@antklim
Last active August 26, 2022 23:11
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ProjectName:
    Description: Project name used to identify created AWS resources
    Type: String
Resources:
  # Web ACL for a CloudFront distribution. CLOUDFRONT-scoped WAFv2 resources
  # must be created in us-east-1, so deploy this stack in that region.
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      # Requests that match no rule are allowed; the managed rule groups below do the blocking.
      DefaultAction:
        Allow: {}
      Description: !Sub Web ACL for ${ProjectName} project distribution
      Name: !Sub ${ProjectName}-web-acl
      Scope: CLOUDFRONT
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub ${ProjectName}-metric
      Rules:
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          # None: {} keeps the actions defined inside the managed rule group
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesCommonRuleSet
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules: []
        - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
          Priority: 1
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
              ExcludedRules: []
  # WAF only accepts log destinations whose names start with "aws-waf-logs-"
  Logs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub aws-waf-logs-${ProjectName}
      RetentionInDays: 7
  WafLogsConfiguration:
    Type: AWS::WAFv2::LoggingConfiguration
    # The ARN below is built with !Sub, which creates no implicit dependency
    # on the log group, so the ordering is declared explicitly.
    DependsOn: Logs
    Properties:
      ResourceArn: !GetAtt WebACL.Arn
      LogDestinationConfigs:
        - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${ProjectName}
Outputs:
  # The value is the Web ACL ARN
  WebACLId:
    Value: !GetAtt WebACL.Arn