Terraform — Setup AWS WAF v2 (Web ACL) AWSManagedRuleSet

Prashant Bhatasana
Published in AppGambit
Apr 18, 2023 (5 min read)

In this article, we walk through how to configure a WAFv2 web ACL with Terraform and associate it with an Application Load Balancer (ALB).

Terraform — WAFv2 (Web ACL)

What is Web ACL in WAF?

A web access control list (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, and AWS App Runner resources.

Let’s Start!

Prerequisites

  • AWS IAM credentials (an access key and secret key, or a named profile) that can create AWS WAFv2 web ACLs and associate them with a load balancer. Scope them to the WAFv2 actions plus elasticloadbalancing:SetWebAcl rather than using full-access keys; this setup needs nothing more.
  • Terraform should be installed on the machine. If it is not, download and install it from the Terraform downloads page.

1. Create a “provider.tf”

This is the provider file that tells Terraform which provider you are using.

All infrastructure will be created on AWS because the provider is "aws". If you want to use another cloud provider such as GCP or Azure, you can change this, but in our case we are using AWS.

provider "aws" {
  region = var.region
}

The region variable declares the AWS region in which the WAF setup is created. It must be the region of the ALB: a REGIONAL web ACL can only be associated with resources in its own region.

You can also declare a profile if you work with multiple AWS accounts:

  profile = "<PROFILE NAME>"

By default, Terraform uses your default AWS profile.

2. Create “variables.tf”

All variables go in this file. For now there are only two, the region and the ARN of the load balancer to protect, but there may be more later.

variable "region" {
  description = "AWS deployment region."
  type        = string
  default     = "us-east-1"
}

variable "aws_lb_arn" {
  description = "ARN of the load balancer that you want to attach to the WAF."
  type        = string
}

If you set the values in terraform.tfvars, the variable declarations only need a description (and a type); no default is required.

3. Create a "terraform.tfvars"

To persist variable values, create a file and assign variables within it. Create a file named terraform.tfvars with the following contents:

region = "us-east-1"
aws_lb_arn = "arn:aws:elasticloadbalancing:us-east-1:XXXX:loadbalancer/XXX"

Note: Make sure your AWS load balancer is in the same region you define above. The fourth field of the ARN is its region, so it must agree with the region value or the web ACL association will fail.

For all files that match terraform.tfvars or *.auto.tfvars in the current directory, Terraform automatically loads them to populate variables. If the file is named something else, pass it explicitly with the -var-file flag.

Do not commit secrets such as credentials or passwords to version control. Keep them in a local variables file that is listed in .gitignore and load it with -var-file.

4. Create a "modules/waf" folder

A module is a container for multiple resources that are used together. Modules can be used to create lightweight abstractions, so that you can describe your infrastructure in terms of its architecture rather than directly in terms of physical objects.

5. Create "main.tf" in the waf folder.

(main.tf of the WAF module: shown in the original as an embedded gist)

In that file, a few managed rules are overridden to show how you can override a rule, or force-allow it, with the following block placed inside the managed_rule_group_statement:

rule_action_override {
  name = "<name of the rule you want to override>" # e.g. SizeRestrictions_BODY
  action_to_use {
    allow {}
  }
}

6. Create "variables.tf" in the waf folder.

This is the same as the root variables.tf above: it declares all the variables that main.tf uses, so the module can receive their values from production.tf.

7. Create “output.tf” in the Waf folder.

We can export any details from created resources and give that as input for another module.

output "web_acl_arn" {
  description = "The ARN of the WAF WebACL."
  value       = aws_wafv2_web_acl.WafWebAcl.arn
}

The output value can be read from the root module, or passed into another module, like this:

waf_arn = module.waf.web_acl_arn
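The three module files together, as an added example that is not the article's embedded gist. It keeps the resource name WafWebAcl used by the output above and assumes a web ACL name of example-waf-acl and the AWSManagedRulesCommonRuleSet and AWSManagedRulesKnownBadInputsRuleSet rule groups; the region variable is declared only because production.tf passes it, since the module inherits the root provider.

```hcl
# ---- modules/waf/variables.tf ----
variable "region" {
  description = "Region of the ALB. Declared because the root module passes it; the provider is inherited from the root."
  type        = string
}

variable "aws_lb_arn" {
  description = "ARN of the Application Load Balancer to protect."
  type        = string
}

# ---- modules/waf/main.tf ----
resource "aws_wafv2_web_acl" "WafWebAcl" {
  name        = "example-waf-acl" # assumed name
  description = "AWS managed rule groups in front of the ALB"
  scope       = "REGIONAL"        # ALB/API Gateway/AppSync; CloudFront needs CLOUDFRONT, created in us-east-1

  # Requests that no rule blocks are allowed through.
  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1

    # none {} keeps the group's own block actions; use count {} to observe first and tune.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # Force-allow a single rule inside the group (assumes large request bodies are legitimate here).
        rule_action_override {
          name = "SizeRestrictions_BODY"
          action_to_use {
            allow {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-waf-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the load balancer; the ALB must be in the same region as the web ACL.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.aws_lb_arn
  web_acl_arn  = aws_wafv2_web_acl.WafWebAcl.arn
}

# ---- modules/waf/output.tf ----
output "web_acl_arn" {
  description = "The ARN of the WAF WebACL."
  value       = aws_wafv2_web_acl.WafWebAcl.arn
}
```

The association resource is what actually puts the web ACL in front of the ALB; creating the web ACL alone protects nothing. When you add a new rule group, start with override_action { count {} } and watch the CloudWatch metrics before switching to none {}, otherwise the first deployment can block legitimate traffic.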

8. Create "production.tf"

The .tf files in your working directory when you run terraform plan or terraform apply together form the root module. That module may call other modules and connect them by passing output values from one to the input values of another. To learn how to use modules, see the Modules Configuration section of the Terraform documentation.

module "waf" {
  source     = "./modules/waf"
  region     = var.region
  aws_lb_arn = var.aws_lb_arn
}

Now we are ready to init!

Run terraform init; it downloads the provider plugins and initializes the modules in your project directory.

terraform init

After that, you can see the .terraform folder in your project directory, which contains the provider binaries and module information.

terraform plan

The terraform plan command is used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files.

This command is a convenient way to check whether the execution plan for a set of changes matches your expectations without making any changes to real resources or the state. For example, terraform plan might be run before committing a change to version control, to create confidence that it will behave as expected.

(Screenshot: terraform plan / apply output)

terraform apply

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

🎊 🎉🤖🎊 🎉 Our WAF setup is ready on AWS.

To confirm the association took effect, run aws wafv2 get-web-acl-for-resource --resource-arn <your ALB ARN> --region us-east-1; it returns the web ACL now in front of the ALB. Then watch the CloudWatch metrics from visibility_config for a while: if legitimate traffic is being blocked, switch the rule group's override_action to count while you tune the overrides.

You just need to follow all the steps, or clone this repository to start terraforming.

After cloning the repo, just run the following commands.

rename sample.terraform.tfvars to terraform.tfvars

change values of variables in terraform.tfvars.

terraform init

terraform plan

terraform apply

Thank you for reading, if you have anything to add please send a response or add a note!
