
WAF

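# Web ACL attached at the CloudFront edge. Requests are allowed by default;
# the two rules below block (1) any HTTP method other than GET/POST and
# (2) requests whose `id` query argument contains the string "baduser".
resource "aws_wafv2_web_acl" "cf" {
  # CLOUDFRONT-scoped Web ACLs must be created in us-east-1.
  # NOTE(review): the aliased provider `aws.us-east-1` is not declared in this
  # snippet; it has to exist elsewhere in the configuration.
  provider = aws.us-east-1
  name     = "skills-waf"
  scope    = "CLOUDFRONT"

  # Deny-list posture: anything no rule matches is forwarded to the origin.
  default_action {
    allow {}
  }

  # Block with 405 when the method is neither GET nor POST
  # (NOT GET) AND (NOT POST).
  # NOTE(review): this also rejects HEAD and OPTIONS, so CORS preflight
  # requests and HEAD-based probes receive 405. Confirm that is intended.
  rule {
    name     = "Allow-only-HTTP-GET-and-POST"
    priority = 0

    action {
      block {
        custom_response {
          response_code = 405
        }
      }
    }

    statement {
      and_statement {
        statement {
          not_statement {
            statement {
              byte_match_statement {
                field_to_match {
                  method {}
                }
                positional_constraint = "EXACTLY"
                search_string         = "GET"
                # Single transformation, so priority 0 (was 1); kept
                # consistent with the POST statement below.
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }

        statement {
          not_statement {
            statement {
              byte_match_statement {
                field_to_match {
                  method {}
                }
                positional_constraint = "EXACTLY"
                search_string         = "POST"
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "Allow-only-HTTP-GET-and-POST"
    }
  }

  # Block with 403 when the `id` query argument contains "baduser".
  # Scope of this rule: only the `id` query argument is inspected; the same
  # string in another argument, the path, a header or the body is not matched.
  # CONTAINS is a substring match, so any longer value embedding "baduser"
  # is blocked as well.
  rule {
    name     = "BlockBadUserInQuery"
    priority = 1

    action {
      block {
        custom_response {
          response_code = 403
        }
      }
    }

    statement {
      byte_match_statement {
        field_to_match {
          single_query_argument {
            name = "id"
          }
        }
        positional_constraint = "CONTAINS"
        search_string         = "baduser"

        # Normalize the value before comparing. With type "NONE" the match is
        # byte-exact, so percent-encoded or mixed-case forms of the same value
        # would not match the lowercase search string. Transformations run in
        # priority order: decode first, then lowercase.
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
        text_transformation {
          priority = 1
          type     = "LOWERCASE"
        }
      }
    }

    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockBadUserInQuery"
    }
  }

  # ACL-level metrics and request sampling; per-rule metrics are set above.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "skills-waf"
    sampled_requests_enabled   = true
  }
}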