# Resource: aws_waf_web_acl

Provides a WAF Web ACL Resource.

## Example Usage

This example blocks requests coming from `192.0.7.0/24` and allows everything else.
```terraform
resource "aws_waf_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptors {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on  = [aws_waf_ipset.ipset]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicates {
    data_id = aws_waf_ipset.ipset.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  depends_on = [
    aws_waf_ipset.ipset,
    aws_waf_rule.wafrule,
  ]
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = aws_waf_rule.wafrule.id
    type     = "REGULAR"
  }
}
```
### Logging

Logging is enabled with a `logging_configuration` block that delivers records to a Kinesis Firehose delivery stream; `redacted_fields` lists the parts of the request to strip from those records.

```terraform
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...

  logging_configuration {
    log_destination = aws_kinesis_firehose_delivery_stream.example.arn

    redacted_fields {
      field_to_match {
        type = "URI"
      }

      field_to_match {
        data = "referer"
        type = "HEADER"
      }
    }
  }
}
```
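The blocklist example above leaves `default_action` as `ALLOW`, so any request the rules do not match passes through. The following is an added example, not part of the provider documentation, showing the inverse posture: `default_action` is `BLOCK`, an IP-match rule acts as an allowlist, a rule still being tuned runs in `COUNT` mode ahead of it so its matches show up in metrics and logs without affecting traffic, and credential-bearing headers are redacted before log records leave the account. The rules `aws_waf_rule.trusted` and `aws_waf_rule.candidate` and the stream `aws_kinesis_firehose_delivery_stream.waf_logs` are assumed to be defined elsewhere in the configuration.

```terraform
# Added example, not from the provider docs. Assumed to exist elsewhere:
# aws_waf_rule.trusted (IPMatch on an allowlisted range), aws_waf_rule.candidate
# (a rule under evaluation) and aws_kinesis_firehose_delivery_stream.waf_logs.
resource "aws_waf_web_acl" "allowlist" {
  name        = "allowlistWebACL"
  metric_name = "allowlistWebACL"

  # Fail closed: a request that matches no terminal rule is blocked.
  default_action {
    type = "BLOCK"
  }

  # Priority 1: COUNT is non-terminal, so every request the candidate rule
  # matches is recorded in CloudWatch metrics and logs before the allowlist
  # rule runs, and traffic is unaffected while the rule is being tuned.
  rules {
    action {
      type = "COUNT"
    }
    priority = 1
    rule_id  = aws_waf_rule.candidate.id
    type     = "REGULAR"
  }

  # Priority 2: ALLOW is terminal; only the trusted range gets through,
  # everything else falls to default_action and is blocked.
  rules {
    action {
      type = "ALLOW"
    }
    priority = 2
    rule_id  = aws_waf_rule.trusted.id
    type     = "REGULAR"
  }

  logging_configuration {
    log_destination = aws_kinesis_firehose_delivery_stream.waf_logs.arn
    # Strip credentials before records reach Firehose.
    redacted_fields {
      field_to_match {
        data = "authorization"
        type = "HEADER"
      }
      field_to_match {
        data = "cookie"
        type = "HEADER"
      }
    }
  }
}
```

Because a `COUNT` rule never terminates evaluation, its position only matters relative to terminal rules: placed after the `ALLOW` rule it would count only requests from outside the trusted range.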
## Argument Reference

This resource supports the following arguments:

* `default_action` - (Required) Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
* `metric_name` - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
* `name` - (Required) The name or description of the web ACL.
* `rules` - (Optional) Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
* `logging_configuration` - (Optional) Configuration block to enable WAF logging. Detailed below.
* `tags` - (Optional) Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

### `default_action` Configuration Block

* `type` - (Required) Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules, e.g., `ALLOW` or `BLOCK`.

### `logging_configuration` Configuration Block

* `log_destination` - (Required) Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream.
* `redacted_fields` - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

#### `redacted_fields` Configuration Block

* `field_to_match` - (Required) Set of configuration blocks for fields to redact. Detailed below.

##### `field_to_match` Configuration Block

* `data` - (Optional) When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.
* `type` - (Required) The part of the web request that you want AWS WAF to search for a specified string, e.g., `HEADER` or `METHOD`.

### `rules` Configuration Block

See docs for all details and supported values.

* `action` - (Optional) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`.
  * `type` - (Required) Valid values are: `BLOCK`, `ALLOW`, or `COUNT`.
* `override_action` - (Optional) Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`.
  * `type` - (Required) Valid values are: `NONE` or `COUNT`.
* `priority` - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
* `rule_id` - (Required) ID of the associated WAF (Global) rule (e.g., `aws_waf_rule`). WAF (Regional) rules cannot be used.
* `type` - (Optional) The rule type, either `REGULAR`, as defined by Rule, `RATE_BASED`, as defined by RateBasedRule, or `GROUP`, as defined by RuleGroup. The default is `REGULAR`. If you add a `RATE_BASED` rule, you need to set `type` as `RATE_BASED`. If you add a `GROUP` rule, you need to set `type` as `GROUP`.

## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `id` - The ID of the WAF WebACL.
* `arn` - The ARN of the WAF WebACL.
* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

## Import

In Terraform v1.5.0 and later, use an `import` block to import WAF Web ACL using the `id`. For example:
```terraform
import {
  to = aws_waf_web_acl.main
  id = "0c8e583e-18f3-4c13-9e2a-67c4805d2f94"
}
```
Using `terraform import`, import WAF Web ACL using the `id`. For example:

```console
% terraform import aws_waf_web_acl.main 0c8e583e-18f3-4c13-9e2a-67c4805d2f94
```