AWS WAF v2 Terraform Module
Terraform module which creates AWS WAF v2 Web ACL resources with comprehensive rule support.
Usage
```hcl
module "wafv2" {
  source = "terraform-aws-modules/wafv2/aws"

  name           = "my-web-acl"
  scope          = "REGIONAL"
  default_action = "allow"

  rules = {
    common-rule-set = {
      priority        = 1
      override_action = "none"
      statement = {
        managed_rule_group_statement = {
          name        = "AWSManagedRulesCommonRuleSet"
          vendor_name = "AWS"
        }
      }
    }
    rate-limit = {
      priority = 2
      action   = "block"
      statement = {
        rate_based_statement = {
          limit = 1000
        }
      }
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```
Features
- Full coverage of AWS provider WAFv2 surface: every WAFv2 resource is supported by the root module or a submodule
- AWS WAF v2 Web ACL with comprehensive rule statement support
- All 12+ statement types: byte match, geo match, IP set reference, label match, managed rule group, rate based, regex match, regex pattern set reference, rule group reference, size constraint, SQLi match, XSS match
- Compound statements (AND, OR, NOT) with 2 levels of nesting, including AND/OR inside scope_down_statement
- Dual-mode actions: simple string ("allow", "block", "count", "captcha", "challenge") or objects with custom response/request handling
- Custom response bodies
- CAPTCHA and challenge configuration
- Association configuration for request body size limits
- Optional inline Web ACL associations
- Optional inline logging configuration
- Submodules for IP sets, regex pattern sets, Web ACL associations, logging configuration, custom rule groups, standalone Web ACL rules, Web ACL ↔ rule group associations, and CAPTCHA API keys
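The following is an added example, not code from the module's README, showing how the features above fit together: a managed rule group run in count mode so its matches can be reviewed in sampled requests before it is switched to blocking, and a rate-based rule whose scope_down_statement restricts counting to a login path so a credential-stuffing burst is throttled without affecting the rest of the application. The attribute names inside `statement` (`aggregate_key_type`, `scope_down_statement`, `byte_match_statement`, `field_to_match`, `text_transformation`) and the list form of `text_transformation` are assumed to mirror the AWS provider's `aws_wafv2_web_acl` schema; check them against the module's variables before use.

```hcl
# Added example; assumes the module's `statement` object mirrors the
# aws_wafv2_web_acl provider schema (not confirmed by the README).
module "wafv2" {
  source = "terraform-aws-modules/wafv2/aws"

  name           = "api-web-acl"
  scope          = "REGIONAL"
  default_action = "allow"

  rules = {
    # Count-only first: review what the managed group would block in the
    # sampled requests, then change override_action to "none" to enforce.
    common-rule-set = {
      priority        = 1
      override_action = "count"
      statement = {
        managed_rule_group_statement = {
          name        = "AWSManagedRulesCommonRuleSet"
          vendor_name = "AWS"
        }
      }
    }

    # Rate limit per source IP, counting only requests whose URI path
    # starts with /login (after lowercasing), so normal API traffic is
    # not throttled by this rule.
    login-rate-limit = {
      priority = 2
      action   = "block"
      statement = {
        rate_based_statement = {
          limit              = 300
          aggregate_key_type = "IP"
          scope_down_statement = {
            byte_match_statement = {
              search_string         = "/login"
              positional_constraint = "STARTS_WITH"
              field_to_match = {
                uri_path = {}
              }
              text_transformation = [{
                priority = 0
                type     = "LOWERCASE"
              }]
            }
          }
        }
      }
    }
  }

  tags = {
    Environment = "prod"
    Terraform   = "true"
  }
}
```

Running the managed group in count mode for a period before enforcing is the usual way to find false positives; the rate limit, by contrast, is placed directly in block mode because its scope is narrow and the threshold is per source IP over the WAF evaluation window.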
Conditional Creation
The module supports conditional resource creation:
```hcl
module "wafv2" {
  source = "terraform-aws-modules/wafv2/aws"

  create = false
}
```
Submodules
- ip-set - Manages WAF v2 IP sets
- regex-pattern-set - Manages WAF v2 regex pattern sets
- web-acl-association - Manages WAF v2 Web ACL associations
- logging-configuration - Manages WAF v2 logging configuration
- rule-group - Manages WAF v2 custom rule groups (reusable rule sets with fixed WCU capacity)
- web-acl-rule - Manages a single rule attached to an existing Web ACL (provider v6.37.0+, solves IP set deletion-ordering errors)
- web-acl-rule-group-association - Associates a custom or managed rule group with an existing Web ACL
- api-key - Manages WAFv2 API keys for CAPTCHA / JavaScript challenge token domains
Examples
- Basic - Minimal example with a single managed rule group
- Complete - Comprehensive example with all major features
- IP Set - IP set submodule with IPv4 and IPv6 sets
- Regex Pattern Set - Regex pattern set submodule
- Web ACL Association - Web ACL association with a Cognito User Pool
- Logging Configuration - Logging configuration with CloudWatch Logs
- Rule Group - Custom rule group with sample rules
- Web ACL Rule - Standalone rule attached to a Web ACL (deletion-ordering safe)
- Web ACL Rule Group Association - Associate a managed and a custom rule group with a Web ACL
- API Key - WAFv2 API key for CAPTCHA token domains
Module Wrappers
For managing multiple similar resources, see wrappers.
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.
Additional information for users from Russia and Belarus
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!