Resource: awsWafv2WebAclAssociation

Creates a WAFv2 Web ACL Association.

~> NOTE on associating a WAFv2 Web ACL with a CloudFront distribution: Do not use this resource to associate a WAFv2 Web ACL with a CloudFront distribution. The AWS API call backing this resource notes that you should use the webAclId property on the cloudfrontDistribution instead.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as aws from "./.gen/providers/aws";

// REST API whose stage will be placed behind the web ACL.
const awsApiGatewayRestApiExample = new aws.apiGatewayRestApi.ApiGatewayRestApi(
  this,
  "example",
  {
    // The OpenAPI definition is built natively here rather than as an embedded HCL jsonencode() string.
    body: JSON.stringify({
      openapi: "3.0.1",
      info: { title: "example", version: "1.0" },
      paths: {
        "/path1": {
          get: {
            "x-amazon-apigateway-integration": {
              httpMethod: "GET",
              payloadFormatVersion: "1.0",
              type: "HTTP_PROXY",
              uri: "https://ip-ranges.amazonaws.com/ip-ranges.json",
            },
          },
        },
      },
    }),
    name: "example",
  }
);

// Regional web ACL: API Gateway stages, ALBs and Cognito user pools require scope REGIONAL.
const awsWafv2WebAclExample = new aws.wafv2WebAcl.Wafv2WebAcl(
  this,
  "example_1",
  {
    defaultAction: {
      allow: {},
    },
    name: "web-acl-association-example",
    scope: "REGIONAL",
    // Both telemetry switches are off in this minimal example; enable them to get
    // CloudWatch metrics and sampled requests for the ACL.
    visibilityConfig: {
      cloudwatchMetricsEnabled: false,
      metricName: "friendly-metric-name",
      sampledRequestsEnabled: false,
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclExample.overrideLogicalId("example");

const awsApiGatewayDeploymentExample =
  new aws.apiGatewayDeployment.ApiGatewayDeployment(this, "example_2", {
    restApiId: awsApiGatewayRestApiExample.id,
    // Force a new deployment whenever the API body changes.
    triggers: {
      redeployment: Fn.sha1(Fn.jsonencode(awsApiGatewayRestApiExample.body)),
    },
    lifecycle: {
      createBeforeDestroy: true,
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayDeploymentExample.overrideLogicalId("example");

const awsApiGatewayStageExample = new aws.apiGatewayStage.ApiGatewayStage(
  this,
  "example_3",
  {
    deploymentId: awsApiGatewayDeploymentExample.id,
    restApiId: awsApiGatewayRestApiExample.id,
    stageName: "example",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayStageExample.overrideLogicalId("example");

// The association itself: the stage ARN is the protected resource, the web ACL ARN the policy applied to it.
const awsWafv2WebAclAssociationExample =
  new aws.wafv2WebAclAssociation.Wafv2WebAclAssociation(this, "example_4", {
    resourceArn: awsApiGatewayStageExample.arn,
    webAclArn: awsWafv2WebAclExample.arn,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclAssociationExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • resourceArn - (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool.
  • webAclArn - (Required) The Amazon Resource Name (ARN) of the Web ACL that you want to associate with the resource.

Attributes Reference

No additional attributes are exported.

Timeouts

Configuration options:

  • create - (Default 5m, i.e. five minutes)

Import

A WAFv2 Web ACL Association can be imported using the comma-separated pair WEB_ACL_ARN,RESOURCE_ARN, e.g.,

$ terraform import aws_wafv2_web_acl_association.example arn:aws:wafv2:...7ce849ea,arn:aws:apigateway:...ages/name