
Resource: awsWafregionalWebAcl

Provides a WAF Regional Web ACL Resource for use with Application Load Balancer.

Example Usage

Regular Rule

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsWafregionalIpsetIpset = new aws.wafregionalIpset.WafregionalIpset(
  this,
  "ipset",
  {
    ipSetDescriptor: [
      {
        type: "IPV4",
        value: "192.0.7.0/24",
      },
    ],
    name: "tfIPSet",
  }
);
const awsWafregionalRuleWafrule = new aws.wafregionalRule.WafregionalRule(
  this,
  "wafrule",
  {
    metricName: "tfWAFRule",
    name: "tfWAFRule",
    predicate: [
      {
        dataId: awsWafregionalIpsetIpset.id,
        negated: false,
        type: "IPMatch",
      },
    ],
  }
);
new aws.wafregionalWebAcl.WafregionalWebAcl(this, "wafacl", {
  defaultAction: {
    type: "ALLOW",
  },
  metricName: "tfWebACL",
  name: "tfWebACL",
  rule: [
    {
      action: {
        type: "BLOCK",
      },
      priority: 1,
      ruleId: awsWafregionalRuleWafrule.id,
      type: "REGULAR",
    },
  ],
});

Group Rule

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafregionalWebAcl.WafregionalWebAcl(this, "example", {
  defaultAction: {
    type: "ALLOW",
  },
  metricName: "example",
  name: "example",
  rule: [
    {
      overrideAction: {
        type: "NONE",
      },
      priority: 1,
      ruleId: "${aws_wafregional_rule_group.example.id}",
      type: "GROUP",
    },
  ],
});

Logging

~> NOTE: The Kinesis Firehose Delivery Stream name must begin with aws-waf-logs- (for example aws-waf-logs-example); AWS WAF rejects a logging configuration whose destination is named otherwise. See the AWS WAF Developer Guide for more information about enabling WAF logging.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafregionalWebAcl.WafregionalWebAcl(this, "example", {
  // defaultAction, metricName and name are required on every web ACL;
  // they are included here so the example synthesizes on its own.
  defaultAction: {
    type: "ALLOW",
  },
  metricName: "example",
  name: "example",
  loggingConfiguration: {
    // Must be a Kinesis Firehose Delivery Stream whose name begins with aws-waf-logs-
    logDestination: "${aws_kinesis_firehose_delivery_stream.example.arn}",
    redactedFields: {
      fieldToMatch: [
        {
          type: "URI",
        },
        {
          // For type HEADER, data names the header; omit data for every other type
          data: "referer",
          type: "HEADER",
        },
      ],
    },
  },
});

Argument Reference

The following arguments are supported:

  • defaultAction - (Required) The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
  • metricName - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
  • name - (Required) The name or description of the web ACL.
  • loggingConfiguration - (Optional) Configuration block to enable WAF logging. Detailed below.
  • rule - (Optional) Set of configuration blocks containing rules for the web ACL. Detailed below.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

defaultAction Configuration Block

  • type - (Required) Specifies how you want AWS WAF Regional to respond to requests that match none of the rules in the web ACL. Valid values are ALLOW, BLOCK or COUNT.

loggingConfiguration Configuration Block

  • logDestination - (Required) Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Stream that receives the logs.
  • redactedFields - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

redactedFields Configuration Block

  • fieldToMatch - (Required) Set of configuration blocks for fields to redact. Detailed below.

fieldToMatch Configuration Block

-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.

  • data - (Optional) When the value of type is HEADER, the name of the header whose value should be redacted, for example User-Agent or Referer. For any other value of type, omit data.
  • type - (Required) The part of the web request that this block refers to and that is redacted from the logs, e.g., URI, HEADER or METHOD.
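The loggingConfiguration, redactedFields and fieldToMatch blocks above carry two constraints that only surface as API errors at apply time (the aws-waf-logs- stream name prefix, and data being present exactly when type is HEADER), plus one that never surfaces at all: credential-bearing headers are written to the log in clear unless they are listed under redactedFields. The following is an added example, not code from this page or from the AWS provider, that checks all three against a plain configuration object before running cdktf synth. The Firehose ARN layout and the name prefix rule are documented AWS behaviour; the type names, function names, the SENSITIVE_HEADERS list and the sample configurations are this example's own assumptions.

```typescript
// Added example (not from the provider docs): pre-synth checks for a
// logging_configuration block. Type and function names are this example's own.

type FieldType = "URI" | "QUERY_STRING" | "HEADER" | "METHOD" | "BODY";

interface FieldToMatch {
  type: FieldType;
  data?: string; // header name; only meaningful when type is HEADER
}

interface LoggingConfiguration {
  logDestination: string;
  redactedFields?: { fieldToMatch: FieldToMatch[] };
}

// Splits a Kinesis Data Firehose delivery stream ARN of the form
//   arn:aws:firehose:<region>:<account-id>:deliverystream/<stream-name>
// and returns null for anything else (a CloudWatch Logs or S3 ARN, for
// instance), which WAF Regional will not accept as a log destination.
function parseFirehoseArn(arn: string): { region: string; account: string; name: string } | null {
  const m = /^arn:aws(?:-[a-z]+)*:firehose:([a-z0-9-]+):(\d{12}):deliverystream\/([A-Za-z0-9_.-]+)$/.exec(arn);
  return m ? { region: m[1], account: m[2], name: m[3] } : null;
}

// Request headers that carry credentials or session material (this list is an
// assumption of the example; extend it for your application). WAF logs the
// full request, so unless these are redacted everyone who can read the
// Firehose destination can replay sessions from the logs.
const SENSITIVE_HEADERS: string[] = ["authorization", "cookie", "x-api-key"];

function validateLoggingConfiguration(cfg: LoggingConfiguration): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];
  const warnings: string[] = [];

  const arn = parseFirehoseArn(cfg.logDestination);
  if (!arn) {
    errors.push(`log_destination is not a Firehose delivery stream ARN: ${cfg.logDestination}`);
  } else if (arn.name.indexOf("aws-waf-logs-") !== 0) {
    errors.push(`delivery stream "${arn.name}" must have a name beginning with aws-waf-logs-`);
  }

  const fields = cfg.redactedFields ? cfg.redactedFields.fieldToMatch : [];
  const redactedHeaders: string[] = [];
  for (const f of fields) {
    if (f.type === "HEADER") {
      if (!f.data) errors.push("field_to_match of type HEADER needs data set to the header name");
      else redactedHeaders.push(f.data.toLowerCase()); // header names are case-insensitive
    } else if (f.data) {
      errors.push(`field_to_match of type ${f.type} must omit data`);
    }
  }
  for (const h of SENSITIVE_HEADERS) {
    if (redactedHeaders.indexOf(h) === -1) {
      warnings.push(`header ${h} is logged in clear; add {type: "HEADER", data: "${h}"} to redacted_fields`);
    }
  }
  return { errors, warnings };
}

// Constructed samples. asOnPage mirrors the Logging example above with a
// placeholder account id; hardened adds the credential-bearing headers;
// misnamed uses a stream without the required prefix.
const asOnPage: LoggingConfiguration = {
  logDestination: "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-example",
  redactedFields: { fieldToMatch: [{ type: "URI" }, { type: "HEADER", data: "referer" }] },
};

const hardened: LoggingConfiguration = {
  logDestination: asOnPage.logDestination,
  redactedFields: {
    fieldToMatch: [
      { type: "URI" },
      { type: "HEADER", data: "referer" },
      { type: "HEADER", data: "authorization" },
      { type: "HEADER", data: "cookie" },
      { type: "HEADER", data: "x-api-key" },
    ],
  },
};

const misnamed: LoggingConfiguration = {
  logDestination: "arn:aws:firehose:us-east-1:123456789012:deliverystream/waf-logs-example",
};
```

Run against asOnPage the checker reports no errors but three warnings, one per unredacted credential header; hardened is clean; misnamed fails on the stream name before the API call would. Redaction only affects what is written to Firehose, so the headers are still inspected by the rules; it costs nothing in detection to redact them.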

rule Configuration Block

-> Additional information about this configuration can be found in the AWS WAF Regional API Reference.

  • priority - (Required) Specifies the order in which the rules in a WebACL are evaluated. Rules with a lower value are evaluated before rules with a higher value.
  • ruleId - (Required) ID of the associated WAF (Regional) rule (e.g., awsWafregionalRule). WAF (Global) rules cannot be used.
  • action - (Optional) Configuration block of the action that AWS WAF Regional takes when a web request matches the conditions in the rule. Not used if type is GROUP. Detailed below.
  • overrideAction - (Optional) Configuration block that overrides the action requested by the rules inside a rule group when a web request matches one of them. Only used if type is GROUP. Detailed below.
  • type - (Optional) The rule type: REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. The type must match the resource that ruleId refers to: a rate-based rule needs type RATE_BASED and a rule group needs type GROUP.

action / overrideAction Configuration Block

  • type - (Required) Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for action are ALLOW, BLOCK or COUNT. Valid values for overrideAction are COUNT and NONE.
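The rule, action and overrideAction blocks above describe the evaluation order and the action vocabulary in prose: rules run from the lowest priority value upwards, ALLOW and BLOCK end the evaluation, COUNT only increments the rule's metric and lets evaluation continue, defaultAction applies when nothing terminates, and for a GROUP rule an overrideAction of COUNT turns whatever the group's rule requested into COUNT while NONE keeps it. The following is an added example, not code from this page or from the AWS provider, that models those semantics so a planned rule set can be checked before cdktf synth: validateRules catches the structural mistakes the API would reject (an action on a GROUP rule, a missing overrideAction, duplicate priorities), and evaluate shows which action a request ends up with for a given set of matched rules. The type and function names and the sample rule ids are this example's own assumptions.

```typescript
// Added example (not from the provider docs): a small model of the rule
// block's semantics. Type and function names are this example's own.

type RuleType = "REGULAR" | "RATE_BASED" | "GROUP";
type WafAction = "ALLOW" | "BLOCK" | "COUNT";
type OverrideType = "COUNT" | "NONE";

interface AclRule {
  ruleId: string;
  priority: number;
  type: RuleType;
  action?: { type: WafAction };            // REGULAR and RATE_BASED only
  overrideAction?: { type: OverrideType }; // GROUP only
}

interface WebAcl {
  defaultAction: { type: "ALLOW" | "BLOCK" };
  rule: AclRule[];
}

// Checks the API enforces at create/update time, caught locally instead:
// the action block must match the rule type, and priorities must be unique
// so that the evaluation order is unambiguous.
function validateRules(acl: WebAcl): string[] {
  const errors: string[] = [];
  const byPriority: { [p: number]: string } = {};
  for (const r of acl.rule) {
    if (byPriority[r.priority] !== undefined) {
      errors.push(`${r.ruleId}: priority ${r.priority} already used by ${byPriority[r.priority]}`);
    }
    byPriority[r.priority] = r.ruleId;
    if (r.type === "GROUP") {
      if (r.action) errors.push(`${r.ruleId}: action is not used for GROUP rules`);
      if (!r.overrideAction) errors.push(`${r.ruleId}: GROUP rules require override_action (COUNT or NONE)`);
    } else {
      if (r.overrideAction) errors.push(`${r.ruleId}: override_action is only used for GROUP rules`);
      if (!r.action) errors.push(`${r.ruleId}: ${r.type} rules require action (ALLOW, BLOCK or COUNT)`);
    }
  }
  return errors;
}

// A matched rule. For a GROUP rule, groupRuleAction is the action requested
// by whichever rule inside the group matched the request.
interface Match { ruleId: string; groupRuleAction?: WafAction }

// Rules are evaluated from the lowest priority value upwards. ALLOW and BLOCK
// end evaluation; COUNT records the match and evaluation continues; if no rule
// ends evaluation, default_action applies. For a GROUP rule, override_action
// COUNT replaces whatever the group's rule requested, NONE lets it stand.
function evaluate(acl: WebAcl, matches: Match[]): { action: WafAction; counted: string[] } {
  const counted: string[] = [];
  const ordered = acl.rule.slice().sort((a, b) => a.priority - b.priority);
  for (const r of ordered) {
    const hit = matches.filter((m) => m.ruleId === r.ruleId)[0];
    if (!hit) continue;
    let outcome: WafAction;
    if (r.type === "GROUP") {
      const requested: WafAction = hit.groupRuleAction || "BLOCK";
      outcome = r.overrideAction && r.overrideAction.type === "COUNT" ? "COUNT" : requested;
    } else {
      outcome = r.action ? r.action.type : "COUNT"; // validateRules reports a missing action
    }
    if (outcome === "COUNT") { counted.push(r.ruleId); continue; }
    return { action: outcome, counted };
  }
  return { action: acl.defaultAction.type, counted };
}

// Constructed sample: the page's IP-match block rule, a rate-based rule being
// trialled in COUNT mode, and a rule group overridden to COUNT while its
// false-positive rate is measured. Rule ids are placeholders.
const sampleAcl: WebAcl = {
  defaultAction: { type: "ALLOW" },
  rule: [
    { ruleId: "ipset-block", priority: 1, type: "REGULAR", action: { type: "BLOCK" } },
    { ruleId: "rate-limit", priority: 2, type: "RATE_BASED", action: { type: "COUNT" } },
    { ruleId: "rule-group", priority: 3, type: "GROUP", overrideAction: { type: "COUNT" } },
  ],
};

// The same idea with two mistakes the API would reject: an action block on a
// GROUP rule (and no override_action) and a duplicated priority.
const brokenAcl: WebAcl = {
  defaultAction: { type: "ALLOW" },
  rule: [
    { ruleId: "ipset-block", priority: 1, type: "REGULAR", action: { type: "BLOCK" } },
    { ruleId: "rule-group", priority: 1, type: "GROUP", action: { type: "BLOCK" } },
  ],
};
```

With sampleAcl, a request that matches both the IP set rule and the rate-based rule is blocked at priority 1 and the COUNT rule never runs; a request that matches only the rate-based rule and the group falls through both COUNT outcomes to the default ALLOW, which is the point of a COUNT trial: nothing is blocked until the overrideAction is switched to NONE. The model deliberately reproduces the silent failure mode of a web ACL whose defaultAction is ALLOW and whose only enforcing rules are still in COUNT: evaluate returns ALLOW for everything.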

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the WAF Regional WebACL.
  • id - The ID of the WAF Regional WebACL.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

WAF Regional Web ACL can be imported using the id, e.g.,

$ terraform import aws_wafregional_web_acl.wafacl a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc