39 | > Watch demo of using Atmos with Terraform
40 | > 
41 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
42 | >
43 |
44 |
45 |
46 |
47 |
48 | ## Usage
49 |
50 | For a complete example, see [examples/complete](examples/complete).
51 |
52 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
53 | (which tests and deploys the example on AWS), see [test](test).
54 |
55 | ```hcl
56 | module "label" {
57 | source = "cloudposse/label/null"
58 | # Cloud Posse recommends pinning every module to a specific version
59 | # version = "x.x.x"
60 |
61 | namespace = "eg"
62 | stage = "prod"
63 | name = "waf"
64 | delimiter = "-"
65 |
66 | tags = {
67 | "BusinessUnit" = "XYZ",
68 | }
69 | }
70 |
71 | module "waf" {
72 | source = "cloudposse/waf/aws"
73 | # Cloud Posse recommends pinning every module to a specific version
74 | # version = "x.x.x"
75 |
76 | geo_match_statement_rules = [
77 | {
78 | name = "rule-10"
79 | action = "count"
80 | priority = 10
81 |
82 | statement = {
83 | country_codes = ["NL", "GB"]
84 | }
85 |
86 | visibility_config = {
87 | cloudwatch_metrics_enabled = true
88 | sampled_requests_enabled = false
89 | metric_name = "rule-10-metric"
90 | }
91 | },
92 | {
93 | name = "rule-11"
94 | action = "allow"
95 | priority = 11
96 |
97 | statement = {
98 | country_codes = ["US"]
99 | }
100 |
101 | visibility_config = {
102 | cloudwatch_metrics_enabled = true
103 | sampled_requests_enabled = false
104 | metric_name = "rule-11-metric"
105 | }
106 | }
107 | ]
108 |
109 | context = module.label.context
110 | }
111 | ```
112 |
113 | > [!IMPORTANT]
114 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
115 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
116 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
117 | > approach for updating versions to avoid unexpected changes.
118 |
119 |
120 |
121 |
122 |
123 | ## Examples
124 |
125 | Here is an example of using this module:
126 | - [`examples/complete`](examples/complete) - complete example of using this module
127 |
128 |
129 |
130 |
131 |
132 | ## Requirements
133 |
134 | | Name | Version |
135 | |------|---------|
136 | | [terraform](#requirement\_terraform) | >= 1.3.0 |
137 | | [aws](#requirement\_aws) | >= 5.0 |
138 |
139 | ## Providers
140 |
141 | | Name | Version |
142 | |------|---------|
143 | | [aws](#provider\_aws) | >= 5.0 |
144 |
145 | ## Modules
146 |
147 | | Name | Source | Version |
148 | |------|--------|---------|
149 | | [ip\_set\_label](#module\_ip\_set\_label) | cloudposse/label/null | 0.25.0 |
150 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
151 |
152 | ## Resources
153 |
154 | | Name | Type |
155 | |------|------|
156 | | [aws_wafv2_ip_set.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource |
157 | | [aws_wafv2_web_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
158 | | [aws_wafv2_web_acl_association.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
159 | | [aws_wafv2_web_acl_logging_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration) | resource |
160 |
161 | ## Inputs
162 |
163 | | Name | Description | Type | Default | Required |
164 | |------|-------------|------|---------|:--------:|
165 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
166 | | [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer, Amazon API Gateway stage, or AWS AppSync.
Do not use this variable to associate a Cloudfront Distribution.
Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.
For more details, refer to https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html | `list(string)` | `[]` | no |
167 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
168 | | [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
positional\_constraint:
Area within the portion of a web request that you want AWS WAF to search for search\_string. Valid values include the following: EXACTLY, STARTS\_WITH, ENDS\_WITH, CONTAINS, CONTAINS\_WORD.
search\_string
String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field\_to\_match.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
169 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
170 | | [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.
The map keys are used as the `key` attribute which is a unique key identifying the custom response body.
content:
Payload of the custom response.
The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.
content\_type:
Content Type of Response Body.
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. | map(object({
content = string
content_type = string
})) | `{}` | no |
171 | | [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no |
172 | | [default\_block\_custom\_response\_body\_key](#input\_default\_block\_custom\_response\_body\_key) | References the default response body that you want AWS WAF to return to the web request client.
This must reference a key defined in a custom\_response\_body block of this resource.
Only takes effect if default\_action is set to `block`. | `string` | `null` | no |
173 | | [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default block action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no |
174 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
175 | | [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
176 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
177 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
178 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
179 | | [geo\_allowlist\_statement\_rules](#input\_geo\_allowlist\_statement\_rules) | A rule statement used to identify a list of allowed countries which should not be blocked by the WAF.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
180 | | [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
181 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
182 | | [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
arn:
The ARN of the IP Set that this statement references.
ip\_set:
Defines a new IP Set
description:
A friendly description of the IP Set
addresses:
Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.
All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.
ip\_address\_version:
Specify `IPV4` or `IPV6`
ip\_set\_forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
183 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
184 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
185 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
186 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
187 | | [log\_destination\_configs](#input\_log\_destination\_configs) | The Amazon Kinesis Data Firehose, CloudWatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL | `list(string)` | `[]` | no |
188 | | [logging\_filter](#input\_logging\_filter) | A configuration block that specifies which web requests are kept in the logs and which are dropped.
You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | object({
default_behavior = string
filter = list(object({
behavior = string
requirement = string
condition = list(object({
action_condition = optional(object({
action = string
}), null)
label_name_condition = optional(object({
label_name = string
}), null)
}))
}))
}) | `null` | no |
189 | | [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
name:
The name of the managed rule group.
vendor\_name:
The name of the managed rule group vendor.
version:
The version of the managed rule group.
You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.
rule\_action\_override:
Action settings to use in the place of the rule actions that are configured inside the rule group.
You specify one override for each rule whose action you want to change.
managed\_rule\_group\_configs:
Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config.
Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
override_action = optional(string)
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = object({
name = string
vendor_name = string
version = optional(string)
rule_action_override = optional(map(object({
action = string
custom_request_handling = optional(object({
insert_header = object({
name = string
value = string
})
}), null)
custom_response = optional(object({
response_code = string
response_header = optional(object({
name = string
value = string
}), null)
}), null)
})), null)
managed_rule_group_configs = optional(list(object({
aws_managed_rules_bot_control_rule_set = optional(object({
inspection_level = string
enable_machine_learning = optional(bool, true)
}), null)
aws_managed_rules_atp_rule_set = optional(object({
enable_regex_in_path = optional(bool)
login_path = string
request_inspection = optional(object({
payload_type = string
password_field = object({
identifier = string
})
username_field = object({
identifier = string
})
}), null)
response_inspection = optional(object({
body_contains = optional(object({
success_strings = list(string)
failure_strings = list(string)
}), null)
header = optional(object({
name = string
success_values = list(string)
failure_values = list(string)
}), null)
json = optional(object({
identifier = string
success_strings = list(string)
failure_strings = list(string)
}), null)
status_code = optional(object({
success_codes = list(string)
failure_codes = list(string)
}), null)
}), null)
}), null)
})), null)
})
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
190 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
191 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
192 | | [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
evaluation\_window\_sec:
The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
Valid values are 60, 120, 300, and 600. Defaults to 300 (5 minutes).
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
byte\_match\_statement:
field\_to\_match:
Part of a web request that you want AWS WAF to inspect.
positional\_constraint:
Area within the portion of a web request that you want AWS WAF to search for search\_string.
Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.
search\_string:
String value that you want AWS WAF to search for.
AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.
The maximum length of the value is 50 bytes.
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = object({
limit = number
aggregate_key_type = string
evaluation_window_sec = optional(number)
forwarded_ip_config = optional(object({
fallback_behavior = string
header_name = string
}), null)
scope_down_statement = optional(object({
byte_match_statement = object({
positional_constraint = string
search_string = string
field_to_match = object({
all_query_arguments = optional(bool)
body = optional(bool)
method = optional(bool)
query_string = optional(bool)
single_header = optional(object({ name = string }))
single_query_argument = optional(object({ name = string }))
uri_path = optional(bool)
})
text_transformation = list(object({
priority = number
type = string
}))
})
}), null)
})
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
193 | | [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.
You can only specify one of the following: `method`, `query_string`, `single_header`, or `uri_path`
method:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. | map(object({
method = optional(bool, false)
uri_path = optional(bool, false)
query_string = optional(bool, false)
single_header = optional(list(string), null)
})) | `{}` | no |
194 | | [regex\_match\_statement\_rules](#input\_regex\_match\_statement\_rules) | A rule statement used to search web request components for a match against a single regular expression.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
regex\_string:
String representing the regular expression. Minimum of 1 and maximum of 512 characters.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#field_to_match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
195 | | [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
196 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
197 | | [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
rule\_action\_override:
Action settings to use in the place of the rule actions that are configured inside the rule group.
You specify one override for each rule whose action you want to change.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
override_action = optional(string)
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = object({
arn = string
rule_action_override = optional(map(object({
action = string
custom_request_handling = optional(object({
insert_header = object({
name = string
value = string
})
}), null)
custom_response = optional(object({
response_code = string
response_header = optional(object({
name = string
value = string
}), null)
}), null)
})), null)
})
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
198 | | [scope](#input\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
Possible values are `CLOUDFRONT` or `REGIONAL`.
To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no |
199 | | [size\_constraint\_statement\_rules](#input\_size\_constraint\_statement\_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
comparison\_operator:
The operator to use to compare the request part to the size setting.
Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
size:
The size, in bytes, to compare to the request part, after any transformations.
Valid values are integers between `0` and `21474836480`, inclusive.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
200 | | [sqli\_match\_statement\_rules](#input\_sqli\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
201 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
202 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
203 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
204 | | [token\_domains](#input\_token\_domains) | Specifies the domains that AWS WAF should accept in a web request token.
This enables the use of tokens across multiple protected websites.
When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting.
If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource.
