trussworks / terraform-aws-wafv2

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets
https://registry.terraform.io/modules/trussworks/wafv2
Apache License 2.0

Unable to block all by default #40

Closed pr1ntr closed 3 years ago

pr1ntr commented 3 years ago

It appears that

default_action {
  allow {}
}

is hardcoded. AWS doesn't allow me to create an ipset with 0.0.0.0/0. Is there a different way to accomplish this with this module?

dynamike commented 3 years ago

You can see a Terraform workaround for blocking 0.0.0.0/0 in the examples https://github.com/trussworks/terraform-aws-wafv2/blob/master/examples/alb/main.tf#L1

It uses a range and formatlist to generate /8s for all IPs. Does that help?
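The /8 workaround dynamike points to, written out as an added, self-contained Terraform example rather than the module's or the example's own code (resource names, metric names and the REGIONAL scope are assumptions): an IP set covering every IPv4 /8 is referenced by a block rule, so the hardcoded allow default is only reached by traffic no rule matched.

```hcl
# Constructed example: emulate "block by default" while the web ACL's
# default_action stays allow {}. AWS rejects 0.0.0.0/0 in an IP set, but
# the 256 IPv4 /8 prefixes together cover the same address space.
locals {
  all_ipv4_slash8 = formatlist("%d.0.0.0/8", range(256))
}

resource "aws_wafv2_ip_set" "all_ipv4" {
  name               = "all-ipv4"   # assumed name
  scope              = "REGIONAL"   # use "CLOUDFRONT" for a distribution
  ip_address_version = "IPV4"
  addresses          = local.all_ipv4_slash8
}

resource "aws_wafv2_web_acl" "example" {
  name  = "block-by-default"        # assumed name
  scope = "REGIONAL"
  default_action {
    allow {}                        # the action the module hardcodes
  }
  # Rules run in ascending priority order; any allow rule for traffic you
  # want through must use a lower number than this one or it never fires.
  rule {
    name     = "block-all-ipv4"
    priority = 100
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.all_ipv4.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-all-ipv4"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "block-by-default"
    sampled_requests_enabled   = true
  }
}
```

An IPV4 IP set never matches IPv6 clients, so on a dual-stack ALB they still fall through to the allow default unless a separate IPV6 set is blocked the same way.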

pr1ntr commented 3 years ago

Aah, that makes sense. I ended up just forking and changing allow {} to block {}. I wonder if this can be parameterized in 0.14.