README.yaml

name: "aws-waf"
# Canonical GitHub repo
github_repo: "cloudposse-terraform-components/aws-waf"
# Short description of this project
description: |-
  This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule
  group.

  ## Usage

  **Stack Level**: Regional

  Here's an example snippet for how to use this component.

  ```yaml
  components:
    terraform:
      waf:
        vars:
          enabled: true
          name: waf
          acl_name: default
          default_action: allow
          description: Default web ACL
          visibility_config:
            cloudwatch_metrics_enabled: false
            metric_name: "default"
            sampled_requests_enabled: false
          managed_rule_group_statement_rules:
            - name: "OWASP-10"
              # Rules are processed in order based on the value of priority, lowest number first
              priority: 1

              statement:
                name: AWSManagedRulesCommonRuleSet
                vendor_name: AWS

              visibility_config:
                # Defines and enables Amazon CloudWatch metrics and web request sample collection.
                cloudwatch_metrics_enabled: false
                metric_name: "OWASP-10"
                sampled_requests_enabled: false
  ```

  <!-- prettier-ignore-start -->
  <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
  ## Requirements

  | Name | Version |
  |------|---------|
  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
  | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |

  ## Providers

  | Name | Version |
  |------|---------|
  | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |

  ## Modules

  | Name | Source | Version |
  |------|--------|---------|
  | <a name="module_association_resource_components"></a> [association\_resource\_components](#module\_association\_resource\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
  | <a name="module_aws_waf"></a> [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 1.8.0 |
  | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
  | <a name="module_log_destination_components"></a> [log\_destination\_components](#module\_log\_destination\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
  | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

  ## Resources

  | Name | Type |
  |------|------|
  | [aws_ssm_parameter.acl_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
  | [aws_alb.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/alb) | data source |
  | [aws_lbs.alb_by_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lbs) | data source |

  ## Inputs

  | Name | Description | Type | Default | Required |
  |------|-------------|------|---------|:--------:|
  | <a name="input_acl_name"></a> [acl\_name](#input\_acl\_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm\_path\_prefix}/{acl\_name}/arn | `string` | n/a | yes |
  | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
  | <a name="input_alb_names"></a> [alb\_names](#input\_alb\_names) | list of ALB names to associate with the web ACL. | `list(string)` | `[]` | no |
  | <a name="input_alb_tags"></a> [alb\_tags](#input\_alb\_tags) | list of tags to match one or more ALBs to associate with the web ACL. | `list(map(string))` | `[]` | no |
  | <a name="input_association_resource_arns"></a> [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.<br>This must be an ARN of an Application Load Balancer, Amazon API Gateway stage, or AWS AppSync.<br><br>Do not use this variable to associate a Cloudfront Distribution.<br>Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.<br>For more details, refer to https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html | `list(string)` | `[]` | no |
  | <a name="input_association_resource_component_selectors"></a> [association\_resource\_component\_selectors](#input\_association\_resource\_component\_selectors) | A list of Atmos component selectors to get from the remote state and associate their ARNs with the web ACL.<br>The components must be Application Load Balancers, Amazon API Gateway stages, or AWS AppSync.<br><br>component:<br>  Atmos component name<br>component\_arn\_output:<br>  The component output that defines the component ARN<br><br>Set `tenant`, `environment` and `stage` if the components are in different OUs, regions or accounts.<br><br>Do not use this variable to select a Cloudfront Distribution component.<br>Instead, you should use the `web_acl_id` property on the `cloudfront_distribution` resource.<br>For more details, refer to https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html | <pre>list(object({<br>    component            = string<br>    namespace            = optional(string, null)<br>    tenant               = optional(string, null)<br>    environment          = optional(string, null)<br>    stage                = optional(string, null)<br>    component_arn_output = string<br>  }))</pre> | `[]` | no |
  | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
  | <a name="input_byte_match_statement_rules"></a> [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  positional\_constraint:<br>    Area within the portion of a web request that you want AWS WAF to search for search\_string. Valid values include the following: EXACTLY, STARTS\_WITH, ENDS\_WITH, CONTAINS, CONTAINS\_WORD.<br>  search\_string<br>    String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field\_to\_match.<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
  | <a name="input_custom_response_body"></a> [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.<br>The map keys are used as the `key` attribute which is a unique key identifying the custom response body.<br>content:<br>  Payload of the custom response.<br>  The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.<br>content\_type:<br>  Content Type of Response Body.<br>  Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. | <pre>map(object({<br>    content      = string<br>    content_type = string<br>  }))</pre> | `{}` | no |
  | <a name="input_default_action"></a> [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no |
  | <a name="input_default_block_response"></a> [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no |
  | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
  | <a name="input_description"></a> [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
  | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
  | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
  | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
  | <a name="input_geo_allowlist_statement_rules"></a> [geo\_allowlist\_statement\_rules](#input\_geo\_allowlist\_statement\_rules) | A rule statement used to identify a list of allowed countries which should not be blocked by the WAF.<br><br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  country\_codes:<br>    A list of two-character country codes.<br>  forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_geo_match_statement_rules"></a> [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  country\_codes:<br>    A list of two-character country codes.<br>  forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
  | <a name="input_ip_set_reference_statement_rules"></a> [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  arn:<br>    The ARN of the IP Set that this statement references.<br>  ip\_set:<br>    Defines a new IP Set<br><br>    description:<br>      A friendly description of the IP Set<br>    addresses:<br>      Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.<br>      All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.<br>    ip\_address\_version:<br>      Specify `IPV4` or `IPV6`<br>  ip\_set\_forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br>    position:<br>      The position in the header to search for the IP address.<br>      Possible values include: `FIRST`, `LAST`, or `ANY`.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
  | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
  | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
  | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
  | <a name="input_log_destination_component_selectors"></a> [log\_destination\_component\_selectors](#input\_log\_destination\_component\_selectors) | A list of Atmos component selectors to get from the remote state and associate their names/ARNs with the WAF logs.<br>The components must be Amazon Kinesis Data Firehose, CloudWatch Log Group, or S3 bucket.<br><br>component:<br>  Atmos component name<br>component\_output:<br>  The component output that defines the component name or ARN<br><br>Set `tenant`, `environment` and `stage` if the components are in different OUs, regions or accounts.<br><br>Note: data firehose, log group, or bucket name must be prefixed with `aws-waf-logs-`,<br>e.g. `aws-waf-logs-example-firehose`, `aws-waf-logs-example-log-group`, or `aws-waf-logs-example-bucket`. | <pre>list(object({<br>    component        = string<br>    namespace        = optional(string, null)<br>    tenant           = optional(string, null)<br>    environment      = optional(string, null)<br>    stage            = optional(string, null)<br>    component_output = string<br>  }))</pre> | `[]` | no |
  | <a name="input_log_destination_configs"></a> [log\_destination\_configs](#input\_log\_destination\_configs) | A list of resource names/ARNs to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket with the WAF logs.<br>Note: data firehose, log group, or bucket name must be prefixed with `aws-waf-logs-`,<br>e.g. `aws-waf-logs-example-firehose`, `aws-waf-logs-example-log-group`, or `aws-waf-logs-example-bucket`. | `list(string)` | `[]` | no |
  | <a name="input_logging_filter"></a> [logging\_filter](#input\_logging\_filter) | A configuration block that specifies which web requests are kept in the logs and which are dropped.<br>You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | <pre>object({<br>    default_behavior = string<br>    filter = list(object({<br>      behavior    = string<br>      requirement = string<br>      condition = list(object({<br>        action_condition = optional(object({<br>          action = string<br>        }), null)<br>        label_name_condition = optional(object({<br>          label_name = string<br>        }), null)<br>      }))<br>    }))<br>  })</pre> | `null` | no |
  | <a name="input_managed_rule_group_statement_rules"></a> [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.<br><br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>override\_action:<br>  The override action to apply to the rules in a rule group.<br>  Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  name:<br>    The name of the managed rule group.<br>  vendor\_name:<br>    The name of the managed rule group vendor.<br>  version:<br>    The version of the managed rule group.<br>    You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.<br>  rule\_action\_override:<br>    Action settings to use in the place of the rule actions that are configured inside the rule group.<br>    You specify one override for each rule whose action you want to change.<br>  managed\_rule\_group\_configs:<br>    Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config.<br>    Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name            = string<br>    priority        = number<br>    override_action = optional(string)<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement = object({<br>      name        = string<br>      vendor_name = string<br>      version     = optional(string)<br>      rule_action_override = optional(map(object({<br>        action = string<br>        custom_request_handling = optional(object({<br>          insert_header = object({<br>            name  = string<br>            value = string<br>          })<br>        }), null)<br>        custom_response = optional(object({<br>          response_code = string<br>          response_header = optional(object({<br>            name  = string<br>            value = string<br>          }), null)<br>        }), null)<br>      })), null)<br>      managed_rule_group_configs = optional(list(object({<br>        aws_managed_rules_bot_control_rule_set = optional(object({<br>          inspection_level        = string<br>          enable_machine_learning = optional(bool, true)<br>        }), null)<br>        aws_managed_rules_atp_rule_set = optional(object({<br>          enable_regex_in_path = optional(bool)<br>          login_path           = string<br>          request_inspection = optional(object({<br>            payload_type = string<br>            password_field = object({<br>              identifier = string<br>            })<br>            username_field = object({<br>              identifier = string<br>            })<br>          }), null)<br>          response_inspection = optional(object({<br>            body_contains = optional(object({<br>              success_strings = list(string)<br>              failure_strings = list(string)<br>            }), null)<br>            header = optional(object({<br>              name           = string<br>              success_values = list(string)<br>              failure_values = list(string)<br>            }), null)<br>            json = optional(object({<br><br>              identifier      = string<br>              success_strings = list(string)<br>              failure_strings = list(string)<br>            }), null)<br>            status_code = optional(object({<br>              success_codes = list(string)<br>              failure_codes = list(string)<br>            }), null)<br>          }), null)<br>        }), null)<br>      })), null)<br>    })<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
  | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
  | <a name="input_rate_based_statement_rules"></a> [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,<br>and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  aggregate\_key\_type:<br>     Setting that indicates how to aggregate the request counts.<br>     Possible values include: `FORWARDED_IP` or `IP`<br>  limit:<br>    The limit on requests per 5-minute period for a single originating IP address.<br>  evaluation\_window\_sec:<br>    The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.<br>    Valid values are 60, 120, 300, and 600. Defaults to 300 (5 minutes).<br>  forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br>  byte\_match\_statement:<br>    field\_to\_match:<br>      Part of a web request that you want AWS WAF to inspect.<br>    positional\_constraint:<br>      Area within the portion of a web request that you want AWS WAF to search for search\_string.<br>      Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.<br>    search\_string:<br>      String value that you want AWS WAF to search for.<br>      AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.<br>      The maximum length of the value is 50 bytes.<br>    text\_transformation:<br>      Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>      See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement = object({<br>      limit                 = number<br>      aggregate_key_type    = string<br>      evaluation_window_sec = optional(number)<br>      forwarded_ip_config = optional(object({<br>        fallback_behavior = string<br>        header_name       = string<br>      }), null)<br>      scope_down_statement = optional(object({<br>        byte_match_statement = object({<br>          positional_constraint = string<br>          search_string         = string<br>          field_to_match = object({<br>            all_query_arguments   = optional(bool)<br>            body                  = optional(bool)<br>            method                = optional(bool)<br>            query_string          = optional(bool)<br>            single_header         = optional(object({ name = string }))<br>            single_query_argument = optional(object({ name = string }))<br>            uri_path              = optional(bool)<br>          })<br>          text_transformation = list(object({<br>            priority = number<br>            type     = string<br>          }))<br>        })<br>      }), null)<br>    })<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_redacted_fields"></a> [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.<br>You can only specify one of the following: `method`, `query_string`, `single_header`, or `uri_path`<br><br>method:<br>  Whether to enable redaction of the HTTP method.<br>  The method indicates the type of operation that the request is asking the origin to perform.<br>uri\_path:<br>  Whether to enable redaction of the URI path.<br>  This is the part of a web request that identifies a resource.<br>query\_string:<br>  Whether to enable redaction of the query string.<br>  This is the part of a URL that appears after a `?` character, if any.<br>single\_header:<br>  The list of names of the query headers to redact. | <pre>map(object({<br>    method        = optional(bool, false)<br>    uri_path      = optional(bool, false)<br>    query_string  = optional(bool, false)<br>    single_header = optional(list(string), null)<br>  }))</pre> | `{}` | no |
  | <a name="input_regex_match_statement_rules"></a> [regex\_match\_statement\_rules](#input\_regex\_match\_statement\_rules) | A rule statement used to search web request components for a match against a single regular expression.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  regex\_string:<br>     String representing the regular expression. Minimum of 1 and maximum of 512 characters.<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#field_to_match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_regex_pattern_set_reference_statement_rules"></a> [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  arn:<br>     The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
  | <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
  | <a name="input_rule_group_reference_statement_rules"></a> [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.<br><br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>override\_action:<br>  The override action to apply to the rules in a rule group.<br>  Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  arn:<br>    The ARN of the `aws_wafv2_rule_group` resource.<br>  rule\_action\_override:<br>    Action settings to use in the place of the rule actions that are configured inside the rule group.<br>    You specify one override for each rule whose action you want to change.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name            = string<br>    priority        = number<br>    override_action = optional(string)<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement = object({<br>      arn = string<br>      rule_action_override = optional(map(object({<br>        action = string<br>        custom_request_handling = optional(object({<br>          insert_header = object({<br>            name  = string<br>            value = string<br>          })<br>        }), null)<br>        custom_response = optional(object({<br>          response_code = string<br>          response_header = optional(object({<br>            name  = string<br>            value = string<br>          }), null)<br>        }), null)<br>      })), null)<br>    })<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_scope"></a> [scope](#input\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.<br>Possible values are `CLOUDFRONT` or `REGIONAL`.<br>To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no |
  | <a name="input_size_constraint_statement_rules"></a> [size\_constraint\_statement\_rules](#input\_size\_constraint\_statement\_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  comparison\_operator:<br>     The operator to use to compare the request part to the size setting.<br>     Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.<br>  size:<br>    The size, in bytes, to compare to the request part, after any transformations.<br>    Valid values are integers between `0` and `21474836480`, inclusive.<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_sqli_match_statement_rules"></a> [sqli\_match\_statement\_rules](#input\_sqli\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,<br>such as the URI or the query string, that you want AWS WAF to inspect.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>statement:<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |
  | <a name="input_ssm_path_prefix"></a> [ssm\_path\_prefix](#input\_ssm\_path\_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no |
  | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
  | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
  | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
  | <a name="input_token_domains"></a> [token\_domains](#input\_token\_domains) | Specifies the domains that AWS WAF should accept in a web request token.<br>This enables the use of tokens across multiple protected websites.<br>When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting.<br>If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource.<br>With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list,<br>including their prefixed subdomains. | `list(string)` | `null` | no |
  | <a name="input_visibility_config"></a> [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>cloudwatch\_metrics\_enabled:<br>  Whether the associated resource sends metrics to CloudWatch.<br>metric\_name:<br>  A friendly name of the CloudWatch metric.<br>sampled\_requests\_enabled:<br>  Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>object({<br>    cloudwatch_metrics_enabled = bool<br>    metric_name                = string<br>    sampled_requests_enabled   = bool<br>  })</pre> | n/a | yes |
  | <a name="input_xss_match_statement_rules"></a> [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br>   Defines custom immunity time.<br><br>   immunity\_time:<br>   The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br>   A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br>  field\_to\_match:<br>    The part of a web request that you want AWS WAF to inspect.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br>  text\_transformation:<br>    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br>    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br>    name     = string<br>    priority = number<br>    action   = string<br>    captcha_config = optional(object({<br>      immunity_time_property = object({<br>        immunity_time = number<br>      })<br>    }), null)<br>    rule_label = optional(list(string), null)<br>    statement  = any<br>    visibility_config = optional(object({<br>      cloudwatch_metrics_enabled = optional(bool)<br>      metric_name                = string<br>      sampled_requests_enabled   = optional(bool)<br>    }), null)<br>  }))</pre> | `null` | no |

