WAFv2 Web ACL (managed rules + rate limit)
A WAFv2 web ACL (REGIONAL or CLOUDFRONT) with a default-allow posture, configurable AWS managed rule groups blocking by default, and a rate-based rule that throttles abusive IPs.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-30
Documentation
aws-waf
AWS WAFv2 web ACL (REGIONAL or CLOUDFRONT scope) with a default-allow
posture, a configurable set of AWS managed rule groups (blocking by default),
and an optional rate-based rule that throttles abusive IPs. Works with
Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.
The two classic WAFv2 gotchas are handled for you: managed rule groups attach via
override_action (not action) so the group's own blocking decisions apply, and
the web ACL ships with the required visibility_config on the ACL and every
rule.
Secure defaults:
- Default action
- Default action `allow` (the standard posture: pass normal traffic, let rules block the bad); flip to `block` for an allow-list-only edge.
- Managed rule groups run active/blocking (`override_action { none {} }`), not count-only. Set `override_to_count = true` per group to observe before enforcing.
- A rate-based rule is enabled by default and blocks any IP exceeding `rate_limit` requests (2000) per 5-minute window.
- CloudWatch metrics + request sampling on, so you can tune false positives.
Scope note:
CLOUDFRONT-scope web ACLs must be created with the AWS provider configured for `us-east-1`. `REGIONAL` ACLs live in (and protect resources in) the provider's region. Resource associations apply to `REGIONAL` only — CloudFront attaches a web ACL through its distribution's `web_acl_id`.
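As an added illustration (not the module's own code), the HCL below shows the points above on a CLOUDFRONT-scope ACL: the managed rule group attached through `override_action`, a rate-based rule using a plain `action`, and `visibility_config` on the ACL and on every rule. The resource and metric names are assumptions, and the `aws` provider is assumed to be configured for `us-east-1`.

```hcl
resource "aws_wafv2_web_acl" "edge" {
  name  = "example-edge-acl" # assumed name; CLOUDFRONT scope requires a us-east-1 provider
  scope = "CLOUDFRONT"
  default_action {
    allow {} # default-allow posture; the rules below block the bad traffic
  }
  # Managed rule group: override_action, not action. none {} keeps the group's own block decisions; count {} only observes.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 10
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config { # required on every rule
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rule-set"
      sampled_requests_enabled   = true
    }
  }
  # Rate-based rule: a plain rule uses action; blocks any source IP above 2000 requests in a 5-minute window.
  rule {
    name     = "rate-limit"
    priority = 20
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config { # required on the ACL itself
    cloudwatch_metrics_enabled = true
    metric_name                = "example-edge-acl"
    sampled_requests_enabled   = true
  }
}
```

Switching the managed group's `none {}` to `count {}` is the observe-first mode the module exposes as `override_to_count`; the rate rule's `limit` corresponds to `rate_limit`.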
Requirements
- Terraform or OpenTofu >= 1.6
- hashicorp/aws >= 6.0, < 7.0
Verification
Static-validated (tofu fmt, validate, tflint). A live apply→verify→destroy
fixture lives under tests/ (live.tfvars, provider.tf, verify.sh) — the
verify step asserts the web ACL ARN/capacity exist before teardown.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.