NOTE: This includes AWSManagedRulesKnownBadInputsRuleSet by default, which AWS updated to mitigate the recent Log4j issue (CVE-2021-44228).
Just released a Terraform module for AWS WAF. If you host “standard” web services (atop something Linux-like), this takes an opinionated approach to save you time while providing enough flexibility for common use cases.
```hcl
module "waf" {
  source           = "git::ssh://git@github.com/sonatype/terraform-aws-waf.git?ref=v0.0.1"
  association_arns = [module.foo.alb_arn]
  environment      = var.environment
  name             = var.name
  namespace        = var.namespace
  tags             = var.tags

  # these have caused problems for legitimate queries, YMMV
  common_ruleset_excludes = [
    "GenericRFI_QUERYARGUMENTS",
    "EC2MetaDataSSRF_QUERYARGUMENTS",
    "EC2MetaDataSSRF_BODY",
    "SizeRestrictions_BODY",
    "CrossSiteScripting_QUERYARGUMENTS",
    "NoUserAgent_HEADER"
  ]
}
```
Associate your ALB, API Gateway, etc. ARNs (typical WAF-enabled resources), generate test traffic, watch the WAF console for unexpected blocks, and adjust excludes as needed.
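For readers who want to see what a module like this wires up underneath, here is an added, hand-written equivalent of the core piece (not the module's own code): a raw `aws_wafv2_web_acl` applying AWSManagedRulesCommonRuleSet with the excludes from the snippet above overridden to COUNT, so those rules keep reporting matches in metrics and sampled requests without blocking, plus the association to the ALB. The ACL name, the REGIONAL scope, the COUNT-instead-of-remove handling, and the use of `rule_action_override` (AWS provider 4.x or later) are my assumptions; the Log4j-related AWSManagedRulesKnownBadInputsRuleSet group would be a second `rule` block of the same shape.

```hcl
resource "aws_wafv2_web_acl" "this" {
  name  = "example-web-acl" # assumed name
  scope = "REGIONAL"        # ALB and API Gateway; CloudFront needs CLOUDFRONT in us-east-1
  default_action {
    allow {}
  }
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 10
    override_action {
      none {} # keep the group's own per-rule actions except where overridden below
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        # The rules the post found noisy are switched to COUNT: they still
        # show up in metrics and sampled requests but no longer block.
        dynamic "rule_action_override" {
          for_each = toset([
            "GenericRFI_QUERYARGUMENTS", "EC2MetaDataSSRF_QUERYARGUMENTS",
            "EC2MetaDataSSRF_BODY", "SizeRestrictions_BODY",
            "CrossSiteScripting_QUERYARGUMENTS", "NoUserAgent_HEADER",
          ])
          content {
            name = rule_action_override.value
            action_to_use {
              count {}
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}
# Attach the ACL to the load balancer, as the module's association_arns does.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = module.foo.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.this.arn
}
```

After `terraform apply`, the COUNT metrics for each overridden rule are what to watch while generating test traffic: a rule that only ever counts legitimate requests stays excluded, while one that never fires can be returned to its blocking action.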
This was a spike to flesh out adding modular web firewalling to terraform-keycloak-aws. As part of that, additional improvements will be added along with more real-world testing. If you have feature requests or find bugs, browse the project repo and feel free to submit PRs or open issues.