tfstack/terraform-aws-wafv2

# Terraform AWS WAFv2

Terraform module to create and manage AWS WAFv2 Web ACLs and resource associations

## Documentation

### Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 6.0.0 |

### Providers

No providers.

### Modules

| Name | Source | Version |
|------|--------|---------|
| association | ./modules/associate-regional | n/a |
| web_acl | ./modules/web-acl | n/a |

### Resources

No resources.

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alarm_sns_topic_arn | SNS topic ARN for WAF alarms | `string` | `null` | no |
| alarm_threshold | Threshold for WAF rule alarms | `number` | `10` | no |
| custom_response_bodies | Custom response bodies for WAF rules | `map(object)` (full type below) | `{}` | no |
| default_action | Default action for the Web ACL (allow or block) | `string` | `"allow"` | no |
| default_managed_rule_sets | Enable/disable default managed rule sets | `object` (full type below) | `{}` | no |
| default_rules | Enable/disable default security rules | `object` (full type below) | `{}` | no |
| description | Description for the Web ACL | `string` | `null` | no |
| enable_monitoring | Enable CloudWatch monitoring (alarms + dashboard) for all rules | `bool` | `false` | no |
| ip_sets | IP sets that can be referenced in rules | `map(object)` (full type below) | `{}` | no |
| logging | Logging configuration for the Web ACL | `object` (full type below) | `{"enabled": false}` | no |
| managed_rule_sets | AWS managed rule sets to include | `list(object)` (full type below) | `[]` | no |
| name_prefix | Name prefix for the Web ACL | `string` | n/a | yes |
| resource_arns | List of resource ARNs to associate with the Web ACL | `list(string)` | `[]` | no |
| rules | WAF rules to apply (in priority order) | `list(object)` (full type below) | `[]` | no |
| scope | Scope of the Web ACL (REGIONAL or CLOUDFRONT) | `string` | `"REGIONAL"` | no |
| tags | Tags to apply to resources | `map(string)` | `{}` | no |

Full type definitions for the object-valued inputs:

`custom_response_bodies`

```hcl
map(object({
  key          = string
  content      = string
  content_type = string
}))
```

`default_managed_rule_sets`

```hcl
object({
  core_rule_set    = optional(bool, false)
  known_bad_inputs = optional(bool, false)
  sql_injection    = optional(bool, false)
  ip_reputation    = optional(bool, false)
  anonymous_ip     = optional(bool, false)
})
```

`default_rules`

```hcl
object({
  block_disallowed_methods = optional(bool, false)
  general_rate_limit       = optional(bool, false)
})
```

`ip_sets`

```hcl
map(object({
  name               = string
  ip_address_version = optional(string, "IPV4")
  addresses          = list(string)
}))
```

`logging`

```hcl
object({
  enabled                   = optional(bool, false)
  cloudwatch_log_group_name = optional(string, null)
  cloudwatch_retention_days = optional(number, 30)
  s3_bucket_name            = optional(string, null)
  s3_bucket_prefix          = optional(string, "")
  kinesis_firehose_arn      = optional(string, null)
  kinesis_firehose_role_arn = optional(string, null)
  redacted_fields           = optional(list(string), [])
  destroy_log_group         = optional(bool, false)
  sampled_requests_enabled  = optional(bool, true)

  # Advanced logging filter configuration
  logging_filter = optional(object({
    default_behavior = string # "KEEP" or "DROP"
    filters = optional(list(object({
      behavior = string # "KEEP" or "DROP"
      conditions = list(object({
        action_condition = optional(object({
          action = string # "ALLOW", "BLOCK", "COUNT"
        }), null)
        label_name_condition = optional(object({
          label_name = string
        }), null)
      }))
      requirement = string # "MEETS_ALL" or "MEETS_ANY"
    })), [])
  }), null)
})
```

`managed_rule_sets`

```hcl
list(object({
  name                  = string
  priority              = number
  rule_group_name       = string
  override_action       = optional(string, "none")
  rule_action_overrides = optional(map(string), {})
}))
```

`rules`

```hcl
list(object({
  name                     = string
  priority                 = number
  action                   = string
  statement_type           = string
  search_string            = optional(string, null)
  field_to_match           = optional(string, null)
  text_transformation      = optional(string, "NONE")
  positional_constraint    = optional(string, "EXACTLY")
  header_name              = optional(string, null)
  size                     = optional(number, null)
  comparison_operator      = optional(string, null)
  limit                    = optional(number, null)
  aggregate_key_type       = optional(string, null)
  evaluation_window_sec    = optional(number, null)
  ip_set_arn               = optional(string, null)
  country_codes            = optional(list(string), null)
  regex_string             = optional(string, null)
  custom_response_body_key = optional(string, null)
  response_code            = optional(number, null)
  response_headers         = optional(map(string), {})
  negated                  = optional(bool, false)
}))
```
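An added usage example, not taken from this module's README, wiring the inputs above into one Web ACL: the module source path, log group name and ARNs are assumed placeholders, and `AWSManagedRulesSQLiRuleSet` is an AWS managed rule group name rather than a value the input table prescribes.

```hcl
module "waf" {
  # Assumed source path; pin to a release tag in real use.
  source = "github.com/tfstack/terraform-aws-wafv2"

  name_prefix    = "example-app"
  scope          = "REGIONAL"
  default_action = "allow"

  # Built-in managed rule groups, toggled through the defaults object.
  default_managed_rule_sets = {
    core_rule_set    = true
    known_bad_inputs = true
    ip_reputation    = true
  }

  # Baseline rules shipped with the module.
  default_rules = {
    block_disallowed_methods = true
    general_rate_limit       = true
  }

  # Extra AWS managed group run in count mode first, so its hits show up in logs before it blocks.
  managed_rule_sets = [{
    name            = "sqli-trial"
    priority        = 50
    rule_group_name = "AWSManagedRulesSQLiRuleSet"
    override_action = "count"
  }]

  # Keep only blocked and counted requests in CloudWatch; allowed traffic is dropped to cut volume.
  logging = {
    enabled                   = true
    cloudwatch_log_group_name = "aws-waf-logs-example-app" # constructed name
    cloudwatch_retention_days = 90
    logging_filter = {
      default_behavior = "DROP"
      filters = [{
        behavior    = "KEEP"
        requirement = "MEETS_ANY"
        conditions = [
          { action_condition = { action = "BLOCK" } },
          { action_condition = { action = "COUNT" } },
        ]
      }]
    }
  }

  # Alarms on rule hits; both ARNs below are placeholders.
  enable_monitoring   = true
  alarm_sns_topic_arn = "arn:aws:sns:REGION:ACCOUNT_ID:waf-alerts"
  resource_arns       = ["arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/example/ID"]
}
```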

### Outputs

| Name | Description |
|------|-------------|
| associated_resources | List of associated resource ARNs |
| association_ids | Map of resource ARN to association ID |
| dashboard_url | CloudWatch dashboard URL |
| ip_set_arns | Map of IP set names to their ARNs |
| rule_alarms | WAF CloudWatch alarms |
| web_acl_arn | ARN of the Web ACL |
| web_acl_id | ID of the Web ACL |
| web_acl_name | Name of the Web ACL |
