name: "aws-waf"
# Canonical GitHub repo
github_repo: "cloudposse-terraform-components/aws-waf"
# Short description of this project
description: |-
This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule
## Usage
**Stack Level**: Regional
Here's an example snippet for how to use this component (an Atmos stack configuration; the key nesting below follows the component's input names, with the ACL-level `visibility_config` and `managed_rule_group_statement_rules` blocks restored where the flattened listing had dropped them):

```yaml
components:
  terraform:
    waf:
      vars:
        enabled: true
        name: waf
        acl_name: default
        default_action: allow
        description: Default web ACL
        visibility_config:
          cloudwatch_metrics_enabled: false
          metric_name: "default"
          sampled_requests_enabled: false
        managed_rule_group_statement_rules:
          - name: "OWASP-10"
            # Rules are processed in order based on the value of priority, lowest number first
            priority: 1
            statement:
              name: AWSManagedRulesCommonRuleSet
              vendor_name: AWS
            visibility_config:
              # Defines and enables Amazon CloudWatch metrics and web request sample collection.
              cloudwatch_metrics_enabled: false
              metric_name: "OWASP-10"
              sampled_requests_enabled: false
```
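A fuller stack configuration, added here as an illustration rather than taken from the component's own README, that combines the rule, logging and redaction inputs documented in the Inputs table below (managed rule group with a per-rule override, an inline IP set, a rate-based rule scoped to the login path, logging with a filter, and header redaction). The ALB tag values, IP ranges, log-group ARN and the overridden rule name are constructed placeholders.

```yaml
components:
  terraform:
    waf:
      vars:
        enabled: true
        name: waf
        acl_name: default
        description: Default web ACL
        # Requests that match no rule are allowed; the rules below do the blocking.
        default_action: allow
        visibility_config:
          cloudwatch_metrics_enabled: true
          metric_name: "default"
          sampled_requests_enabled: true

        # Associate every ALB carrying these tags (constructed tag values).
        alb_tags:
          - Environment: prod
            Tier: public

        managed_rule_group_statement_rules:
          - name: "OWASP-10"
            priority: 1
            override_action: none
            statement:
              name: AWSManagedRulesCommonRuleSet
              vendor_name: AWS
              # Count rather than block one rule while tuning; the map key is the
              # rule name inside the managed group (placeholder name here).
              rule_action_override:
                SizeRestrictions_BODY:
                  action: count
            visibility_config:
              cloudwatch_metrics_enabled: true
              metric_name: "OWASP-10"
              sampled_requests_enabled: true

        ip_set_reference_statement_rules:
          - name: "block-listed-sources"
            priority: 10
            action: block
            statement:
              # Inline IP set; addresses are CIDR blocks from the documentation ranges.
              ip_set:
                description: "Constructed example block list"
                ip_address_version: IPV4
                addresses:
                  - "192.0.2.0/24"
                  - "198.51.100.7/32"
            visibility_config:
              cloudwatch_metrics_enabled: true
              metric_name: "block-listed-sources"
              sampled_requests_enabled: true

        rate_based_statement_rules:
          - name: "login-rate-limit"
            priority: 20
            action: block
            statement:
              # More than 500 requests per 5-minute window from one client IP trips the rule.
              limit: 500
              evaluation_window_sec: 300
              # Behind a proxy or CDN the client address is in X-Forwarded-For;
              # requests without a usable header value are simply not counted.
              aggregate_key_type: FORWARDED_IP
              forwarded_ip_config:
                fallback_behavior: NO_MATCH
                header_name: X-Forwarded-For
              # Only count requests whose (lower-cased) path starts with /login.
              scope_down_statement:
                byte_match_statement:
                  positional_constraint: STARTS_WITH
                  search_string: "/login"
                  field_to_match:
                    uri_path: true
                  text_transformation:
                    - priority: 0
                      type: LOWERCASE
            visibility_config:
              cloudwatch_metrics_enabled: true
              metric_name: "login-rate-limit"
              sampled_requests_enabled: true

        # Log destination name must carry the aws-waf-logs- prefix (placeholder ARN).
        log_destination_configs:
          - "arn:aws:logs:us-east-2:111111111111:log-group:aws-waf-logs-example-log-group"
        # Keep everything except requests the ACL allowed, to cut log volume.
        logging_filter:
          default_behavior: KEEP
          filter:
            - behavior: DROP
              requirement: MEETS_ANY
              condition:
                - action_condition:
                    action: ALLOW
        # Never write credentials to the WAF logs.
        redacted_fields:
          auth_headers:
            single_header:
              - authorization
              - cookie
```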
<!-- prettier-ignore-start -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_association_resource_components"></a> [association\_resource\_components](#module\_association\_resource\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| <a name="module_aws_waf"></a> [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 1.8.0 |
| <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
| <a name="module_log_destination_components"></a> [log\_destination\_components](#module\_log\_destination\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
| Name | Type |
|------|------|
| `aws_ssm_parameter.acl_arn` | resource |
| `aws_alb.alb` | data source |
| `aws_lbs.alb_by_tags` | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_acl_name"></a> [acl\_name](#input\_acl\_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm\_path\_prefix}/{acl\_name}/arn | `string` | n/a | yes |
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_alb_names"></a> [alb\_names](#input\_alb\_names) | list of ALB names to associate with the web ACL. | `list(string)` | `[]` | no |
| <a name="input_alb_tags"></a> [alb\_tags](#input\_alb\_tags) | list of tags to match one or more ALBs to associate with the web ACL. | `list(map(string))` | `[]` | no |
| <a name="input_association_resource_arns"></a> [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.<br>This must be an ARN of an Application Load Balancer, Amazon API Gateway stage, or AWS AppSync.<br><br>Do not use this variable to associate a Cloudfront Distribution.<br>Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.<br>For more details, refer to | `list(string)` | `[]` | no |
| <a name="input_association_resource_component_selectors"></a> [association\_resource\_component\_selectors](#input\_association\_resource\_component\_selectors) | A list of Atmos component selectors to get from the remote state and associate their ARNs with the web ACL.<br>The components must be Application Load Balancers, Amazon API Gateway stages, or AWS AppSync.<br><br>component:<br> Atmos component name<br>component\_arn\_output:<br> The component output that defines the component ARN<br><br>Set `tenant`, `environment` and `stage` if the components are in different OUs, regions or accounts.<br><br>Do not use this variable to select a Cloudfront Distribution component.<br>Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.<br>For more details, refer to | <pre>list(object({<br> component = string<br> namespace = optional(string, null)<br> tenant = optional(string, null)<br> environment = optional(string, null)<br> stage = optional(string, null)<br> component_arn_output = string<br> }))</pre> | `[]` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_byte_match_statement_rules"></a> [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> positional\_constraint:<br> Area within the portion of a web request that you want AWS WAF to search for search\_string. Valid values include the following: EXACTLY, STARTS\_WITH, ENDS\_WITH, CONTAINS, CONTAINS\_WORD.<br> search\_string<br> String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field\_to\_match.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_custom_response_body"></a> [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.<br>The map keys are used as the `key` attribute which is a unique key identifying the custom response body.<br>content:<br> Payload of the custom response.<br> The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.<br>content\_type:<br> Content Type of Response Body.<br> Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. | <pre>map(object({<br> content = string<br> content_type = string<br> }))</pre> | `{}` | no |
| <a name="input_default_action"></a> [default\_action](#input\_default\_action) | The action AWS WAF takes on requests that match none of the rules. Possible values: `allow`, `block`. | `string` | `"block"` | no |
| <a name="input_default_block_response"></a> [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_description"></a> [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_geo_allowlist_statement_rules"></a> [geo\_allowlist\_statement\_rules](#input\_geo\_allowlist\_statement\_rules) | A rule statement used to identify a list of allowed countries which should not be blocked by the WAF.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> country\_codes:<br> A list of two-character country codes.<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_geo_match_statement_rules"></a> [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> country\_codes:<br> A list of two-character country codes.<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` to keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <a name="input_ip_set_reference_statement_rules"></a> [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> arn:<br> The ARN of the IP Set that this statement references.<br> ip\_set:<br> Defines a new IP Set<br><br> description:<br> A friendly description of the IP Set<br> addresses:<br> Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.<br> All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.<br> ip\_address\_version:<br> Specify `IPV4` or `IPV6`<br> ip\_set\_forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br> position:<br> The position in the header to search for the IP address.<br> Possible values include: `FIRST`, `LAST`, or `ANY`.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br> "default"<br>]</pre> | no |
| <a name="input_log_destination_component_selectors"></a> [log\_destination\_component\_selectors](#input\_log\_destination\_component\_selectors) | A list of Atmos component selectors to get from the remote state and associate their names/ARNs with the WAF logs.<br>The components must be Amazon Kinesis Data Firehose, CloudWatch Log Group, or S3 bucket.<br><br>component:<br> Atmos component name<br>component\_output:<br> The component output that defines the component name or ARN<br><br>Set `tenant`, `environment` and `stage` if the components are in different OUs, regions or accounts.<br><br>Note: data firehose, log group, or bucket name must be prefixed with `aws-waf-logs-`,<br>e.g. `aws-waf-logs-example-firehose`, `aws-waf-logs-example-log-group`, or `aws-waf-logs-example-bucket`. | <pre>list(object({<br> component = string<br> namespace = optional(string, null)<br> tenant = optional(string, null)<br> environment = optional(string, null)<br> stage = optional(string, null)<br> component_output = string<br> }))</pre> | `[]` | no |
| <a name="input_log_destination_configs"></a> [log\_destination\_configs](#input\_log\_destination\_configs) | A list of resource names/ARNs of the Amazon Kinesis Data Firehose delivery streams, CloudWatch Logs log groups, or S3 buckets to receive the WAF logs.<br>Note: data firehose, log group, or bucket name must be prefixed with `aws-waf-logs-`,<br>e.g. `aws-waf-logs-example-firehose`, `aws-waf-logs-example-log-group`, or `aws-waf-logs-example-bucket`. | `list(string)` | `[]` | no |
| <a name="input_logging_filter"></a> [logging\_filter](#input\_logging\_filter) | A configuration block that specifies which web requests are kept in the logs and which are dropped.<br>You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | <pre>object({<br> default_behavior = string<br> filter = list(object({<br> behavior = string<br> requirement = string<br> condition = list(object({<br> action_condition = optional(object({<br> action = string<br> }), null)<br> label_name_condition = optional(object({<br> label_name = string<br> }), null)<br> }))<br> }))<br> })</pre> | `null` | no |
| <a name="input_managed_rule_group_statement_rules"></a> [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>override\_action:<br> The override action to apply to the rules in a rule group.<br> Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> name:<br> The name of the managed rule group.<br> vendor\_name:<br> The name of the managed rule group vendor.<br> version:<br> The version of the managed rule group.<br> You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.<br> rule\_action\_override:<br> Action settings to use in the place of the rule actions that are configured inside the rule group.<br> You specify one override for each rule whose action you want to change.<br> managed\_rule\_group\_configs:<br> Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config.<br> Refer to for more details.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = optional(string)<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> name = string<br> vendor_name = string<br> version = optional(string)<br> rule_action_override = optional(map(object({<br> action = string<br> custom_request_handling = optional(object({<br> insert_header = object({<br> name = string<br> value = string<br> })<br> }), null)<br> custom_response = optional(object({<br> response_code = string<br> response_header = optional(object({<br> name = string<br> value = string<br> }), null)<br> }), null)<br> })), null)<br> managed_rule_group_configs = optional(list(object({<br> aws_managed_rules_bot_control_rule_set = optional(object({<br> inspection_level = string<br> enable_machine_learning = optional(bool, true)<br> }), null)<br> aws_managed_rules_atp_rule_set = optional(object({<br> enable_regex_in_path = optional(bool)<br> login_path = string<br> request_inspection = optional(object({<br> payload_type = string<br> password_field = object({<br> identifier = string<br> })<br> username_field = object({<br> identifier = string<br> })<br> }), null)<br> response_inspection = optional(object({<br> body_contains = optional(object({<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> header = optional(object({<br> name = string<br> success_values = list(string)<br> failure_values = list(string)<br> }), null)<br> json = optional(object({<br> identifier = string<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> status_code = optional(object({<br> success_codes = list(string)<br> failure_codes = list(string)<br> }), null)<br> }), null)<br> }), null)<br> })), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_rate_based_statement_rules"></a> [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,<br>and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> aggregate\_key\_type:<br> Setting that indicates how to aggregate the request counts.<br> Possible values include: `FORWARDED_IP` or `IP`<br> limit:<br> The limit on requests per 5-minute period for a single originating IP address.<br> evaluation\_window\_sec:<br> The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.<br> Valid values are 60, 120, 300, and 600. Defaults to 300 (5 minutes).<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br> byte\_match\_statement:<br> field\_to\_match:<br> Part of a web request that you want AWS WAF to inspect.<br> positional\_constraint:<br> Area within the portion of a web request that you want AWS WAF to search for search\_string.<br> Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.<br> search\_string:<br> String value that you want AWS WAF to search for.<br> AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.<br> The maximum length of the value is 50 bytes.<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> limit = number<br> aggregate_key_type = string<br> evaluation_window_sec = optional(number)<br> forwarded_ip_config = optional(object({<br> fallback_behavior = string<br> header_name = string<br> }), null)<br> scope_down_statement = optional(object({<br> byte_match_statement = object({<br> positional_constraint = string<br> search_string = string<br> field_to_match = object({<br> all_query_arguments = optional(bool)<br> body = optional(bool)<br> method = optional(bool)<br> query_string = optional(bool)<br> single_header = optional(object({ name = string }))<br> single_query_argument = optional(object({ name = string }))<br> uri_path = optional(bool)<br> })<br> text_transformation = list(object({<br> priority = number<br> type = string<br> }))<br> })<br> }), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_redacted_fields"></a> [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.<br>You can only specify one of the following: `method`, `query_string`, `single_header`, or `uri_path`<br><br>method:<br> Whether to enable redaction of the HTTP method.<br> The method indicates the type of operation that the request is asking the origin to perform.<br>uri\_path:<br> Whether to enable redaction of the URI path.<br> This is the part of a web request that identifies a resource.<br>query\_string:<br> Whether to enable redaction of the query string.<br> This is the part of a URL that appears after a `?` character, if any.<br>single\_header:<br> The list of names of the query headers to redact. | <pre>map(object({<br> method = optional(bool, false)<br> uri_path = optional(bool, false)<br> query_string = optional(bool, false)<br> single_header = optional(list(string), null)<br> }))</pre> | `{}` | no |
| <a name="input_regex_match_statement_rules"></a> [regex\_match\_statement\_rules](#input\_regex\_match\_statement\_rules) | A rule statement used to search web request components for a match against a single regular expression.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>statement:<br> regex\_string:<br> String representing the regular expression. Minimum of 1 and maximum of 512 characters.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_regex_pattern_set_reference_statement_rules"></a> [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>statement:<br> arn:<br> The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_rule_group_reference_statement_rules"></a> [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in a WAFv2 Rule Group.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>override\_action:<br> The override action to apply to the rules in a rule group.<br> Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>statement:<br> arn:<br> The ARN of the `aws_wafv2_rule_group` resource.<br> rule\_action\_override:<br> Action settings to use in the place of the rule actions that are configured inside the rule group.<br> You specify one override for each rule whose action you want to change.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = optional(string)<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> arn = string<br> rule_action_override = optional(map(object({<br> action = string<br> custom_request_handling = optional(object({<br> insert_header = object({<br> name = string<br> value = string<br> })<br> }), null)<br> custom_response = optional(object({<br> response_code = string<br> response_header = optional(object({<br> name = string<br> value = string<br> }), null)<br> }), null)<br> })), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_scope"></a> [scope](#input\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.<br>Possible values are `CLOUDFRONT` or `REGIONAL`.<br>To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no |
| <a name="input_size_constraint_statement_rules"></a> [size\_constraint\_statement\_rules](#input\_size\_constraint\_statement\_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>statement:<br> comparison\_operator:<br> The operator to use to compare the request part to the size setting.<br> Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.<br> size:<br> The size, in bytes, to compare to the request part, after any transformations.<br> Valid values are integers between `0` and `21474836480`, inclusive.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_sqli_match_statement_rules"></a> [sqli\_match\_statement\_rules](#input\_sqli\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,<br>such as the URI or the query string, that you want AWS WAF to inspect.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>statement:<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_ssm_path_prefix"></a> [ssm\_path\_prefix](#input\_ssm\_path\_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <a name="input_token_domains"></a> [token\_domains](#input\_token\_domains) | Specifies the domains that AWS WAF should accept in a web request token.<br>This enables the use of tokens across multiple protected websites.<br>When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting.<br>If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource.<br>With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list,<br>including their prefixed subdomains. | `list(string)` | `null` | no |
| <a name="input_visibility_config"></a> [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br>metric\_name:<br> A friendly name of the CloudWatch metric.<br>sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>object({<br> cloudwatch_metrics_enabled = bool<br> metric_name = string<br> sampled_requests_enabled = bool<br> })</pre> | n/a | yes |
| <a name="input_xss_match_statement_rules"></a> [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A list of labels to apply to web requests that match the rule match statement.<br><br>statement:<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
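An Atmos stack configuration, added here as an example and not part of this component's README or the upstream `cloudposse/waf/aws` module, that combines the `redacted_fields` and `rate_based_statement_rules` inputs from the table above: credentials and cookies are kept out of the WAF logs, and only the login path is rate limited with a CAPTCHA rather than a block. Assumptions not taken from this page: the `components.terraform.waf` stack path, the `/login` path and header names, and the enumeration values (`IP`, `STARTS_WITH`, `LOWERCASE`, `captcha`), which follow the AWS WAFv2 API.

```yaml
components:
  terraform:
    waf:                                  # assumed component name in the stack
      vars:
        enabled: true
        name: waf
        acl_name: default
        default_action: allow
        description: Default web ACL
        visibility_config:
          cloudwatch_metrics_enabled: true
          metric_name: default
          sampled_requests_enabled: true
        # Logging redaction: each map entry may set only ONE of
        # method, query_string, single_header or uri_path.
        redacted_fields:
          credentials:
            single_header:                # header names are assumptions
              - authorization
              - cookie
          query:
            query_string: true            # e.g. tokens passed as query args
        # Rate limit only /login (scope_down_statement); challenge, don't block,
        # so a shared NAT address is not locked out of the whole site.
        rate_based_statement_rules:
          - name: login-rate-limit
            priority: 10                  # lower numbers are evaluated first
            action: captcha               # AWS WAFv2 action value (assumption)
            captcha_config:
              immunity_time_property:
                immunity_time: 300        # seconds a solved CAPTCHA stays valid
            rule_label:
              - login-rate-limited        # visible to later rules and in logs
            statement:
              limit: 100                  # requests per evaluation window per IP
              aggregate_key_type: IP
              evaluation_window_sec: 300
              scope_down_statement:
                byte_match_statement:
                  positional_constraint: STARTS_WITH
                  search_string: /login   # assumed login path
                  field_to_match:
                    uri_path: true
                  text_transformation:
                    - priority: 0
                      type: LOWERCASE     # normalise case before matching
            visibility_config:
              cloudwatch_metrics_enabled: true
              metric_name: login-rate-limit
              sampled_requests_enabled: true
```

Because `redacted_fields` only affects the logging configuration, the WAF still inspects the redacted headers; the setting changes what reaches the log destination, not what the rules see.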
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the WAF WebACL. |
| <a name="output_id"></a> [id](#output\_id) | The ID of the WAF WebACL. |
| <a name="output_logging_config_id"></a> [logging\_config\_id](#output\_logging\_config\_id) | The ARN of the WAFv2 Web ACL logging configuration. |
<!-- prettier-ignore-end -->
## References
- [cloudposse/terraform-aws-components]( - Cloud Posse's upstream component
- component/waf
- layer/addons
- provider/aws
# Categories of this project
- component/waf
- layer/addons
- provider/aws
# License of this project
license: "APACHE2"
# Badges to display
- name: Latest Release
- name: Slack Community
- name: "Cloud Posse Terraform Modules"
description: Our collection of reusable Terraform modules used by our reference architectures.
url: ""
- name: "Atmos"
description: "Atmos is like docker-compose but for your infrastructure"
url: ""
contributors: [] # If included generates contribs