Authors

This project is authored by:

  • SourceFuse ARC Team