A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.
AWS WAF protects web applications from common web exploits.

Create WAFv2 Web ACL with rate limiting

import * as aws from "@pulumi/aws";

// Regional web ACL that allows requests by default and blocks any source IP
// that exceeds 2000 requests in the rate-based rule's 5-minute window.
const webAcl = new aws.wafv2.WebAcl("web-acl", {
  scope: "REGIONAL",
  defaultAction: { allow: {} },
  rules: [{
    name: "rate-limit",
    priority: 1,
    statement: {
      rateBasedStatement: {
        limit: 2000,
        aggregateKeyType: "IP",
      },
    },
    action: { block: {} },
    visibilityConfig: {
      sampledRequestsEnabled: true,
      cloudwatchMetricsEnabled: true,
      metricName: "rate-limit-rule",
    },
  }],
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudwatchMetricsEnabled: true,
    metricName: "web-acl",
  },
});

Add managed rule set for common threats
// Rules that reference a rule group take overrideAction instead of action:
// `none` keeps the group's own per-rule actions, `count` would put the whole
// group into monitor-only mode.
const webAcl = new aws.wafv2.WebAcl("web-acl", {
  scope: "REGIONAL",
  defaultAction: { allow: {} },
  rules: [{
    name: "aws-managed-rules",
    priority: 1,
    overrideAction: { none: {} },
    statement: {
      managedRuleGroupStatement: {
        vendorName: "AWS",
        name: "AWSManagedRulesCommonRuleSet",
      },
    },
    visibilityConfig: { /* ... */ }, // same shape as in the rate-limit example
  }],
  visibilityConfig: { /* ... */ },
});

Associate WAF with Application Load Balancer
// `alb` is an aws.lb.LoadBalancer defined elsewhere in the program. A REGIONAL
// web ACL is attached with WebAclAssociation; a CLOUDFRONT-scoped web ACL is
// instead referenced from the distribution's webAclId.
new aws.wafv2.WebAclAssociation("alb-waf", {
  resourceArn: alb.arn,
  webAclArn: webAcl.arn,
});

AWS provides three WAF versions:
class WebAcl extends pulumi.CustomResource {
  constructor(name: string, args: WebAclArgs, opts?: pulumi.CustomResourceOptions);
  readonly arn: pulumi.Output<string>;
  readonly id: pulumi.Output<string>;
}

interface WebAclArgs {
  scope: pulumi.Input<"CLOUDFRONT" | "REGIONAL">;
  defaultAction: pulumi.Input<WebAclDefaultAction>;
  rules?: pulumi.Input<pulumi.Input<WebAclRule>[]>;
  visibilityConfig: pulumi.Input<WebAclVisibilityConfig>;
  tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example: Create Web ACL with IP blocking
import * as aws from "@pulumi/aws";

// IP set referenced by the block rule below. The address is a placeholder
// from the documentation range; replace it with the ranges you want denied.
const ipSet = new aws.wafv2.IpSet("blocked-ips", {
  scope: "REGIONAL",
  ipAddressVersion: "IPV4",
  addresses: ["203.0.113.0/24"],
});

// Rules are evaluated lowest priority first: the IP block list is checked
// before the rate limit, and the default action applies only if no rule matches.
const webAcl = new aws.wafv2.WebAcl("web-acl", {
  scope: "REGIONAL",
  defaultAction: { allow: {} },
  rules: [
    {
      name: "block-ips",
      priority: 1,
      action: { block: {} },
      statement: {
        ipSetReferenceStatement: {
          arn: ipSet.arn,
        },
      },
      visibilityConfig: {
        sampledRequestsEnabled: true,
        cloudwatchMetricsEnabled: true,
        metricName: "block-ips-rule",
      },
    },
    {
      name: "rate-limit",
      priority: 2,
      action: { block: {} },
      statement: {
        rateBasedStatement: {
          limit: 2000,
          aggregateKeyType: "IP",
        },
      },
      visibilityConfig: {
        sampledRequestsEnabled: true,
        cloudwatchMetricsEnabled: true,
        metricName: "rate-limit-rule",
      },
    },
  ],
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudwatchMetricsEnabled: true,
    metricName: "web-acl",
  },
  tags: {
    Environment: "production",
  },
});

For the complete WAF API, see All Services, wafregional, and wafv2.
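The snippets above each build one kind of WAFv2 rule by hand. The following is an added example, not code from this page or from the Pulumi AWS package: a small TypeScript helper that assembles the `rules` array for an `aws.wafv2.WebAcl` from the three building blocks shown (IP-set block, managed rule group, rate limit), assigns priorities from array order, and checks the structural constraints WAFv2 enforces before `pulumi up` ever sends the request. It uses plain objects shaped like the `WebAclRule` argument so it runs without `@pulumi/aws`; the ARN, rule names and the duplicate-metric check are this helper's own assumptions.

```typescript
// Added example, not part of the page or the Pulumi AWS package.
// Plain-object mirror of the aws.wafv2.WebAcl `rules` argument shape.
type Empty = Record<string, never>;
type RuleAction = { allow: Empty } | { block: Empty } | { count: Empty };
type OverrideAction = { none: Empty } | { count: Empty };

interface VisibilityConfig {
  sampledRequestsEnabled: boolean;
  cloudwatchMetricsEnabled: boolean;
  metricName: string;
}

interface WebAclRule {
  name: string;
  priority: number;
  action?: RuleAction;           // required for ordinary rules
  overrideAction?: OverrideAction; // required for rule-group references
  statement: Record<string, unknown>;
  visibilityConfig: VisibilityConfig;
}

type UnprioritizedRule = Omit<WebAclRule, "priority">;

function visibility(metricName: string): VisibilityConfig {
  return { sampledRequestsEnabled: true, cloudwatchMetricsEnabled: true, metricName };
}

// Block every address in an IP set; ipSetArn would be `ipSet.arn` in a real program.
function ipBlockRule(name: string, ipSetArn: string): UnprioritizedRule {
  return {
    name,
    action: { block: {} },
    statement: { ipSetReferenceStatement: { arn: ipSetArn } },
    visibilityConfig: visibility(`${name}-rule`),
  };
}

// Reference an AWS managed rule group. Rule-group references take overrideAction,
// never action: `none` keeps the group's own actions, `count` is monitor-only.
function managedRuleGroupRule(name: string, groupName: string, countOnly = false): UnprioritizedRule {
  return {
    name,
    overrideAction: countOnly ? { count: {} } : { none: {} },
    statement: { managedRuleGroupStatement: { vendorName: "AWS", name: groupName } },
    visibilityConfig: visibility(`${name}-rule`),
  };
}

// Block any single source IP that exceeds `limit` requests in the evaluation window.
function rateLimitRule(name: string, limit: number): UnprioritizedRule {
  return {
    name,
    action: { block: {} },
    statement: { rateBasedStatement: { limit, aggregateKeyType: "IP" } },
    visibilityConfig: visibility(`${name}-rule`),
  };
}

// Returns a list of constraint violations (empty when the rule set is valid).
function validateRules(rules: WebAclRule[]): string[] {
  const problems: string[] = [];
  const seenPriority = new Set<number>();
  const seenMetric = new Set<string>();
  for (const r of rules) {
    const referencesGroup =
      "managedRuleGroupStatement" in r.statement || "ruleGroupReferenceStatement" in r.statement;
    if (referencesGroup && (r.overrideAction === undefined || r.action !== undefined)) {
      problems.push(`${r.name}: rule-group reference needs overrideAction, not action`);
    }
    if (!referencesGroup && (r.action === undefined || r.overrideAction !== undefined)) {
      problems.push(`${r.name}: rule needs action, not overrideAction`);
    }
    if (seenPriority.has(r.priority)) problems.push(`${r.name}: duplicate priority ${r.priority}`);
    seenPriority.add(r.priority);
    // Helper's own policy: give every rule its own CloudWatch metric.
    if (seenMetric.has(r.visibilityConfig.metricName)) problems.push(`${r.name}: duplicate metricName`);
    seenMetric.add(r.visibilityConfig.metricName);
  }
  return problems;
}

// WAFv2 evaluates rules lowest priority first, so array order is evaluation order.
function buildRules(ordered: UnprioritizedRule[]): WebAclRule[] {
  const rules = ordered.map((r, i) => ({ ...r, priority: i + 1 }));
  const problems = validateRules(rules);
  if (problems.length > 0) throw new Error(problems.join("; "));
  return rules;
}

// Usage: deny-list first, then the managed common rule set, then the rate limit.
// The ARN is a constructed placeholder.
const exampleRules = buildRules([
  ipBlockRule("block-ips", "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-ips/PLACEHOLDER"),
  managedRuleGroupRule("aws-managed-rules", "AWSManagedRulesCommonRuleSet"),
  rateLimitRule("rate-limit", 2000),
]);
```

`exampleRules` can be passed straight to `rules:` in an `aws.wafv2.WebAcl`; the `pulumi.Input` wrappers accept plain values. Starting a new managed rule group with `countOnly = true` and reviewing the sampled requests before switching to `none` is the usual way to avoid blocking legitimate traffic on first deployment.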
Install with Tessl CLI
npx tessl i tessl/npm-pulumi--aws@7.16.0