Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/mblomsterberg/terraform-aws-wafv2-module

Terraform module to create a WAFv2 WebACL with pre-configured rules

aws terraform-module wafv2

README
# terraform-aws-wafv2-module

Terraform Module for AWS WAFv2 creation.

Github Workflows · Repository Configuration · Versioning

# About
This Terraform module creates an AWS WAFv2 WebACL with associated rules and conditions.

## Limitations
1. Regional vs Global rules: this module only supports `regional` rules for now.
2. Recursive rules are not supported by this module (`and_statement`, `not_statement` and `or_statement`).
3. Statements not yet implemented:
   * `label_match_statement`
   * `regex_match_statement`
   * `size_constraint_statement`
   * `sqli_match_statement`
   * `xss_match_statement`
   * `managed_rule_group_statement`
   * `rule_group_reference_statement`

# Contact
**Github** [mBlomsterberg](https://github.com/mBlomsterberg)

# Repository overview
| File | Description |
| ------------------ | ------------- |
| .github/ISSUE_TEMPLATE | Configuring issue templates for your repository |
| .github/pull_request_template.yml | Configuring default PR template for your repository |
| .github/dependabot.yml | Customize how Dependabot maintains your repositories |
| CODE_OF_CONDUCT.md | Defines standards for how to engage in a community |
| CONTRIBUTING.md | Contribution guidelines to your project's repository |
| SECURITY.md | To give people instructions on how to report security vulnerabilities |
| SUPPORT.md | Let people know about ways to get help with your project |
| CODEOWNERS | Define individuals or teams that are responsible for code in a repository |
| LICENSE | A software license tells others what they can and can't do with your source code |

# Contribution guidelines
Should your repository be open to external contributors or onboarding new members, you can create guidelines that communicate how people should contribute to your project. [Example](https://github.com/github/docs/blob/main/CONTRIBUTING.md).

# Code of Conduct

This project has adopted the Hanayama Co. Code of Conduct. For more information, see the Code of Conduct FAQ or contact [mBlomsterberg](https://github.com/mBlomsterberg) with any additional questions or comments.

# License

Copyright (c) mBlomsterberg. All rights reserved.

Licensed under the MIT license.


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | <= 1.5.5 |
| [aws](#requirement\_aws) | ~> 5.57.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | ~> 5.57.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_wafv2_web_acl.regional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [association\_config](#input\_association\_config) | (Optional) Configuration block defining the association configuration. | `object` (see below) | `null` | no |
| [captcha\_config](#input\_captcha\_config) | (Optional) Configuration block defining the captcha configuration. | `object` (see below) | `null` | no |
| [challenge\_config](#input\_challenge\_config) | (Optional) Configuration block defining the challenge configuration. | `object` (see below) | `null` | no |
| [custom\_response\_bodies](#input\_custom\_response\_bodies) | (Optional) Configuration block to define custom response body. | `list(object)` (see below) | `[]` | no |
| [default\_action](#input\_default\_action) | (Required) Configuration block defining the default action to take when a request doesn't match any rule. | `object` (see below) | `{ "allow": null, "block": {} }` | no |
| [description](#input\_description) | (Optional) The description of the WAF WebACL. | `string` | `null` | no |
| [name](#input\_name) | (Required) The name of the WAF WebACL. | `string` | n/a | yes |
| [rules](#input\_rules) | (Optional) Configuration block defining a rule. | `list(object)` (see below) | `null` | no |
| [scope](#input\_scope) | (Optional) The scope of the WAF WebACL. Valid values are REGIONAL or CLOUDFRONT. Defaults to REGIONAL. | `string` | `"REGIONAL"` | no |
| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |
| [visibility\_config](#input\_visibility\_config) | (Optional) Configuration block to enable CloudWatch metrics and sample requests. | `object` (see below) | `{ "cloudwatch_metrics_enabled": false, "metric_name": "test_allowed_ips", "sampled_requests_enabled": false }` | no |

Full type definitions for the object-typed inputs:

`association_config`:

```hcl
object({
  request_body = optional(object({
    cloudfront = optional(object({
      default_size_inspection_limit = string
    }), null)
    api_gateway = optional(object({
      default_size_inspection_limit = string
    }), null)
    app_runner_service = optional(object({
      default_size_inspection_limit = string
    }), null)
    cognito_user_pool = optional(object({
      default_size_inspection_limit = string
    }), null)
    verified_access_instance = optional(object({
      default_size_inspection_limit = string
    }), null)
  }), null)
})
```

`captcha_config`:

```hcl
object({
  immunity_time_property = optional(object({
    immunity_time = optional(number, 300)
  }), null)
})
```

`challenge_config`:

```hcl
object({
  immunity_time_property = optional(object({
    immunity_time = optional(number, 300)
  }), null)
})
```

`custom_response_bodies`:

```hcl
list(object({
  key          = string
  content      = string
  content_type = string
}))
```

`default_action`:

```hcl
object({
  allow = optional(object({
    custom_request_handling = optional(object({
      insert_header = optional(object({
        name  = string
        value = string
      }), null)
    }), null)
  }), null)
  block = optional(object({
    custom_response = optional(object({
      custom_response_body_key = string
      response_code            = string
      response_header          = optional(map(any), null)
    }), null)
  }), null)
})
```

`rules`:

```hcl
list(object({
  name = string
  captcha_config = optional(object({
    immunity_time_property = optional(object({
      immunity_time = optional(number, 300)
    }), null)
  }), null)

  action = optional(object({
    allow = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    block = optional(object({
      custom_response = optional(object({
        custom_response_body_key = string
        response_code            = string
        response_header          = optional(map(any), null)
      }), null)
    }), null)
    captcha = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    challenge = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
    count = optional(object({
      custom_request_handling = optional(object({
        insert_header = optional(object({
          name  = string
          value = string
        }), null)
      }), null)
    }), null)
  }), null)

  priority = number
  override_action = optional(object({
    count = optional(object({}), null)
    none  = optional(object({}), null)
  }), null)
  rule_label = optional(object({
    name = string
  }), null)

  statement = object({
    rate_based_statement = optional(object({
      limit                 = number
      aggregate_key_type    = string
      evaluation_window_sec = optional(number, null)
      custom_key = optional(object({
        cookies           = optional(object({}), null)
        query_string_keys = optional(list(string), null)
        single_header     = optional(list(string), null)
        single_query_arg  = optional(list(string), null)
        uri_path          = optional(list(string), null)
      }), null)
      scope_down_statement = optional(object({
        geo_match_statement = optional(object({
          country_codes = optional(list(string), null)
          forward_ip_config = optional(object({
            header_name = optional(string, null)
            position    = optional(string, null)
          }), null)
        }), null)
        byte_match_statement = optional(object({
          field_to_match = optional(object({
            data = optional(string, null)
            type = optional(string, null)
          }), null)
          positional_constraint = optional(string, null)
          search_string         = optional(string, null)
        }), null)
      }), null)
      forwarded_ip_config = optional(object({
        header_name       = optional(string, null)
        fallback_behavior = optional(string, null)
      }), null)
    }), null)

    ip_set_reference_statement = optional(object({
      arn = string
      forward_ip_config = optional(object({
        header_name       = optional(string, null)
        fallback_behavior = optional(string, null)
      }), null)
    }), null)

    rule_group_reference_statement = optional(object({
      arn = string
      rule_action_override = optional(object({
        name = string
        action_to_use = object({
          allow = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          block = optional(object({
            custom_response = optional(object({
              custom_response_body_key = string
              response_code            = string
              response_header          = optional(map(any), null)
            }), null)
          }), null)
          captcha = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          challenge = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
          count = optional(object({
            custom_request_handling = optional(object({
              insert_header = optional(object({
                name  = string
                value = string
              }), null)
            }), null)
          }), null)
        })
      }), null)
    }), null)

    byte_match_statement = optional(object({
      field_to_match = optional(object({
        all_query_arguments = optional(object({}), null)
        body = optional(object({
          oversize_handling = optional(string, null)
        }), null)
        cookies = optional(object({
          match_pattern = optional(object({
            all              = optional(object({}), null)
            included_cookies = optional(list(string), null)
            excluded_cookies = optional(list(string), null)
          }), null)
          match_scope       = optional(string, null)
          oversize_handling = optional(string, null)
        }), null)
        header_order = optional(object({
          oversize_handling = optional(string, null)
        }), null)
        headers = optional(object({
          match_pattern = optional(object({
            all              = optional(object({}), null)
            included_headers = optional(list(string), null)
            excluded_headers = optional(list(string), null)
          }), null)
          match_scope       = optional(string, null)
          oversize_handling = optional(string, null)
        }), null)
        ja3_fingerprint = optional(object({
          fallback_behavior = string
        }), null)
        json_body = optional(object({
          match_pattern = optional(object({
            all            = optional(object({}), null)
            included_paths = optional(list(string), null)
          }), null)
          match_scope               = optional(string, null)
          invalid_fallback_behavior = optional(string, null)
          oversize_handling         = optional(string, null)
        }), null)
        method = optional(object({}), null)
        query_string = optional(object({
          match_pattern = optional(object({
            all                    = optional(list(object({})), null)
            included_query_strings = optional(list(string), null)
            excluded_query_strings = optional(list(string), null)
          }), null)
          oversize_handling = optional(string, null)
        }), null)
        single_header = optional(object({
          name = string
        }), null)
        single_query_argument = optional(object({
          name = string
        }), null)
        uri_path = optional(object({}), null)
      }), null)
      positional_constraint = optional(string, null)
      search_string         = optional(string, null)
      text_transformation = optional(list(object({
        priority = optional(number, null)
        type     = optional(string, null)
      })), null)
    }), null)

    geo_match_statement = optional(object({
      country_codes = optional(list(string), null)
      forward_ip_config = optional(object({
        header_name = optional(string, null)
        position    = optional(string, null)
      }), null)
    }), null)
  })

  visibility_config = optional(object({
    cloudwatch_metrics_enabled = optional(bool, false)
    sampled_requests_enabled   = optional(bool, false)
    metric_name                = optional(string, "test_allowed_ips")
  }), null)
}))
```

`visibility_config`:

```hcl
object({
  cloudwatch_metrics_enabled = bool
  sampled_requests_enabled   = bool
  metric_name                = string
})
```
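As an added example (not part of the module's own README), a root module invocation that follows the input schema above: a rate-based rule that blocks per source IP, and a byte-match rule left in count mode so its CloudWatch metric can be reviewed before it is promoted to block. The `source` ref tag, the ACL and rule names, and the `/admin` path are constructed assumptions.

```hcl
module "waf" {
  # Assumed source: pin a release tag so the ACL definition cannot drift between runs.
  source = "git::https://github.com/mblomsterberg/terraform-aws-wafv2-module.git?ref=vX.Y.Z" # placeholder tag
  name        = "api-edge-acl"
  description = "Regional WebACL for the public API"
  scope       = "REGIONAL" # only regional ACLs are supported (see Limitations)
  # Allow by default; each rule below carves out an exception.
  default_action = { allow = {}, block = null }
  rules = [
    {
      # Block any single source IP that exceeds 1000 requests in a 5-minute window.
      name      = "rate-limit-per-ip"
      priority  = 10
      action    = { block = {} }
      statement = {
        rate_based_statement = {
          limit                 = 1000
          aggregate_key_type    = "IP"
          evaluation_window_sec = 300
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rate_limit_per_ip"
      }
    },
    {
      # Count (do not block) hits on the admin path; promote to block once the metric shows no legitimate matches.
      name      = "count-admin-path"
      priority  = 20
      action    = { count = {} }
      statement = {
        byte_match_statement = {
          field_to_match        = { uri_path = {} }
          positional_constraint = "STARTS_WITH"
          search_string         = "/admin"
          text_transformation   = [{ priority = 0, type = "LOWERCASE" }]
        }
      }
    },
  ]
  # ACL-level metrics; the rule-level block above gives per-rule counts.
  visibility_config = {
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
    metric_name                = "api_edge_acl"
  }
}
```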

## Outputs

No outputs.