
Terraform WAF Web ACL Resource is useless?

Terraform provides a WAF Web ACL Resource. Can it be attached to anything using Terraform, such as an ALB, or is it useless?

With the release of the 1.12 AWS provider it is now possible to directly create regional WAF resources for use with load balancers.

You can now create any of an aws_wafregional_byte_match_set, aws_wafregional_ipset, aws_wafregional_size_constraint_set, aws_wafregional_sql_injection_match_set or aws_wafregional_xss_match_set, link these to an aws_wafregional_rule as predicates, and then in turn add the WAF rules to an aws_wafregional_web_acl. Finally, you can attach the regional WAF to a load balancer with the aws_wafregional_web_acl_association resource.

The Regional WAF Web ACL association resource docs give a helpful example of how they all link together:

resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rule" "foo" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.foo.id}"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

data "aws_availability_zones" "available" {}

resource "aws_subnet" "foo" {
  vpc_id = "${aws_vpc.foo.id}"
  cidr_block = "10.1.1.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[0]}"
}

resource "aws_subnet" "bar" {
  vpc_id = "${aws_vpc.foo.id}"
  cidr_block = "10.1.2.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[1]}"
}

resource "aws_alb" "foo" {
  internal = true
  subnets = ["${aws_subnet.foo.id}", "${aws_subnet.bar.id}"]
}

resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id = "${aws_wafregional_web_acl.foo.id}"
}

Original post:

The regional WAF resources have been caught up in a mixture of review and people abandoning pull requests but are scheduled for the AWS provider 1.12.0 release.

Currently there are only byte match set and IP address set resources available, so they're not much use without the rule, ACL and association resources to actually do things with.

Until then you could use CloudFormation with Terraform's own escape hatch, the aws_cloudformation_stack resource, with something like this:

resource "aws_lb" "load_balancer" {
  ...
}

resource "aws_cloudformation_stack" "waf" {
  name = "waf-example"

  # parameters is a map attribute; the "= {" form is accepted by every Terraform version
  parameters = {
    ALBArn = "${aws_lb.load_balancer.arn}"
  }

  template_body = <<STACK
Parameters:
  ALBArn:
    Type: String

Resources:
  WAF:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: WAF-Example
      DefaultAction:
        Type: BLOCK
      MetricName: WafExample
      Rules:
        - Action:
            Type: ALLOW
          Priority: 2
          RuleId:
            Ref: WhitelistRule

  WhitelistRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: WAF-Example-Whitelist
      MetricName: WafExampleWhiteList
      Predicates:
        - DataId:
            Ref: ExternalAPIURI
          Negated: false
          Type: ByteMatch

  ExternalAPIURI:
    Type: AWS::WAFRegional::ByteMatchSet
    Properties:
      Name: WAF-Example-StringMatch
      ByteMatchTuples:
        - FieldToMatch:
            Type: URI
          PositionalConstraint: STARTS_WITH
          TargetString: /public/
          TextTransformation: NONE

  WAFALBattachment:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: ALBArn
      WebACLId:
        Ref: WAF
STACK
}
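As an added example that is not part of the answer above, here is the same resource chain built around the aws_wafregional_sql_injection_match_set the answer names: one match set inspecting two request fields, one rule, a web ACL that allows by default and blocks on a match, and the association to the answer's aws_alb.foo. The resource names (sqli, acl) and the existence of aws_alb.foo are assumptions.

```hcl
# Added example (not the original answer's code); resource names are assumed.
# Assumes aws_alb.foo from the answer above exists in the same configuration.

resource "aws_wafregional_sql_injection_match_set" "sqli" {
  name = "tfSqliSet"

  # Tuples in one set are ORed: a request matches if any field looks like SQLi.
  sql_injection_match_tuple {
    text_transformation = "URL_DECODE" # normalise encoding before inspecting
    field_to_match { type = "QUERY_STRING" }
  }

  sql_injection_match_tuple {
    text_transformation = "HTML_ENTITY_DECODE"
    field_to_match { type = "BODY" }
  }
}

resource "aws_wafregional_rule" "sqli" {
  name        = "tfSqliRule"
  metric_name = "tfSqliRule"

  predicate {
    data_id = "${aws_wafregional_sql_injection_match_set.sqli.id}"
    negated = false
    type    = "SqlInjectionMatch"
  }
}

resource "aws_wafregional_web_acl" "acl" {
  name        = "tfAcl"
  metric_name = "tfAcl"

  # Permissive default: only requests matching a BLOCK rule are rejected.
  default_action { type = "ALLOW" }

  rule {
    priority = 1
    rule_id  = "${aws_wafregional_rule.sqli.id}"
    action { type = "BLOCK" }
  }
}

resource "aws_wafregional_web_acl_association" "acl" {
  resource_arn = "${aws_alb.foo.arn}" # the ALB defined in the answer above
  web_acl_id   = "${aws_wafregional_web_acl.acl.id}"
}
```

Because the web ACL's default action is ALLOW, removing or misnumbering a rule silently widens what reaches the load balancer, so changes to rule priorities and actions are worth reviewing in the plan output before applying.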
