How to Set Up AWS WAF and a Web ACL using Terraform on Amazon Cloud

It is always good practice to monitor your applications and websites and make sure they are properly protected. AWS provides a service called AWS WAF that protects your web applications from common web exploits.

Let's learn about AWS WAF (Web Application Firewall) and use Terraform to create it.

Table of Contents

  1. What is AWS WAF?
  2. Prerequisites
  3. Terraform Configuration Files and Structure
  4. Configure Terraform files for AWS WAF
  5. Deploy AWS WAF using Terraform commands
  6. Conclusion

What is AWS WAF?

AWS WAF stands for Amazon Web Services Web Application Firewall. With AWS WAF you can monitor the HTTP and HTTPS requests that users send to Amazon CloudFront, an Application Load Balancer, an Amazon API Gateway REST API and similar services. It also controls who can reach the protected content based on conditions such as the request's source IP address. Note that the aws_waf_* Terraform resources used in this tutorial belong to AWS WAF Classic: they are global resources that can only be associated with CloudFront distributions. The regional variants (aws_wafregional_*) cover Application Load Balancers and API Gateway, and the current generation of the service is WAFv2 (aws_wafv2_*), which is what you should normally choose for new deployments.

AWS WAF protects your web applications from common web exploits. For a more detailed look at AWS WAF, see the other blog post, What is AWS Web Application Firewall?

Prerequisites:

Terraform Configuration Files and Structure

Let us first understand the Terraform configuration files before running any Terraform commands.

  • main.tf: This file contains the code that creates (or imports) the AWS resources.
  • vars.tf: This file declares the input variables, their types and, optionally, default values.
  • output.tf: This file declares the outputs (such as resource IDs and ARNs) that Terraform prints after terraform apply has finished.
  • terraform.tfvars: This file contains the actual values for the variables declared in vars.tf.
  • provider.tf: This file is very important. It tells Terraform which provider to use (AWS, Oracle, Google and so on) so that Terraform can talk to that provider's API and manage its resources.

Configure Terraform files for AWS WAF

In this demonstration we will create a simple AWS WAF Web ACL, with an IP set, a rule and a rule group, using Terraform on a Windows machine.

  • Create a folder on your desktop or at any other location on your Windows machine (I prefer the Desktop). Now create a file named main.tf inside that folder and paste in the content below.
# Creating the IP Set (WAF Classic, global scope). The address range below is
# the tutorial's sample value: replace it with the public client ranges you
# actually want to match, because CloudFront forwards the viewer's public
# address and an RFC 1918 range such as 10.111.0.0/20 will never match.

resource "aws_waf_ipset" "ipset" {
  name = "MyFirstipset"

  ip_set_descriptors {
    type  = "IPV4"
    value = "10.111.0.0/20"
  }
}

# Creating the Rule that the Web ACL will reference. The IPMatch predicate
# matches any request whose source IP is in the IP set above. An explicit
# depends_on is not needed: the reference to aws_waf_ipset.ipset.id already
# orders the resources.

resource "aws_waf_rule" "waf_rule" {
  name        = var.waf_rule_name
  metric_name = var.waf_rule_metrics

  predicates {
    data_id = aws_waf_ipset.ipset.id
    negated = false
    type    = "IPMatch"
  }
}

# Creating the Rule Group, which wraps the same rule in COUNT mode. It gets
# its own metric name (var.waf_rule_group_metrics) so that its CloudWatch
# metrics are not merged with the rule's.

resource "aws_waf_rule_group" "rule_group" {
  name        = var.waf_rule_group_name
  metric_name = var.waf_rule_group_metrics

  activated_rule {
    action {
      type = "COUNT"
    }
    priority = 50
    rule_id  = aws_waf_rule.waf_rule.id
  }
}

# Creating the Web ACL. Requests are allowed by default; the rule at
# priority 1 BLOCKs requests whose source IP is in the IP set, and the rule
# group is attached at priority 2. Entries of type GROUP take override_action
# instead of action; NONE keeps the COUNT behaviour defined inside the group.

resource "aws_waf_web_acl" "waf_acl" {
  name        = var.web_acl_name
  metric_name = var.web_acl_metics

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id  = aws_waf_rule.waf_rule.id
    type     = "REGULAR"
  }

  rules {
    override_action {
      type = "NONE"
    }
    priority = 2
    rule_id  = aws_waf_rule_group.rule_group.id
    type     = "GROUP"
  }
}
  • Create one more file, vars.tf, inside the same folder and paste in the content below.
variable "web_acl_name" {
  type = string
}
variable "web_acl_metics" {
  type = string
}
variable "waf_rule_name" {
  type = string
}
variable "waf_rule_metrics" {
  type = string
}
variable "waf_rule_group_name" {
  type = string
}
variable "waf_rule_group_metrics" {
  type = string
}
  • Create one more file, output.tf, inside the same folder and paste in the content below.
output "aws_waf_rule_arn" {
   value = aws_waf_rule.waf_rule.arn
}

output "aws_waf_rule_id" {
   value = aws_waf_rule.waf_rule.id
}

output "aws_waf_web_acl_arn" {
   value = aws_waf_web_acl.waf_acl.arn
}

output "aws_waf_web_acl_id" {
   value = aws_waf_web_acl.waf_acl.id
}

output "aws_waf_rule_group_arn" {
   value = aws_waf_rule_group.rule_group.arn
}

output "aws_waf_rule_group_id" {
   value = aws_waf_rule_group.rule_group.id
}
  • Create one more file, provider.tf, inside the same folder and paste in the content below.
# WAF Classic (aws_waf_*) resources are global, but the provider still needs a region.
provider "aws" {
  region = "us-east-1"
}
  • Finally, create one more file, terraform.tfvars, inside the same folder and paste in the content below.
web_acl_name = "myFirstwebacl"
web_acl_metics = "myFirstwebaclmetics"
waf_rule_name = "myFirstwafrulename"
waf_rule_metrics = "myFirstwafrulemetrics"
waf_rule_group_name = "myFirstwaf_rule_group_name"
waf_rule_group_metrics = "myFirstwafrulgroupmetrics"
  • Now your files and code are all set, and your directory should contain main.tf, vars.tf, output.tf, provider.tf and terraform.tfvars.
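Before applying anything it helps to understand exactly what the Web ACL above will do to a request. The following script is an added example, not code from the original tutorial or from AWS: it mirrors the IP set, rule and Web ACL from main.tf as plain Python data and reproduces the WAF Classic evaluation order (rules are tried in ascending priority, the first ALLOW or BLOCK match decides, COUNT only records a match and evaluation continues, and the default action applies when nothing matched). It also flags IP-set CIDRs that are private or reserved, since CloudFront hands WAF the viewer's public address and such ranges can never match. The sample client addresses and the allowlist variant are constructed for the demo.

```python
"""Offline model of the Web ACL defined in main.tf (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPSet:
    name: str
    cidrs: list


@dataclass
class Predicate:
    ip_set: IPSet          # the data_id of the aws_waf_rule predicate
    negated: bool = False  # negated = true matches addresses NOT in the set


@dataclass
class Rule:
    name: str
    predicates: list


@dataclass
class ACLRule:
    priority: int
    rule: Rule
    action: str  # "ALLOW", "BLOCK" or "COUNT"


@dataclass
class WebACL:
    name: str
    default_action: str
    rules: list


@dataclass
class Decision:
    action: str
    matched_rule: str          # deciding rule name, or "default_action"
    counted: list = field(default_factory=list)


def ip_in_set(ip: str, ip_set: IPSet) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in ip_set.cidrs)


def rule_matches(rule: Rule, ip: str) -> bool:
    # A WAF Classic rule matches only when every one of its predicates matches.
    return all(ip_in_set(ip, p.ip_set) != p.negated for p in rule.predicates)


def evaluate(acl: WebACL, ip: str) -> Decision:
    counted = []
    for acl_rule in sorted(acl.rules, key=lambda r: r.priority):
        if not rule_matches(acl_rule.rule, ip):
            continue
        if acl_rule.action == "COUNT":      # record and keep evaluating
            counted.append(acl_rule.rule.name)
            continue
        return Decision(acl_rule.action, acl_rule.rule.name, counted)
    return Decision(acl.default_action, "default_action", counted)


def non_global_cidrs(acl: WebACL) -> list:
    """CIDRs in any referenced IP set that are not publicly routable."""
    seen, flagged = set(), []
    for acl_rule in acl.rules:
        for p in acl_rule.rule.predicates:
            for cidr in p.ip_set.cidrs:
                if cidr not in seen and not ipaddress.ip_network(cidr).is_global:
                    flagged.append(cidr)
                seen.add(cidr)
    return flagged


# Mirror of the tutorial's resources (names taken from terraform.tfvars).
IPSET = IPSet("MyFirstipset", ["10.111.0.0/20"])
WAF_RULE = Rule("myFirstwafrulename", [Predicate(IPSET)])
ACL = WebACL("myFirstwebacl", "ALLOW", [ACLRule(1, WAF_RULE, "BLOCK")])

# Constructed allowlist variant: negating the predicate blocks every address
# that is NOT in the IP set while default_action stays ALLOW.
ALLOWLIST_ACL = WebACL(
    "allowlist-example", "ALLOW",
    [ACLRule(1, Rule("not-in-ipset", [Predicate(IPSET, negated=True)]), "BLOCK")],
)

if __name__ == "__main__":
    for ip in ("10.111.5.9", "10.111.16.1", "1.2.3.4"):   # constructed samples
        print(ip, evaluate(ACL, ip).action, evaluate(ALLOWLIST_ACL, ip).action)
    print("non-global CIDRs in IP sets:", non_global_cidrs(ACL))
```

Running it shows that only 10.111.5.9 is blocked by the tutorial's ACL (10.111.16.1 is just outside the /20), that the negated variant inverts the result, and that the IP set's 10.111.0.0/20 is reported as non-global, which is the cue to replace it with a real client range before relying on the BLOCK rule.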

Deploy AWS WAF using Terraform commands

  • Now, let's initialize Terraform by running the init command.
terraform init
  • Terraform is initialized; now it's time to look at the plan, which is a kind of blueprint of the deployment. We use plan to confirm which resources are going to be created, changed or destroyed before anything is touched.
terraform plan
  • After verifying the plan, deploy the configuration with the apply command and confirm the prompt.
terraform apply

By now you should have created the Web ACL and the other AWS WAF components with Terraform. Let's verify by checking manually in the AWS Management Console.

  • Open your favorite web browser, navigate to the AWS Management Console and log in.
  • In the console, click the search bar at the top, search for 'WAF' and open the WAF service page.
  • You should now be on the AWS WAF page. The aws_waf_* resources are WAF Classic resources, so switch to the AWS WAF Classic view if the default (WAFv2) view shows nothing, then verify each component, starting with the Web ACL.
  • Next, verify the IP set.
  • Then verify the rule referenced by the Web ACL.
  • Finally, verify the rule group.
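Clicking through the console works for a first deployment, but a repeatable check is more useful. The script below is an added example, not part of the original tutorial: it reads the JSON that terraform show -json prints after terraform apply and verifies that every rule_id and IP-set data_id referenced by the Web ACL resolves to a resource in the state, that the default action is the intended one, that at least one rule actually blocks, and that no BLOCK rule relies on an empty IP set (which would silently match nothing). The state shape assumed here (values.root_module.resources[] with "type" and "values", nested blocks rendered as lists) follows Terraform's JSON output format; the state embedded below is a constructed sample with made-up IDs of the kind of resources main.tf creates.

```python
"""Sanity-check WAF Classic resources in `terraform show -json` output (added example)."""
import json

# Constructed sample of `terraform show -json` after apply; IDs are made up.
SAMPLE_STATE = json.dumps({
    "values": {"root_module": {"resources": [
        {"type": "aws_waf_ipset", "name": "ipset", "values": {
            "id": "ipset-0001", "name": "MyFirstipset",
            "ip_set_descriptors": [{"type": "IPV4", "value": "10.111.0.0/20"}]}},
        {"type": "aws_waf_rule", "name": "waf_rule", "values": {
            "id": "rule-0001", "name": "myFirstwafrulename",
            "predicates": [{"data_id": "ipset-0001", "negated": False, "type": "IPMatch"}]}},
        {"type": "aws_waf_rule_group", "name": "rule_group", "values": {
            "id": "group-0001", "name": "myFirstwaf_rule_group_name",
            "activated_rule": [{"action": [{"type": "COUNT"}], "priority": 50,
                                "rule_id": "rule-0001"}]}},
        {"type": "aws_waf_web_acl", "name": "waf_acl", "values": {
            "id": "acl-0001", "name": "myFirstwebacl",
            "default_action": [{"type": "ALLOW"}],
            "rules": [
                {"action": [{"type": "BLOCK"}], "override_action": [], "priority": 1,
                 "rule_id": "rule-0001", "type": "REGULAR"},
                {"action": [], "override_action": [{"type": "NONE"}], "priority": 2,
                 "rule_id": "group-0001", "type": "GROUP"},
            ]}},
    ]}}
})


def index_by_type(state: dict) -> dict:
    """Map resource type -> {id: values} for every resource in the root module."""
    by_type = {}
    for res in state["values"]["root_module"]["resources"]:
        vals = res["values"]
        by_type.setdefault(res["type"], {})[vals["id"]] = vals
    return by_type


def check_web_acl(state_json: str, expected_default: str = "ALLOW") -> list:
    """Return a list of findings; an empty list means the Web ACL looks sane."""
    by_type = index_by_type(json.loads(state_json))
    ipsets = by_type.get("aws_waf_ipset", {})
    rules = by_type.get("aws_waf_rule", {})
    groups = by_type.get("aws_waf_rule_group", {})
    findings = []
    for acl in by_type.get("aws_waf_web_acl", {}).values():
        name = acl["name"]
        default = acl["default_action"][0]["type"]
        if default != expected_default:
            findings.append(f"{name}: default_action is {default}, expected {expected_default}")
        if not any(r["action"] and r["action"][0]["type"] == "BLOCK" for r in acl["rules"]):
            findings.append(f"{name}: no rule with action BLOCK, the ACL never blocks anything")
        for entry in acl["rules"]:
            if entry["type"] == "GROUP":
                if entry["rule_id"] not in groups:
                    findings.append(f"{name}: rule group {entry['rule_id']} not in state")
                continue
            rule = rules.get(entry["rule_id"])
            if rule is None:
                findings.append(f"{name}: rule_id {entry['rule_id']} not in state")
                continue
            for pred in rule["predicates"]:
                if pred["type"] != "IPMatch":
                    continue            # only IP sets are modelled here
                ipset = ipsets.get(pred["data_id"])
                if ipset is None:
                    findings.append(f"{rule['name']}: IPMatch references unknown IP set {pred['data_id']}")
                elif not ipset["ip_set_descriptors"] and not pred["negated"]:
                    findings.append(f"{rule['name']}: IP set {ipset['name']} is empty, predicate never matches")
    return findings


if __name__ == "__main__":
    # Real usage: terraform show -json > state.json, then pass its contents here.
    for finding in check_web_acl(SAMPLE_STATE) or ["OK: no findings"]:
        print(finding)
```

Run it against the real state with something like check_web_acl(open("state.json").read()); an empty result means the references line up and the ACL can actually block, while a non-empty one points at the exact resource to fix before you trust the deployment.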

Conclusion

In this tutorial you learned what AWS WAF (Web Application Firewall) is and how to set it up in the Amazon cloud using Terraform.

It is very important to protect your website from attacks. So which website do you plan to protect?

I hope this tutorial helped you; if so, please comment and share it with your friends.
