Summary Prerequisites and limitations Architecture Tools Best practices Epics Troubleshooting Related resources

Deploy the Security Automations for AWS WAF solution by using Terraform

Created by Dr. Rahul Sharad Gaikwad (AWS) and Tamilselvan P (AWS)

Summary

AWS WAF is a web application firewall that helps protect applications from common exploits by using customizable rules, which you define and deploy in web access control lists (ACLs). Configuring AWS WAF rules can be challenging, especially for organizations that do not have dedicated security teams. To simplify this process, Amazon Web Services (AWS) offers the Security Automations for AWS WAF solution, which automatically deploys a single web ACL with a set of AWS WAF rules that filters web-based attacks. During Terraform deployment, you can specify which protective features to include. After you deploy this solution, AWS WAF inspects web requests to existing Amazon CloudFront distributions or Application Load Balancers, and blocks any requests that don’t match the rules.

The Security Automations for AWS WAF solution can be deployed by using AWS CloudFormation according to the instructions in the Security Automations for AWS WAF Implementation Guide. This pattern provides an alternative deployment option for organizations that use HashiCorp Terraform as their preferred infrastructure as code (IaC) tool to provision and manage their cloud infrastructure. When you deploy this solution, Terraform automatically applies the changes in the cloud and deploys and configures the AWS WAF settings and protective features.

Prerequisites and limitations

Prerequisites

An active AWS account.
AWS Command Line Interface (AWS CLI) version 2.4.25 or later, installed and configured with necessary permissions. For more information, see Getting started (AWS CLI documentation).
Terraform version 1.1.9 or later, installed and configured. For more information, see Install Terraform (Terraform documentation).

Architecture

Target architecture

This pattern deploys the Security Automations for AWS WAF solution. For more information about the target architecture, see Architecture overview in the Security Automations for AWS WAF Implementation Guide. For more information about the AWS Lambda automations in this deployment, the Application log parser, the AWS WAF log parser, the IP lists parser, and the Access handler, see Component details in the Security Automations for AWS WAF Implementation Guide.

Terraform deployment

When you run terraform apply, Terraform does the following:

Terraform creates AWS Identity and Access Management (IAM) roles and Lambda functions based on the inputs from the testing.tfvars file.
Terraform creates AWS WAF ACL rules and IP sets based on the inputs from the testing.tfvars file.
Terraform creates the Amazon Simple Storage Service (Amazon S3) buckets, Amazon EventBridge rules, AWS Glue database tables, and Amazon Athena work groups based on the inputs from the testing.tfvars file.
Terraform deploys the AWS CloudFormation stack to provision the custom resources.
Terraform creates the Amazon API Gateway resources based on the given inputs from testing.tfvars file.

Automation and scale

You can use this pattern to create AWS WAF rules for multiple AWS accounts and AWS Regions to deploy the Security Automations for AWS WAF solution throughout your AWS Cloud environment.

Tools

AWS services

AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
AWS WAF is a web application firewall that helps you monitor HTTP and HTTPS requests that are forwarded to your protected web application resources.

Other services

Git is an open-source, distributed version control system.
HashiCorp Terraform is a command-line interface application that helps you use code to provision and manage cloud infrastructure and resources.

Code repository

The code for this pattern is available in the GitHub AWS WAF Automation Using Terraform repository.

Best practices

Put static files in separate Amazon S3 buckets.
Avoid hardcoding variables.
Limit the use of custom scripts.
Adopt a naming convention.

Epics

Task Description Skills required

Task	Description	Skills required
Install Git.	Follow the instructions in Getting started (Git website) to install Git on your local workstation.	DevOps engineer
Clone the repository.	On your local workstation, enter the following command to clone the code repository: `git clone https://github.com/aws-samples/aws-waf-automation-terraform-samples.git`	DevOps engineer
Update the variables.	Navigate into the cloned directory by entering the following command: `cd terraform-aws-waf-automation` In any text editor, open the testing.tfvars file. Update the values of the variables in the testing.tfvars file. Save and close the file.	DevOps engineer

Install Git.

Follow the instructions in Getting started (Git website) to install Git on your local workstation.

DevOps engineer

Clone the repository.

On your local workstation, enter the following command to clone the code repository:


git clone https://github.com/aws-samples/aws-waf-automation-terraform-samples.git

DevOps engineer

Update the variables.

Navigate into the cloned directory by entering the following command:
```
cd terraform-aws-waf-automation
```
In any text editor, open the testing.tfvars file.
Update the values of the variables in the testing.tfvars file.
Save and close the file.

DevOps engineer

Task	Description	Skills required
Initialize the Terraform configuration.	Enter the following command to initialize your working directory that contains the Terraform configuration files: `terraform init`	DevOps engineer
Preview the Terraform plan.	Enter the following command. Terraform evaluates the configuration files to determine the target state for the declared resources. It then compares the target state against the current state and creates a plan: `terraform plan -var-file="testing.tfvars"`	DevOps engineer
Verify the plan.	Review the plan and confirm that it configures the required architecture in your target AWS account.	DevOps engineer
Deploy the solution.	Enter the following command to apply the plan: `terraform apply -var-file="testing.tfvars"` Enter `yes` to confirm. Terraform creates, updates, or destroys infrastructure to achieve the target state declared in the configuration files. For more information about the sequence, see Terraform deployment in the Architecture section of this pattern.	DevOps engineer

Task	Description	Skills required
Verify the changes.	In the Terraform console, verify that the outputs match the expected results. Sign in to the AWS Management Console. Verify the outputs in the Terraform console have been successfully deployed in your AWS account.	DevOps engineer
(Optional) Clean up the infrastructure.	If you want to remove all resources and configuration changes made by this solution, do the following: In the Terraform console, enter the following command: `terraform destroy -var-file="testing.tfvars”` Enter `yes` to confirm.	DevOps engineer

Troubleshooting

Issue	Solution
`WAFV2 IPSet: WAFOptimisticLockException` error	If you receive this error when you run the `terraform destroy` command, you must manually delete the IP sets. For instructions, see Deleting an IP set (AWS WAF documentation).

Related resources

AWS references

Security Automations for AWS WAF Implementation Guide
Security Automations for AWS WAF (AWS Solutions Library)
Security Automations for AWS WAF FAQ

Terraform references

Terraform backend configuration
Terraform AWS Provider - Documentation and Usage
Terraform AWS Provider (GitHub repository)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Deploy preventative controls for public subnets

Detect Amazon RDS instances with expiring CA certificates