AWS WAF V2 Web ACL Association
This page shows how to write Terraform and CloudFormation for AWS WAF V2 Web ACL Association and write them securely.
aws_wafv2_web_acl_association (Terraform)
The Web ACL Association in AWS WAF V2 can be configured in Terraform with the resource name aws_wafv2_web_acl_association. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_wafv2_web_acl_association" "web_acl_association_alb" {
  resource_arn = aws_alb.ALB.arn
  web_acl_arn  = aws_wafv2_web_acl.wec_acl.arn
}

################## Association ##################
resource "aws_wafv2_web_acl_association" "bar" {
  resource_arn = aws_lb.lb_good_2.arn
  web_acl_arn  = aws_wafv2_web_acl.bar.arn
}
resource "aws_wafv2_web_acl_association" "zed" {

resource "aws_wafv2_web_acl_association" "acl-association" {
  resource_arn = aws_api_gateway_stage.ContactFormAPI_stage.arn
  web_acl_arn  = module.waf.waf_arn
}
Parameters
- id: optional, computed, string
- resource_arn: required, string
- web_acl_arn: required, string
Explanation in Terraform Registry
Creates a WAFv2 Web ACL Association.
NOTE on associating a WAFv2 Web ACL with a CloudFront distribution: Do not use this resource to associate a WAFv2 Web ACL with a CloudFront distribution. The AWS API call backing this resource (https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html) notes that you should use the web_acl_id property on the cloudfront_distribution resource (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id) instead.
AWS::WAFv2::WebACLAssociation (CloudFormation)
The WebACLAssociation in WAFv2 can be configured in CloudFormation with the resource name AWS::WAFv2::WebACLAssociation. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::WAFv2::WebACLAssociation
Properties:
  ResourceArn: !ImportValue "{{ waf_association.arn_import }}"
  WebACLArn: "{{ waf_association.waf_arn }}"
{% endfor %}

Type: AWS::WAFv2::WebACLAssociation
Properties:
  ResourceArn: !Sub "${ALBArn}"
  WebACLArn: !GetAtt AvailableAcl.Arn

Type: AWS::WAFv2::WebACLAssociation
Properties:
  ResourceArn:
    Fn::ImportValue: !Sub ${Stage}:LoadbalancerArn
  WebACLArn: !GetAtt RestrictToCloudfrontAccessAcl.Arn

Type: 'AWS::WAFv2::WebACLAssociation'
Properties:
  WebACLArn: !GetAtt Waf.Arn
  ResourceArn: !Ref WebAlb
Outputs:
  Waf:

Type: AWS::WAFv2::WebACLAssociation
Properties:
  ResourceArn: arn:aws:elasticloadbalancing:us-east-1:420417608870:loadbalancer/app/WAF-testing/b9472e166cbf817c
  WebACLArn: !Ref WebACL

  "Type": "AWS::WAFv2::WebACLAssociation"
},
"WAFIPSetLocalhost": {
  "Properties": {
    "Addresses": [
      "10.1.1.1/32",

"Type": "AWS::WAFv2::WebACLAssociation",
"DependsOn": [ "ApiRest", "ApiResource", "ApiResourceMethod", "ApiDeployment" ],
"Properties": {
  "ResourceArn": {
    "Fn::Sub": "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiRest}/stages/all"
  },

"Type": "AWS::WAFv2::WebACLAssociation",
"Properties": {
  "ResourceArn": {
    "Fn::Sub": [
      "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiId}/stages/${ApiStage}",
      {

"Type": "AWS::WAFv2::WebACLAssociation",
"Properties": {
  "ResourceArn": {
    "Fn::Join": [
      "",
      [

"AWS::WAFv2::WebACLAssociation": {
  "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html",
  "Properties": {
    "ResourceArn": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn",
      "UpdateType": "Mutable",
Parameters
- ResourceArn: required, String
- WebACLArn: required, String
Explanation in CloudFormation Registry
Note: This is the latest version of AWS WAF, named AWS WAFV2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF Developer Guide.

Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AWS AppSync GraphQL API.

For Amazon CloudFront, don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the AWS::WAFv2::WebACL to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see AWS::CloudFront::Distribution.
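
The two rules above (regional resources get an association, CloudFront gets the web ACL through its distribution configuration) can be checked before deployment. The following Python check is an added example, not code from this page or from any project it cites. It assumes the CloudFormation template has already been parsed into a dict; the sample template, its logical IDs and the account ID are constructed.

```python
ASSOC = "AWS::WAFv2::WebACLAssociation"
ALB = "AWS::ElasticLoadBalancingV2::LoadBalancer"
CLOUDFRONT = "AWS::CloudFront::Distribution"

def referenced_id(value):
    """Logical ID behind {"Ref": X} or {"Fn::GetAtt": [X, attr]}, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        target = value.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            return target[0]
    return None

def lint_waf_coverage(template):
    """Return sorted (logical_id, finding) tuples for a parsed template."""
    resources = template.get("Resources", {})
    findings, covered = [], set()
    for name, res in resources.items():
        if res.get("Type") != ASSOC:
            continue
        arn = res.get("Properties", {}).get("ResourceArn")
        target = referenced_id(arn)  # literal/Fn::Sub ARNs are not resolved (assumption)
        literal_cf = isinstance(arn, str) and arn.startswith("arn:aws:cloudfront:")
        if literal_cf or resources.get(target, {}).get("Type") == CLOUDFRONT:
            findings.append((name, "targets CloudFront; set WebACLId on the distribution"))
        elif target:
            covered.add(target)
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == ALB and props.get("Type", "application") == "application":
            if name not in covered:
                findings.append((name, "ALB has no WebACLAssociation"))
        elif res.get("Type") == CLOUDFRONT:
            if not props.get("DistributionConfig", {}).get("WebACLId"):
                findings.append((name, "distribution has no WebACLId"))
    return sorted(findings)

# Constructed sample template; logical IDs and the account ID are made up.
SAMPLE = {"Resources": {
    "WebAlb": {"Type": ALB, "Properties": {"Scheme": "internet-facing"}},
    "AdminAlb": {"Type": ALB, "Properties": {"Scheme": "internet-facing"}},
    "Cdn": {"Type": CLOUDFRONT, "Properties": {"DistributionConfig": {"Enabled": True}}},
    "AlbAssoc": {"Type": ASSOC, "Properties": {
        "ResourceArn": {"Ref": "WebAlb"}, "WebACLArn": {"Fn::GetAtt": ["Waf", "Arn"]}}},
    "CdnAssoc": {"Type": ASSOC, "Properties": {
        "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE",
        "WebACLArn": {"Fn::GetAtt": ["Waf", "Arn"]}}},
}}
```

Calling lint_waf_coverage(SAMPLE) reports the ALB without an association, the distribution without a WebACLId, and the association that points at CloudFront.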
Frequently asked questions
What is AWS WAF V2 Web ACL Association?
AWS WAF V2 Web ACL Association is a resource for WAF V2 of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS WAF V2 Web ACL Association?
For Terraform, the Ndomi/terraform, bridgecrewio/checkov and yerbaszen/apigw-lambda-js source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the rik2803/aws-cfn-gen, miura333/cloudformation_sample and fares-data-build-tool/fdbt-aws source code examples are useful. See the CloudFormation Example section for further details.