// terraform-aws-waf

AWS WAFv2 Web ACLs with managed rules, rate limiting, geoblocking, Bot Control, IP sets, custom rules, and logging.

Terraform ≥ 1.0 AWS ≥ 4.0 MIT License

Executive Summary

This module creates and manages AWS WAFv2 Web ACLs with comprehensive protection capabilities. It supports AWS Managed Rule Groups (Common Rule Set, SQL injection, known bad inputs, admin protection, IP reputation, and more), AWS Bot Control with COMMON or TARGETED inspection, rate-based rules with IP aggregation and scope-down statements, IP set reference rules for allow/block lists, geo match rules for country-based blocking, and fully custom rules with byte match, geo match, and size constraint statements. Logging is supported to Kinesis Firehose, CloudWatch Logs, or S3 with field redaction. Web ACL associations attach to ALB, API Gateway, AppSync, and Cognito resources. Both REGIONAL and CLOUDFRONT scopes are supported.

Overview

Rule Types

Managed, Bot Control, Rate Limit, IP Set, Geo Match, Custom

Resources

Web ACL, Logging Config, CloudWatch Log Group, Web ACL Association

Log Destinations

Kinesis Firehose, CloudWatch Logs, S3 Bucket

10+

Managed Rule Groups

CRS, SQLi, Linux, Windows, PHP, WordPress, IP Reputation, Anonymous IP, Bot Control, ATP, ACFP

Architecture Diagram

Client RequestHTTP/S traffic

↓

CloudFront / ALB / API GWProtected resource

↓

WAFv2 Web ACLRule evaluation pipeline

↓

Managed RulesCRS, SQLi, Bad Inputs

Bot ControlCOMMON / TARGETED

Rate LimitingIP-based throttling

IP Set RulesAllow / Block lists

Geo MatchCountry blocking

Custom RulesByte / Size match

↓

ALLOWForward to app

BLOCK403 Forbidden

COUNTLog only

↓

CloudWatch LogsAuto-created

Kinesis FirehoseStreaming

S3 BucketArchival

Component Breakdown

Component	Resource	Purpose
Web ACL	`aws_wafv2_web_acl`	Central rule evaluation engine with configurable default action
Managed Rules	managed_rule_group_statement	AWS-curated rules: CRS, SQLi, Known Bad Inputs, Admin Protection, IP Reputation
Bot Control	AWSManagedRulesBotControlRuleSet	Bot detection with COMMON (general) or TARGETED (advanced) inspection
Rate Limiting	rate_based_statement	IP-based request throttling with optional geo scope-down
IP Set Rules	ip_set_reference_statement	Allow/block based on IP set ARN references
Geo Match	geo_match_statement	Country-code-based blocking/allowing
Custom Rules	byte_match / size_constraint / geo	Custom inspection of URI, query string, headers, body
Logging	`aws_wafv2_web_acl_logging_configuration`	Log to Firehose, CloudWatch, or S3 with field redaction
Association	`aws_wafv2_web_acl_association`	Attach Web ACL to ALB, API Gateway, AppSync, Cognito

Data Flow

Client

→

ALB / CloudFront

→

WAF Rules (priority order)

→

Application

Rules are evaluated in priority order (lowest number first). The first matching rule determines the action (ALLOW, BLOCK, or COUNT). If no rule matches, the default action applies. All evaluations are logged to the configured destination with CloudWatch metrics enabled per-rule for visibility.

Security Controls

OWASP Top 10 Coverage

AWSManagedRulesCommonRuleSet provides protection against XSS, SQLi, SSRF, and other OWASP Top 10 threats

Log4j / Known Exploits

AWSManagedRulesKnownBadInputsRuleSet blocks Log4Shell and other known vulnerability patterns

Bot Mitigation

Bot Control with COMMON or TARGETED inspection levels for automated traffic management

DDoS Protection

Rate-based rules throttle abusive IPs, geo-blocking restricts traffic by country

Log Redaction

Sensitive fields (authorization headers, query strings) can be redacted from WAF logs

