
terraform-aws-arc-waf¶
Module:
sourcefuse/arc-waf/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-waf/aws
Category: Security / WAF
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶
Creates AWS WAFv2 web ACLs with managed rule groups, custom rules, IP sets, and resource associations for CloudFront or regional resources.
Architecture¶

What It Does¶
- WAFv2 web ACL with REGIONAL or CLOUDFRONT scope
- AWS managed rule groups (Core, Known Bad Inputs, SQL injection, etc.)
- Custom rate-based and byte match rules
- IP set creation and management
- Web ACL association with ALB, API Gateway, or CloudFront
- CloudWatch metrics and sampled requests logging
- Default allow or block action
For more information about this repository and its usage, please see Terraform AWS ARC WAF Module Usage Guide.
Quickstart¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
web_acl_name |
string |
WAF web ACL name |
web_acl_scope |
string |
REGIONAL or CLOUDFRONT |
web_acl_default_action |
string |
allow or block |
| ## Key Outputs |
| Name | Description |
|---|---|
web_acl_id |
WAF web ACL ID |
web_acl_arn |
WAF web ACL ARN |
web_acl_capacity |
WAF capacity units consumed |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.3, < 2.0.0 |
| aws | >= 4.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 5.8.0 |
Modules¶
No modules.
Resources¶
| Name | Type |
|---|---|
| aws_wafv2_ip_set.this | resource |
| aws_wafv2_web_acl.this | resource |
| aws_wafv2_web_acl_association.this | resource |
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| association_resource_arns | The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool. |
list(string) |
[] |
no |
| create_web_acl | A Boolean indicates whether to create WAF Web ACL or not | bool |
true |
no |
| ip_set | Configuration for WAFv2 IP Set. * name: A friendly name of the IP set. * description: A friendly description of the IP set. Default is "Terraform managed IP Set configuration." * scope: Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. Default is "REGIONAL." * ip_address_version: Specify IPV4 or IPV6. Valid values are IPV4 or IPV6. Default is "IPV4." * addresses: Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0. |
list(object({ |
[] |
no |
| tags | A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. | map(string) |
{} |
no |
| web_acl_custom_response_body | Defines custom response bodies that can be referenced by custom_response actions | list(object({ |
[] |
no |
| web_acl_default_action | Action to perform if none of the rules contained in the WebACL match. Options are allow or block |
string |
n/a | yes |
| web_acl_description | Description of the WebACL | string |
"Terraform managed Web ACL Configuration" |
no |
| web_acl_name | Name of the WAFv2 Web ACL | string |
n/a | yes |
| web_acl_rules | Rule blocks used to identify the web requests that you want to allow, block, or count | any |
[] |
no |
| web_acl_scope | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL | string |
"REGIONAL" |
no |
| web_acl_visibility_config | Defines and enables Amazon CloudWatch metrics and web request sample collection | object({ |
n/a | yes |
Outputs¶
| Name | Description |
|---|---|
| arn | The ARN of the WAF WebACL. |
| capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
| id | The ID of the WAF WebACL. |
| ip_set_arn | The IP Set ARN |
| tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
Git commits¶
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
Development¶
Prerequisites¶
Configurations¶
- Configure pre-commit hooks
Tests¶
- Tests are available in
testdirectory - Configure the dependencies
- Now execute the test
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse ARC Team