This module creates a CloudFront distribution that passes traffic through a Web Application Firewall (WAF) without caching.
Add this module to your main.tf (or appropriate) file and configure the inputs
to match your desired configuration. For example, to create a new distribution
my-project.org that points to origin.my-project.org, you could use:
module "cloudfront_waf" {
source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf"
project = "my-project"
environment = "dev"
domain = "my-project.org"
log_bucket = module.logging.bucket
}Make sure you re-run tofu init after adding the module to your configuration.
tofu init
tofu planTo update the source for this module, pass -upgrade to tofu init:
tofu init -upgradeThe WAF is configured with the following managed rules groups. The priorities of these rules are spaced out to allow for custom rules to be inserted between.
| Rule Group Name | Priority | Description |
|---|---|---|
| AWSManagedRulesAmazonIpReputationList | 200 | Protects against IP addresses with a poor reputation. |
| AWSManagedRulesCommonRuleSet | 300 | Protects against common threats. |
| AWSManagedRulesKnownBadInputsRuleSet | 400 | Protects against known bad inputs. |
| AWSManagedRulesSQLiRuleSet | 500 | Protects against SQL injection attacks. |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| domain | Primary domain for the distribution. The hosted zone for this domain should be in the same account. | string |
n/a | yes |
| log_bucket | Domain name of the S3 bucket to send logs to. | string |
n/a | yes |
| project | The name of the project. | string |
n/a | yes |
| environment | The environment for the project. | string |
"dev" |
no |
| ip_set_rules | The environment for the project. | map(object) |
"dev" |
no |
| log_group | CloudWatch log group to send WAF logs to. | list(string) |
[] |
no |
| origin_domain | Fully qualified domain name for the origin. Defaults to origin.${subdomain}.${domain}. |
string |
n/a | no |
| passive | Enable passive mode for the WAF, counting all requests rather than blocking. | bool |
false |
no |
| subdomain | Subdomain for the distribution. Defaults to the environment. | string |
n/a | no |
| tags | Optional tags to be applied to all resources. | list |
[] |
no |
To allow or deny traffic based on IP address, you can specify a map of IP set
rules to create. You will need to create the IP set in your
configuration, and provide the ARN of the resource. An IP set can be created
with the wafv2_ip_set resource.
For example:
resource "aws_wafv2_ip_set" "security_scanners" {
name = "my-project-staging-security-scanners"
description = "Security scanners that are allowed to access the site."
scope = "CLOUDFRONT"
ip_address_version = "IPV4"
addresses = [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
module "cloudfront_waf" {
source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.1.0"
project = "my-project"
environment = "staging"
domain = "my-project.org"
log_bucket = module.logging.bucket
ip_set_rules = {
scanners = {
name = "my-project-staging-security-scanners"
priority = 0
action = "allow"
arn = aws_wafv2_ip_set.security_scanners.arn
}
}
}