Per-Rule Metrics

CloudWatch metrics and sampled requests enabled on every rule for full observability

Industry Adaptation

Industry	Configuration
E-Commerce	CRS + SQLi rules, Bot Control (TARGETED), rate limiting on checkout, geo-blocking
Financial Services	CRS + Admin Protection + ATP for account takeover, IP allowlists for partner APIs
SaaS / API	Rate limiting per endpoint, Known Bad Inputs, custom rules for API abuse patterns
Media / Content	Bot Control for scraping prevention, geo restrictions for licensing, ACFP for fake accounts
Healthcare	CRS + Admin Protection, IP allowlists, log redaction for PHI fields

Production Readiness Checklist

Enable AWSManagedRulesCommonRuleSet as the baseline managed rule group
Add AWSManagedRulesKnownBadInputsRuleSet for Log4j and known exploit protection
Enable WAF logging with enable_logging = true
Start managed rules in COUNT mode, then switch to NONE (enforce) after review
Configure rate limiting for public-facing endpoints
Add IP reputation rules (AmazonIpReputationList)
Redact sensitive headers (authorization, cookies) from logs
Associate Web ACL with all public-facing ALBs and API Gateways
Set up CloudWatch dashboards for WAF metrics
Monitor Web ACL capacity units to stay within 1,500 WCU limit
Enable Bot Control for applications with bot traffic concerns
Use geo-blocking for traffic from high-risk countries

Configuration Reference

Required Variables

Variable	Type	Description
`name`	string	Name of the WAFv2 Web ACL

Key Optional Variables

Variable	Default	Description
`scope`	"REGIONAL"	REGIONAL or CLOUDFRONT
`default_action`	"allow"	Default action (allow or block)
`managed_rule_groups`	[]	List of AWS managed rule groups
`enable_bot_control`	false	Enable Bot Control
`bot_control_inspection_level`	"COMMON"	COMMON or TARGETED
`rate_limit_rules`	[]	Rate-based rules
`ip_set_rules`	[]	IP set reference rules
`geo_match_rules`	[]	Geo match / country blocking rules
`custom_rules`	[]	Custom byte/size/geo rules
`enable_logging`	true	Enable WAF logging
`resource_arns`	[]	ARNs of resources to associate

AWS Managed Rule Groups Reference

Category	Rule Group Name
Baseline	`AWSManagedRulesCommonRuleSet`, `AWSManagedRulesAdminProtectionRuleSet`, `AWSManagedRulesKnownBadInputsRuleSet`
SQLi / LFI	`AWSManagedRulesSQLiRuleSet`, `AWSManagedRulesLinuxRuleSet`, `AWSManagedRulesUnixRuleSet`
Platform	`AWSManagedRulesWindowsRuleSet`, `AWSManagedRulesPHPRuleSet`, `AWSManagedRulesWordPressRuleSet`
IP Reputation	`AWSManagedRulesAmazonIpReputationList`, `AWSManagedRulesAnonymousIpList`
Bot / Fraud	`AWSManagedRulesBotControlRuleSet`, `AWSManagedRulesATPRuleSet`, `AWSManagedRulesACFPRuleSet`

Deployment

module "waf" {
  source = "github.com/kogunlowo123/terraform-aws-waf"

  name  = "my-web-acl"
  scope = "REGIONAL"

  managed_rule_groups = [
    {
      name            = "AWSManagedRulesCommonRuleSet"
      priority        = 10
      override_action = "none"
      excluded_rules  = []
    },
    {
      name            = "AWSManagedRulesKnownBadInputsRuleSet"
      priority        = 20
      override_action = "none"
      excluded_rules  = []
    }
  ]

  rate_limit_rules = [
    {
      name     = "global-rate-limit"
      priority = 100
      rate     = 2000
      action   = "block"
    }
  ]

  resource_arns = [aws_lb.main.arn]

  tags = { Environment = "production" }
}

Links

AWS WAFv2 Documentation

AWS Managed Rule Groups

AWS Bot Control

Terraform aws_wafv2_web_acl

OWASP Top 10