AWS WAF v2 Terraform Module
Upstream version 2.1.0
Terraform Module Source
registry.compliance.tf/terraform-aws-modules/wafv2/aws

Inputs (23 unique)
| Name | Type | Default | Description |
|---|---|---|---|
| Optional | | | |
| association_config | map({...}) | {} | Configuration for body inspection size limits per resource type. Keys are resource types (e.g., `CLOUDFRONT`, `API_GATEWAY`, `COGNITO_USER_POOL`, `APP_RUNNER_SERVICE`, `VERIFIED_ACCESS_INSTANCE`) |
| association_resource_arns | map(string) | {} | Map of resource ARNs to associate with the Web ACL. Key is a friendly name, value is the resource ARN |
| captcha_config | object({...}) | null | CAPTCHA configuration for the Web ACL. Specifies how long a CAPTCHA timestamp is considered valid |
| challenge_config | object({...}) | null | Challenge configuration for the Web ACL. Specifies how long a challenge timestamp is considered valid |
| create | bool | true | Controls if resources should be created (affects all resources) |
| create_logging_configuration | bool | false | Controls if a logging configuration should be created for the Web ACL |
| custom_response_bodies | map({...}) | {} | Map of custom response body configurations. Key is the reference key, used in custom responses |
| data_protection_config | any | null | Data protection configuration. `data_protections` is a list of objects with `field` (object with `field_keys` list and `field_type` one of `SINGLE_HEADER`/`SINGLE_COOKIE`/`SINGLE_QUERY_ARGUMENT`/`QUERY_STRING`/`BODY`), `action` (`HASH` or `SUBSTITUTION`), `exclude_rate_based_details` (bool, optional), and `exclude_rule_match_details` (bool, optional) |
| default_action | any | "allow" | Action to perform if none of the rules contained in the Web ACL match. Use `allow` or `block` for simple actions, or provide an object for custom request handling/response. See examples for object structure |
| description | string | null | A friendly description of the Web ACL |
| logging_filter | object({...}) | null | A configuration block that specifies which web requests are kept in the logs and which are dropped |
| logging_log_destination_configs | list(string) | [] | The Amazon Kinesis Data Firehose, CloudWatch Log Group, or S3 Bucket ARNs for the logging destination. Names must be prefixed with `aws-waf-logs-` |
| logging_redacted_fields | list({...}) | [] | The parts of the request that you want to keep out of the logs. Each entry must specify exactly one of `method`, `query_string`, `uri_path`, or `single_header` |
| logging_region | string | null | Region where the WAF logging configuration will be managed. Defaults to the provider region |
| name | string | null | A friendly name of the Web ACL. Mutually exclusive with `name_prefix` |
| name_prefix | string | null | Creates a unique name beginning with the specified prefix. Mutually exclusive with `name` (provider rejects both being set at apply time) |
| putin_khuylo | bool | true | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Russian_invasion_of_Ukraine |
| rule_json | string | null | Escape hatch: JSON string of WAF rules for cases where dynamic blocks cannot represent all provider features. Mutually exclusive with `rules` |
| rules | any | {} | Map of WAF rule configurations. The key is used as the rule name. Each rule supports: `priority` (required) - rule priority (lower = evaluated first); `action` - action for standalone rules, as a string (`allow`, `block`, `count`, `captcha`, `challenge`) or an object for a custom response; `override_action` - override action for managed/rule group rules, as a string (`none`, `count`) or an object; `statement` (required) - rule statement configuration, see the AWS provider docs for the statement structure; `visibility_config` - CloudWatch metrics config, auto-generated from the rule key if omitted; `captcha_config` - optional CAPTCHA configuration; `challenge_config` - optional challenge configuration; `rule_labels` - optional list of labels to add to matching requests. See examples/complete for usage patterns |
| scope | string | "REGIONAL" | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are `CLOUDFRONT` or `REGIONAL` |
| tags | map(string) | {} | A map of tags to add to all resources |
| token_domains | list(string) | [] | Specifies the domains that AWS WAF should accept in a web request token. Enables token use across multiple protected resources |
| visibility_config | object({...}) | {} | Visibility configuration for the Web ACL. Defines CloudWatch metrics configuration |
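A worked module call, added here as an example and not taken from the module's own documentation: it wires together the `rules`, logging and association inputs from the table above, with a rate limit evaluated first, a managed rule group behind it, and the `Authorization` header redacted from logs. It assumes an existing `aws_lb.app` resource, a configured AWS provider, and that the `statement` object keys mirror the provider's `aws_wafv2_web_acl` block names (the table defers statement structure to the provider docs).

```hcl
# Added example, not the module's own code. Assumes an existing aws_lb.app
# resource and a configured AWS provider; the statement object keys are
# assumed to mirror the provider's aws_wafv2_web_acl block names.
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-app-web-acl" # WAF requires the aws-waf-logs- prefix
  retention_in_days = 30
}

module "web_acl" {
  source  = "terraform-aws-modules/wafv2/aws"
  version = "2.1.0"

  name           = "app-web-acl" # set name OR name_prefix, never both
  scope          = "REGIONAL"    # ALB/API Gateway targets; CLOUDFRONT needs us-east-1
  default_action = "allow"       # requests matching no rule pass; rules below block

  rules = {
    # Priority 1: cap any single source IP at 2000 requests per 5 minutes
    rate_limit = {
      priority = 1
      action   = "block"
      statement = {
        rate_based_statement = {
          limit              = 2000
          aggregate_key_type = "IP"
        }
      }
    }
    # Priority 2: AWS managed common rule set. override_action "none" keeps the
    # group's own block actions; start with "count" to measure false positives.
    common_rules = {
      priority        = 2
      override_action = "none"
      statement = {
        managed_rule_group_statement = {
          name        = "AWSManagedRulesCommonRuleSet"
          vendor_name = "AWS"
        }
      }
    }
  }

  # Ship WAF logs to CloudWatch, but keep bearer tokens out of them
  create_logging_configuration    = true
  logging_log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
  logging_redacted_fields = [
    { single_header = { name = "authorization" } }
  ]

  association_resource_arns = { app_alb = aws_lb.app.arn }
}
```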