With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list,
including their prefixed subdomains. | `list(string)` | `null` | no |
205 | | [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | object({
cloudwatch_metrics_enabled = bool
metric_name = string
sampled_requests_enabled = bool
}) | n/a | yes |
206 | | [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
captcha\_config:
Specifies how AWS WAF should handle CAPTCHA evaluations.
immunity\_time\_property:
Defines custom immunity time.
immunity\_time:
The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
rule\_label:
A List of labels to apply to web requests that match the rule match statement
statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | list(object({
name = string
priority = number
action = string
captcha_config = optional(object({
immunity_time_property = object({
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
})) | `null` | no |
207 |
208 | ## Outputs
209 |
210 | | Name | Description |
211 | |------|-------------|
212 | | [arn](#output\_arn) | The ARN of the WAF WebACL. |
213 | | [capacity](#output\_capacity) | The web ACL capacity units (WCUs) currently being used by this web ACL. |
214 | | [id](#output\_id) | The ID of the WAF WebACL. |
215 | | [logging\_config\_id](#output\_logging\_config\_id) | The ARN of the WAFv2 Web ACL logging configuration. |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 | ## Related Projects
225 |
226 | Check out these related projects.
227 |
228 | - [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])
229 | - [terraform-aws-network-firewall](https://github.com/cloudposse/terraform-aws-network-firewall) - Terraform module to provision AWS Network Firewall resources
230 | - [terraform-aws-route53-resolver-dns-firewall](https://github.com/cloudposse/terraform-aws-route53-resolver-dns-firewall) - Terraform module to provision Route 53 Resolver DNS Firewall, domain lists, firewall rules, rule groups, and logging configurations
231 | - [terraform-aws-config](https://github.com/cloudposse/terraform-aws-config) - Terraform module to provision [AWS Config](https://aws.amazon.com/config/) and optionally set up an SNS topic to receive notifications of its findings
232 | - [terraform-aws-config-storage](https://github.com/cloudposse/terraform-aws-config-storage) - Terraform module that creates an S3 bucket suitable for storing AWS Config data
233 | - [terraform-aws-guardduty](https://github.com/cloudposse/terraform-aws-guardduty) - Terraform module that enables and configures AWS GuardDuty
234 | - [terraform-aws-security-hub](https://github.com/cloudposse/terraform-aws-security-hub) - Terraform module that enables and configures AWS Security Hub
235 |
236 |
237 | ## References
238 |
239 | For additional context, refer to some of these links.
240 |
241 | - [AWS WAF](https://aws.amazon.com/waf) - Protect your web applications from common exploits
242 | - [terraform-provider-aws](https://registry.terraform.io/providers/hashicorp/aws/latest) - Terraform AWS provider
243 | - [aws_wafv2_web_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html) - Creates a WAFv2 Web ACL resource
244 | - [aws_wafv2_web_acl_logging_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration.html) - Creates a WAFv2 Web ACL Logging Configuration
245 | - [aws_wafv2_ip_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) - Creates a WAFv2 Web ACL resource
246 |
247 |
248 |
249 | > [!TIP]
250 | > #### Use Terraform Reference Architectures for AWS
251 | >
252 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
253 | >
254 | > ✅ We build it together with your team.
255 | > ✅ Your team owns everything.
256 | > ✅ 100% Open Source and backed by fanatical support.
257 | >
258 | > 
259 | > 📚 Learn More
260 | >
261 | >
262 | >
263 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-waf&utm_content=commercial_support) for funded startups and enterprises.
264 | >
265 | > *Your team can operate like a pro today.*
266 | >
267 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
268 | > #### Day-0: Your Foundation for Success
269 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
270 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
271 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
272 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
273 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
274 | >
275 | >
276 | >
277 | > #### Day-2: Your Operational Mastery
278 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
279 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
280 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
281 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
282 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
283 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
284 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
285 | >
286 | >
287 | > 
299 |
300 |
301 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-waf/issues).
302 |
303 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
304 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-waf/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
305 | 2. **Fork** the repo on GitHub
306 | 3. **Clone** the project to your own machine
307 | 4. **Commit** changes to your own branch
308 | 5. **Push** your work back up to your fork
309 | 6. Submit a **Pull Request** so that we can review your changes
310 |
311 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
312 |
313 | ### 🌎 Slack Community
314 |
315 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-waf&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
316 |
317 | ### 📰 Newsletter
318 |
319 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-waf&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
320 | Dropped straight into your Inbox every week — and usually a 5-minute read.
321 |
322 | ### 📆 Office Hours 
323 |
324 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-waf&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
325 | It's **FREE** for everyone!
326 | ## License
327 |
328 | 
329 |
330 |
331 | Preamble to the Apache License, Version 2.0
332 |
333 |
334 |
335 | Complete license is available in the [`LICENSE`](LICENSE) file.
336 |
337 | ```text
338 | Licensed to the Apache Software Foundation (ASF) under one
339 | or more contributor license agreements. See the NOTICE file
340 | distributed with this work for additional information
341 | regarding copyright ownership. The ASF licenses this file
342 | to you under the Apache License, Version 2.0 (the
343 | "License"); you may not use this file except in compliance
344 | with the License. You may obtain a copy of the License at
345 |
346 | https://www.apache.org/licenses/LICENSE-2.0
347 |
348 | Unless required by applicable law or agreed to in writing,
349 | software distributed under the License is distributed on an
350 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
351 | KIND, either express or implied. See the License for the
352 | specific language governing permissions and limitations
353 | under the License.
354 | ```
355 |
356 |
357 | ## Trademarks
358 |
359 | All other trademarks referenced herein are the property of their respective owners.
360 |
361 |
362 | ## Copyrights
363 |
364 | Copyright © 2021-2025 [Cloud Posse, LLC](https://cloudposse.com)
365 |
366 |
367 |
368 | 
369 |
370 | 
371 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-waf
8 |
9 | # Logo for this project
10 | #logo: docs/logo.png
11 |
12 | # License of this project
13 | license: APACHE2
14 |
15 | # Copyrights
16 | copyrights:
17 | - name: Cloud Posse, LLC
18 | url: https://cloudposse.com
19 | year: '2021'
20 |
21 | # Canonical GitHub repo
22 | github_repo: cloudposse/terraform-aws-waf
23 |
24 | # Badges to display
25 | badges:
26 | - name: Latest Release
27 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-waf.svg?style=for-the-badge
28 | url: https://github.com/cloudposse/terraform-aws-waf/releases/latest
29 | - name: Last Updated
30 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-waf.svg?style=for-the-badge
31 | url: https://github.com/cloudposse/terraform-aws-waf/commits
32 | - name: Slack Community
33 | image: https://slack.cloudposse.com/for-the-badge.svg
34 | url: https://cloudposse.com/slack
35 |
36 | # List any related terraform modules that this module may be used with or that this module depends on.
37 | related:
38 | - name: terraform-null-label
39 | description: Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])
40 | url: https://github.com/cloudposse/terraform-null-label
41 | - name: terraform-aws-network-firewall
42 | description: Terraform module to provision AWS Network Firewall resources
43 | url: https://github.com/cloudposse/terraform-aws-network-firewall
44 | - name: terraform-aws-route53-resolver-dns-firewall
45 | description: Terraform module to provision Route 53 Resolver DNS Firewall, domain lists, firewall rules, rule groups, and logging configurations
46 | url: https://github.com/cloudposse/terraform-aws-route53-resolver-dns-firewall
47 | - name: terraform-aws-config
48 | description: Terraform module to provision [AWS Config](https://aws.amazon.com/config/) and optionally set up an SNS topic to receive notifications of its findings
49 | url: https://github.com/cloudposse/terraform-aws-config
50 | - name: terraform-aws-config-storage
51 | description: Terraform module that creates an S3 bucket suitable for storing AWS Config data
52 | url: https://github.com/cloudposse/terraform-aws-config-storage
53 | - name: terraform-aws-guardduty
54 | description: Terraform module that enables and configures AWS GuardDuty
55 | url: https://github.com/cloudposse/terraform-aws-guardduty
56 | - name: terraform-aws-security-hub
57 | description: Terraform module that enables and configures AWS Security Hub
58 | url: https://github.com/cloudposse/terraform-aws-security-hub
59 |
60 | references:
61 | - name: AWS WAF
62 | description: Protect your web applications from common exploits
63 | url: https://aws.amazon.com/waf
64 | - name: terraform-provider-aws
65 | description: Terraform AWS provider
66 | url: https://registry.terraform.io/providers/hashicorp/aws/latest
67 | - name: aws_wafv2_web_acl
68 | description: Creates a WAFv2 Web ACL resource
69 | url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html
70 | - name: aws_wafv2_web_acl_logging_configuration
71 | description: Creates a WAFv2 Web ACL Logging Configuration
72 | url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration.html
73 | - name: aws_wafv2_ip_set
74 | description: Creates a WAFv2 Web ACL resource
75 | url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set
76 |
77 | description: |-
78 | Terraform module to create and manage AWS WAFv2 rules.
79 |
80 | # Introduction to the project
81 | #introduction: |-
82 | # This is an introduction.
83 |
84 | # How to use this module. Should be an easy example to copy and paste.
85 | usage: |-
86 | For a complete example, see [examples/complete](examples/complete).
87 |
88 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
89 | (which tests and deploys the example on AWS), see [test](test).
90 |
91 | ```hcl
92 | module "label" {
93 | source = "cloudposse/label/null"
94 | # Cloud Posse recommends pinning every module to a specific version
95 | # version = "x.x.x"
96 |
97 | namespace = "eg"
98 | stage = "prod"
99 | name = "waf"
100 | delimiter = "-"
101 |
102 | tags = {
103 | "BusinessUnit" = "XYZ",
104 | }
105 | }
106 |
107 | module "waf" {
108 | source = "cloudposse/waf/aws"
109 | # Cloud Posse recommends pinning every module to a specific version
110 | # version = "x.x.x"
111 |
112 | geo_match_statement_rules = [
113 | {
114 | name = "rule-10"
115 | action = "count"
116 | priority = 10
117 |
118 | statement = {
119 | country_codes = ["NL", "GB"]
120 | }
121 |
122 | visibility_config = {
123 | cloudwatch_metrics_enabled = true
124 | sampled_requests_enabled = false
125 | metric_name = "rule-10-metric"
126 | }
127 | },
128 | {
129 | name = "rule-11"
130 | action = "allow"
131 | priority = 11
132 |
133 | statement = {
134 | country_codes = ["US"]
135 | }
136 |
137 | visibility_config = {
138 | cloudwatch_metrics_enabled = true
139 | sampled_requests_enabled = false
140 | metric_name = "rule-11-metric"
141 | }
142 | }
143 | ]
144 |
145 | context = module.label.context
146 | }
147 | ```
148 |
149 | # Example usage
150 | examples: |-
151 | Here is an example of using this module:
152 | - [`examples/complete`](examples/complete) - complete example of using this module
153 |
154 | # How to get started quickly
155 | #quickstart: |-
156 | # Here's how to get started...
