Resource: awsWafregionalWebAclAssociation

Manages the association of a WAF Regional Web ACL with a resource.

Note: An Application Load Balancer can only be associated with one WAF Regional WebACL.

Example Usage

Application Load Balancer Association

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsVpcFoo = new aws.vpc.Vpc(this, "foo", {
  cidrBlock: "10.1.0.0/16",
});
const awsWafregionalIpsetIpset = new aws.wafregionalIpset.WafregionalIpset(
  this,
  "ipset",
  {
    ipSetDescriptor: [
      {
        type: "IPV4",
        value: "192.0.7.0/24",
      },
    ],
    name: "tfIPSet",
  }
);
const awsWafregionalRuleFoo = new aws.wafregionalRule.WafregionalRule(
  this,
  "foo_2",
  {
    metricName: "tfWAFRule",
    name: "tfWAFRule",
    predicate: [
      {
        dataId: awsWafregionalIpsetIpset.id,
        negated: false,
        type: "IPMatch",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafregionalRuleFoo.overrideLogicalId("foo");
const awsWafregionalWebAclFoo = new aws.wafregionalWebAcl.WafregionalWebAcl(
  this,
  "foo_3",
  {
    defaultAction: {
      type: "ALLOW",
    },
    metricName: "foo",
    name: "foo",
    rule: [
      {
        action: {
          type: "BLOCK",
        },
        priority: 1,
        ruleId: awsWafregionalRuleFoo.id,
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafregionalWebAclFoo.overrideLogicalId("foo");
const dataAwsAvailabilityZonesAvailable =
  new aws.dataAwsAvailabilityZones.DataAwsAvailabilityZones(
    this,
    "available",
    {}
  );
const awsSubnetBar = new aws.subnet.Subnet(this, "bar", {
  availabilityZone: `\${${dataAwsAvailabilityZonesAvailable.names.fqn}[1]}`,
  cidrBlock: "10.1.2.0/24",
  vpcId: awsVpcFoo.id,
});
const awsSubnetFoo = new aws.subnet.Subnet(this, "foo_6", {
  availabilityZone: `\${${dataAwsAvailabilityZonesAvailable.names.fqn}[0]}`,
  cidrBlock: "10.1.1.0/24",
  vpcId: awsVpcFoo.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSubnetFoo.overrideLogicalId("foo");
const awsAlbFoo = new aws.alb.Alb(this, "foo_7", {
  internal: true,
  subnets: [awsSubnetFoo.id, awsSubnetBar.id],
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAlbFoo.overrideLogicalId("foo");
const awsWafregionalWebAclAssociationFoo =
  new aws.wafregionalWebAclAssociation.WafregionalWebAclAssociation(
    this,
    "foo_8",
    {
      resourceArn: awsAlbFoo.arn,
      webAclId: awsWafregionalWebAclFoo.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafregionalWebAclAssociationFoo.overrideLogicalId("foo");

API Gateway Association

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayRestApiExample = new aws.apiGatewayRestApi.ApiGatewayRestApi(
  this,
  "example",
  {
    body: '${jsonencode({\n    openapi = "3.0.1"\n    info = {\n      title   = "example"\n      version = "1.0"\n    }\n    paths = {\n      "/path1" = {\n        get = {\n          x-amazon-apigateway-integration = {\n            httpMethod           = "GET"\n            payloadFormatVersion = "1.0"\n            type                 = "HTTP_PROXY"\n            uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"\n          }\n        }\n      }\n    }\n  })}',
    name: "example",
  }
);
const awsWafregionalIpsetIpset = new aws.wafregionalIpset.WafregionalIpset(
  this,
  "ipset",
  {
    ipSetDescriptor: [
      {
        type: "IPV4",
        value: "192.0.7.0/24",
      },
    ],
    name: "tfIPSet",
  }
);
const awsWafregionalRuleFoo = new aws.wafregionalRule.WafregionalRule(
  this,
  "foo",
  {
    metricName: "tfWAFRule",
    name: "tfWAFRule",
    predicate: [
      {
        dataId: awsWafregionalIpsetIpset.id,
        negated: false,
        type: "IPMatch",
      },
    ],
  }
);
const awsWafregionalWebAclFoo = new aws.wafregionalWebAcl.WafregionalWebAcl(
  this,
  "foo_3",
  {
    defaultAction: {
      type: "ALLOW",
    },
    metricName: "foo",
    name: "foo",
    rule: [
      {
        action: {
          type: "BLOCK",
        },
        priority: 1,
        ruleId: awsWafregionalRuleFoo.id,
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafregionalWebAclFoo.overrideLogicalId("foo");
const awsApiGatewayDeploymentExample =
  new aws.apiGatewayDeployment.ApiGatewayDeployment(this, "example_4", {
    restApiId: awsApiGatewayRestApiExample.id,
    triggers: {
      redeployment: `\${sha1(jsonencode(${awsApiGatewayRestApiExample.body}))}`,
    },
  });
awsApiGatewayDeploymentExample.addOverride("lifecycle", [
  {
    create_before_destroy: true,
  },
]);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayDeploymentExample.overrideLogicalId("example");
const awsApiGatewayStageExample = new aws.apiGatewayStage.ApiGatewayStage(
  this,
  "example_5",
  {
    deploymentId: awsApiGatewayDeploymentExample.id,
    restApiId: awsApiGatewayRestApiExample.id,
    stageName: "example",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayStageExample.overrideLogicalId("example");
new aws.wafregionalWebAclAssociation.WafregionalWebAclAssociation(
  this,
  "association",
  {
    resourceArn: awsApiGatewayStageExample.arn,
    webAclId: awsWafregionalWebAclFoo.id,
  }
);

Argument Reference

The following arguments are supported:

  • webAclId - (Required) The ID of the WAF Regional WebACL to associate with the resource.
  • resourceArn - (Required) ARN of the resource to associate with. For example, an Application Load Balancer or API Gateway Stage.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the association

Import

WAF Regional Web ACL Associations can be imported using their webAclId:resourceArn, e.g.,

$ terraform import aws_wafregional_web_acl_association.foo web_acl_id:resource_arn
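
The import ID format above and the Note about one WebACL per Application Load Balancer can be checked together before running an import or apply. The following is an added example, not code from the provider documentation: `parseAssociationId`, `findConflicts`, and all sample IDs and ARNs are constructed for illustration, and applying the one-WebACL rule to every resource ARN (not only ALBs) is an assumption that goes beyond the Note.

```typescript
interface Association {
  webAclId: string;
  resourceArn: string;
}

// The ARN itself contains colons, so split on the FIRST colon only.
function parseAssociationId(id: string): Association {
  const sep = id.indexOf(":");
  if (sep <= 0) {
    throw new Error(`expected webAclId:resourceArn, got "${id}"`);
  }
  const webAclId = id.slice(0, sep);
  const resourceArn = id.slice(sep + 1);
  if (resourceArn.indexOf("arn:") !== 0) {
    throw new Error(`resource part is not an ARN: "${resourceArn}"`);
  }
  return { webAclId, resourceArn };
}

// Maps each resource ARN claimed by more than one WebACL to the sorted list
// of distinct WebACL IDs that claim it. An empty result means no conflicts.
function findConflicts(ids: string[]): Record<string, string[]> {
  const byResource: Record<string, string[]> = {};
  for (const id of ids) {
    const { webAclId, resourceArn } = parseAssociationId(id);
    const acls = byResource[resourceArn] || (byResource[resourceArn] = []);
    if (acls.indexOf(webAclId) === -1) acls.push(webAclId);
  }
  const conflicts: Record<string, string[]> = {};
  for (const arn of Object.keys(byResource)) {
    const acls = byResource[arn] || [];
    if (acls.length > 1) conflicts[arn] = acls.slice().sort();
  }
  return conflicts;
}

// Constructed sample data: placeholder account ID, WebACL IDs and ARNs.
const albArn =
  "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/foo/0123456789abcdef";
const stageArn = "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/example";
const sampleIds = [
  `webacl-aaaa:${albArn}`,
  `webacl-bbbb:${albArn}`, // second WebACL on the same ALB: a conflict
  `webacl-aaaa:${stageArn}`,
];

console.log(findConflicts(sampleIds));
```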