This module creates a WAF IP blocklist that is updated automatically on a user-defined schedule.
Each update is driven by the service's WAF logs: an IP address is added to the blocklist when it exceeds the block threshold within a 24-hour period. The update itself is performed by a Lambda function that queries the WAF logs through Athena (see the resources below).
The block is temporary: an IP address is removed from the blocklist once at least 24 hours have passed since it exceeded the block threshold.
The module declares no requirements. It uses the following providers:
Name | Version |
---|---|
archive | n/a |
aws | n/a |
It calls no child modules. It creates the following resources and data sources:
Name | Type |
---|---|
aws_cloudwatch_event_rule.ipv4_blocklist | resource |
aws_cloudwatch_event_target.ipv4_blocklist | resource |
aws_cloudwatch_log_group.ipv4_blocklist | resource |
aws_iam_policy.ipv4_blocklist | resource |
aws_iam_role.ipv4_blocklist | resource |
aws_iam_role_policy_attachment.ipv4_blocklist | resource |
aws_lambda_function.ipv4_blocklist | resource |
aws_lambda_permission.ipv4_blocklist | resource |
aws_wafv2_ip_set.ipv4_blocklist | resource |
archive_file.ipv4_blocklist | data source |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role_policy | data source |
aws_iam_policy_document.athena | data source |
aws_iam_policy_document.cloudwatch | data source |
aws_iam_policy_document.combined | data source |
aws_iam_policy_document.s3_read | data source |
aws_iam_policy_document.s3_write | data source |
aws_iam_policy_document.waf_ip_set | data source |
aws_region.current | data source |
The module accepts the following inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
athena_database_name | (Optional, default 'access_logs') The name of the Athena database where the WAF logs table exists. | string | "access_logs" | no |
athena_query_results_bucket | (Required) The name of the S3 bucket where the Athena query results are stored. | string | n/a | yes |
athena_query_source_bucket | (Required) The name of the S3 bucket where the source data for the Athena query lives. | string | n/a | yes |
athena_waf_table_name | (Optional, default 'waf_logs') The name of the WAF logs table in the Athena database. | string | "waf_logs" | no |
athena_workgroup_name | (Optional, default 'primary') The name of the Athena workgroup. | string | "primary" | no |
billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag. | string | "CostCentre" | no |
billing_tag_value | (Required) The value of the billing tag. | string | n/a | yes |
service_name | (Required) The name of the service. | string | n/a | yes |
waf_block_threshold | (Optional, default 20) The number of blocked requests in a 24-hour period at which an IP address is added to the blocklist. | number | 20 | no |
waf_ip_blocklist_update_schedule | (Optional, default 'rate(2 hours)') The schedule expression for updating the WAF IP blocklist. | string | "rate(2 hours)" | no |
waf_rule_ids_skip | (Optional, default []) A list of WAF rule IDs to ignore when adding an IP address to the blocklist. | list(string) | [] | no |
waf_scope | (Optional, default 'REGIONAL') The scope of the WAF IP blocklist. | string | "REGIONAL" | no |
It exposes the following outputs:
Name | Description |
---|---|
ipv4_blocklist_arn | The ARN of the IP blocklist |
ipv4_lambda_cloudwatch_log_group_arn | The ARN of the CloudWatch Log Group for the IPv4 blocklist Lambda |
ipv4_lambda_cloudwatch_log_group_name | The name of the CloudWatch Log Group for the IPv4 blocklist Lambda |
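The following is an added usage example, not part of the module's own documentation: it calls the module with its required inputs plus a few optional ones, then attaches the resulting IP set to a web ACL rule so that blocklisted addresses are actually rejected. The module source path, bucket names, service name, metric names and the skipped rule ID are placeholders.

```hcl
module "waf_ip_blocklist" {
  source = "./modules/waf_ip_blocklist" # placeholder path to this module

  service_name                = "my-service"                 # placeholder
  billing_tag_value           = "my-cost-centre"             # placeholder
  athena_query_source_bucket  = "my-service-waf-logs"        # placeholder: bucket holding WAF logs
  athena_query_results_bucket = "my-service-athena-results"  # placeholder

  # Optional tuning: block sooner, refresh hourly, and do not count blocks
  # produced by one specific rule toward the threshold.
  waf_block_threshold              = 10
  waf_ip_blocklist_update_schedule = "rate(1 hour)"
  waf_rule_ids_skip                = ["placeholder-rule-id"]
  waf_scope                        = "REGIONAL"
}

resource "aws_wafv2_web_acl" "service" {
  name  = "my-service-web-acl" # placeholder
  scope = "REGIONAL"           # must match waf_scope above

  default_action {
    allow {}
  }

  rule {
    name     = "ipv4-blocklist"
    priority = 0 # evaluated first, so blocklisted IPs are rejected before other rules run
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = module.waf_ip_blocklist.ipv4_blocklist_arn # module output
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ipv4-blocklist" # placeholder
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "my-service-web-acl" # placeholder
    sampled_requests_enabled   = true
  }
}
```

The `ipv4_lambda_cloudwatch_log_group_name` output can be used in the same way to point a metric filter or alarm at the Lambda's logs, so that a failing update run is noticed rather than silently leaving the blocklist stale.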