157 |
158 | # Other files to include in this README from the project folder
159 | include: []
160 | contributors: []
161 |
--------------------------------------------------------------------------------
/atmos.yaml:
--------------------------------------------------------------------------------
1 | # Atmos Configuration — powered by https://atmos.tools
2 | #
3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos.
4 | #
5 | # Included features:
6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands
7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate
8 | #
9 |
10 | # Import shared configuration used by all modules
11 | import:
12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml
13 |
--------------------------------------------------------------------------------
/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | region = "us-east-2"
2 |
3 | namespace = "eg"
4 |
5 | environment = "ue2"
6 |
7 | stage = "test"
8 |
9 | name = "waf"
10 |
--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
5 | module "waf" {
6 | source = "../.."
7 |
8 | visibility_config = {
9 | cloudwatch_metrics_enabled = false
10 | metric_name = "rules-example-metric"
11 | sampled_requests_enabled = false
12 | }
13 |
14 | # https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
15 | managed_rule_group_statement_rules = [
16 | {
17 | name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
18 | priority = 1
19 |
20 | statement = {
21 | name = "AWSManagedRulesAdminProtectionRuleSet"
22 | vendor_name = "AWS"
23 | }
24 |
25 | visibility_config = {
26 | cloudwatch_metrics_enabled = true
27 | sampled_requests_enabled = true
28 | metric_name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
29 | }
30 | },
31 | {
32 | name = "AWS-AWSManagedRulesAmazonIpReputationList"
33 | priority = 2
34 |
35 | statement = {
36 | name = "AWSManagedRulesAmazonIpReputationList"
37 | vendor_name = "AWS"
38 | }
39 |
40 | visibility_config = {
41 | cloudwatch_metrics_enabled = true
42 | sampled_requests_enabled = true
43 | metric_name = "AWS-AWSManagedRulesAmazonIpReputationList"
44 | }
45 | },
46 | {
47 | name = "AWS-AWSManagedRulesCommonRuleSet"
48 | priority = 3
49 |
50 | statement = {
51 | name = "AWSManagedRulesCommonRuleSet"
52 | vendor_name = "AWS"
53 | }
54 |
55 | visibility_config = {
56 | cloudwatch_metrics_enabled = true
57 | sampled_requests_enabled = true
58 | metric_name = "AWS-AWSManagedRulesCommonRuleSet"
59 | }
60 | },
61 | {
62 | name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
63 | priority = 4
64 |
65 | statement = {
66 | name = "AWSManagedRulesKnownBadInputsRuleSet"
67 | vendor_name = "AWS"
68 | }
69 |
70 | visibility_config = {
71 | cloudwatch_metrics_enabled = true
72 | sampled_requests_enabled = true
73 | metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
74 | }
75 | },
76 | # https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html
77 | {
78 | name = "AWS-AWSManagedRulesBotControlRuleSet"
79 | priority = 5
80 |
81 | statement = {
82 | name = "AWSManagedRulesBotControlRuleSet"
83 | vendor_name = "AWS"
84 |
85 | rule_action_override = {
86 | CategoryHttpLibrary = {
87 | action = "block"
88 | custom_response = {
89 | response_code = "404"
90 | response_header = {
91 | name = "example-1"
92 | value = "example-1"
93 | }
94 | }
95 | }
96 | SignalNonBrowserUserAgent = {
97 | action = "count"
98 | custom_request_handling = {
99 | insert_header = {
100 | name = "example-2"
101 | value = "example-2"
102 | }
103 | }
104 | }
105 | }
106 |
107 | managed_rule_group_configs = [
108 | {
109 | aws_managed_rules_bot_control_rule_set = {
110 | inspection_level = "COMMON"
111 | }
112 | }
113 | ]
114 | }
115 |
116 | visibility_config = {
117 | cloudwatch_metrics_enabled = true
118 | sampled_requests_enabled = true
119 | metric_name = "AWS-AWSManagedRulesBotControlRuleSet"
120 | }
121 | }
122 | ]
123 |
124 | byte_match_statement_rules = [
125 | {
126 | name = "rule-30"
127 | action = "allow"
128 | priority = 30
129 |
130 | statement = {
131 | positional_constraint = "EXACTLY"
132 | search_string = "/cp-key"
133 |
134 | text_transformation = [
135 | {
136 | priority = 30
137 | type = "COMPRESS_WHITE_SPACE"
138 | }
139 | ]
140 |
141 | field_to_match = {
142 | uri_path = {}
143 | }
144 | }
145 |
146 | visibility_config = {
147 | cloudwatch_metrics_enabled = false
148 | sampled_requests_enabled = false
149 | metric_name = "rule-30-metric"
150 | }
151 | }
152 | ]
153 |
154 | rate_based_statement_rules = [
155 | {
156 | name = "rule-40"
157 | action = "block"
158 | priority = 40
159 |
160 | statement = {
161 | limit = 100
162 | aggregate_key_type = "IP"
163 | evaluation_window_sec = 300
164 | scope_down_statement = {
165 | byte_match_statement = {
166 | positional_constraint = "STARTS_WITH"
167 | search_string = "example-scope-down-statement"
168 | field_to_match = {
169 | uri_path = true
170 | }
171 | text_transformation = [
172 | {
173 | priority = 40
174 | type = "NONE"
175 | }
176 | ]
177 | }
178 | }
179 | }
180 |
181 | visibility_config = {
182 | cloudwatch_metrics_enabled = false
183 | sampled_requests_enabled = false
184 | metric_name = "rule-40-metric"
185 | }
186 | }
187 | ]
188 |
189 | size_constraint_statement_rules = [
190 | {
191 | name = "rule-50"
192 | action = "block"
193 | priority = 50
194 |
195 | statement = {
196 | comparison_operator = "GT"
197 | size = 15
198 |
199 | field_to_match = {
200 | all_query_arguments = {}
201 | }
202 |
203 | text_transformation = [
204 | {
205 | type = "COMPRESS_WHITE_SPACE"
206 | priority = 1
207 | }
208 | ]
209 |
210 | }
211 |
212 | visibility_config = {
213 | cloudwatch_metrics_enabled = false
214 | sampled_requests_enabled = false
215 | metric_name = "rule-50-metric"
216 | }
217 | }
218 | ]
219 |
220 | xss_match_statement_rules = [
221 | {
222 | name = "rule-60"
223 | action = "block"
224 | priority = 60
225 |
226 | statement = {
227 | field_to_match = {
228 | uri_path = {}
229 | }
230 |
231 | text_transformation = [
232 | {
233 | type = "URL_DECODE"
234 | priority = 1
235 | },
236 | {
237 | type = "HTML_ENTITY_DECODE"
238 | priority = 2
239 | }
240 | ]
241 |
242 | }
243 |
244 | visibility_config = {
245 | cloudwatch_metrics_enabled = false
246 | sampled_requests_enabled = false
247 | metric_name = "rule-60-metric"
248 | }
249 | }
250 | ]
251 |
252 | sqli_match_statement_rules = [
253 | {
254 | name = "rule-70"
255 | action = "block"
256 | priority = 70
257 |
258 | statement = {
259 |
260 | field_to_match = {
261 | query_string = {}
262 | }
263 |
264 | text_transformation = [
265 | {
266 | type = "URL_DECODE"
267 | priority = 1
268 | },
269 | {
270 | type = "HTML_ENTITY_DECODE"
271 | priority = 2
272 | }
273 | ]
274 |
275 | }
276 |
277 | visibility_config = {
278 | cloudwatch_metrics_enabled = false
279 | sampled_requests_enabled = false
280 | metric_name = "rule-70-metric"
281 | }
282 | }
283 | ]
284 |
285 | geo_match_statement_rules = [
286 | {
287 | name = "rule-80"
288 | action = "count"
289 | priority = 80
290 |
291 | statement = {
292 | country_codes = ["NL", "GB"]
293 | }
294 |
295 | visibility_config = {
296 | cloudwatch_metrics_enabled = false
297 | sampled_requests_enabled = false
298 | metric_name = "rule-80-metric"
299 | }
300 | },
301 | {
302 | name = "rule-11"
303 | action = "allow"
304 | priority = 11
305 |
306 | statement = {
307 | country_codes = ["US"]
308 | }
309 |
310 | visibility_config = {
311 | cloudwatch_metrics_enabled = false
312 | sampled_requests_enabled = false
313 | metric_name = "rule-11-metric"
314 | }
315 | }
316 | ]
317 |
318 | geo_allowlist_statement_rules = [
319 | {
320 | name = "rule-90"
321 | priority = 90
322 | action = "count"
323 |
324 | statement = {
325 | country_codes = ["US"]
326 | }
327 |
328 | visibility_config = {
329 | cloudwatch_metrics_enabled = false
330 | sampled_requests_enabled = false
331 | metric_name = "rule-90-metric"
332 | }
333 | },
334 | {
335 | name = "rule-95"
336 | priority = 95
337 | action = "block"
338 |
339 | statement = {
340 | country_codes = ["US"]
341 | }
342 |
343 | visibility_config = {
344 | cloudwatch_metrics_enabled = false
345 | sampled_requests_enabled = false
346 | metric_name = "rule-95-metric"
347 | }
348 | }
349 | ]
350 |
351 | regex_match_statement_rules = [
352 | {
353 | name = "rule-100"
354 | priority = 100
355 | action = "block"
356 |
357 | statement = {
358 | regex_string = "^/admin"
359 |
360 | text_transformation = [
361 | {
362 | priority = 90
363 | type = "COMPRESS_WHITE_SPACE"
364 | }
365 | ]
366 |
367 | field_to_match = {
368 | uri_path = {}
369 | }
370 | }
371 |
372 | visibility_config = {
373 | cloudwatch_metrics_enabled = false
374 | sampled_requests_enabled = false
375 | metric_name = "rule-100-metric"
376 | }
377 | }
378 | ]
379 |
380 | ip_set_reference_statement_rules = [
381 | {
382 | name = "rule-110"
383 | priority = 110
384 | action = "block"
385 |
386 | statement = {
387 | ip_set = {
388 | ip_address_version = "IPV4"
389 | addresses = ["17.0.0.0/8"]
390 | }
391 | }
392 |
393 | visibility_config = {
394 | cloudwatch_metrics_enabled = false
395 | sampled_requests_enabled = false
396 | metric_name = "rule-110-metric"
397 | }
398 | }
399 | ]
400 |
401 | context = module.this.context
402 | }
403 |
--------------------------------------------------------------------------------
/examples/complete/outputs.tf:
--------------------------------------------------------------------------------
1 | output "id" {
2 | description = "The ID of the WAF WebACL."
