第 3 章:AWS 進階網路設定
Reference Link
Route53
Public zone
# Public hosted zone for the apex domain. Creating the zone does not make it
# authoritative on the Internet by itself: the name servers Route 53 assigns
# still have to be published at the registrar before anyone can resolve it.
resource "aws_route53_zone" "primary" {
  name = "example.com"
}
Public Subdomain Zone
# Parent zone for the apex domain.
resource "aws_route53_zone" "main" {
  name = "example.com"
}

# Separate hosted zone for the dev subdomain so it can be managed (and
# IAM-scoped) independently of the parent zone.
resource "aws_route53_zone" "dev" {
  name = "dev.example.com"

  tags = {
    Environment = "dev"
  }
}

# NS record in the parent zone delegating dev.example.com to the name servers
# Route 53 assigned to the dev zone.
# NOTE(review): if the dev zone is ever destroyed while this record survives,
# the delegation points at name servers that no longer host the zone. Dangling
# delegations of this kind are a known subdomain-takeover vector, so remove or
# replace the two together. The 30 s TTL is handy for cut-overs and can be
# raised once the delegation is stable.
resource "aws_route53_record" "dev-ns" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "dev.example.com"
  type    = "NS"
  ttl     = "30"
  records = aws_route53_zone.dev.name_servers
}
Private Zone
# Private hosted zone: answers only for resolvers in the VPC(s) it is
# associated with.
# NOTE(review): it carries the same name as the public zone above. Inside the
# associated VPC this zone will presumably shadow the public one
# (split-horizon DNS), so names missing here are not looked up publicly —
# confirm that is intended.
resource "aws_route53_zone" "private" {
  name = "example.com"

  vpc {
    vpc_id = aws_vpc.example.id
  }
}
關聯 Private Zone
# Two VPCs that will both be allowed to resolve the private zone. DNS support
# and hostnames are enabled on each; private hosted zones are not usable from
# a VPC without enable_dns_support.
resource "aws_vpc" "primary" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_vpc" "secondary" {
  cidr_block           = "10.7.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

# Private zone created against the primary VPC; further VPCs are attached with
# aws_route53_zone_association rather than by adding vpc blocks here.
resource "aws_route53_zone" "example" {
  name = "example.com"

  # NOTE: The aws_route53_zone vpc argument accepts multiple configuration
  # blocks. The below usage of the single vpc configuration, the
  # lifecycle configuration, and the aws_route53_zone_association
  # resource is for illustrative purposes (e.g., for a separate
  # cross-account authorization process, which is not shown here).
  vpc {
    vpc_id = aws_vpc.primary.id
  }

  # Without this, Terraform would see the association added below as drift on
  # the vpc argument and try to detach it on the next plan.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Attach the secondary VPC to the same private zone.
resource "aws_route53_zone_association" "secondary" {
  zone_id = aws_route53_zone.example.zone_id
  vpc_id  = aws_vpc.secondary.id
}
VPC Association Authorization
# Two provider configurations: the default one owns the hosted zone, the
# "alternate" one owns the VPC that should be allowed to use it (typically a
# different account).
provider "aws" {
}

provider "aws" {
  alias = "alternate"
}

resource "aws_vpc" "example" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

# Private zone in the zone-owning account, initially attached to its own VPC.
resource "aws_route53_zone" "example" {
  name = "example.com"

  vpc {
    vpc_id = aws_vpc.example.id
  }

  # Prevent the deletion of associated VPCs after
  # the initial creation. See documentation on
  # aws_route53_zone_association for details
  lifecycle {
    ignore_changes = [vpc]
  }
}

# VPC living under the alternate provider (other account).
resource "aws_vpc" "alternate" {
  provider             = aws.alternate
  cidr_block           = "10.7.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

# Step 1 (zone owner): explicitly authorize the foreign VPC. This is the
# control that stops an arbitrary account from attaching its VPC to your zone;
# only the VPC listed here can complete the association.
resource "aws_route53_vpc_association_authorization" "example" {
  vpc_id  = aws_vpc.alternate.id
  zone_id = aws_route53_zone.example.id
}

# Step 2 (VPC owner): perform the association from the alternate provider.
# Referencing the authorization's attributes also orders the two steps.
resource "aws_route53_zone_association" "example" {
  provider = aws.alternate
  vpc_id   = aws_route53_vpc_association_authorization.example.vpc_id
  zone_id  = aws_route53_vpc_association_authorization.example.zone_id
}
Delegation Set
# Reusable delegation set: a fixed group of four name servers that several
# zones can share, so the NS records handed to registrars stay stable across
# zone re-creation.
resource "aws_route53_delegation_set" "main" {
  reference_name = "DynDNS"
}

# Both zones below are served by the same name servers.
resource "aws_route53_zone" "primary" {
  name              = "hashicorp.com"
  delegation_set_id = aws_route53_delegation_set.main.id
}

resource "aws_route53_zone" "secondary" {
  name              = "terraform.io"
  delegation_set_id = aws_route53_delegation_set.main.id
}
Health Check
# Route 53 health check probing http://example.com:80/ from AWS checkers.
# NOTE(review): an HTTP check on port 80 only tells you the plain-HTTP
# listener answers; if the service is actually served over TLS, an HTTPS check
# (type = "HTTPS", and enable_sni for name-based hosts) exercises the path
# users hit. failure_threshold and request_interval are given as strings here;
# the provider coerces them to numbers.
resource "aws_route53_health_check" "example" {
  fqdn              = "example.com"
  port              = 80
  type              = "HTTP"
  resource_path     = "/"
  failure_threshold = "5"
  request_interval  = "30"

  tags = {
    Name = "tf-test-health-check"
  }
}
Traffic Policy
# Minimal traffic policy: a single "value" endpoint returning an A record.
# The document is the raw Route 53 traffic-policy JSON; it is versioned by
# Route 53, so changing it creates a new policy version.
# NOTE(review): the value 10.0.0.2 is an RFC 1918 address — fine for a private
# zone, but meaningless if this policy is instantiated in a public zone.
resource "aws_route53_traffic_policy" "example" {
  name    = "example"
  comment = "example comment"

  document = <<EOF
{
"AWSPolicyFormatVersion": "2015-10-01",
"RecordType": "A",
"Endpoints": {
"endpoint-start-NkPh": {
"Type": "value",
"Value": "10.0.0.2"
}
},
"StartEndpoint": "endpoint-start-NkPh"
}
EOF
}
Route53 Resolver
Resolver endpoint
# INBOUND resolver endpoint: lets resolvers outside the VPC (on-prem, peered
# networks) query this VPC's Route 53 Resolver over Do53 and DoH.
# NOTE(review): the security groups are the only access control on this
# endpoint. They should permit 53/udp+tcp (Do53) and 443/tcp (DoH) from the
# specific resolver ranges that need it, not 0.0.0.0/0 — an open inbound
# endpoint exposes private-zone contents to anyone who can reach it.
resource "aws_route53_resolver_endpoint" "foo" {
  name      = "foo"
  direction = "INBOUND"

  security_group_ids = [
    aws_security_group.sg1.id,
    aws_security_group.sg2.id,
  ]

  # One ENI per subnet; the second pins a specific address so that external
  # resolvers can be configured with a stable IP.
  ip_address {
    subnet_id = aws_subnet.sn1.id
  }

  ip_address {
    subnet_id = aws_subnet.sn2.id
    ip        = "10.0.64.4"
  }

  protocols = ["Do53", "DoH"]

  tags = {
    Environment = "Prod"
  }
}
Resolver rule
# SYSTEM rule: an exception that sends subdomain.example.com back to the VPC's
# default resolution, overriding a broader FORWARD rule (such as the one for
# example.com below) for that subtree.
resource "aws_route53_resolver_rule" "sys" {
  domain_name = "subdomain.example.com"
  rule_type   = "SYSTEM"
}
Forward rule
# FORWARD rule: every query under example.com is sent through the resolver
# endpoint to the target resolver.
# NOTE(review): 123.45.67.89 is a placeholder and should be replaced with a
# resolver you control; queries forwarded to an untrusted resolver can be
# answered with attacker-chosen records. No protocol is set on target_ip, so
# forwarding is presumably plain Do53 — confirm if the path crosses networks
# you do not trust.
resource "aws_route53_resolver_rule" "fwd" {
  domain_name          = "example.com"
  name                 = "example"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.foo.id

  target_ip {
    ip = "123.45.67.89"
  }

  tags = {
    Environment = "Prod"
  }
}
Route53 Resolver rule association.
# A resolver rule does nothing until it is associated with a VPC; this attaches
# the SYSTEM rule above to aws_vpc.foo (defined elsewhere on this page's
# source, not shown here).
resource "aws_route53_resolver_rule_association" "example" {
  resolver_rule_id = aws_route53_resolver_rule.sys.id
  vpc_id           = aws_vpc.foo.id
}
Route 53 Resolver config resource
resource "aws_vpc" "example" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# Per-VPC resolver configuration. Disabling the autodefined reverse rules
# means reverse (PTR) lookups for VPC addresses are no longer answered
# automatically and follow whatever resolver rules are associated instead.
resource "aws_route53_resolver_config" "example" {
  resource_id              = aws_vpc.example.id
  autodefined_reverse_flag = "DISABLE"
}
Route 53 Resolver DNS Firewall config resource
resource "aws_vpc" "example" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# DNS Firewall behaviour for the VPC when the firewall cannot evaluate a query.
# NOTE(review): "ENABLED" here means fail-OPEN — queries that DNS Firewall is
# unable to inspect are allowed through, so the block lists below are not
# enforced during a firewall failure. That favours availability; for a VPC
# where DNS Firewall is a real control (e.g. egress/exfiltration blocking),
# use "DISABLED" (fail-closed) and accept that DNS may fail instead.
resource "aws_route53_resolver_firewall_config" "example" {
  resource_id        = aws_vpc.example.id
  firewall_fail_open = "ENABLED"
}
Resolver DNS Firewall domain list resource
# Empty domain list; domains are added with the domains argument (see the rule
# example below). A list with no entries matches nothing.
resource "aws_route53_resolver_firewall_domain_list" "example" {
  name = "example"
}
Resolver DNS Firewall rule resource
# Domain list holding the names the rule below acts on.
# NOTE(review): a bare "example.com" entry presumably matches that exact name
# only; add "*.example.com" if subdomains should match as well — confirm
# against the DNS Firewall matching rules.
resource "aws_route53_resolver_firewall_domain_list" "example" {
  name    = "example"
  domains = ["example.com"]
  tags    = {}
}

resource "aws_route53_resolver_firewall_rule_group" "example" {
  name = "example"
  tags = {}
}

# BLOCK rule that, instead of returning NXDOMAIN/NODATA, answers with an
# override CNAME to example.com with a 1 s TTL (e.g. to steer clients to a
# sinkhole/notice page). Lower priority values are evaluated first within the
# group.
resource "aws_route53_resolver_firewall_rule" "example" {
  name                    = "example"
  action                  = "BLOCK"
  block_override_dns_type = "CNAME"
  block_override_domain   = "example.com"
  block_override_ttl      = 1
  block_response          = "OVERRIDE"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.example.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.example.id
  priority                = 100
}
Resolver DNS Firewall rule group resource
# Rule group container; it has no effect until rules are added and the group
# is associated with a VPC.
resource "aws_route53_resolver_firewall_rule_group" "example" {
  name = "example"
}
Resolver DNS Firewall rule group association resource
resource "aws_route53_resolver_firewall_rule_group" "example" {
  name = "example"
}

# Attach the rule group to a VPC. priority orders this group relative to other
# groups associated with the same VPC (lower is evaluated first); the
# optional mutation_protection argument is not set here, so other principals
# with permission can still modify or remove the association.
resource "aws_route53_resolver_firewall_rule_group_association" "example" {
  name                   = "example"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.example.id
  priority               = 100
  vpc_id                 = aws_vpc.example.id
}
Resolver query logging configuration resource
# Resolver query logging to an S3 bucket. The logs record every name queried
# from the associated VPCs, which is valuable for detection but also
# sensitive; restrict read access on the destination bucket accordingly.
resource "aws_route53_resolver_query_log_config" "example" {
  name            = "example"
  destination_arn = aws_s3_bucket.example.arn

  tags = {
    Environment = "Prod"
  }
}
Resolver query logging configuration association resource
# Logging only starts for a VPC once the config is associated with it.
resource "aws_route53_resolver_query_log_config_association" "example" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.example.id
  resource_id                  = aws_vpc.example.id
}
ACM
ACM with DNS
# ACM certificate validated via DNS. Requesting the certificate is only half
# the job: the CNAME validation records (domain_validation_options) still have
# to be published in the zone and waited on with aws_acm_certificate_validation,
# neither of which is shown here. DNS validation also lets ACM renew
# automatically as long as the records stay in place.
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Environment = "test"
  }

  # Certificates are referenced by listeners/distributions; creating the
  # replacement before destroying the old one avoids an outage on replace.
  lifecycle {
    create_before_destroy = true
  }
}
ACM with Email
# ACM certificate validated by e-mail: ACM mails the standard contact
# addresses of validation_domain (the parent example.com, not the subdomain
# being certified) and someone has to click the link.
# NOTE(review): e-mail validation is manual, relies on whoever reads those
# mailboxes, and renewals need the same manual step; prefer DNS validation
# for anything automated.
resource "aws_acm_certificate" "cert" {
  domain_name       = "testing.example.com"
  validation_method = "EMAIL"

  validation_option {
    domain_name       = "testing.example.com"
    validation_domain = "example.com"
  }
}
CloudFront
S3 Origin
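# Private S3 bucket that CloudFront serves from. CloudFront reaches it through
# an Origin Access Control (referenced in the distribution below), so the
# bucket itself never has to be public.
resource "aws_s3_bucket" "b" {
  bucket = "mybucket"

  tags = {
    Name = "My bucket"
  }
}

# NOTE(review): bucket ACLs are disabled on buckets whose Object Ownership is
# BucketOwnerEnforced (the default for new buckets); on such a bucket this
# resource may be rejected — confirm. Either way, the access that matters for
# OAC is a bucket policy granting s3:GetObject to cloudfront.amazonaws.com with
# an AWS:SourceArn condition on this distribution, which is not shown here.
resource "aws_s3_bucket_acl" "b_acl" {
  bucket = aws_s3_bucket.b.id
  acl    = "private"
}

locals {
  s3_origin_id = "myS3Origin"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    # With OAC, CloudFront signs its requests to S3 as the distribution.
    # aws_cloudfront_origin_access_control.default is not defined on this page.
    origin_access_control_id = aws_cloudfront_origin_access_control.default.id
    origin_id                = local.s3_origin_id
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Some comment"
  default_root_object = "index.html"

  # Standard (access) logging to a separate bucket; cookies are not logged.
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }

  # NOTE(review): alternate domain names normally require an ACM certificate
  # covering them in viewer_certificate; the default CloudFront certificate
  # used at the bottom covers only *.cloudfront.net — confirm before apply.
  aliases = ["mysite.example.com", "yoursite.example.com"]

  default_cache_behavior {
    # Read-only methods. The origin is a static bucket and, with OAC, any
    # PUT/POST/PATCH/DELETE a viewer sends would be forwarded to S3 signed as
    # the distribution; whether it succeeds then depends only on the bucket
    # policy. The original example allowed all seven methods.
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    # Legacy forwarded_values; cache_policy_id / origin_request_policy_id are
    # the current way to express this (see the managed-policy example on
    # this page).
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    # Force TLS for viewers. The original used "allow-all", which served the
    # default path over plain HTTP while both ordered behaviors below already
    # redirect to HTTPS.
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  # Cache behavior with precedence 0
  ordered_cache_behavior {
    path_pattern     = "/content/immutable/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      # Origin is part of the cache key so CORS responses are not served to
      # the wrong origin.
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # Cache behavior with precedence 1
  ordered_cache_behavior {
    path_pattern     = "/content/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = "PriceClass_200"

  # Geo allow-list: viewers outside these countries get a 403 from the edge.
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  tags = {
    Environment = "production"
  }

  # Default *.cloudfront.net certificate. It also pins the TLS floor to the
  # lowest CloudFront allows; a custom ACM certificate is needed both for the
  # aliases above and to set minimum_protocol_version.
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}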
With Failover Routing
# Origin group: CloudFront tries primaryS3 first and retries against
# failoverS3 when the primary returns one of the listed status codes.
# NOTE(review): 403 and 404 are in the failover list. A private S3 origin
# returns 403 for a missing object, so an ordinary "not found" on the primary
# will be retried against the failover bucket rather than surfaced — confirm
# that is the intended behaviour. Both origins use an Origin Access Identity,
# the legacy mechanism; Origin Access Control (see the S3 origin example on
# this page) is the current recommendation.
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin_group {
    origin_id = "groupS3"

    failover_criteria {
      status_codes = [403, 404, 500, 502]
    }

    member {
      origin_id = "primaryS3"
    }

    member {
      origin_id = "failoverS3"
    }
  }

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  origin {
    domain_name = aws_s3_bucket.failover.bucket_regional_domain_name
    origin_id   = "failoverS3"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  # The behavior targets the group, not an individual origin.
  default_cache_behavior {
    # ... other configuration ...
    target_origin_id = "groupS3"
  }

  # ... other configuration ...
}
With Managed Caching Policy
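locals {
  s3_origin_id = "myS3Origin"
}

# Distribution using an AWS managed cache policy instead of forwarded_values.
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "myS3Origin"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Some comment"
  default_root_object = "index.html"

  # AWS Managed Caching Policy (CachingDisabled)
  default_cache_behavior {
    # Using the CachingDisabled managed policy ID:
    cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    # cached_methods and viewer_protocol_policy are required arguments of
    # default_cache_behavior even when a cache policy is attached; the
    # original example omitted both and would not plan. Viewers are forced to
    # HTTPS, matching the other distributions on this page.
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    target_origin_id       = local.s3_origin_id
  }

  # Geo allow-list: viewers outside these countries get a 403 from the edge.
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # ... other configuration ...
}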
Cloudfront Cache Policy
# Custom cache policy. Everything listed under
# parameters_in_cache_key_and_forwarded_to_origin becomes part of the cache
# key AND is forwarded to the origin; anything not listed is stripped.
# NOTE(review): when caching responses that vary per user, the session cookie
# must be in the key (as "example" is here) or such responses must not be
# cached at all — otherwise one user's response can be served to another.
resource "aws_cloudfront_cache_policy" "example" {
  name        = "example-policy"
  comment     = "test comment"
  default_ttl = 50
  max_ttl     = 100
  min_ttl     = 1

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "whitelist"

      cookies {
        items = ["example"]
      }
    }

    headers_config {
      header_behavior = "whitelist"

      headers {
        items = ["example"]
      }
    }

    query_strings_config {
      query_string_behavior = "whitelist"

      query_strings {
        items = ["example"]
      }
    }
  }
}
Cloudfront Continuous Deployment Policy
# Staging distribution that receives a slice of production traffic.
resource "aws_cloudfront_distribution" "staging" {
  enabled = true
  staging = true
  # ... other configuration ...
}

# Routes a fixed share of viewers to the staging distribution. weight is a
# fraction, so "0.01" sends 1% of requests to staging.
resource "aws_cloudfront_continuous_deployment_policy" "example" {
  enabled = true

  staging_distribution_dns_names {
    items    = [aws_cloudfront_distribution.staging.domain_name]
    quantity = 1
  }

  traffic_config {
    type = "SingleWeight"

    single_weight_config {
      weight = "0.01"
    }
  }
}

resource "aws_cloudfront_distribution" "production" {
  enabled = true

  # NOTE: A continuous deployment policy cannot be associated to distribution
  # on creation. Set this argument once the resource exists.
  continuous_deployment_policy_id = aws_cloudfront_continuous_deployment_policy.example.id

  # ... other configuration ...
}
Cloudfront Function
# CloudFront Function loaded from function.js next to this module.
# publish = true promotes the code to the LIVE stage on every apply, so a
# change to function.js goes straight to the edge with no staged test step.
resource "aws_cloudfront_function" "test" {
  name    = "test"
  runtime = "cloudfront-js-2.0"
  comment = "my function"
  publish = true
  code    = file("${path.module}/function.js")
}
WAF
WAFv2 Rule Group
# Minimal regional rule group: one rule that allows requests geolocated to the
# US or NL. capacity (WCUs) is fixed at creation and bounds what rules the
# group can hold.
# NOTE(review): both visibility_config blocks turn off CloudWatch metrics and
# sampled requests. That leaves no way to see what the rule matched; for
# anything beyond a throwaway example, enable both.
resource "aws_wafv2_rule_group" "example" {
  name     = "example-rule"
  scope    = "REGIONAL"
  capacity = 2

  rule {
    name     = "rule-1"
    priority = 1

    action {
      allow {}
    }

    statement {
      geo_match_statement {
        country_codes = ["US", "NL"]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
WAFv2 Rule Group Complex
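# IPv4 set referenced by rule-4 of the rule group below.
# The placeholders use RFC 5737 documentation addresses; the original example
# listed 1.1.1.1 and 2.2.2.2, which are real third-party resolvers, and a
# copy-pasted block rule would have affected real traffic.
resource "aws_wafv2_ip_set" "test" {
  name               = "test"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.1/32", "198.51.100.1/32"]
}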
# Regex pattern set referenced by rule-4 below; a single unanchored pattern
# "one", so it matches anywhere in the inspected field.
resource "aws_wafv2_regex_pattern_set" "test" {
  name  = "test"
  scope = "REGIONAL"

  regular_expression {
    regex_string = "one"
  }
}
# Rule group exercising most statement types. Rules run in priority order
# (lowest first); within a statement, text_transformation blocks are applied
# from the lowest priority number upward before the match is evaluated.
# NOTE(review): every visibility_config disables metrics and sampled requests,
# so none of these rules are observable in CloudWatch — enable them outside a
# demo. body{} inspection only covers a leading portion of the request body by
# default; oversize_handling is not configured here, so confirm how larger
# bodies should be treated.
resource "aws_wafv2_rule_group" "example" {
  name        = "complex-example"
  description = "An rule group containing all statements"
  scope       = "REGIONAL"
  capacity    = 500

  # rule-1: BLOCK anything that is NOT (from the US AND carrying "word" in a
  # query argument after CMD_LINE + LOWERCASE normalisation).
  rule {
    name     = "rule-1"
    priority = 1

    action {
      block {}
    }

    statement {
      not_statement {
        statement {
          and_statement {
            statement {
              geo_match_statement {
                country_codes = ["US"]
              }
            }

            statement {
              byte_match_statement {
                positional_constraint = "CONTAINS"
                search_string         = "word"

                field_to_match {
                  all_query_arguments {}
                }

                # LOWERCASE (2) runs before CMD_LINE (5).
                text_transformation {
                  priority = 5
                  type     = "CMD_LINE"
                }

                text_transformation {
                  priority = 2
                  type     = "LOWERCASE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-1"
      sampled_requests_enabled   = false
    }
  }

  # rule-2: COUNT (log only, no blocking) when any of: user-agent matches the
  # regex, SQLi detected in the body, or XSS detected in the HTTP method.
  # The captcha_config here presumably only matters if the action were
  # captcha/challenge — with count{} it has no visible effect; confirm.
  rule {
    name     = "rule-2"
    priority = 2

    action {
      count {}
    }

    statement {
      or_statement {
        statement {
          regex_match_statement {
            regex_string = "[a-z]([a-z0-9_-]*[a-z0-9])?"

            field_to_match {
              single_header {
                name = "user-agent"
              }
            }

            text_transformation {
              priority = 6
              type     = "NONE"
            }
          }
        }

        statement {
          sqli_match_statement {
            field_to_match {
              body {}
            }

            # Applied in order: COMPRESS_WHITE_SPACE (3), HTML_ENTITY_DECODE
            # (4), URL_DECODE (5).
            text_transformation {
              priority = 5
              type     = "URL_DECODE"
            }

            text_transformation {
              priority = 4
              type     = "HTML_ENTITY_DECODE"
            }

            text_transformation {
              priority = 3
              type     = "COMPRESS_WHITE_SPACE"
            }
          }
        }

        statement {
          xss_match_statement {
            field_to_match {
              method {}
            }

            text_transformation {
              priority = 2
              type     = "NONE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-2"
      sampled_requests_enabled   = false
    }

    captcha_config {
      immunity_time_property {
        immunity_time = 240
      }
    }
  }

  # rule-3: BLOCK when the "username" query argument is longer than 100 bytes.
  rule {
    name     = "rule-3"
    priority = 3

    action {
      block {}
    }

    statement {
      size_constraint_statement {
        comparison_operator = "GT"
        size                = 100

        field_to_match {
          single_query_argument {
            name = "username"
          }
        }

        text_transformation {
          priority = 5
          type     = "NONE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-3"
      sampled_requests_enabled   = false
    }
  }

  # rule-4: BLOCK when the source IP is in the IP set, or the referer header
  # matches the regex pattern set.
  rule {
    name     = "rule-4"
    priority = 4

    action {
      block {}
    }

    statement {
      or_statement {
        statement {
          ip_set_reference_statement {
            arn = aws_wafv2_ip_set.test.arn
          }
        }

        statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.test.arn

            field_to_match {
              single_header {
                name = "referer"
              }
            }

            text_transformation {
              priority = 2
              type     = "NONE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-4"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }

  # Group-level captcha immunity (seconds) — inherited by rules that use
  # captcha and do not set their own.
  captcha_config {
    immunity_time_property {
      immunity_time = 120
    }
  }

  tags = {
    Name = "example-and-statement"
    Code = "123456"
  }
}
ACL Managed Rule
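# Regional web ACL running the AWS Common Rule Set in COUNT mode, scoped down
# to traffic from the US/NL.
# NOTE(review): override_action = count{} means nothing in the managed group
# blocks; this is the right first step for tuning, but the ACL is not
# protecting anything until the override is removed (or set to none{}) and
# the per-rule overrides below are reduced to the rules that false-positive.
resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  # token_domains is a web-ACL-level argument (domains that CAPTCHA/challenge
  # tokens are valid for); the original example placed it inside the rule
  # block, where the provider schema does not accept it.
  token_domains = ["mywebsite.com", "myotherwebsite.com"]

  rule {
    name     = "rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # Two rules from the managed set are individually downgraded to COUNT
        # (a common tuning for large query strings and UA-less API clients).
        rule_action_override {
          action_to_use {
            count {}
          }

          name = "SizeRestrictions_QUERYSTRING"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "NoUserAgent_HEADER"
        }

        # The managed group only evaluates requests matching this statement.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    # NOTE(review): metrics and sampled requests are off; with everything in
    # COUNT mode there would otherwise be no signal to tune from.
    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}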
ACL Account Creation Fraud Prevention
# CloudFront-scoped web ACL running the Account Creation Fraud Prevention
# managed group in COUNT mode (override_action), so it observes but does not
# block. A CLOUDFRONT-scoped ACL must be created in us-east-1.
# NOTE(review): creation_path is meant to be the endpoint that actually
# creates the account, and "/signin" reads like a login path; confirm the
# real sign-up endpoint before copying this. Field identifiers are JSON
# pointers into the request body (payload_type = "JSON").
resource "aws_wafv2_web_acl" "acfp-example" {
  name        = "managed-acfp-example"
  description = "Example of a managed ACFP rule."
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "acfp-rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesACFPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          aws_managed_rules_acfp_rule_set {
            creation_path          = "/signin"
            registration_page_path = "/register"

            request_inspection {
              email_field {
                identifier = "/email"
              }

              password_field {
                identifier = "/password"
              }

              payload_type = "JSON"

              username_field {
                identifier = "/username"
              }
            }

            # Response inspection lets the rule set learn success/failure rates
            # per client; the ACL will also see the application's status codes.
            response_inspection {
              status_code {
                failure_codes = ["403"]
                success_codes = ["200"]
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
ACL Account Takeover Protection
# CloudFront-scoped web ACL running the Account Takeover Prevention managed
# group in COUNT mode (override_action), so credential-stuffing signals are
# recorded but nothing is blocked. Must be created in us-east-1.
# The username/password identifiers are JSON pointers into the login body
# (payload_type = "JSON"); ATP uses them to detect stolen-credential and
# volumetric login patterns. Those fields are sensitive — make sure any WAF
# logging configuration for this ACL redacts them.
resource "aws_wafv2_web_acl" "atp-example" {
  name        = "managed-atp-example"
  description = "Example of a managed ATP rule."
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "atp-rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          aws_managed_rules_atp_rule_set {
            login_path = "/api/1/signin"

            request_inspection {
              password_field {
                identifier = "/password"
              }

              payload_type = "JSON"

              username_field {
                identifier = "/email"
              }
            }

            # Success/failure status codes let ATP track failed-login rates
            # per client and credential.
            response_inspection {
              status_code {
                failure_codes = ["403"]
                success_codes = ["200"]
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
ACL Rate Based
# CloudFront-scoped web ACL with a rate limit: source IPs from the US/NL that
# exceed 10000 requests in the rate-based window are blocked. Everything else
# is allowed by the default action.
# NOTE(review): aggregate_key_type = "IP" keys on the connecting IP; behind
# another proxy/CDN that would be the proxy, not the client, and
# forwarded_ip_config would be needed. The limit is per evaluation window (a
# few minutes), not per second — confirm the window against the current AWS
# docs when choosing a value.
resource "aws_wafv2_web_acl" "example" {
  name        = "rate-based-example"
  description = "Example of a Cloudfront rate based statement."
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 10000
        aggregate_key_type = "IP"

        # Only requests matching this are counted toward the limit.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
ACL Rule Group Reference
# Rule group used by the web ACL below: counts NL traffic, allows US and GB
# traffic. All three rules share the same metric_name, so even with metrics
# enabled they could not be told apart in CloudWatch — give each rule its own.
resource "aws_wafv2_rule_group" "example" {
  capacity = 10
  name     = "example-rule-group"
  scope    = "REGIONAL"

  rule {
    name     = "rule-1"
    priority = 1

    action {
      count {}
    }

    statement {
      geo_match_statement {
        country_codes = ["NL"]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "rule-to-exclude-a"
    priority = 10

    action {
      allow {}
    }

    statement {
      geo_match_statement {
        country_codes = ["US"]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "rule-to-exclude-b"
    priority = 15

    action {
      allow {}
    }

    statement {
      geo_match_statement {
        country_codes = ["GB"]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
# Web ACL referencing the rule group above with a default BLOCK.
# NOTE(review): override_action = count{} turns every action inside the
# referenced group — including the two allow rules — into COUNT, and the two
# rule_action_override blocks do the same again per rule. Net effect: no
# request is allowed by the group, so the default block applies to all
# traffic. Fine for tuning, but not a working allow-list as written.
resource "aws_wafv2_web_acl" "test" {
  name  = "rule-group-example"
  scope = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      rule_group_reference_statement {
        arn = aws_wafv2_rule_group.example.arn

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "rule-to-exclude-b"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "rule-to-exclude-a"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}
關聯 ACL
# REST API defined from an OpenAPI body: GET /path1 proxies to a public AWS
# JSON document. No authorizer is declared in the OpenAPI, so the method is
# open to anyone who can reach the stage.
resource "aws_api_gateway_rest_api" "example" {
  body = jsonencode({
    openapi = "3.0.1"
    info = {
      title   = "example"
      version = "1.0"
    }
    paths = {
      "/path1" = {
        get = {
          x-amazon-apigateway-integration = {
            httpMethod           = "GET"
            payloadFormatVersion = "1.0"
            type                 = "HTTP_PROXY"
            uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
          }
        }
      }
    }
  })

  name = "example"
}

# Redeploy whenever the API body changes (the hash is the trigger); a new
# deployment is created before the old one is destroyed so the stage never
# points at a deleted deployment.
resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id

  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.example.body))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "example" {
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id   = aws_api_gateway_rest_api.example.id
  stage_name    = "example"
}

# Web ACL with no rules and a default allow — it only demonstrates the
# association below and blocks nothing until rules are added.
resource "aws_wafv2_web_acl" "example" {
  name  = "web-acl-association-example"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

# WAF is attached per stage, not per API: each stage that should be protected
# needs its own association.
resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_api_gateway_stage.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
WAF IP set
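# Regional IPv4 set for use in ip_set_reference_statement rules.
# Placeholders use RFC 5737 documentation ranges; the original example used
# 1.2.3.4 and 5.6.7.8, which are routable addresses owned by third parties,
# and a copied block rule would have hit real hosts.
resource "aws_wafv2_ip_set" "example" {
  name               = "example"
  description        = "Example IP set"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.1/32", "198.51.100.1/32"]

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}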
Regex Pattern Set
# Regional regex pattern set; a request field matches the set if it matches
# any of the patterns. Both patterns are unanchored substrings.
resource "aws_wafv2_regex_pattern_set" "example" {
  name        = "example"
  description = "Example regex pattern set"
  scope       = "REGIONAL"

  regular_expression {
    regex_string = "one"
  }

  regular_expression {
    regex_string = "two"
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}
WAF Log
# Ship full WAF logs for the ACL to a Kinesis Data Firehose stream (the
# stream's name must start with aws-waf-logs-). The user-agent header is
# redacted in the logs; anything else in the request — including cookies and
# authorization headers — is logged as-is, so extend redacted_fields for
# whatever the application treats as a secret.
resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.example.arn]
  resource_arn            = aws_wafv2_web_acl.example.arn

  redacted_fields {
    single_header {
      name = "user-agent"
    }
  }
}
WAF with Logging Filter
# WAF logging with a filter. Filters are evaluated in order; the first one a
# request satisfies decides KEEP/DROP, and default_behavior applies when none
# match. Here: drop COUNTed requests that also carry the given label, keep
# anything ALLOWed, and keep everything else by default.
# NOTE(review): the label is an example with account id 111122223333; a
# filter on a label that no rule emits never matches, so the DROP branch
# would silently do nothing.
resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.example.arn]
  resource_arn            = aws_wafv2_web_acl.example.arn

  logging_filter {
    default_behavior = "KEEP"

    filter {
      behavior = "DROP"

      condition {
        action_condition {
          action = "COUNT"
        }
      }

      condition {
        label_name_condition {
          label_name = "awswaf:111122223333:rulegroup:testRules:LabelNameZ"
        }
      }

      # Both conditions above must hold.
      requirement = "MEETS_ALL"
    }

    filter {
      behavior = "KEEP"

      condition {
        action_condition {
          action = "ALLOW"
        }
      }

      requirement = "MEETS_ANY"
    }
  }
}
WAF with CloudWatch Log Group and managed CloudWatch Log Resource Policy
# WAF logs delivered to a CloudWatch Logs group. The group name must start
# with aws-waf-logs-, and no retention_in_days is set, so logs are kept
# forever (and billed) unless retention is configured elsewhere.
resource "aws_cloudwatch_log_group" "example" {
  name = "aws-waf-logs-some-uniq-suffix"
}

resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = [aws_cloudwatch_log_group.example.arn]
  resource_arn            = aws_wafv2_web_acl.example.arn
}

# Account-level CloudWatch Logs resource policy allowing the log-delivery
# service to write into the group. Terraform manages it explicitly here so it
# is not created out-of-band by the console.
resource "aws_cloudwatch_log_resource_policy" "example" {
  policy_document = data.aws_iam_policy_document.example.json
  policy_name     = "webacl-policy-uniq-name"
}

data "aws_iam_policy_document" "example" {
  version = "2012-10-17"

  statement {
    effect = "Allow"

    principals {
      identifiers = ["delivery.logs.amazonaws.com"]
      type        = "Service"
    }

    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.example.arn}:*"]

    # The two conditions scope the grant to deliveries originating from log
    # resources in this account and region, which prevents the confused-deputy
    # case where the delivery service is driven by another account's resource.
    condition {
      test     = "ArnLike"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
      variable = "aws:SourceArn"
    }

    condition {
      test     = "StringEquals"
      values   = [tostring(data.aws_caller_identity.current.account_id)]
      variable = "aws:SourceAccount"
    }
  }
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
Global Accelerator
Global Accelerator
# Standard accelerator with flow logs enabled.
# NOTE(review): ip_addresses pins a static anycast address, which only works
# with an address from a BYOIP pool you have brought to Global Accelerator;
# 1.2.3.4 is a placeholder that belongs to someone else. Flow logs require a
# bucket policy letting Global Accelerator write to example-bucket, which is
# not shown here.
resource "aws_globalaccelerator_accelerator" "example" {
  name            = "Example"
  ip_address_type = "IPV4"
  ip_addresses    = ["1.2.3.4"]
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}
Globalaccelerator Custom Routing Accelerator
# Custom-routing accelerator (deterministic port-to-destination mapping
# rather than load balancing). Same caveats as the standard accelerator:
# ip_addresses needs a BYOIP address you own (1.2.3.4 is a placeholder) and
# the flow-log bucket needs a policy granting Global Accelerator write access.
resource "aws_globalaccelerator_custom_routing_accelerator" "example" {
  name            = "Example"
  ip_address_type = "IPV4"
  ip_addresses    = ["1.2.3.4"]
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}
Globalaccelerator Custom Routing Endpoint Group
# Endpoint group for a custom-routing listener: instances in the subnet are
# reachable on TCP 80-8080 through the accelerator's mapped ports.
# NOTE(review): adding a subnet does not by itself allow traffic to its
# instances — each destination must also be explicitly allowed
# (AllowCustomRoutingTraffic, not shown on this page) and the instance
# security groups must permit the mapped ports.
resource "aws_globalaccelerator_custom_routing_endpoint_group" "example" {
  listener_arn = aws_globalaccelerator_custom_routing_listener.example.id

  destination_configuration {
    from_port = 80
    to_port   = 8080
    protocols = ["TCP"]
  }

  endpoint_configuration {
    endpoint_id = aws_subnet.example.id
  }
}
Globalaccelerator Custom Routing Listener
# Custom-routing accelerator without a pinned address (Global Accelerator
# assigns the static anycast IPs). The flow-log bucket needs a policy granting
# Global Accelerator write access, which is not shown here.
resource "aws_globalaccelerator_custom_routing_accelerator" "example" {
  name            = "Example"
  ip_address_type = "IPV4"
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}

# Listener on port 80 of the accelerator; the .id attribute of the
# accelerator is its ARN.
resource "aws_globalaccelerator_custom_routing_listener" "example" {
  accelerator_arn = aws_globalaccelerator_custom_routing_accelerator.example.id

  port_range {
    from_port = 80
    to_port   = 80
  }
}
Globalaccelerator Endpoint Group
# Endpoint group sending 100% of the listener's traffic to one load balancer.
# endpoint_group_region is not set, so it defaults to the provider region;
# health checks for the ALB endpoint use the ALB's own target health.
resource "aws_globalaccelerator_endpoint_group" "example" {
  listener_arn = aws_globalaccelerator_listener.example.id

  endpoint_configuration {
    endpoint_id = aws_lb.example.arn
    weight      = 100
  }
}
Global Accelerator listener
# Standard accelerator with Global-Accelerator-assigned anycast addresses and
# flow logs to S3 (the bucket policy granting Global Accelerator write access
# is not shown here).
resource "aws_globalaccelerator_accelerator" "example" {
  name            = "Example"
  ip_address_type = "IPV4"
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}

# TCP listener on port 80. client_affinity = "SOURCE_IP" keeps a given client
# IP on the same endpoint across connections (useful for stateful apps; note
# that many clients behind one NAT share the same "source").
resource "aws_globalaccelerator_listener" "example" {
  accelerator_arn = aws_globalaccelerator_accelerator.example.id
  client_affinity = "SOURCE_IP"
  protocol        = "TCP"

  port_range {
    from_port = 80
    to_port   = 80
  }
}