IaC Bazaar
AWS · Live-tested

WAFv2 Web ACL (managed rules + rate limit)

A WAFv2 web ACL (REGIONAL or CLOUDFRONT) with a default-allow posture, configurable AWS managed rule groups blocking by default, and a rate-based rule that throttles abusive IPs.

terraform · AWS · #aws
aws-waf · terraform v1.7

Verification

Live-tested

Actually deployed, verified, checked for idempotency, and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-waf

AWS WAFv2 web ACL (REGIONAL or CLOUDFRONT scope) with a default-allow posture, a configurable set of AWS managed rule groups (blocking by default), and an optional rate-based rule that throttles abusive IPs. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

The two classic WAFv2 gotchas are handled for you. First, a rule whose statement is a managed rule group must be attached with override_action, not action: the WAF API requires override_action for rule-group statements and rejects action there, and override_action { none {} } is what lets the group's own block decisions take effect. Second, the web ACL ships with the required visibility_config on the ACL itself and on every rule; omitting either one fails at apply time.

Secure defaults:

  • Default action allow (the standard posture: pass normal traffic and let the rules block the bad); flip to block only for an allow-list-only edge, where every permitted request must match an explicit allow rule. Note that with default allow the protection is exactly the sum of the attached rules, so review which managed groups you enable.
  • Managed rule groups run active/blocking (override_action { none {} }), not count-only. Set override_to_count = true per group to switch it to override_action { count {} }, which records matches in CloudWatch and sampled requests without blocking, so you can observe before enforcing.
  • A rate-based rule is enabled by default and blocks any source IP that exceeds rate_limit requests (default 2000) within a 5-minute window; the IP stays blocked until its rate drops back under the limit.
  • CloudWatch metrics and request sampling are on for the ACL and every rule, so you can tune false positives from the sampled requests.

Scope note: CLOUDFRONT-scope web ACLs must be created with the AWS provider configured for us-east-1. REGIONAL ACLs live in (and protect resources in) the provider's region. Resource associations apply to REGIONAL only — CloudFront attaches a web ACL through its distribution's web_acl_id.
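The following is an added example, not the aws-waf module's own code, showing the structure the notes above describe in plain Terraform: a REGIONAL web ACL with default allow, one AWS managed rule group attached via override_action (toggled between none and count by a variable), a rate-based rule that uses action because it is a custom rule, visibility_config on the ACL and on each rule, a us-east-1 provider alias reserved for CLOUDFRONT scope, and a REGIONAL association. The region, resource names, metric names and the alb_arn variable are assumptions.

```hcl
# Added example (not the module's code). Names, region and alb_arn are assumptions.
terraform {
  required_version = ">= 1.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0, < 7.0"
    }
  }
}

# REGIONAL ACLs live in, and protect resources in, this provider's region.
provider "aws" {
  region = "eu-west-1" # assumption
}

# CLOUDFRONT-scope ACLs must be created through a us-east-1 provider.
# Not used below; shown as the alias you would pass via `provider = aws.us_east_1`.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "alb_arn" {
  type        = string
  description = "ARN of an existing Application Load Balancer (assumption)"
}

variable "rate_limit" {
  type    = number
  default = 2000 # requests per evaluation window, per source IP
}

variable "override_to_count" {
  type    = bool
  default = false # true = observe managed-rule matches without blocking
}

resource "aws_wafv2_web_acl" "this" {
  name  = "example-web-acl"
  scope = "REGIONAL"

  # Default-allow: a request no rule blocks is passed through.
  # Switch to block {} only for an allow-list-only edge.
  default_action {
    allow {}
  }

  # Managed rule group: must use override_action, never action.
  # none {} keeps the group's own block decisions; count {} demotes them to counting.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 10

    override_action {
      dynamic "none" {
        for_each = var.override_to_count ? [] : [1]
        content {}
      }
      dynamic "count" {
        for_each = var.override_to_count ? [1] : []
        content {}
      }
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # Rate-based rule is a custom rule, so it takes action (not override_action).
  rule {
    name     = "rate-limit"
    priority = 20

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit                 = var.rate_limit
        evaluation_window_sec = 300  # the 5-minute window
        aggregate_key_type    = "IP" # behind a proxy/CDN use FORWARDED_IP + forwarded_ip_config
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  # Required on the ACL itself as well as on every rule.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}

# REGIONAL only: CloudFront instead sets web_acl_id on the distribution.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.this.arn
}
```

Two points worth checking before reusing this: the rate-based rule keys on the connecting source IP, so if an upstream proxy or CDN sits in front of the protected resource, every request shares that proxy's IP and you need aggregate_key_type = "FORWARDED_IP" with a forwarded_ip_config block; and a rule set to count {} still emits CloudWatch metrics under its metric_name, which is how you evaluate a managed group before flipping it back to none {}.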

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (tofu fmt, validate, tflint). A live apply, verify, destroy fixture lives under tests/ (live.tfvars, provider.tf, verify.sh); the verify step asserts that the deployed web ACL's ARN and capacity (WCU) are populated before teardown.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes (Usage, Inputs, Outputs, Security notes) ship with your licence and are bundled in the download.