3 | value = module.waf.id
4 | }
5 |
6 | output "arn" {
7 | description = "The ARN of the WAF WebACL."
8 | value = module.waf.arn
9 | }
10 |
11 | output "capacity" {
12 | description = "The web ACL capacity units (WCUs) currently being used by this web ACL."
13 | value = module.waf.capacity
14 | }
15 |
--------------------------------------------------------------------------------
/examples/complete/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | type = string
3 | description = "AWS region"
4 | }
5 |
--------------------------------------------------------------------------------
/examples/complete/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.0"
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/ipset.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | ip_sets = local.enabled && var.ip_set_reference_statement_rules != null ? {
3 | for indx, rule in flatten(var.ip_set_reference_statement_rules) :
4 | lookup(rule, "name", null) != null ? format("%s-ip-set", rule.name) : format("ip-set-%d", rule.priority)
5 | => rule.statement.ip_set if try(rule.statement.ip_set, null) != null && try(rule.statement.arn, null) == null
6 | } : {}
7 |
8 | ip_rule_to_ip_set = local.enabled && local.ip_set_reference_statement_rules != null ? {
9 | for name, rule in local.ip_set_reference_statement_rules :
10 | name => lookup(rule, "name", null) != null ? format("%s-ip-set", rule.name) : format("ip-set-%d", rule.priority)
11 | } : {}
12 | }
13 |
14 | module "ip_set_label" {
15 | for_each = local.ip_sets
16 |
17 | source = "cloudposse/label/null"
18 | version = "0.25.0"
19 |
20 | attributes = [each.key]
21 | context = module.this.context
22 | }
23 |
24 | resource "aws_wafv2_ip_set" "default" {
25 | for_each = local.ip_sets
26 |
27 | name = module.ip_set_label[each.key].id
28 | description = lookup(each.value, "description", null)
29 | scope = var.scope
30 | ip_address_version = each.value.ip_address_version
31 | addresses = each.value.addresses
32 |
33 | tags = module.this.tags
34 | }
35 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | enabled = module.this.enabled
3 | }
4 |
5 | # Do not use this resource to associate a WAFv2 Web ACL with a Cloudfront Distribution.
6 | # The AWS API call backing this resource notes that you should use the `web_acl_id` property on the `cloudfront_distribution` instead.
7 | # For more details, refer to:
8 | # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association
9 | # https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html
10 | resource "aws_wafv2_web_acl_association" "default" {
11 | count = local.enabled && length(var.association_resource_arns) > 0 ? length(var.association_resource_arns) : 0
12 |
13 | resource_arn = var.association_resource_arns[count.index]
14 | web_acl_arn = one(aws_wafv2_web_acl.default[*].arn)
15 | }
16 |
17 | # To start logging from a WAFv2 Web ACL, you need to create an Amazon Kinesis Data Firehose resource,
18 | # such as the `aws_kinesis_firehose_delivery_stream` resource.
19 | # Make sure to create the firehose with a PUT source (not a stream) in the region where you are operating.
20 | # If you are capturing logs for Amazon CloudFront, create the firehose in the US East (N. Virginia) region.
21 | # It is important to name the data firehose, CloudWatch log group, and/or S3 bucket with a prefix of `aws-waf-logs-`.
22 | resource "aws_wafv2_web_acl_logging_configuration" "default" {
23 | count = local.enabled && length(var.log_destination_configs) > 0 ? 1 : 0
24 |
25 | resource_arn = one(aws_wafv2_web_acl.default[*].arn)
26 | log_destination_configs = var.log_destination_configs
27 |
28 | dynamic "redacted_fields" {
29 | for_each = var.redacted_fields
30 |
31 | content {
32 | dynamic "method" {
33 | for_each = redacted_fields.value.method ? [true] : []
34 | content {}
35 | }
36 |
37 | dynamic "query_string" {
38 | for_each = redacted_fields.value.query_string ? [true] : []
39 | content {}
40 | }
41 |
42 | dynamic "uri_path" {
43 | for_each = redacted_fields.value.uri_path ? [true] : []
44 | content {}
45 | }
46 |
47 | dynamic "single_header" {
48 | for_each = lookup(redacted_fields.value, "single_header", null) != null ? toset(redacted_fields.value.single_header) : []
49 | content {
50 | name = single_header.value
51 | }
52 | }
53 | }
54 | }
55 |
56 | dynamic "logging_filter" {
57 | for_each = var.logging_filter != null ? [true] : []
58 |
59 | content {
60 | default_behavior = var.logging_filter.default_behavior
61 |
62 | dynamic "filter" {
63 | for_each = var.logging_filter.filter
64 |
65 | content {
66 | behavior = filter.value.behavior
67 | requirement = filter.value.requirement
68 |
69 | dynamic "condition" {
70 | for_each = filter.value.condition
71 |
72 | content {
73 | dynamic "action_condition" {
74 | for_each = condition.value.action_condition != null ? [true] : []
75 | content {
76 | action = condition.value.action_condition.action
77 | }
78 | }
79 | dynamic "label_name_condition" {
80 | for_each = condition.value.label_name_condition != null ? [true] : []
81 | content {
82 | label_name = condition.value.label_name_condition.label_name
83 | }
84 | }
85 | }
86 | }
87 | }
88 | }
89 | }
90 | }
91 | }
92 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | output "id" {
2 | description = "The ID of the WAF WebACL."
3 | value = one(aws_wafv2_web_acl.default[*].id)
4 | }
5 |
6 | output "arn" {
7 | description = "The ARN of the WAF WebACL."
8 | value = one(aws_wafv2_web_acl.default[*].arn)
9 | }
10 |
11 | output "capacity" {
12 | description = "The web ACL capacity units (WCUs) currently being used by this web ACL."
13 | value = one(aws_wafv2_web_acl.default[*].capacity)
14 | }
15 |
16 | output "logging_config_id" {
17 | description = "The ARN of the WAFv2 Web ACL logging configuration."
18 | value = one(aws_wafv2_web_acl_logging_configuration.default[*].id)
19 | }
20 |
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
1 | .test-harness
2 |
--------------------------------------------------------------------------------
/test/Makefile:
--------------------------------------------------------------------------------
1 | TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git
2 | TEST_HARNESS_BRANCH ?= master
3 | TEST_HARNESS_PATH = $(realpath .test-harness)
4 | BATS_ARGS ?= --tap
5 | BATS_LOG ?= test.log
6 |
7 | # Define a macro to run the tests
8 | define RUN_TESTS
9 | @echo "Running tests in $(1)"
10 | @cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS)))
11 | endef
12 |
13 | default: all
14 |
15 | -include Makefile.*
16 |
17 | ## Provision the test-harnesss
18 | .test-harness:
19 | [ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@
20 |
21 | ## Initialize the tests
22 | init: .test-harness
23 |
24 | ## Install all dependencies (OS specific)
25 | deps::
26 | @exit 0
27 |
28 | ## Clean up the test harness
29 | clean:
30 | [ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH)
31 |
32 | ## Run all tests
33 | all: module examples/complete
34 |
35 | ## Run basic sanity checks against the module itself
36 | module: export TESTS ?= installed lint get-modules module-pinning get-plugins provider-pinning validate terraform-docs input-descriptions output-descriptions
37 | module: deps
38 | $(call RUN_TESTS, ../)
39 |
40 | ## Run tests against example
41 | examples/complete: export TESTS ?= installed lint get-modules get-plugins validate
42 | examples/complete: deps
43 | $(call RUN_TESTS, ../$@)
44 |
--------------------------------------------------------------------------------
/test/Makefile.alpine:
--------------------------------------------------------------------------------
1 | ifneq (,$(wildcard /sbin/apk))
2 | ## Install all dependencies for alpine
3 | deps:: init
4 | @apk add --update terraform-docs@cloudposse json2hcl@cloudposse
5 | endif
6 |
--------------------------------------------------------------------------------
/test/src/.gitignore:
--------------------------------------------------------------------------------
1 | .gopath
2 | vendor/
3 |
--------------------------------------------------------------------------------
/test/src/Makefile:
--------------------------------------------------------------------------------
1 | export TF_CLI_ARGS_init ?= -get-plugins=true
2 | export TERRAFORM_VERSION ?= $(shell curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version' | cut -d. -f1-2)
3 |
4 | .DEFAULT_GOAL : all
5 | .PHONY: all
6 |
7 | ## Default target
8 | all: test
9 |
10 | .PHONY : init
11 | ## Initialize tests
12 | init:
13 | @exit 0
14 |
15 | .PHONY : test
16 | ## Run tests
17 | test: init
18 | go mod download
19 | go test -v -timeout 30m
20 |
21 | ## Run tests in docker container
22 | docker/test:
23 | docker run --name terratest --rm -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e GITHUB_TOKEN \
24 | -e PATH="/usr/local/terraform/$(TERRAFORM_VERSION)/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
25 | -v $(CURDIR)/../../:/module/ cloudposse/test-harness:latest -C /module/test/src test
26 |
27 | .PHONY : clean
28 | ## Clean up files
29 | clean:
30 | rm -rf ../../examples/complete/*.tfstate*
31 |
--------------------------------------------------------------------------------
/test/src/examples_complete_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "regexp"
5 | "strings"
6 | "testing"
7 |
8 | "github.com/gruntwork-io/terratest/modules/random"
9 | "github.com/gruntwork-io/terratest/modules/terraform"
10 | testStructure "github.com/gruntwork-io/terratest/modules/test-structure"
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | // Test the Terraform module in examples/complete using Terratest.