  ## Outputs

  | Name | Description |
  |------|-------------|
  | <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the WAF WebACL. |
  | <a name="output_id"></a> [id](#output\_id) | The ID of the WAF WebACL. |
  | <a name="output_logging_config_id"></a> [logging\_config\_id](#output\_logging\_config\_id) | The ARN of the WAFv2 Web ACL logging configuration. |
  <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
  <!-- prettier-ignore-end -->

  ## References

  - [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/waf) -
    Cloud Posse's upstream component
tags:
  - component/waf
  - layer/addons
  - provider/aws
# Categories of this project
categories:
  - component/waf
  - layer/addons
  - provider/aws
# License of this project
license: "APACHE2"
# Badges to display
badges:
  - name: Latest Release
    image: https://img.shields.io/github/release/cloudposse-terraform-components/aws-waf.svg?style=for-the-badge
    url: https://github.com/cloudposse-terraform-components/aws-waf/releases/latest
  - name: Slack Community
    image: https://slack.cloudposse.com/for-the-badge.svg
    url: https://slack.cloudposse.com
related:
  - name: "Cloud Posse Terraform Modules"
    description: Our collection of reusable Terraform modules used by our reference architectures.
    url: "https://docs.cloudposse.com/modules/"
  - name: "Atmos"
    description: "Atmos is like docker-compose but for your infrastructure"
    url: "https://atmos.tools"
contributors: [] # If included generates contribs