WAF

resource "aws_wafv2_web_acl" "wsi_waf" { name = "wsi-waf" scope = "REGIONAL" default_action { allow {} } custom_response_body { key = "Blocked" content = "Blocked by WAF" content_type = "TEXT_PLAIN" } rule { name = "token-block" priority = 0 statement { and_statement { statement { byte_match_statement { search_string = "/v1/token/verify" field_to_match { uri_path {} } text_transformation { priority = 0 type = "NONE" } positional_constraint = "EXACTLY" } } statement { or_statement { statement { byte_match_statement { search_string = "eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0" field_to_match { single_header { name = "authorization" } } text_transformation { priority = 0 type = "NONE" } positional_constraint = "CONTAINS" } } statement { byte_match_statement { search_string = "eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0" field_to_match { single_header { name = "authorization" } } text_transformation { priority = 0 type = "NONE" } positional_constraint = "CONTAINS" } } } } } } action { block { custom_response { response_code = 401 custom_response_body_key = "Blocked" } } } visibility_config { sampled_requests_enabled = true cloudwatch_metrics_enabled = true metric_name = "wsi-waf-cw" } } visibility_config { sampled_requests_enabled = true cloudwatch_metrics_enabled = true metric_name = "wsi-waf" } } resource "aws_wafv2_web_acl_association" "example" { resource_arn = aws_lb.lb.arn web_acl_arn = aws_wafv2_web_acl.wsi_waf.arn }