15 | func TestExamplesComplete(t *testing.T) {
16 | t.Parallel()
17 | randID := strings.ToLower(random.UniqueId())
18 | attributes := []string{randID}
19 |
20 | rootFolder := "../../"
21 | terraformFolderRelativeToRoot := "examples/complete"
22 | varFiles := []string{"fixtures.us-east-2.tfvars"}
23 |
24 | tempTestFolder := testStructure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
25 |
26 | terraformOptions := &terraform.Options{
27 | // The path to where our Terraform code is located
28 | TerraformDir: tempTestFolder,
29 | Upgrade: true,
30 | // Variables to pass to our Terraform code using -var-file options
31 | VarFiles: varFiles,
32 | Vars: map[string]interface{}{
33 | "attributes": attributes,
34 | },
35 | }
36 |
37 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
38 | defer cleanup(t, terraformOptions, tempTestFolder)
39 |
40 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
41 | terraform.InitAndApply(t, terraformOptions)
42 |
43 | id := terraform.Output(t, terraformOptions, "id")
44 | arn := terraform.Output(t, terraformOptions, "arn")
45 | capacity := terraform.Output(t, terraformOptions, "capacity")
46 |
47 | assert.NotEmpty(t, id)
48 | assert.Contains(t, arn, "arn:aws:wafv2:")
49 | assert.NotEmpty(t, capacity)
50 | }
51 |
52 | func TestExamplesCompleteDisabled(t *testing.T) {
53 | t.Parallel()
54 | randID := strings.ToLower(random.UniqueId())
55 | attributes := []string{randID}
56 |
57 | rootFolder := "../../"
58 | terraformFolderRelativeToRoot := "examples/complete"
59 | varFiles := []string{"fixtures.us-east-2.tfvars"}
60 |
61 | tempTestFolder := testStructure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
62 |
63 | terraformOptions := &terraform.Options{
64 | // The path to where our Terraform code is located
65 | TerraformDir: tempTestFolder,
66 | Upgrade: true,
67 | // Variables to pass to our Terraform code using -var-file options
68 | VarFiles: varFiles,
69 | Vars: map[string]interface{}{
70 | "attributes": attributes,
71 | "enabled": false,
72 | },
73 | }
74 |
75 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
76 | defer cleanup(t, terraformOptions, tempTestFolder)
77 |
78 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
79 | results := terraform.InitAndApply(t, terraformOptions)
80 |
81 | // Should complete successfully without creating or changing any resources.
82 | // Extract the "Resources:" section of the output to make the error message more readable.
83 | re := regexp.MustCompile(`Resources: [^.]+\.`)
84 | match := re.FindString(results)
85 | assert.Equal(t, "Resources: 0 added, 0 changed, 0 destroyed.", match, "Re-applying the same configuration should not change any resources")
86 | }
87 |
--------------------------------------------------------------------------------
/test/src/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/cloudposse/terraform-aws-waf
2 |
3 | go 1.21
4 |
5 | toolchain go1.22.3
6 |
7 | require (
8 | github.com/gruntwork-io/terratest v0.46.15
9 | github.com/stretchr/testify v1.8.4
10 | )
11 |
12 | require (
13 | cloud.google.com/go v0.110.0 // indirect
14 | cloud.google.com/go/compute v1.19.1 // indirect
15 | cloud.google.com/go/compute/metadata v0.2.3 // indirect
16 | cloud.google.com/go/iam v0.13.0 // indirect
17 | cloud.google.com/go/storage v1.28.1 // indirect
18 | github.com/agext/levenshtein v1.2.3 // indirect
19 | github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
20 | github.com/aws/aws-sdk-go v1.44.122 // indirect
21 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
22 | github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
23 | github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
24 | github.com/davecgh/go-spew v1.1.1 // indirect
25 | github.com/emicklei/go-restful/v3 v3.9.0 // indirect
26 | github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
27 | github.com/go-logr/logr v1.2.4 // indirect
28 | github.com/go-openapi/jsonpointer v0.19.6 // indirect
29 | github.com/go-openapi/jsonreference v0.20.2 // indirect
30 | github.com/go-openapi/swag v0.22.3 // indirect
31 | github.com/go-sql-driver/mysql v1.4.1 // indirect
32 | github.com/gogo/protobuf v1.3.2 // indirect
33 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
34 | github.com/golang/protobuf v1.5.3 // indirect
35 | github.com/google/gnostic-models v0.6.8 // indirect
36 | github.com/google/go-cmp v0.5.9 // indirect
37 | github.com/google/gofuzz v1.2.0 // indirect
38 | github.com/google/uuid v1.3.0 // indirect
39 | github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
40 | github.com/googleapis/gax-go/v2 v2.7.1 // indirect
41 | github.com/gruntwork-io/go-commons v0.8.0 // indirect
42 | github.com/hashicorp/errwrap v1.0.0 // indirect
43 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
44 | github.com/hashicorp/go-getter v1.7.4 // indirect
45 | github.com/hashicorp/go-multierror v1.1.0 // indirect
46 | github.com/hashicorp/go-safetemp v1.0.0 // indirect
47 | github.com/hashicorp/go-version v1.6.0 // indirect
48 | github.com/hashicorp/hcl/v2 v2.9.1 // indirect
49 | github.com/hashicorp/terraform-json v0.13.0 // indirect
50 | github.com/imdario/mergo v0.3.11 // indirect
51 | github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
52 | github.com/jmespath/go-jmespath v0.4.0 // indirect
53 | github.com/josharian/intern v1.0.0 // indirect
54 | github.com/json-iterator/go v1.1.12 // indirect
55 | github.com/klauspost/compress v1.15.11 // indirect
56 | github.com/mailru/easyjson v0.7.7 // indirect
57 | github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
58 | github.com/mitchellh/go-homedir v1.1.0 // indirect
59 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect
60 | github.com/mitchellh/go-wordwrap v1.0.1 // indirect
61 | github.com/moby/spdystream v0.2.0 // indirect
62 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
63 | github.com/modern-go/reflect2 v1.0.2 // indirect
64 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
65 | github.com/pmezard/go-difflib v1.0.0 // indirect
66 | github.com/pquerna/otp v1.2.0 // indirect
67 | github.com/russross/blackfriday/v2 v2.1.0 // indirect
68 | github.com/spf13/pflag v1.0.5 // indirect
69 | github.com/tmccombs/hcl2json v0.3.3 // indirect
70 | github.com/ulikunitz/xz v0.5.10 // indirect
71 | github.com/urfave/cli v1.22.2 // indirect
72 | github.com/zclconf/go-cty v1.9.1 // indirect
73 | go.opencensus.io v0.24.0 // indirect
74 | golang.org/x/crypto v0.21.0 // indirect
75 | golang.org/x/net v0.23.0 // indirect
76 | golang.org/x/oauth2 v0.8.0 // indirect
77 | golang.org/x/sys v0.18.0 // indirect
78 | golang.org/x/term v0.18.0 // indirect
79 | golang.org/x/text v0.14.0 // indirect
80 | golang.org/x/time v0.3.0 // indirect
81 | golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
82 | google.golang.org/api v0.114.0 // indirect
83 | google.golang.org/appengine v1.6.7 // indirect
84 | google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
85 | google.golang.org/grpc v1.56.3 // indirect
86 | google.golang.org/protobuf v1.33.0 // indirect
87 | gopkg.in/inf.v0 v0.9.1 // indirect
88 | gopkg.in/yaml.v2 v2.4.0 // indirect
89 | gopkg.in/yaml.v3 v3.0.1 // indirect
90 | k8s.io/api v0.28.4 // indirect
91 | k8s.io/apimachinery v0.28.4 // indirect
92 | k8s.io/client-go v0.28.4 // indirect
93 | k8s.io/klog/v2 v2.100.1 // indirect
94 | k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
95 | k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
96 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
97 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
98 | sigs.k8s.io/yaml v1.3.0 // indirect
99 | )
100 |
--------------------------------------------------------------------------------
/test/src/utils.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "github.com/gruntwork-io/terratest/modules/terraform"
5 | "github.com/stretchr/testify/assert"
6 | "os"
7 | "testing"
8 | )
9 |
10 | func cleanup(t *testing.T, terraformOptions *terraform.Options, tempTestFolder string) {
11 | terraform.Destroy(t, terraformOptions)
12 | err := os.RemoveAll(tempTestFolder)
13 | assert.NoError(t, err)
14 | }
15 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "description" {
2 | type = string
3 | default = "Managed by Terraform"
4 | description = "A friendly description of the WebACL."
5 | }
6 |
7 | variable "default_action" {
8 | type = string
9 | default = "block"
10 | description = "Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`."
11 | nullable = false
12 | validation {
13 | condition = contains(["allow", "block"], var.default_action)
14 | error_message = "Allowed values: `allow`, `block`."
15 | }
16 | }
17 |
18 | variable "custom_response_body" {
19 | type = map(object({
20 | content = string
21 | content_type = string
22 | }))
23 |
24 | description = <<-DOC
25 | Defines custom response bodies that can be referenced by custom_response actions.
26 | The map keys are used as the `key` attribute which is a unique key identifying the custom response body.
27 | content:
28 | Payload of the custom response.
29 | The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.
30 | content_type:
31 | Content Type of Response Body.
32 | Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`.
33 | DOC
34 | default = {}
35 | nullable = false
36 | }
37 |
38 | variable "scope" {
39 | type = string
40 | default = "REGIONAL"
41 | description = <<-DOC
42 | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
43 | Possible values are `CLOUDFRONT` or `REGIONAL`.
44 | To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
45 | DOC
46 | nullable = false
47 | validation {
48 | condition = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
49 | error_message = "Allowed values: `CLOUDFRONT`, `REGIONAL`."
50 | }
51 | }
52 |
53 | variable "visibility_config" {
54 | type = object({
55 | cloudwatch_metrics_enabled = bool
56 | metric_name = string
57 | sampled_requests_enabled = bool
58 | })
59 | description = <<-DOC
60 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
61 |
62 | cloudwatch_metrics_enabled:
63 | Whether the associated resource sends metrics to CloudWatch.
64 | metric_name:
65 | A friendly name of the CloudWatch metric.
66 | sampled_requests_enabled:
67 | Whether AWS WAF should store a sampling of the web requests that match the rules.
68 | DOC
69 | nullable = false
70 | }
71 |
72 | variable "token_domains" {
73 | type = list(string)
74 | description = <<-DOC
75 | Specifies the domains that AWS WAF should accept in a web request token.
76 | This enables the use of tokens across multiple protected websites.
77 | When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting.
78 | If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource.
79 | With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list,
80 | including their prefixed subdomains.
