trussworks
terraform-aws-wafv2
HCL

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets

Last updated Jan 19, 2026
104
Stars
58
Forks
3
Issues
0
Stars/day
Attention Score
34
Language breakdown
HCL 100.0%
Files click to expand
README

terraform-aws-wafv2

Creates AWS WAFv2 ACL and supports the following

  • AWS Managed Rule Sets
  • Associating with Application Load Balancers (ALB)
  • Blocking IP Sets
  • Global IP Rate limiting
  • Custom IP rate limiting for different URLs

Usage with CloudFront

Note: The Terraform AWS provider needs to be associated with the us-east-1 region to use with CloudFront.

module "cloudfront_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

name = "cloudfront-web-acl" scope = "CLOUDFRONT" }

Usage with Application Load Balancer (ALB)

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

name = "alb-web-acl" scope = "REGIONAL"

albarn = awslb.alb.arn associate_alb = true }

Usage with Logging Configuraion of CloudWatchLogs

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "0.0.1"

name = "cloudfront-web-acl" scope = "CLOUDFRONT"

enable_logging = true logdestinationarns = [ awscloudwatchlog_group.logs.arn ] }

Usage blocking IP Sets

resource "awswafv2ip_set" "ipset" {
  name = "blocked_ips"

scope = "REGIONAL" ipaddressversion = "IPV4"

addresses = [ "1.2.3.4/32", "5.6.7.8/32" ] }

module "wafv2" { source = "../../"

name = "wafv2" scope = "REGIONAL"

ipsetsrule = [ { name = "blocked_ips" action = "block" priority = 1 ipsetarn = awswafv2ip_set.ipset.arn } ] }

Requirements

| Name | Version | |------|---------| | terraform | >= 1.0 | | aws | >= 5.0 |

Providers

| Name | Version | |------|---------| | aws | >= 5.0 |

Modules

No modules.

Resources

| Name | Type | |------|------| | awswafv2webacl.main | resource | | awswafv2webaclassociation.main | resource | | awswafv2webaclloggingconfiguration.main | resource |

Inputs

| Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | alb\_arn | ARN of the ALB to be associated with the WAFv2 ACL. | string | "" | no | | associate\_alb | Whether to associate an ALB with the WAFv2 ACL. | bool | false | no | | default\_action | The action to perform if none of the rules contained in the WebACL match. | string | "allow" | no | | enable\_logging | Whether to associate Logging resource with the WAFv2 ACL. | bool | false | no | | filtered\header\rule | HTTP header to filter . Currently supports a single header type and multiple header values. |

({ headertypes = list(string) priority = number headervalue = string action = string searchstring = string })
|
{ "action": "block", "headertypes": [], "headervalue": "", "priority": 1, "searchstring": "" }
| no | | group\rules | List of WAFv2 Rule Groups. |
(object({ name = string arn = string priority = number overrideaction = string }))
| [] | no | | ip\rate\based\rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span |
({ name = string priority = number limit = number action = string responsecode = optional(number, 403) })
| null | no | | ip\rate\url\based\rules | A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span |
(object({ name = string priority = number limit = number action = string responsecode = optional(number, 403) searchstring = string positional_constraint = string }))
| [] | no | | ip\sets\rule | A rule to detect web requests coming from particular IP addresses or address ranges. |
(object({ name = string priority = number ipsetarn = string action = string response_code = optional(number, 403) }))
| [] | no | | log\destination\arns | The Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. | list(string) | [] | no | | managed\rules | List of Managed WAF rules. |
(object({ name = string priority = number overrideaction = string vendorname = string version = optional(string) ruleactionoverride = list(object({ name = string actiontouse = string })) }))
|
[ { "name": "AWSManagedRulesCommonRuleSet", "overrideaction": "none", "priority": 10, "ruleactionoverride": [], "vendorname": "AWS" }, { "name": "AWSManagedRulesAmazonIpReputationList", "overrideaction": "none", "priority": 20, "ruleactionoverride": [], "vendorname": "AWS" }, { "name": "AWSManagedRulesKnownBadInputsRuleSet", "overrideaction": "none", "priority": 30, "ruleactionoverride": [], "vendorname": "AWS" }, { "name": "AWSManagedRulesSQLiRuleSet", "overrideaction": "none", "priority": 40, "ruleactionoverride": [], "vendorname": "AWS" }, { "name": "AWSManagedRulesLinuxRuleSet", "overrideaction": "none", "priority": 50, "ruleactionoverride": [], "vendorname": "AWS" }, { "name": "AWSManagedRulesUnixRuleSet", "overrideaction": "none", "priority": 60, "ruleactionoverride": [], "vendor_name": "AWS" } ]
| no | | name | A friendly name of the WebACL. | string | n/a | yes | | scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | string | n/a | yes | | tags | A mapping of tags to assign to the WAFv2 ACL. | map(string) | {} | no |

Outputs

| Name | Description | |------|-------------| | web\acl\id | The ARN of the WAF WebACL. |

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks
🔗 More in this category

© 2026 GitRepoTrend · trussworks/terraform-aws-wafv2 · Updated daily from GitHub