AWS WAF Module

aws iac oss terraform

NOTE: This includes AWSManagedRulesKnownBadInputsRuleSet by default, which AWS updated to mitigate the recent Log4j issue (CVE-2021-44228).

Just released a Terraform module for AWS WAF. If you host “standard” web services (atop something Linux-like), this takes an opinionated approach to save you time while providing enough flexibility for common use cases.

module "waf" {
  source                  = "git::ssh://"
  association_arns        = []
  environment             = var.environment
  name                    =
  namespace               = var.namespace
  tags                    = var.tags

  # these have caused problems for legitimate queries, YMMV
  common_ruleset_excludes = [

Associate your ALB, API Gateway, etc. ARNs (typical WAF-enabled resources), generate test traffic, watch the WAF console for unexpected blocks, and adjust excludes as needed.
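For readers who want to see what the module wraps, here is the same layout written directly against the AWS provider: the known-bad-inputs group with no exclusions, the common rule set with one rule demoted to COUNT, and sampling/metrics switched on so the console shows what was blocked. This is an added example written for this post, not the module's own code; the web ACL name, metric names and the excluded rule `SizeRestrictions_BODY` are assumptions (the `excluded_rule` block is the provider 3.x form; later provider versions use `rule_action_override`).

```hcl
resource "aws_wafv2_web_acl" "web" {
  name  = "example-web-acl" # assumed name
  scope = "REGIONAL"        # REGIONAL covers ALB/API Gateway; CLOUDFRONT needs us-east-1
  default_action {
    allow {}
  }
  rule {
    name     = "known-bad-inputs"
    priority = 1
    override_action {
      none {} # keep the group's own BLOCK action
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet" # carries the Log4j (CVE-2021-44228) signatures
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "common"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        # Excluded rules are evaluated in COUNT mode, so they still show up in
        # sampled requests without blocking; tune this list from what you see.
        excluded_rule {
          name = "SizeRestrictions_BODY" # assumed false positive for this app
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true # these two make the console review step possible
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}
```

Attach it to each protected resource with one `aws_wafv2_web_acl_association` per ARN (the module's `association_arns` does this for you).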

This was a spike to flesh out adding modular web firewalling to terraform-keycloak-aws. As part of that, additional improvements will be added along with more real-world testing. If you have feature requests or find bugs, browse the project repo and feel free to submit PRs or open issues.