81 | DOC
82 | default = null
83 | }
84 |
85 | # Rules
86 | variable "byte_match_statement_rules" {
87 | type = list(object({
88 | name = string
89 | priority = number
90 | action = string
91 | captcha_config = optional(object({
92 | immunity_time_property = object({
93 | immunity_time = number
94 | })
95 | }), null)
96 | rule_label = optional(list(string), null)
97 | statement = any
98 | visibility_config = optional(object({
99 | cloudwatch_metrics_enabled = optional(bool)
100 | metric_name = string
101 | sampled_requests_enabled = optional(bool)
102 | }), null)
103 | }))
104 | default = null
105 | description = <<-DOC
106 | A rule statement that defines a string match search for AWS WAF to apply to web requests.
107 |
108 | action:
109 | The action that AWS WAF should take on a web request when it matches the rule's statement.
110 | name:
111 | A friendly name of the rule.
112 | priority:
113 | If you define more than one Rule in a WebACL,
114 | AWS WAF evaluates each request against the rules in order based on the value of priority.
115 | AWS WAF processes rules with lower priority first.
116 |
117 | captcha_config:
118 | Specifies how AWS WAF should handle CAPTCHA evaluations.
119 |
120 | immunity_time_property:
121 | Defines custom immunity time.
122 |
123 | immunity_time:
124 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
125 |
126 | rule_label:
127 | A List of labels to apply to web requests that match the rule match statement
128 |
129 | statement:
130 | positional_constraint:
131 | Area within the portion of a web request that you want AWS WAF to search for search_string. Valid values include the following: EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS, CONTAINS_WORD.
132 | search_string
133 | String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field_to_match.
134 | field_to_match:
135 | The part of a web request that you want AWS WAF to inspect.
136 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
137 | text_transformation:
138 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
139 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
140 |
141 | visibility_config:
142 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
143 |
144 | cloudwatch_metrics_enabled:
145 | Whether the associated resource sends metrics to CloudWatch.
146 | metric_name:
147 | A friendly name of the CloudWatch metric.
148 | sampled_requests_enabled:
149 | Whether AWS WAF should store a sampling of the web requests that match the rules.
150 | DOC
151 | }
152 |
153 | variable "geo_allowlist_statement_rules" {
154 | type = list(object({
155 | name = string
156 | priority = number
157 | action = string
158 | captcha_config = optional(object({
159 | immunity_time_property = object({
160 | immunity_time = number
161 | })
162 | }), null)
163 | rule_label = optional(list(string), null)
164 | statement = any
165 | visibility_config = optional(object({
166 | cloudwatch_metrics_enabled = optional(bool)
167 | metric_name = string
168 | sampled_requests_enabled = optional(bool)
169 | }), null)
170 | }))
171 | default = null
172 | description = <<-DOC
173 | A rule statement used to identify a list of allowed countries which should not be blocked by the WAF.
174 |
175 | action:
176 | The action that AWS WAF should take on a web request when it matches the rule's statement.
177 | name:
178 | A friendly name of the rule.
179 | priority:
180 | If you define more than one Rule in a WebACL,
181 | AWS WAF evaluates each request against the rules in order based on the value of priority.
182 | AWS WAF processes rules with lower priority first.
183 |
184 | captcha_config:
185 | Specifies how AWS WAF should handle CAPTCHA evaluations.
186 |
187 | immunity_time_property:
188 | Defines custom immunity time.
189 |
190 | immunity_time:
191 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
192 |
193 | rule_label:
194 | A List of labels to apply to web requests that match the rule match statement
195 |
196 | statement:
197 | country_codes:
198 | A list of two-character country codes.
199 | forwarded_ip_config:
200 | fallback_behavior:
201 | The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
202 | Possible values: `MATCH`, `NO_MATCH`
203 | header_name:
204 | The name of the HTTP header to use for the IP address.
205 |
206 | visibility_config:
207 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
208 |
209 | cloudwatch_metrics_enabled:
210 | Whether the associated resource sends metrics to CloudWatch.
211 | metric_name:
212 | A friendly name of the CloudWatch metric.
213 | sampled_requests_enabled:
214 | Whether AWS WAF should store a sampling of the web requests that match the rules.
215 | DOC
216 | }
217 |
218 | variable "geo_match_statement_rules" {
219 | type = list(object({
220 | name = string
221 | priority = number
222 | action = string
223 | captcha_config = optional(object({
224 | immunity_time_property = object({
225 | immunity_time = number
226 | })
227 | }), null)
228 | rule_label = optional(list(string), null)
229 | statement = any
230 | visibility_config = optional(object({
231 | cloudwatch_metrics_enabled = optional(bool)
232 | metric_name = string
233 | sampled_requests_enabled = optional(bool)
234 | }), null)
235 | }))
236 | default = null
237 | description = <<-DOC
238 | A rule statement used to identify web requests based on country of origin.
239 |
240 | action:
241 | The action that AWS WAF should take on a web request when it matches the rule's statement.
242 | name:
243 | A friendly name of the rule.
244 | priority:
245 | If you define more than one Rule in a WebACL,
246 | AWS WAF evaluates each request against the rules in order based on the value of priority.
247 | AWS WAF processes rules with lower priority first.
248 |
249 | captcha_config:
250 | Specifies how AWS WAF should handle CAPTCHA evaluations.
251 |
252 | immunity_time_property:
253 | Defines custom immunity time.
254 |
255 | immunity_time:
256 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
257 |
258 | rule_label:
259 | A List of labels to apply to web requests that match the rule match statement
260 |
261 | statement:
262 | country_codes:
263 | A list of two-character country codes.
264 | forwarded_ip_config:
265 | fallback_behavior:
266 | The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
267 | Possible values: `MATCH`, `NO_MATCH`
268 | header_name:
269 | The name of the HTTP header to use for the IP address.
270 |
271 | visibility_config:
272 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
273 |
274 | cloudwatch_metrics_enabled:
275 | Whether the associated resource sends metrics to CloudWatch.
276 | metric_name:
277 | A friendly name of the CloudWatch metric.
278 | sampled_requests_enabled:
279 | Whether AWS WAF should store a sampling of the web requests that match the rules.
280 | DOC
281 | }
282 |
283 | variable "ip_set_reference_statement_rules" {
284 | type = list(object({
285 | name = string
286 | priority = number
287 | action = string
288 | captcha_config = optional(object({
289 | immunity_time_property = object({
290 | immunity_time = number
291 | })
292 | }), null)
293 | rule_label = optional(list(string), null)
294 | statement = any
295 | visibility_config = optional(object({
296 | cloudwatch_metrics_enabled = optional(bool)
297 | metric_name = string
298 | sampled_requests_enabled = optional(bool)
299 | }), null)
300 | }))
301 | default = null
302 | description = <<-DOC
303 | A rule statement used to detect web requests coming from particular IP addresses or address ranges.
304 |
305 | action:
306 | The action that AWS WAF should take on a web request when it matches the rule's statement.
307 | name:
308 | A friendly name of the rule.
309 | priority:
310 | If you define more than one Rule in a WebACL,
311 | AWS WAF evaluates each request against the rules in order based on the value of priority.
312 | AWS WAF processes rules with lower priority first.
313 |
314 | captcha_config:
315 | Specifies how AWS WAF should handle CAPTCHA evaluations.
316 |
317 | immunity_time_property:
318 | Defines custom immunity time.
319 |
320 | immunity_time:
321 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
322 |
323 | rule_label:
324 | A List of labels to apply to web requests that match the rule match statement
325 |
326 | statement:
327 | arn:
328 | The ARN of the IP Set that this statement references.
329 | ip_set:
330 | Defines a new IP Set
331 |
332 | description:
333 | A friendly description of the IP Set
334 | addresses:
335 | Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.
336 | All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.
337 | ip_address_version:
338 | Specify `IPV4` or `IPV6`
339 | ip_set_forwarded_ip_config:
340 | fallback_behavior:
341 | The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
342 | Possible values: `MATCH`, `NO_MATCH`
343 | header_name:
344 | The name of the HTTP header to use for the IP address.
345 | position:
346 | The position in the header to search for the IP address.
347 | Possible values include: `FIRST`, `LAST`, or `ANY`.
348 |
349 | visibility_config:
350 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
351 |
352 | cloudwatch_metrics_enabled:
353 | Whether the associated resource sends metrics to CloudWatch.
354 | metric_name:
355 | A friendly name of the CloudWatch metric.
356 | sampled_requests_enabled:
357 | Whether AWS WAF should store a sampling of the web requests that match the rules.
358 | DOC
359 | }
360 |
361 | variable "managed_rule_group_statement_rules" {
362 | type = list(object({
363 | name = string
364 | priority = number
365 | override_action = optional(string)
366 | captcha_config = optional(object({
367 | immunity_time_property = object({
368 | immunity_time = number
369 | })
370 | }), null)
371 | rule_label = optional(list(string), null)
372 | statement = object({
373 | name = string
374 | vendor_name = string
375 | version = optional(string)
376 | rule_action_override = optional(map(object({
377 | action = string
378 | custom_request_handling = optional(object({
379 | insert_header = object({
380 | name = string
381 | value = string
382 | })
383 | }), null)
384 | custom_response = optional(object({
385 | response_code = string
386 | response_header = optional(object({
387 | name = string
388 | value = string
389 | }), null)
390 | }), null)
391 | })), null)
392 | managed_rule_group_configs = optional(list(object({
393 | aws_managed_rules_bot_control_rule_set = optional(object({
394 | inspection_level = string
395 | enable_machine_learning = optional(bool, true)
396 | }), null)
397 | aws_managed_rules_atp_rule_set = optional(object({
398 | enable_regex_in_path = optional(bool)
399 | login_path = string
400 | request_inspection = optional(object({
401 | payload_type = string
402 | password_field = object({
403 | identifier = string
404 | })
405 | username_field = object({
406 | identifier = string
407 | })
408 | }), null)
409 | response_inspection = optional(object({
410 | body_contains = optional(object({
411 | success_strings = list(string)
412 | failure_strings = list(string)
413 | }), null)
414 | header = optional(object({
415 | name = string
416 | success_values = list(string)
417 | failure_values = list(string)
418 | }), null)
419 | json = optional(object({
420 |
421 | identifier = string
422 | success_strings = list(string)
423 | failure_strings = list(string)
424 | }), null)
425 | status_code = optional(object({
426 | success_codes = list(string)
427 | failure_codes = list(string)
428 | }), null)
429 | }), null)
430 | }), null)
431 | })), null)
432 | })
433 | visibility_config = optional(object({
434 | cloudwatch_metrics_enabled = optional(bool)
435 | metric_name = string
436 | sampled_requests_enabled = optional(bool)
437 | }), null)
438 | }))
439 | default = null
440 | description = <<-DOC
441 | A rule statement used to run the rules that are defined in a managed rule group.
