resource "aws_wafv2_web_acl" "web_acl_rules" {
name = var.web_acl_name
description = var.web_acl_name
scope = var.scope
tags = {
product-name = "common"
}
default_action {
allow {
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = var.web_acl_name
sampled_requests_enabled = true
}
dynamic "rule" {
for_each = var.managed_rules
content {
name = "${var.web_acl_name}-${rule.value.rule_name}"
priority = rule.key
override_action {
dynamic "none" {
for_each = rule.value.mode == "block" ? [1] : []
content {}
}
dynamic "count" {
for_each = rule.value.mode == "count" ? [1] : []
content {}
}
}
statement {
managed_rule_group_statement {
name = rule.value.rule_name
vendor_name = rule.value.provider_name
dynamic "excluded_rule" {
for_each = rule.value.exceptions
content {
name = excluded_rule.value
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${var.web_acl_name}-${rule.value.rule_name}"
sampled_requests_enabled = true
}
}
}
}
-----------------------------------------------------------------------------------------------------------------------------
scope = "REGIONAL"
managed_rules = [
{
provider_name = "F5"
rule_name = "OWASP_Managed"
exceptions = ["rule_XML_External_Entity__XXE__injection_attempt__Content__AllQueryArguments_Body"]
mode = "allow"
},
{
provider_name = "AWS"
rule_name = "AWSManagedRulesAnonymousIpList"
exceptions = ["HostingProviderIPList"]
mode = "block"
},
{
provider_name = "AWS"
rule_name = "AWSManagedRulesAmazonIpReputationList"
exceptions = []
mode = "block"
}
]
-----------------------------------------------------------------------------------------------------------------------------
variable "environment" {
description = "The name of the environment"
type = string
}
variable "scope" {
description = "The name of resource CLOUDFRONT/REGIONAL only options (if regional declare in tf vars file)"
type = string
default = "CLOUDFRONT"
}
variable "managed_rules" {
description = "the managed rules name in order (make sure not to cross 1500 wcu's)"
type = list(object({
provider_name = string
rule_name = string
exceptions = list(string)
mode = string
}))
}