AWS WAF V2 Web ACL Association

This page shows how to write the AWS WAF V2 Web ACL Association in Terraform and CloudFormation, and how to write it securely.

aws_wafv2_web_acl_association (Terraform)

The Web ACL Association in AWS WAF V2 can be configured in Terraform with the resource name aws_wafv2_web_acl_association. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

waf.tf#L128
resource "aws_wafv2_web_acl_association" "web_acl_association_alb" {
  resource_arn = aws_alb.ALB.arn # aws_alb is the legacy alias of aws_lb; the arn attribute is the same
  web_acl_arn  = aws_wafv2_web_acl.wec_acl.arn
}

################## Association ##################
main.tf#L18
resource "aws_wafv2_web_acl_association" "bar" {
  resource_arn = aws_lb.lb_good_2.arn
  web_acl_arn = aws_wafv2_web_acl.bar.arn
}

resource "aws_wafv2_web_acl_association" "zed" { # body truncated in the GitHub excerpt
waf_webacl.tf#L16
resource "aws_wafv2_web_acl_association" "acl-association" {
  resource_arn = aws_api_gateway_stage.ContactFormAPI_stage.arn
  web_acl_arn  = module.waf.waf_arn
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Creates a WAFv2 Web ACL Association.

NOTE on associating a WAFv2 Web ACL with a CloudFront distribution: do not use this resource to associate a WAFv2 Web ACL with a CloudFront distribution. The AWS API call backing this resource, AssociateWebACL (https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html), notes that you should use the web_acl_id property on the aws_cloudfront_distribution resource instead (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id).
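The snippets above show only the two-argument association itself, which is the easy part. What decides whether the association actually protects anything is the web ACL it points at: its scope must be REGIONAL (a CLOUDFRONT-scoped ACL is rejected by AssociateWebACL), and an ACL whose rules are all absent or set to count only logs. The following complete Terraform configuration is an added example, not code from the original page or from any of the repositories quoted above; the region, the variable values, the resource names ("public", "app"), the managed rule group and the rate-limit threshold are assumptions chosen for illustration.

```hcl
# Added example; not code from the original page or from the quoted repositories.
# Assumed for illustration: the region, the variable values, the resource names
# ("public", "app"), the managed rule group and the rate-limit threshold.

provider "aws" {
  region = "eu-west-1" # assumption
}

variable "public_subnet_ids" {
  description = "Public subnets for the ALB (assumed to exist)"
  type        = list(string)
}

variable "alb_security_group_ids" {
  description = "Security groups for the ALB (assumed to exist)"
  type        = list(string)
}

# The regional resource to protect: an internet-facing Application Load Balancer.
resource "aws_lb" "public" {
  name               = "app-public-alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
  security_groups    = var.alb_security_group_ids
}

# scope must be "REGIONAL" for an ALB, API Gateway stage or AppSync API.
# A scope = "CLOUDFRONT" ACL cannot be used with aws_wafv2_web_acl_association;
# it is attached through web_acl_id on aws_cloudfront_distribution instead.
resource "aws_wafv2_web_acl" "app" {
  name  = "app-public-acl"
  scope = "REGIONAL"

  # Default-allow: only the rules below block anything, so an ACL with no rules
  # (or with count-only overrides) enforces nothing even when associated.
  default_action {
    allow {}
  }

  # AWS managed baseline against common web exploits.
  rule {
    name     = "aws-common-rule-set"
    priority = 1

    override_action {
      none {} # keep the managed group's own block actions; count {} would only log
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # Per-source-IP rate limit, counted over a 5-minute window (threshold assumed).
  rule {
    name     = "rate-limit-per-ip"
    priority = 2

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-public-acl"
    sampled_requests_enabled   = true
  }
}

# The web ACL enforces nothing until it is associated with the resource.
resource "aws_wafv2_web_acl_association" "public_alb" {
  resource_arn = aws_lb.public.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

After `terraform apply`, confirm the attachment from the CLI with `aws wafv2 get-web-acl-for-resource --resource-arn <alb-arn>`; it returns the associated web ACL, and an empty result means the association is missing. For CloudFront the pattern is different: create the ACL with scope = "CLOUDFRONT" (in us-east-1) and set `web_acl_id` on the aws_cloudfront_distribution to that ACL's ARN; the association resource above is not usable there.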

AWS::WAFv2::WebACLAssociation (CloudFormation)

The WebACLAssociation in WAFv2 can be configured in CloudFormation with the resource name AWS::WAFv2::WebACLAssociation. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

WAFAssociations.yml#L9
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !ImportValue "{{ waf_association.arn_import }}"
      WebACLArn: "{{ waf_association.waf_arn }}"
{% endfor %}
template.yml#L81
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "${ALBArn}"
      WebACLArn: !GetAtt AvailableAcl.Arn
waf.yml#L69
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        Fn::ImportValue: !Sub ${Stage}:LoadbalancerArn
      WebACLArn: !GetAtt RestrictToCloudfrontAccessAcl.Arn

waf.serverless.yml#L44
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: !GetAtt Waf.Arn   # short-form tag is !GetAtt; "!Fn::GetAtt" is not valid YAML
      ResourceArn: !Ref WebAlb     # Ref on an ELBv2 LoadBalancer returns its ARN
Outputs:
  Waf:
WAF.yml#L30
      Type: AWS::WAFv2::WebACLAssociation
      Properties:
        # A hard-coded ARN (with account ID) ties the template to one account and
        # region; prefer a parameter or Fn::ImportValue as in the examples above.
        ResourceArn: arn:aws:elasticloadbalancing:us-east-1:420417608870:loadbalancer/app/WAF-testing/b9472e166cbf817c
        WebACLArn: !Ref WebACL   # WebACLArn expects an ARN; !GetAtt WebACL.Arn returns it explicitly


project-with-waf.json#L96
            "Type": "AWS::WAFv2::WebACLAssociation"
        },
        "WAFIPSetLocalhost": {
            "Properties": {
                "Addresses": [
                    "10.1.1.1/32",
cf.json#L708
            "Type": "AWS::WAFv2::WebACLAssociation",
            "DependsOn": [ "ApiRest", "ApiResource", "ApiResourceMethod", "ApiDeployment" ],
            "Properties": {
                "ResourceArn": {
                    "Fn::Sub": "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiRest}/stages/all"
                },
api-enhanced-observability-variables_template.json#L70
            "Type": "AWS::WAFv2::WebACLAssociation",
            "Properties": {
                "ResourceArn": {
                    "Fn::Sub": [
                        "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiId}/stages/${ApiStage}",
                        {
integ.wafwebacl-apigateway-sagemakerendpoint.expected.json#L474
      "Type": "AWS::WAFv2::WebACLAssociation",
      "Properties": {
        "ResourceArn": {
          "Fn::Join": [
            "",
            [
WAFv2WebACLAssociationSpecification.json#L3
    "AWS::WAFv2::WebACLAssociation": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html",
      "Properties": {
        "ResourceArn": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn",
          "UpdateType": "Mutable",

Parameters

Explanation in CloudFormation Registry

Note: This is the latest version of AWS WAF, named AWS WAFV2, released in November 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF Developer Guide.

Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AWS AppSync GraphQL API.

For Amazon CloudFront, don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the AWS::WAFv2::WebACL to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see AWS::CloudFront::Distribution.

Frequently asked questions

What is AWS WAF V2 Web ACL Association?

AWS WAF V2 Web ACL Association is a resource of the WAF V2 service in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS WAF V2 Web ACL Association?

For Terraform, the Ndomi/terraform, bridgecrewio/checkov and yerbaszen/apigw-lambda-js source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the rik2803/aws-cfn-gen, miura333/cloudformation_sample and fares-data-build-tool/fdbt-aws source code examples are useful. See the CloudFormation Example section for further details.