442 |
443 | name:
444 | A friendly name of the rule.
445 | priority:
446 | If you define more than one Rule in a WebACL,
447 | AWS WAF evaluates each request against the rules in order based on the value of priority.
448 | AWS WAF processes rules with lower priority first.
449 |
450 | override_action:
451 | The override action to apply to the rules in a rule group.
452 | Possible values: `count`, `none`
453 |
454 | captcha_config:
455 | Specifies how AWS WAF should handle CAPTCHA evaluations.
456 |
457 | immunity_time_property:
458 | Defines custom immunity time.
459 |
460 | immunity_time:
461 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
462 |
463 | rule_label:
464 | A List of labels to apply to web requests that match the rule match statement
465 |
466 | statement:
467 | name:
468 | The name of the managed rule group.
469 | vendor_name:
470 | The name of the managed rule group vendor.
471 | version:
472 | The version of the managed rule group.
473 | You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.
474 | rule_action_override:
475 | Action settings to use in the place of the rule actions that are configured inside the rule group.
476 | You specify one override for each rule whose action you want to change.
477 | managed_rule_group_configs:
478 | Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config.
479 | Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.
480 |
481 | visibility_config:
482 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
483 |
484 | cloudwatch_metrics_enabled:
485 | Whether the associated resource sends metrics to CloudWatch.
486 | metric_name:
487 | A friendly name of the CloudWatch metric.
488 | sampled_requests_enabled:
489 | Whether AWS WAF should store a sampling of the web requests that match the rules.
490 | DOC
491 | }
492 |
493 | variable "rate_based_statement_rules" {
494 | type = list(object({
495 | name = string
496 | priority = number
497 | action = string
498 | captcha_config = optional(object({
499 | immunity_time_property = object({
500 | immunity_time = number
501 | })
502 | }), null)
503 | rule_label = optional(list(string), null)
504 | statement = object({
505 | limit = number
506 | aggregate_key_type = string
507 | evaluation_window_sec = optional(number)
508 | forwarded_ip_config = optional(object({
509 | fallback_behavior = string
510 | header_name = string
511 | }), null)
512 | scope_down_statement = optional(object({
513 | byte_match_statement = object({
514 | positional_constraint = string
515 | search_string = string
516 | field_to_match = object({
517 | all_query_arguments = optional(bool)
518 | body = optional(bool)
519 | method = optional(bool)
520 | query_string = optional(bool)
521 | single_header = optional(object({ name = string }))
522 | single_query_argument = optional(object({ name = string }))
523 | uri_path = optional(bool)
524 | })
525 | text_transformation = list(object({
526 | priority = number
527 | type = string
528 | }))
529 | })
530 | }), null)
531 | })
532 | visibility_config = optional(object({
533 | cloudwatch_metrics_enabled = optional(bool)
534 | metric_name = string
535 | sampled_requests_enabled = optional(bool)
536 | }), null)
537 | }))
538 | default = null
539 | description = <<-DOC
540 | A rate-based rule tracks the rate of requests for each originating IP address,
541 | and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.
542 |
543 | action:
544 | The action that AWS WAF should take on a web request when it matches the rule's statement.
545 | name:
546 | A friendly name of the rule.
547 | priority:
548 | If you define more than one Rule in a WebACL,
549 | AWS WAF evaluates each request against the rules in order based on the value of priority.
550 | AWS WAF processes rules with lower priority first.
551 |
552 | captcha_config:
553 | Specifies how AWS WAF should handle CAPTCHA evaluations.
554 |
555 | immunity_time_property:
556 | Defines custom immunity time.
557 |
558 | immunity_time:
559 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
560 |
561 | rule_label:
562 | A List of labels to apply to web requests that match the rule match statement
563 |
564 | statement:
565 | aggregate_key_type:
566 | Setting that indicates how to aggregate the request counts.
567 | Possible values include: `FORWARDED_IP` or `IP`
568 | limit:
569 | The limit on requests per 5-minute period for a single originating IP address.
570 | evaluation_window_sec:
571 | The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
572 | Valid values are 60, 120, 300, and 600. Defaults to 300 (5 minutes).
573 | forwarded_ip_config:
574 | fallback_behavior:
575 | The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
576 | Possible values: `MATCH`, `NO_MATCH`
577 | header_name:
578 | The name of the HTTP header to use for the IP address.
579 | byte_match_statement:
580 | field_to_match:
581 | Part of a web request that you want AWS WAF to inspect.
582 | positional_constraint:
583 | Area within the portion of a web request that you want AWS WAF to search for search_string.
584 | Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.
585 | search_string:
586 | String value that you want AWS WAF to search for.
587 | AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.
588 | The maximum length of the value is 50 bytes.
589 | text_transformation:
590 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
591 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
592 |
593 | visibility_config:
594 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
595 |
596 | cloudwatch_metrics_enabled:
597 | Whether the associated resource sends metrics to CloudWatch.
598 | metric_name:
599 | A friendly name of the CloudWatch metric.
600 | sampled_requests_enabled:
601 | Whether AWS WAF should store a sampling of the web requests that match the rules.
602 | DOC
603 | }
604 |
605 |
606 | variable "regex_pattern_set_reference_statement_rules" {
607 | type = list(object({
608 | name = string
609 | priority = number
610 | action = string
611 | captcha_config = optional(object({
612 | immunity_time_property = object({
613 | immunity_time = number
614 | })
615 | }), null)
616 | rule_label = optional(list(string), null)
617 | statement = any
618 | visibility_config = optional(object({
619 | cloudwatch_metrics_enabled = optional(bool)
620 | metric_name = string
621 | sampled_requests_enabled = optional(bool)
622 | }), null)
623 | }))
624 | default = null
625 | description = <<-DOC
626 | A rule statement used to search web request components for matches with regular expressions.
627 |
628 | action:
629 | The action that AWS WAF should take on a web request when it matches the rule's statement.
630 | name:
631 | A friendly name of the rule.
632 | priority:
633 | If you define more than one Rule in a WebACL,
634 | AWS WAF evaluates each request against the rules in order based on the value of priority.
635 | AWS WAF processes rules with lower priority first.
636 |
637 | captcha_config:
638 | Specifies how AWS WAF should handle CAPTCHA evaluations.
639 |
640 | immunity_time_property:
641 | Defines custom immunity time.
642 |
643 | immunity_time:
644 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
645 |
646 | rule_label:
647 | A List of labels to apply to web requests that match the rule match statement
648 |
649 | statement:
650 | arn:
651 | The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
652 | field_to_match:
653 | The part of a web request that you want AWS WAF to inspect.
654 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
655 | text_transformation:
656 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
657 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
658 |
659 | visibility_config:
660 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
661 |
662 | cloudwatch_metrics_enabled:
663 | Whether the associated resource sends metrics to CloudWatch.
664 | metric_name:
665 | A friendly name of the CloudWatch metric.
666 | sampled_requests_enabled:
667 | Whether AWS WAF should store a sampling of the web requests that match the rules.
668 | DOC
669 | }
670 |
671 | variable "regex_match_statement_rules" {
672 | type = list(object({
673 | name = string
674 | priority = number
675 | action = string
676 | captcha_config = optional(object({
677 | immunity_time_property = object({
678 | immunity_time = number
679 | })
680 | }), null)
681 | rule_label = optional(list(string), null)
682 | statement = any
683 | visibility_config = optional(object({
684 | cloudwatch_metrics_enabled = optional(bool)
685 | metric_name = string
686 | sampled_requests_enabled = optional(bool)
687 | }), null)
688 | }))
689 | default = null
690 | description = <<-DOC
691 | A rule statement used to search web request components for a match against a single regular expression.
692 |
693 | action:
694 | The action that AWS WAF should take on a web request when it matches the rule's statement.
695 | name:
696 | A friendly name of the rule.
697 | priority:
698 | If you define more than one Rule in a WebACL,
699 | AWS WAF evaluates each request against the rules in order based on the value of priority.
700 | AWS WAF processes rules with lower priority first.
701 |
702 | captcha_config:
703 | Specifies how AWS WAF should handle CAPTCHA evaluations.
704 |
705 | immunity_time_property:
706 | Defines custom immunity time.
707 |
708 | immunity_time:
709 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
710 |
711 | rule_label:
712 | A List of labels to apply to web requests that match the rule match statement
713 |
714 | statement:
715 | regex_string:
716 | String representing the regular expression. Minimum of 1 and maximum of 512 characters.
717 | field_to_match:
718 | The part of a web request that you want AWS WAF to inspect.
719 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#field_to_match
720 | text_transformation:
721 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required.
722 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
723 |
724 | visibility_config:
725 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
726 |
727 | cloudwatch_metrics_enabled:
728 | Whether the associated resource sends metrics to CloudWatch.
729 | metric_name:
730 | A friendly name of the CloudWatch metric.
731 | sampled_requests_enabled:
732 | Whether AWS WAF should store a sampling of the web requests that match the rules.
733 | DOC
734 | }
735 |
736 | variable "rule_group_reference_statement_rules" {
737 | type = list(object({
738 | name = string
739 | priority = number
740 | override_action = optional(string)
741 | captcha_config = optional(object({
742 | immunity_time_property = object({
743 | immunity_time = number
744 | })
745 | }), null)
746 | rule_label = optional(list(string), null)
747 | statement = object({
748 | arn = string
749 | rule_action_override = optional(map(object({
750 | action = string
751 | custom_request_handling = optional(object({
752 | insert_header = object({
753 | name = string
754 | value = string
755 | })
756 | }), null)
757 | custom_response = optional(object({
758 | response_code = string
759 | response_header = optional(object({
760 | name = string
761 | value = string
762 | }), null)
763 | }), null)
764 | })), null)
765 | })
766 | visibility_config = optional(object({
767 | cloudwatch_metrics_enabled = optional(bool)
768 | metric_name = string
769 | sampled_requests_enabled = optional(bool)
770 | }), null)
771 | }))
772 | default = null
773 | description = <<-DOC
774 | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.
