aws-ss/terraform-aws-wafv2

terraform-aws-wafv2

A Terraform module that creates an AWS Web Application Firewall (WAFv2) web ACL.

Available Features

  • Associate the WebACL with one protected resource (ALB, API Gateway, or Cognito User Pool)
  • Create IPSets
  • Create a WAFv2 Rule Group resource
  • Custom Response Body
  • Logging Configuration
  • Statements
    • AndStatement
    • AsnMatchStatement
    • ByteMatchStatement
    • GeoMatchStatement
    • IPSetReferenceStatement
    • LabelMatchStatement
    • ManagedRuleGroupStatement
      • AWSManagedRulesACFPRuleSet
      • AWSManagedRulesATPRuleSet
      • AWSManagedRulesBotControlRuleSet
      • AWSManagedRulesAntiDDoSRuleSet
    • NotStatement
    • OrStatement
    • RateBasedStatement
    • RegexPatternSetStatement
    • SizeConstraintStatement
    • SqliMatchStatement
    • XssMatchStatement

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.6 |
| aws | >= 6.1.0 |

Providers

| Name | Version |
|------|---------|
| aws | 6.30.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_wafv2_web_acl.this | resource |
| aws_wafv2_web_acl_association.this | resource |
| aws_wafv2_web_acl_logging_configuration.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| association_config | (Optional) Customizes the request body that your protected resource forwards to AWS WAF for inspection. | map(any) | null | no |
| captcha_config | (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. | number | 300 | no |
| challenge_config | (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. | number | 300 | no |
| custom_response_body | (Optional) Defines custom response bodies that can be referenced by custom_response actions. | list(object({ content = string, content_type = string, key = string })) | [] | no |
| default_action | (Required) Action to perform if none of the rules contained in the WebACL match. | string | n/a | yes |
| default_custom_response | (Optional) Customise the response when the default action is block. | object({ response_code = optional(number, 403), custom_response_body_key = optional(string), response_header = optional(list(object({ name = string, value = string })), []) }) | null | no |
| description | (Optional) Friendly description of the WebACL. | string | null | no |
| enabled_logging_configuration | (Optional) Whether to create the logging configuration. | bool | false | no |
| enabled_web_acl_association | (Optional) Whether to create the association between the protected resource (e.g. an ALB) and the WebACL. | bool | true | no |
| log_destination_configs | (Required when logging is enabled) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Name (ARN) that you want to associate with the web ACL. | string | null | no |
| logging_filter | (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | any | null | no |
| name | (Required) Friendly name of the WebACL. | string | n/a | yes |
| redacted_fields | (Optional) The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. | list(any) | null | no |
| region | (Optional) Region where this resource will be managed. Defaults to the Region set in the provider configuration. | string | null | no |
| resource_arn | (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. | list(string) | n/a | yes |
| rule | (Optional) Rule blocks used to identify the web requests that you want to allow, block, or count. | any | [] | no |
| scope | (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. | string | n/a | yes |
| tags | (Optional) Map of key-value pairs to associate with the resource. | map(string) | null | no |
| token_domains | (Optional) Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains. | list(string) | [] | no |
| visibility_config | (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. | map(string) | n/a | yes |
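A worked module call, added here as an example and not taken from the module's own docs: a regional WebACL attached to an ALB, one rate-based blocking rule, and logging to CloudWatch with the Authorization and Cookie headers redacted. The registry source path, the placeholder ARNs and the inner shape of `rule` and `redacted_fields` (both typed `any` above) are assumptions; the rule and redaction shapes assumed here mirror the `aws_wafv2_web_acl` resource's `rule` and `redacted_fields` blocks.

```hcl
# Added example, not from the module's own docs. Assumes the registry source
# path below and that `rule` and `redacted_fields` (typed `any`) mirror the
# aws_wafv2_web_acl `rule` and `redacted_fields` block shapes.
module "waf" {
  source = "aws-ss/wafv2/aws" # assumed registry path for aws-ss/terraform-aws-wafv2

  name           = "app-web-acl"
  scope          = "REGIONAL" # ALB, API Gateway or Cognito; CloudFront uses "CLOUDFRONT"
  default_action = "allow"    # unmatched requests pass; the rules below do the blocking

  # Associate the WebACL with one protected ALB (constructed placeholder ARN).
  enabled_web_acl_association = true
  resource_arn                = ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0123456789abcdef"]

  visibility_config = {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }

  rule = [
    {
      # Block any single client IP that exceeds 1000 requests in the rate window.
      name     = "rate-limit-per-ip"
      priority = 1
      action   = { block = {} }
      statement = {
        rate_based_statement = {
          limit              = 1000
          aggregate_key_type = "IP"
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = true
        metric_name                = "rate-limit-per-ip"
        sampled_requests_enabled   = true
      }
    },
  ]

  # Ship logs to CloudWatch (WAF log group names must start with "aws-waf-logs-")
  # and keep bearer tokens and session cookies out of the log stream.
  enabled_logging_configuration = true
  log_destination_configs       = "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-app"
  redacted_fields = [
    { single_header = { name = "authorization" } },
    { single_header = { name = "cookie" } },
  ]
}
```

Run `terraform validate` after pinning the module version; if the module's `rule` schema differs from the assumed shape, the validation error will point at the offending attribute.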

Outputs

| Name | Description |
|------|-------------|
| aws_wafv2_arn | The ARN of the WAF WebACL. |
| aws_wafv2_capacity | Web ACL capacity units (WCUs) currently being used by this web ACL. |
| aws_wafv2_custom_response_body | The custom response body configuration of the WAF WebACL. |
| aws_wafv2_default_action | The default action of the WAF WebACL. |
| aws_wafv2_id | The ID of the WAF WebACL. |
| aws_wafv2_name | The name of the WAF WebACL. |
| aws_wafv2_rule | The rules configuration of the WAF WebACL. |
| aws_wafv2_scope | The scope of the WAF WebACL. |
| aws_wafv2_tags_all | Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| aws_wafv2_visibility_config | The visibility configuration of the WAF WebACL. |
| aws_wafv2_web_acl_logging_configuration_id | The Amazon Resource Name (ARN) of the WAFv2 Web ACL. |
