{"id":31921713,"url":"https://github.com/cruxstack/terraform-aws-waf-webaclv2","last_synced_at":"2026-02-19T06:01:34.403Z","repository":{"id":318369889,"uuid":"1071014597","full_name":"cruxstack/terraform-aws-waf-webaclv2","owner":"cruxstack","description":"Terraform module to configure WAF Web ACL V2 for Application Load Balancer or Cloudfront distribution.","archived":false,"fork":false,"pushed_at":"2025-10-21T17:07:37.000Z","size":107,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-21T17:44:11.355Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cruxstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-06T18:42:05.000Z","updated_at":"2025-10-21T17:07:23.000Z","dependencies_parsed_at":"2025-10-21T17:31:13.838Z","dependency_job_id":"70b11406-d985-447b-b4a1-b1e83cea1f66","html_url":"https://github.com/cruxstack/terraform-aws-waf-webaclv2","commit_stats":null,"previous_names":["cruxstack/terraform-aws-waf-webaclv2"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/cruxstack/terraform-aws-waf-webaclv2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-aws-waf-webaclv2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-aws-waf-webaclv2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-aws-waf-webaclv2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-aws-waf-webaclv2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cruxstack","download_url":"https://codeload.github.com/cruxstack/terraform-aws-waf-webaclv2/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-aws-waf-webaclv2/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29604552,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T05:11:50.834Z","status":"ssl_error","status_checked_at":"2026-02-19T05:11:38.921Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T22:50:18.607Z","updated_at":"2026-02-19T06:01:34.394Z","avatar_url":"https://github.com/cruxstack.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# terraform-aws-waf-webaclv2\n\nTerraform module to configure WAF Web ACL V2 for Application Load Balancer or\nCloudfront distribution.\n\nSupported WAF v2 components:\n\n- [AWS-managed rules](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)\n- Associating WAFv2 ACL with one or more Application Load Balancers (ALB)\n- Blocking IP Sets\n- Rate limiting IPs (and optional scope down statements)\n- Byte Match statements\n- Geo set statements\n- Logical Statements (AND, OR, NOT)\n- Size constraint statements\n- Label Match statements\n- Regex Match statements\n- Regex Pattern Match statements\n- Custom responses\n- Attach Custom Rule Groups\n\n## Usage\n\n```hcl\nmodule \"waf\" {\n  source = \"github.com/cruxstack/terraform-aws-waf-webaclv2?ref=v1.x.x\"\n\n  name_prefix          = \"test-waf-setup\"\n  scope                = \"REGIONAL\"\n  allow_default_action = true # set to allow if not specified\n\n  visibility_config = {\n    metric_name = \"test-waf-setup-waf-main-metrics\"\n  }\n\n  rules = [\n    {\n      name     = \"AWSManagedRulesCommonRuleSet-rule-1\"\n      priority = \"1\"\n\n      override_action = \"none\"\n\n      visibility_config = {\n        metric_name                = \"AWSManagedRulesCommonRuleSet-metric\"\n      }\n\n      managed_rule_group_statement = {\n        name        = \"AWSManagedRulesCommonRuleSet\"\n        vendor_name = \"AWS\"\n        rule_action_overrides = [\n          {\n            action_to_use = {\n              count = {}\n            }\n\n            name = \"SizeRestrictions_QUERYSTRING\"\n          },\n          {\n            action_to_use = {\n              count = {}\n            }\n\n            name = \"SizeRestrictions_BODY\"\n          },\n          {\n            action_to_use = {\n              count = {}\n            }\n\n            name = \"GenericRFI_QUERYARGUMENTS\"\n          }\n        ]\n      }\n    },\n\n    {\n      name     = \"AWSManagedRulesKnownBadInputsRuleSet-rule-2\"\n      priority = \"2\"\n\n      override_action = \"count\"\n\n      visibility_config = {\n        metric_name = \"AWSManagedRulesKnownBadInputsRuleSet-metric\"\n      }\n\n      managed_rule_group_statement = {\n        name        = \"AWSManagedRulesKnownBadInputsRuleSet\"\n        vendor_name = \"AWS\"\n      }\n    },\n\n    {\n      name     = \"AWSManagedRulesPHPRuleSet-rule-3\"\n      priority = \"3\"\n\n      override_action = \"none\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"AWSManagedRulesPHPRuleSet-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      managed_rule_group_statement = {\n        name        = \"AWSManagedRulesPHPRuleSet\"\n        vendor_name = \"AWS\"\n      }\n    },\n\n    ### Byte Match Rule example\n    # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#byte-match-statement\n    # for all of the options available.\n    # Additional examples available in the examples directory\n    {\n      name     = \"ByteMatchRule-4\"\n      priority = \"4\"\n\n      action = \"count\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"ByteMatchRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      byte_match_statement = {\n        field_to_match = {\n          uri_path = \"{}\"\n        }\n        positional_constraint = \"STARTS_WITH\"\n        search_string         = \"/path/to/match\"\n        priority              = 0\n        type                  = \"NONE\"\n      }\n    },\n\n    ### Geo Match Rule example\n    {\n      name     = \"GeoMatchRule-5\"\n      priority = \"5\"\n\n      action = \"allow\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"GeoMatchRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      geo_match_statement = {\n        country_codes = [\"NL\", \"GB\", \"US\"]\n      }\n    },\n\n    ### IP Set Rule example\n    {\n      name     = \"IpSetRule-6\"\n      priority = \"6\"\n\n      action = \"allow\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"IpSetRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      ip_set_reference_statement = {\n        arn = \"arn:aws:wafv2:eu-west-1:111122223333:regional/ipset/ip-set-test/a1bcdef2-1234-123a-abc0-1234a5bc67d8\"\n      }\n    },\n\n    ### IP Rate Based Rule example\n    {\n      name     = \"IpRateBasedRule-7\"\n      priority = \"7\"\n\n      action = \"block\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"IpRateBasedRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      rate_based_statement = {\n        limit              = 100\n        aggregate_key_type = \"IP\"\n        # Optional scope_down_statement to refine what gets rate limited\n        scope_down_statement = {\n          not_statement = {\n            byte_match_statement = {\n              field_to_match = {\n                uri_path = \"{}\"\n              }\n              positional_constraint = \"STARTS_WITH\"\n              search_string         = \"/path/to/match\"\n              priority              = 0\n              type                  = \"NONE\"\n            }\n          }\n        }\n      }\n    },\n\n    ### NOT rule example (can be applied to byte_match, geo_match, and ip_set rules)\n    {\n      name     = \"NotByteMatchRule-8\"\n      priority = \"8\"\n\n      action = \"count\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"NotByteMatchRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      not_statement = {\n        byte_match_statement = {\n          field_to_match = {\n            uri_path = \"{}\"\n          }\n          positional_constraint = \"STARTS_WITH\"\n          search_string         = \"/path/to/match\"\n          priority              = 0\n          type                  = \"NONE\"\n        }\n      }\n    },\n\n    ### Regex Match Rule example\n    {\n      name     = \"RegexMatchRule-9\"\n      priority = \"9\"\n\n      action = \"allow\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"RegexMatchRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      byte_match_statement = {\n          field_to_match = {\n            uri_path = \"{}\"\n          }\n          regex_string         = \"/foo/\"\n          priority              = 0\n          type                  = \"NONE\"\n        }\n\n    ### Attach Custom Rule Group example\n    {\n      name     = \"CustomRuleGroup-1\"\n      priority = \"9\"\n\n      override_action = \"none\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"CustomRuleGroup-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      rule_group_reference_statement = {\n        arn = \"arn:aws:wafv2:eu-west-1:111122223333:regional/rulegroup/rulegroup-test/a1bcdef2-1234-123a-abc0-1234a5bc67d8\"\n      }\n\n    ### Regex Match Rule example\n    {\n      name     = \"RegexMatchRule-9\"\n      priority = \"9\"\n\n      action = \"allow\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"RegexMatchRule-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      byte_match_statement = {\n          field_to_match = {\n            uri_path = \"{}\"\n          }\n          regex_string         = \"/foo/\"\n          priority              = 0\n          type                  = \"NONE\"\n        }\n\n    ### Attach Custom Rule Group example\n    {\n      name     = \"CustomRuleGroup-1\"\n      priority = \"9\"\n\n      override_action = \"none\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = false\n        metric_name                = \"CustomRuleGroup-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      rule_group_reference_statement = {\n        arn = \"arn:aws:wafv2:eu-west-1:111122223333:regional/rulegroup/rulegroup-test/a1bcdef2-1234-123a-abc0-1234a5bc67d8\"\n      }\n    },\n\n    ### Size constraint Rule example\n    # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#size-constraint-statement\n    # for all of the options available.\n    # Additional examples available in the examples directory\n    {\n      name     = \"BodySizeConstraint\"\n      priority = 0\n      size_constraint_statement = {\n        field_to_match = {\n          body = \"{}\"\n        }\n        comparison_operator = \"GT\"\n        size                = 8192\n        priority            = 0\n        type                = \"NONE\"\n      }\n\n      action = \"count\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = true\n        metric_name                = \"BodySizeConstraint\"\n        sampled_requests_enabled   = true\n      }\n    },\n\n    ### Regex Pattern Set Reference Rule example\n    # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#regex-pattern-set-reference-statement\n    # for all of the options available.\n    # Additional examples available in the examples directory\n    {\n      name = \"MatchRegexRule-1\"\n      priority = \"1\"\n\n      action = \"none\"\n\n      visibility_config = {\n        cloudwatch_metrics_enabled = true\n        metric_name                = \"RegexBadBotsUserAgent-metric\"\n        sampled_requests_enabled   = false\n      }\n\n      # You need to previously create you regex pattern\n      # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set\n      # for all of the options available.\n      regex_pattern_set_reference_statement = {\n        arn       = aws_wafv2_regex_pattern_set.example.arn\n        field_to_match = {\n          single_header = {\n            name = \"user-agent\"\n          }\n        }\n        priority  = 0\n        type      = \"LOWERCASE\" # The text transformation type\n      }\n    }\n  ]\n\n  tags = {\n    \"Name\" = \"test-waf-setup\"\n    \"Env\"  = \"test\"\n  }\n}\n```\n\n### WAFv2 for CloudFront\n\n```hcl\nmodule \"waf\" {\n  source = \"github.com/cruxstack/terraform-aws-waf-webaclv2?ref=v1.x.x\"\n\n  name_prefix = \"test-waf-setup-cloudfront\"\n  scope       = \"CLOUDFRONT\"\n\n  // ...\n}\n```\n\n## Logging configuration\n\nWhen you enable logging configuration for WAFv2. Remember to follow the naming\nconvention defined in [AWS's documentation](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html).\nImportantly, make sure that Amazon Kinesis Data Firehose is using a name\nstarting with the prefix `aws-waf-logs-`.\n\n## Acknowledgment\n\nThis module was initially derived from [uMotif’s terraform-aws-waf-webaclv2](https://github.com/umotif-public/terraform-aws-waf-webaclv2).\nSignificant modifications and refactoring have been made in this repository.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcruxstack%2Fterraform-aws-waf-webaclv2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcruxstack%2Fterraform-aws-waf-webaclv2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcruxstack%2Fterraform-aws-waf-webaclv2/lists"}