775 |
776 | name:
777 | A friendly name of the rule.
778 | priority:
779 | If you define more than one Rule in a WebACL,
780 | AWS WAF evaluates each request against the rules in order based on the value of priority.
781 | AWS WAF processes rules with lower priority first.
782 |
783 | override_action:
784 | The override action to apply to the rules in a rule group.
785 | Possible values: `count`, `none`
786 |
787 | captcha_config:
788 | Specifies how AWS WAF should handle CAPTCHA evaluations.
789 |
790 | immunity_time_property:
791 | Defines custom immunity time.
792 |
793 | immunity_time:
794 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
795 |
796 | rule_label:
797 | A List of labels to apply to web requests that match the rule match statement
798 |
799 | statement:
800 | arn:
801 | The ARN of the `aws_wafv2_rule_group` resource.
802 | rule_action_override:
803 | Action settings to use in the place of the rule actions that are configured inside the rule group.
804 | You specify one override for each rule whose action you want to change.
805 |
806 | visibility_config:
807 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
808 |
809 | cloudwatch_metrics_enabled:
810 | Whether the associated resource sends metrics to CloudWatch.
811 | metric_name:
812 | A friendly name of the CloudWatch metric.
813 | sampled_requests_enabled:
814 | Whether AWS WAF should store a sampling of the web requests that match the rules.
815 | DOC
816 | }
817 |
818 | variable "size_constraint_statement_rules" {
819 | type = list(object({
820 | name = string
821 | priority = number
822 | action = string
823 | captcha_config = optional(object({
824 | immunity_time_property = object({
825 | immunity_time = number
826 | })
827 | }), null)
828 | rule_label = optional(list(string), null)
829 | statement = any
830 | visibility_config = optional(object({
831 | cloudwatch_metrics_enabled = optional(bool)
832 | metric_name = string
833 | sampled_requests_enabled = optional(bool)
834 | }), null)
835 | }))
836 | default = null
837 | description = <<-DOC
838 | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.
839 |
840 | action:
841 | The action that AWS WAF should take on a web request when it matches the rule's statement.
842 | name:
843 | A friendly name of the rule.
844 | priority:
845 | If you define more than one Rule in a WebACL,
846 | AWS WAF evaluates each request against the rules in order based on the value of priority.
847 | AWS WAF processes rules with lower priority first.
848 |
849 | captcha_config:
850 | Specifies how AWS WAF should handle CAPTCHA evaluations.
851 |
852 | immunity_time_property:
853 | Defines custom immunity time.
854 |
855 | immunity_time:
856 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
857 |
858 | rule_label:
859 | A List of labels to apply to web requests that match the rule match statement
860 |
861 | statement:
862 | comparison_operator:
863 | The operator to use to compare the request part to the size setting.
864 | Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
865 | size:
866 | The size, in bytes, to compare to the request part, after any transformations.
867 | Valid values are integers between `0` and `21474836480`, inclusive.
868 | field_to_match:
869 | The part of a web request that you want AWS WAF to inspect.
870 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
871 | text_transformation:
872 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
873 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
874 |
875 | visibility_config:
876 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
877 |
878 | cloudwatch_metrics_enabled:
879 | Whether the associated resource sends metrics to CloudWatch.
880 | metric_name:
881 | A friendly name of the CloudWatch metric.
882 | sampled_requests_enabled:
883 | Whether AWS WAF should store a sampling of the web requests that match the rules.
884 | DOC
885 | }
886 |
887 | variable "sqli_match_statement_rules" {
888 | type = list(object({
889 | name = string
890 | priority = number
891 | action = string
892 | captcha_config = optional(object({
893 | immunity_time_property = object({
894 | immunity_time = number
895 | })
896 | }), null)
897 | rule_label = optional(list(string), null)
898 | statement = any
899 | visibility_config = optional(object({
900 | cloudwatch_metrics_enabled = optional(bool)
901 | metric_name = string
902 | sampled_requests_enabled = optional(bool)
903 | }), null)
904 | }))
905 | default = null
906 | description = <<-DOC
907 | An SQL injection match condition identifies the part of web requests,
908 | such as the URI or the query string, that you want AWS WAF to inspect.
909 |
910 | action:
911 | The action that AWS WAF should take on a web request when it matches the rule's statement.
912 | name:
913 | A friendly name of the rule.
914 | priority:
915 | If you define more than one Rule in a WebACL,
916 | AWS WAF evaluates each request against the rules in order based on the value of priority.
917 | AWS WAF processes rules with lower priority first.
918 |
919 | rule_label:
920 | A List of labels to apply to web requests that match the rule match statement
921 |
922 | captcha_config:
923 | Specifies how AWS WAF should handle CAPTCHA evaluations.
924 |
925 | immunity_time_property:
926 | Defines custom immunity time.
927 |
928 | immunity_time:
929 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
930 |
931 | statement:
932 | field_to_match:
933 | The part of a web request that you want AWS WAF to inspect.
934 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
935 | text_transformation:
936 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
937 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
938 |
939 | visibility_config:
940 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
941 |
942 | cloudwatch_metrics_enabled:
943 | Whether the associated resource sends metrics to CloudWatch.
944 | metric_name:
945 | A friendly name of the CloudWatch metric.
946 | sampled_requests_enabled:
947 | Whether AWS WAF should store a sampling of the web requests that match the rules.
948 | DOC
949 | }
950 |
951 | variable "xss_match_statement_rules" {
952 | type = list(object({
953 | name = string
954 | priority = number
955 | action = string
956 | captcha_config = optional(object({
957 | immunity_time_property = object({
958 | immunity_time = number
959 | })
960 | }), null)
961 | rule_label = optional(list(string), null)
962 | statement = any
963 | visibility_config = optional(object({
964 | cloudwatch_metrics_enabled = optional(bool)
965 | metric_name = string
966 | sampled_requests_enabled = optional(bool)
967 | }), null)
968 | }))
969 | default = null
970 | description = <<-DOC
971 | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.
972 |
973 | action:
974 | The action that AWS WAF should take on a web request when it matches the rule's statement.
975 | name:
976 | A friendly name of the rule.
977 | priority:
978 | If you define more than one Rule in a WebACL,
979 | AWS WAF evaluates each request against the rules in order based on the value of priority.
980 | AWS WAF processes rules with lower priority first.
981 |
982 | captcha_config:
983 | Specifies how AWS WAF should handle CAPTCHA evaluations.
984 |
985 | immunity_time_property:
986 | Defines custom immunity time.
987 |
988 | immunity_time:
989 | The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
990 |
991 | rule_label:
992 | A List of labels to apply to web requests that match the rule match statement
993 |
994 | statement:
995 | field_to_match:
996 | The part of a web request that you want AWS WAF to inspect.
997 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
998 | text_transformation:
999 | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
1000 | See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
1001 |
1002 | visibility_config:
1003 | Defines and enables Amazon CloudWatch metrics and web request sample collection.
1004 |
1005 | cloudwatch_metrics_enabled:
1006 | Whether the associated resource sends metrics to CloudWatch.
1007 | metric_name:
1008 | A friendly name of the CloudWatch metric.
1009 | sampled_requests_enabled:
1010 | Whether AWS WAF should store a sampling of the web requests that match the rules.
1011 | DOC
1012 | }
1013 |
1014 | # Logging configuration
1015 | # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration.html
1016 | variable "log_destination_configs" {
1017 | type = list(string)
1018 | default = []
1019 | description = "The Amazon Kinesis Data Firehose, CloudWatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL"
1020 | }
1021 |
1022 | variable "redacted_fields" {
1023 | type = map(object({
1024 | method = optional(bool, false)
1025 | uri_path = optional(bool, false)
1026 | query_string = optional(bool, false)
1027 | single_header = optional(list(string), null)
1028 | }))
1029 | default = {}
1030 | description = <<-DOC
1031 | The parts of the request that you want to keep out of the logs.
1032 | You can only specify one of the following: `method`, `query_string`, `single_header`, or `uri_path`
1033 |
1034 | method:
1035 | Whether to enable redaction of the HTTP method.
1036 | The method indicates the type of operation that the request is asking the origin to perform.
1037 | uri_path:
1038 | Whether to enable redaction of the URI path.
1039 | This is the part of a web request that identifies a resource.
1040 | query_string:
1041 | Whether to enable redaction of the query string.
1042 | This is the part of a URL that appears after a `?` character, if any.
1043 | single_header:
1044 | The list of names of the query headers to redact.
1045 | DOC
1046 | nullable = false
1047 | }
1048 |
1049 | variable "logging_filter" {
1050 | type = object({
1051 | default_behavior = string
1052 | filter = list(object({
1053 | behavior = string
1054 | requirement = string
1055 | condition = list(object({
1056 | action_condition = optional(object({
1057 | action = string
1058 | }), null)
1059 | label_name_condition = optional(object({
1060 | label_name = string
1061 | }), null)
1062 | }))
1063 | }))
1064 | })
1065 | default = null
1066 | description = <<-DOC
1067 | A configuration block that specifies which web requests are kept in the logs and which are dropped.
1068 | You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.
1069 | DOC
1070 | }
1071 |
1072 | # Association resource ARNs
1073 | variable "association_resource_arns" {
1074 | type = list(string)
1075 | default = []
1076 | description = <<-DOC
1077 | A list of ARNs of the resources to associate with the web ACL.
1078 | This must be an ARN of an Application Load Balancer, Amazon API Gateway stage, or AWS AppSync.
1079 |
1080 | Do not use this variable to associate a Cloudfront Distribution.
1081 | Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.
1082 | For more details, refer to https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html
1083 | DOC
1084 | nullable = false
1085 | }
1086 |
1087 | variable "default_block_response" {
1088 | type = string
1089 | default = null
1090 | description = <<-DOC
1091 | A HTTP response code that is sent when default block action is used. Only takes effect if default_action is set to `block`.
1092 | DOC
1093 | nullable = true
1094 | }
1095 |
1096 | variable "default_block_custom_response_body_key" {
1097 | type = string
1098 | default = null
1099 | description = <<-DOC
1100 | References the default response body that you want AWS WAF to return to the web request client.
1101 | This must reference a key defined in a custom_response_body block of this resource.
1102 | Only takes effect if default_action is set to `block`.
1103 | DOC
1104 | nullable = true
1105 | }
1106 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.0"
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
