This module creates a CloudFront distribution that passes traffic through a Web Application Firewall (WAF) without caching.

Add this module to your `main.tf` (or appropriate) file and configure the inputs to match your desired configuration. For example, to create a new distribution for `my-project.org` that points to `origin.my-project.org`, you could use:
```hcl
module "cloudfront_waf" {
  source      = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf"
  project     = "my-project"
  environment = "dev"
  domain      = "my-project.org"
  log_bucket  = module.logging.bucket
}
```
Make sure you re-run `tofu init` after adding the module to your configuration:

```sh
tofu init
tofu plan
```

To update the source for this module, pass `-upgrade` to `tofu init`:

```sh
tofu init -upgrade
```
The WAF is configured with the following managed rule groups. The priorities of these rules are spaced out to allow custom rules to be inserted between them.

| Rule Group Name | Priority | Description |
|---|---|---|
| AWSManagedRulesAmazonIpReputationList | 200 | Protects against IP addresses with a poor reputation. |
| AWSManagedRulesCommonRuleSet | 300 | Protects against common threats. |
| AWSManagedRulesKnownBadInputsRuleSet | 400 | Protects against known bad inputs. |
| AWSManagedRulesSQLiRuleSet | 500 | Protects against SQL injection attacks. |
The module accepts the following inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| domain | Primary domain for the distribution. The hosted zone for this domain should be in the same account. | `string` | n/a | yes |
| log_bucket | Domain name of the S3 bucket to send logs to. | `string` | n/a | yes |
| project | The name of the project. | `string` | n/a | yes |
| environment | The environment for the project. | `string` | `"dev"` | no |
| ip_set_rules | Map of IP set rules to create, keyed by rule name. See the IP set rules section below. | `map(object)` | `{}` | no |
| log_group | CloudWatch log group to send WAF logs to. | `list(string)` | `[]` | no |
| origin_domain | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`. | `string` | n/a | no |
| passive | Enable passive mode for the WAF, counting all requests rather than blocking. | `bool` | `false` | no |
| subdomain | Subdomain for the distribution. Defaults to the environment. | `string` | n/a | no |
| tags | Optional tags to be applied to all resources. | `list` | `[]` | no |
To allow or deny traffic based on IP address, you can specify a map of IP set rules to create. You will need to create the IP set in your own configuration and provide the ARN of the resource. An IP set can be created with the `aws_wafv2_ip_set` resource. For example:
```hcl
resource "aws_wafv2_ip_set" "security_scanners" {
  name               = "my-project-staging-security-scanners"
  description        = "Security scanners that are allowed to access the site."
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]
}

module "cloudfront_waf" {
  source      = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.1.0"
  project     = "my-project"
  environment = "staging"
  domain      = "my-project.org"
  log_bucket  = module.logging.bucket

  ip_set_rules = {
    scanners = {
      name     = "my-project-staging-security-scanners"
      priority = 0
      action   = "allow"
      arn      = aws_wafv2_ip_set.security_scanners.arn
    }
  }
}
```
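As an added example (not part of the module's own documentation), the configuration below combines an allow rule with a deny rule and places the deny rule at priority 250, in the gap the managed rule groups leave between IP reputation (200) and the common rule set (300), while `passive` keeps the WAF in count mode until the WAF logs have been reviewed. It assumes that `ip_set_rules` accepts `"block"` as an action value (only `"allow"` appears in the documented example), that lower priorities are evaluated first, and that the log group name and addresses are constructed placeholders.

```hcl
# Constructed example; assumes "block" is a valid ip_set_rules action and
# that priorities below the managed rule groups are evaluated first.
resource "aws_wafv2_ip_set" "blocked_networks" {
  name               = "my-project-staging-blocked-networks"
  description        = "Networks that must never reach the site."
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # RFC 5737 documentation range, placeholder
}

resource "aws_wafv2_ip_set" "security_scanners" {
  name               = "my-project-staging-security-scanners"
  description        = "Security scanners that are allowed to access the site."
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["198.51.100.10/32"] # placeholder scanner address
}

module "cloudfront_waf" {
  source      = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.1.0"
  project     = "my-project"
  environment = "staging"
  domain      = "my-project.org"
  log_bucket  = module.logging.bucket
  log_group   = ["aws-waf-logs-my-project-staging"] # placeholder name

  # Count rather than block while the rules are tuned. Review the WAF logs
  # in log_group for false positives, then set passive = false.
  passive = true

  ip_set_rules = {
    scanners = {
      name     = "my-project-staging-security-scanners"
      priority = 0   # evaluated before every managed rule group
      action   = "allow"
      arn      = aws_wafv2_ip_set.security_scanners.arn
    }
    blocked = {
      name     = "my-project-staging-blocked-networks"
      priority = 250 # between IP reputation (200) and the common rule set (300)
      action   = "block"
      arn      = aws_wafv2_ip_set.blocked_networks.arn
    }
  }
}
```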