Terraform — Setup AWS WAF v2 (Web ACL) AWSManagedRuleSet
In this article we look at how to configure a WAF web ACL and associate it with an Application Load Balancer (ALB) using Terraform.
What is Web ACL in WAF?
A web access control list (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, and AWS App Runner resources.
Let’s Start!
Prerequisites
- We need AWS IAM credentials (an access key and secret key) with permissions to create AWS WAF web ACLs and rules.
- Terraform should be installed on the machine. If it is not, you can download and install it from the Terraform website.
1. Create a “provider.tf”
This is the provider file that tells Terraform which provider you are using. All infrastructure will be created on AWS because the provider is "aws". If you want to use another cloud provider such as GCP or Azure you can change this, but in our case we are using AWS.
provider "aws" {
  region = var.region
}
Here we declare the AWS region in which the WAF setup is created. If you work with multiple AWS accounts, you can also declare a profile:
profile = "<PROFILE NAME>"
By default, Terraform uses your default AWS CLI profile.
2. Create “variables.tf”
All variables live in this file. For now there is only the region, but more will follow:
variable "region" {
  description = "AWS Deployment region.."
  default     = "us-east-1"
}

variable "aws_lb_arn" {
  description = "ARN of your LoadBalance that you want to attach with WAF.."
}
If you supply the values through terraform.tfvars, the variable declaration only needs a description (no default).
3. Create a “terraform.tfvars”
To persist variable values, create a file named terraform.tfvars and assign the variables in it, with the following contents:
region = "us-east-2"
aws_lb_arn = "arn:aws:elasticloadbalancing:us-east-1:XXXX:loadbalancer/XXX"
Note: make sure your load balancer is in the same AWS region as the one you define above; a regional web ACL can only be associated with resources in its own region.
Terraform automatically loads every file named terraform.tfvars or *.auto.tfvars in the current directory to populate variables. If the file is named something else, pass it explicitly with the -var-file flag.
I don’t recommend saving usernames and passwords to version control, but you can create a local secrets variable file and load it with -var-file.
4. Create a “modules > Waf” Folder
A module is a container for multiple resources that are used together. Modules can be used to create lightweight abstractions, so that you can describe your infrastructure in terms of its architecture, rather than directly in terms of physical objects.
5. Create “main.tf” in the Waf folder.
In this file I override some rules of the managed rule group, to show how you can override a rule or force it to allow, using the following block:
rule_action_override {
  action_to_use {
    allow {}
  }
  name = "<NAME OF THE RULE YOU WANT TO OVERRIDE>" # e.g. SizeRestrictions_BODY
}
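The full contents of main.tf are not shown above, so here is an added example of a complete module main.tf (written for this article's structure, not the author's own file). It creates a regional web ACL that uses the AWS managed Common Rule Set, applies the override from the block above to the SizeRestrictions_BODY rule, and associates the ACL with the load balancer. The resource name WafWebAcl and the variable names region and aws_lb_arn come from the other steps of the article; the ACL name, metric names and rule priority are assumptions. It needs an AWS provider release recent enough to support rule_action_override (which superseded the older excluded_rule argument in the 4.x series). Note that allow is a terminating action: a request matching the overridden rule is allowed and no later rule in the web ACL is evaluated, so count {} is the safer first choice while you confirm in CloudWatch which requests the override actually affects.

```hcl
# modules/waf/main.tf (added example, not the article's own file)
# Assumed: the module receives the two variables declared in step 2 and
# exposes the ARN used by the output block in step 7.

variable "region" {
  description = "AWS region; passed in from the root module in production.tf."
}

variable "aws_lb_arn" {
  description = "ARN of the Application Load Balancer to protect."
}

resource "aws_wafv2_web_acl" "WafWebAcl" {
  name  = "waf-web-acl" # assumed name
  scope = "REGIONAL"    # ALB, API Gateway and AppSync need REGIONAL; CloudFront needs CLOUDFRONT

  # Requests that match no rule are forwarded to the ALB.
  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1 # assumed; lower numbers are evaluated first

    # "none" lets the managed group's own block/allow actions take effect;
    # "count" would only record matches while you evaluate the group.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # The override from step 5: force-allow the SizeRestrictions_BODY rule.
        # Allow is terminating, so a matching request skips every later rule
        # in this web ACL. Replace `allow {}` with `count {}` to observe
        # matches in CloudWatch first without changing the verdict.
        rule_action_override {
          action_to_use {
            allow {}
          }
          name = "SizeRestrictions_BODY"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet" # assumed metric name
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "WafWebAcl" # assumed metric name
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the load balancer whose ARN comes from terraform.tfvars.
resource "aws_wafv2_web_acl_association" "WafWebAclAssociation" {
  resource_arn = var.aws_lb_arn
  web_acl_arn  = aws_wafv2_web_acl.WafWebAcl.arn
}
```

Both visibility_config blocks are required by the resource; leaving cloudwatch_metrics_enabled and sampled_requests_enabled on is what lets you see, per rule, which requests the managed group blocked or counted before you decide whether an override is really needed.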
6. Create “variables.tf” in the Waf folder.
This is the same as the variables.tf file above: it declares all the variables used in the module's main.tf, so that their values can be passed in from production.tf.
7. Create “output.tf” in the Waf folder.
We can export any details from created resources and give that as input for another module.
output "web_acl_arn" {
  description = "The ARN of the WAF WebACL."
  value       = aws_wafv2_web_acl.WafWebAcl.arn
}
We can access the output value from another module (or from the root module) like this:
waf_arn = module.waf.web_acl_arn
8. Create “production.tf”
production.tf is part of the root module: when you run terraform plan or terraform apply, Terraform evaluates all the .tf files in your working directory together as the root module. The root module may call other modules and connect them by passing the output values of one module into the input values of another. To learn more about using modules, see the Modules section of the Terraform configuration documentation.
module "waf" {
  source     = "./modules/waf"
  region     = var.region
  aws_lb_arn = var.aws_lb_arn
}
Now we are ready to init!
Run terraform init, which downloads the required provider plugins and module sources into your project directory.
After that, you will see a .terraform folder in your project directory containing the provider setup and module information.
terraform plan
The terraform plan command is used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files.
This command is a convenient way to check whether the execution plan for a set of changes matches your expectations without making any changes to real resources or the state. For example, terraform plan might be run before committing a change to version control, to build confidence that it will behave as expected.
terraform apply
The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.
🎊 🎉🤖🎊 🎉 Our WAF Setup is ready on AWS.
You just need to follow all steps or clone this repository to start terraforming.
After cloning the repo, run the following steps:
- rename sample.terraform.tfvars to terraform.tfvars
- change the values of the variables in terraform.tfvars
- terraform init
- terraform plan
- terraform apply
Thank you for reading, if you have anything to add please send a response or add a note!