
Resource: awsWafWebAcl

Provides a WAF Web ACL Resource

Example Usage

This example blocks requests coming from 192.0.7.0/24 and allows everything else.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// IP set holding the address range that the rule below will match on.
const awsWafIpsetIpset = new aws.wafIpset.WafIpset(this, "ipset", {
  ipSetDescriptors: [
    {
      type: "IPV4",
      value: "192.0.7.0/24",
    },
  ],
  name: "tfIPSet",
});
// Rule whose single predicate matches requests whose source IP is in the IP set.
const awsWafRuleWafrule = new aws.wafRule.WafRule(this, "wafrule", {
  dependsOn: [awsWafIpsetIpset],
  metricName: "tfWAFRule",
  name: "tfWAFRule",
  predicates: [
    {
      dataId: awsWafIpsetIpset.id,
      negated: false,
      type: "IPMatch",
    },
  ],
});
// Web ACL: BLOCK whatever the rule matches, ALLOW everything else by default.
new aws.wafWebAcl.WafWebAcl(this, "waf_acl", {
  defaultAction: {
    type: "ALLOW",
  },
  dependsOn: [awsWafIpsetIpset, awsWafRuleWafrule],
  metricName: "tfWebACL",
  name: "tfWebACL",
  rules: [
    {
      action: {
        type: "BLOCK",
      },
      priority: 1,
      ruleId: awsWafRuleWafrule.id,
      type: "REGULAR",
    },
  ],
});

Logging

~> NOTE: The Kinesis Firehose Delivery Stream name must begin with aws-waf-logs- and the stream must be located in the us-east-1 region. See the AWS WAF Developer Guide for more information about enabling WAF logging.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafWebAcl.WafWebAcl(this, "example", {
  loggingConfiguration: {
    // ARN of a Kinesis Firehose delivery stream defined elsewhere in the stack.
    logDestination: "${aws_kinesis_firehose_delivery_stream.example.arn}",
    redactedFields: {
      fieldToMatch: [
        {
          type: "URI",
        },
        {
          data: "referer",
          type: "HEADER",
        },
      ],
    },
  },
});

Argument Reference

The following arguments are supported:

  • defaultAction - (Required) Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
  • metricName - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
  • name - (Required) The name or description of the web ACL.
  • rules - (Optional) Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
  • loggingConfiguration - (Optional) Configuration block to enable WAF logging. Detailed below.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

defaultAction Configuration Block

  • type - (Required) Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules, e.g., ALLOW or BLOCK.

loggingConfiguration Configuration Block

  • logDestination - (Required) Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
  • redactedFields - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

redactedFields Configuration Block

  • fieldToMatch - (Required) Set of configuration blocks for fields to redact. Detailed below.

fieldToMatch Configuration Block

-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.

  • data - (Optional) When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
  • type - (Required) The part of the web request that you want AWS WAF to search for a specified string, e.g., HEADER or METHOD.

rules Configuration Block

See docs for all details and supported values.

  • action - (Optional) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
      • type - (Required) Valid values are: BLOCK, ALLOW, or COUNT.
  • overrideAction - (Optional) Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
      • type - (Required) Valid values are: NONE or COUNT.
  • priority - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
  • ruleId - (Required) ID of the associated WAF (Global) rule (e.g., awsWafRule). WAF (Regional) rules cannot be used.
  • type - (Optional) The rule type: REGULAR, as defined by Rule; RATE_BASED, as defined by RateBasedRule; or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RateBasedRule, you need to set type to RATE_BASED. If you add a RuleGroup, you need to set type to GROUP.
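The loggingConfiguration and rules blocks above carry several constraints that Terraform only surfaces as an apply-time error from AWS (delivery stream naming and region, action versus overrideAction depending on the rule type, unique priorities, data only for HEADER redactions). The following is an added example, not code from the provider docs or the cdktf project: a small pre-flight validator for the plain object you would pass to new aws.wafWebAcl.WafWebAcl(...). It needs no generated provider bindings, so it runs stand-alone; the account id, rule ids and stream ARNs are constructed placeholders, and the interfaces are a hand-written subset of the generated config types.

```typescript
// Added example (not part of the provider docs): validate a WafWebAcl config
// object against the documented constraints before handing it to the construct.

type WafAction = "ALLOW" | "BLOCK" | "COUNT";
type OverrideAction = "NONE" | "COUNT";
type RuleType = "REGULAR" | "RATE_BASED" | "GROUP";

// Hand-written subset of the generated WafWebAclConfig types (assumption).
interface RuleConfig {
  priority: number;
  ruleId: string;
  type?: RuleType;                           // the provider defaults this to REGULAR
  action?: { type: WafAction };              // used unless type is GROUP
  overrideAction?: { type: OverrideAction }; // used only when type is GROUP
}

interface LoggingConfig {
  logDestination: string;                    // Kinesis Firehose delivery stream ARN
  redactedFields?: { fieldToMatch: { type: string; data?: string }[] };
}

interface WebAclConfig {
  name: string;
  metricName: string;
  defaultAction: { type: WafAction };
  rules?: RuleConfig[];
  loggingConfiguration?: LoggingConfig;
}

// Returns a list of problems; an empty list means the config satisfies the
// documented constraints (it does not prove the referenced resources exist).
function validateWebAclConfig(cfg: WebAclConfig): string[] {
  const problems: string[] = [];

  // COUNT is a per-rule action; the web ACL default action must ALLOW or BLOCK.
  if (cfg.defaultAction.type === "COUNT") {
    problems.push("defaultAction.type must be ALLOW or BLOCK, not COUNT");
  }

  const seenPriorities = new Set<number>();
  for (const rule of cfg.rules ?? []) {
    const type = rule.type ?? "REGULAR";
    if (seenPriorities.has(rule.priority)) {
      problems.push(`rule ${rule.ruleId}: duplicate priority ${rule.priority}`);
    }
    seenPriorities.add(rule.priority);
    if (type === "GROUP") {
      if (rule.action) problems.push(`rule ${rule.ruleId}: action is not used for GROUP rules; set overrideAction`);
      if (!rule.overrideAction) problems.push(`rule ${rule.ruleId}: GROUP rules need overrideAction (NONE or COUNT)`);
    } else {
      if (rule.overrideAction) problems.push(`rule ${rule.ruleId}: overrideAction is only used when type is GROUP`);
      if (!rule.action) problems.push(`rule ${rule.ruleId}: ${type} rules need an action (ALLOW, BLOCK or COUNT)`);
    }
  }

  const logging = cfg.loggingConfiguration;
  if (logging) {
    // Expected ARN shape: arn:aws:firehose:<region>:<account>:deliverystream/<name>
    const m = /^arn:aws:firehose:([a-z0-9-]+):\d{12}:deliverystream\/(.+)$/.exec(logging.logDestination);
    if (!m) {
      problems.push("logDestination is not a Kinesis Firehose delivery stream ARN");
    } else {
      const region = m[1] ?? "";
      const streamName = m[2] ?? "";
      if (region !== "us-east-1") problems.push(`log delivery stream must be in us-east-1, not ${region}`);
      if (!streamName.startsWith("aws-waf-logs-")) problems.push(`log delivery stream name must begin with aws-waf-logs-: ${streamName}`);
    }
    for (const field of logging.redactedFields?.fieldToMatch ?? []) {
      if (field.type === "HEADER" && !field.data) problems.push("HEADER redaction needs data (the header name)");
      if (field.type !== "HEADER" && field.data !== undefined) problems.push(`data must be omitted when type is ${field.type}`);
    }
  }
  return problems;
}

// Constructed sample mirroring the page's examples; account id and rule id are placeholders.
const GOOD_CONFIG: WebAclConfig = {
  name: "tfWebACL",
  metricName: "tfWebACL",
  defaultAction: { type: "ALLOW" },
  rules: [{ priority: 1, ruleId: "RULE-ID-PLACEHOLDER", type: "REGULAR", action: { type: "BLOCK" } }],
  loggingConfiguration: {
    logDestination: "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-example",
    redactedFields: { fieldToMatch: [{ type: "URI" }, { type: "HEADER", data: "referer" }] },
  },
};

// The same config with mistakes a reviewer should catch: a GROUP rule given an
// action instead of overrideAction, a duplicate priority, and a delivery stream
// in the wrong region with a name missing the aws-waf-logs- prefix.
const BAD_CONFIG: WebAclConfig = {
  ...GOOD_CONFIG,
  rules: [
    { priority: 1, ruleId: "GROUP-ID-PLACEHOLDER", type: "GROUP", action: { type: "BLOCK" } },
    { priority: 1, ruleId: "RULE-ID-PLACEHOLDER", action: { type: "BLOCK" } },
  ],
  loggingConfiguration: {
    logDestination: "arn:aws:firehose:eu-west-1:123456789012:deliverystream/waf-logs",
  },
};

console.log(validateWebAclConfig(GOOD_CONFIG)); // []
console.log(validateWebAclConfig(BAD_CONFIG));  // five problems
```

Run the validator in a unit test or as a cdktf synth pre-step so misconfigurations are caught before a plan is applied; the region and prefix checks encode the logging note above, which AWS otherwise only reports when the logging configuration is put in place.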

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the WAF WebACL.
  • arn - The ARN of the WAF WebACL.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

WAF Web ACL can be imported using the id, e.g.,

$ terraform import aws_waf_web_acl.main 0c8e583e-18f3-4c13-9e2a-67c4805d2f94