alb_arn |
ARN of the ALB to be associated with the WAFv2 ACL. |
string |
"" |
no |
associate_alb |
Whether to associate an ALB with the WAFv2 ACL. |
bool |
false |
no |
default_action |
The action to perform if none of the rules contained in the WebACL match. |
string |
"allow" |
no |
enable_logging |
Whether to associate Logging resource with the WAFv2 ACL. |
bool |
false |
no |
filtered_header_rule |
HTTP header to filter. Currently supports a single header type and multiple header values. |
object({ header_types = list(string) priority = number header_value = string action = string search_string = string }) |
{ "action": "block", "header_types": [], "header_value": "", "priority": 1, "search_string": "" } |
no |
group_rules |
List of WAFv2 Rule Groups. |
list(object({ name = string arn = string priority = number override_action = string })) |
[] |
no |
ip_rate_based_rule |
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. |
object({ name = string priority = number limit = number action = string response_code = optional(number, 403) }) |
null |
no |
ip_rate_url_based_rules |
A rate- and URL-based rule tracks the rate of requests for each originating IP address to matching URLs, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. |
list(object({ name = string priority = number limit = number action = string response_code = optional(number, 403) search_string = string positional_constraint = string })) |
[] |
no |
ip_sets_rule |
A rule to detect web requests coming from particular IP addresses or address ranges. |
list(object({ name = string priority = number ip_set_arn = string action = string response_code = optional(number, 403) })) |
[] |
no |
log_destination_arns |
The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. |
list(string) |
[] |
no |
managed_rules |
List of Managed WAF rules. |
list(object({ name = string priority = number override_action = string vendor_name = string version = optional(string) rule_action_override = list(object({ name = string action_to_use = string })) })) |
[ { "name": "AWSManagedRulesCommonRuleSet", "override_action": "none", "priority": 10, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesAmazonIpReputationList", "override_action": "none", "priority": 20, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesKnownBadInputsRuleSet", "override_action": "none", "priority": 30, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesSQLiRuleSet", "override_action": "none", "priority": 40, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesLinuxRuleSet", "override_action": "none", "priority": 50, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesUnixRuleSet", "override_action": "none", "priority": 60, "rule_action_override": [], "vendor_name": "AWS" } ] |
no |
name |
A friendly name of the WebACL. |
string |
n/a |
yes |
scope |
The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. |
string |
n/a |
yes |
tags |
A mapping of tags to assign to the WAFv2 ACL. |
map(string) |
{} |
no |