Deploy the Security Automations for AWS WAF solution by using Terraform - AWS Prescriptive Guidance


Created by Dr. Rahul Sharad Gaikwad (AWS) and Tamilselvan P (AWS)

Code repository: aws-waf-automation-terraform-samples

Environment: PoC or pilot

Technologies: Security, identity, compliance; Infrastructure; Content delivery; DevOps

Workload: All other workloads

AWS services: AWS WAF

Summary

AWS WAF is a web application firewall that helps protect applications from common exploits by using customizable rules, which you define and deploy in web access control lists (ACLs). Configuring AWS WAF rules can be challenging, especially for organizations that do not have dedicated security teams. To simplify this process, Amazon Web Services (AWS) offers the Security Automations for AWS WAF solution, which automatically deploys a single web ACL with a set of AWS WAF rules that filters web-based attacks. During Terraform deployment, you can specify which protective features to include. After you deploy this solution, AWS WAF inspects web requests to existing Amazon CloudFront distributions or Application Load Balancers, and blocks any requests that don’t match the rules.

The Security Automations for AWS WAF solution can be deployed by using AWS CloudFormation according to the instructions in the Security Automations for AWS WAF Implementation Guide. This pattern provides an alternative deployment option for organizations that use HashiCorp Terraform as their preferred infrastructure as code (IaC) tool to provision and manage their cloud infrastructure. When you deploy this solution, Terraform automatically applies the changes in the cloud and deploys and configures the AWS WAF settings and protective features.

Prerequisites and limitations

Prerequisites

  • An active AWS account.

  • AWS Command Line Interface (AWS CLI) installed and configured with necessary permissions. For more information, see Getting started (AWS CLI documentation).

  • Terraform installed and configured. For more information, see Install Terraform (Terraform documentation).

Product versions

  • AWS CLI version 2.4.25 or later

  • Terraform version 1.1.9 or later

Architecture

Target architecture

This pattern deploys the Security Automations for AWS WAF solution. For more information about the target architecture, see Architecture overview in the Security Automations for AWS WAF Implementation Guide. For more information about the AWS Lambda automations in this deployment (the Application log parser, the AWS WAF log parser, the IP lists parser, and the Access handler), see Component details in the Security Automations for AWS WAF Implementation Guide.

Terraform deployment

When you run terraform apply, Terraform does the following:

  1. Terraform creates IAM roles and Lambda functions based on the inputs from the testing.tfvars file.

  2. Terraform creates AWS WAF ACL rules and IP sets based on the inputs from the testing.tfvars file.

  3. Terraform creates the Amazon Simple Storage Service (Amazon S3) buckets, Amazon EventBridge rules, AWS Glue database tables, and Amazon Athena work groups based on the inputs from the testing.tfvars file.

  4. Terraform deploys the AWS CloudFormation stack to provision the custom resources.

  5. Terraform creates the Amazon API Gateway resources based on the inputs from the testing.tfvars file.

Automation and scale

You can use this pattern to deploy the Security Automations for AWS WAF solution, with its AWS WAF rules, across multiple AWS accounts and AWS Regions throughout your AWS Cloud environment.

Tools

AWS services

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

  • AWS WAF is a web application firewall that helps you monitor HTTP and HTTPS requests that are forwarded to your protected web application resources.

Other services

  • Git is an open-source, distributed version control system.

  • HashiCorp Terraform is a command-line interface application that helps you use code to provision and manage cloud infrastructure and resources.

Code repository

The code for this pattern is available in the GitHub AWS WAF Automation Using Terraform repository.

Best practices

  • Put static files in separate S3 buckets.

  • Avoid hardcoding variables.

  • Limit the use of custom scripts.

  • Adopt a naming convention.

Epics

Task | Description | Skills required

Install Git.

Follow the instructions in Getting started (Git website) to install Git on your local workstation.

DevOps engineer

Clone the repository.

On your local workstation, enter the following command to clone the code repository. To copy the full command, including the repo URL, see the Additional information section of this pattern.

git clone <repo-URL>.git

DevOps engineer

Update the variables.

  1. Navigate into the cloned directory by entering the following command.

    cd terraform-aws-waf-automation

  2. In any text editor, open the testing.tfvars file.

  3. Update the values of the variables in the testing.tfvars file.

  4. Save and close the file.

DevOps engineer

Initialize the Terraform configuration.

Enter the following command to initialize your working directory that contains the Terraform configuration files.

terraform init

DevOps engineer

Preview the Terraform plan.

Enter the following command. Terraform evaluates the configuration files to determine the target state for the declared resources. It then compares the target state against the current state and creates a plan.

terraform plan -var-file="testing.tfvars"

DevOps engineer

Verify the plan.

Review the plan and confirm that it configures the required architecture in your target AWS account.

DevOps engineer

Deploy the solution.

  1. Enter the following command to apply the plan.

    terraform apply -var-file="testing.tfvars"

  2. Enter yes to confirm. Terraform creates, updates, or destroys infrastructure to achieve the target state declared in the configuration files. For more information about the sequence, see Terraform deployment in the Architecture section of this pattern.

DevOps engineer

Verify the changes.

  1. In the Terraform console, verify that the outputs match the expected results.

  2. Sign in to the AWS Management Console.

  3. Verify that the resources listed in the Terraform outputs have been successfully deployed in your AWS account.

DevOps engineer

(Optional) Clean up the infrastructure.

If you want to remove all resources and configuration changes made by this solution, do the following:

  1. In the Terraform console, enter the following command.

    terraform destroy -var-file="testing.tfvars"

  2. Enter yes to confirm.

DevOps engineer

Troubleshooting

Issue | Solution

WAFV2 IPSet: WAFOptimisticLockException error

If you receive this error when you run the terraform destroy command, you must manually delete the IP sets. For instructions, see Deleting an IP set (AWS WAF documentation).
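As an added example that is not part of this pattern or of the solution's code base, the following Python script performs that manual deletion with boto3, re-reading the IP set's LockToken when the WAFv2 API reports it as stale (the condition behind WAFOptimisticLockException). The wafv2 scope, the IP set name prefix, and the injected client are assumptions; the fake values in comments are constructed.

```python
# Added example, not the pattern's own code: delete IP sets left behind when
# terraform destroy fails with WAFOptimisticLockException. Assumes boto3 and AWS
# credentials; "<ip-set-name-prefix>" in __main__ is a placeholder.
from typing import Any

MAX_RETRIES = 3

def _error_code(exc: Exception) -> str:
    """Error code carried by a botocore ClientError ("" for other exceptions)."""
    return (getattr(exc, "response", None) or {}).get("Error", {}).get("Code", "")

def delete_ip_set(client: Any, scope: str, name: str, ip_set_id: str) -> str:
    """Delete one IP set, re-reading the LockToken and retrying if it went stale.

    WAFv2 uses optimistic locking: a write must carry the LockToken from the latest
    read. If another writer (e.g. the IP lists parser Lambda) changed the set in
    between, the API raises WAFOptimisticLockException. Returns the token used."""
    for attempt in range(MAX_RETRIES):
        token = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)["LockToken"]
        try:
            client.delete_ip_set(Name=name, Scope=scope, Id=ip_set_id, LockToken=token)
            return token
        except Exception as exc:
            if _error_code(exc) != "WAFOptimisticLockException" or attempt == MAX_RETRIES - 1:
                raise  # e.g. WAFAssociatedItemException: set still referenced by a rule
    raise AssertionError("unreachable")

def delete_ip_sets_with_prefix(client: Any, scope: str, prefix: str) -> list:
    """Delete every IP set in `scope` whose name starts with `prefix`; return names."""
    deleted, marker = [], None
    while True:
        kwargs = {"Scope": scope, "Limit": 100}
        if marker:
            kwargs["NextMarker"] = marker
        page = client.list_ip_sets(**kwargs)
        for s in page.get("IPSets", []):
            if s["Name"].startswith(prefix):
                delete_ip_set(client, scope, s["Name"], s["Id"])
                deleted.append(s["Name"])
        nxt = page.get("NextMarker")
        if not nxt or nxt == marker:  # last page (guard against a repeated marker)
            return deleted
        marker = nxt

if __name__ == "__main__":
    import boto3  # imported here so the module also loads without boto3 installed
    # Scope is REGIONAL for Application Load Balancers; CloudFront IP sets use
    # Scope=CLOUDFRONT and must be addressed through the us-east-1 endpoint.
    print(delete_ip_sets_with_prefix(boto3.client("wafv2"), "REGIONAL", "<ip-set-name-prefix>"))
```

Run it only after the web ACL rules that reference the IP sets are gone; a delete of a set that is still referenced fails with a different error and is not retried.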

Related resources

AWS references

Terraform references

Additional information

The following command clones the GitHub repository for this pattern.

git clone https://github.com/aws-samples/aws-waf-automation-terraform-samples.git