WAF Associations

Input map: wafv2_web_acl_association

Attach WAF Web ACLs to Application Load Balancers to protect web applications.

Key Fields

Field	Type	Required	Description
`web_acl`	string	Yes	Key reference to `wafv2_web_acl`
`lb`	string	Yes	Key reference to `lbs` (load balancers)

Basic Example

# Associate WAF with ALB
wafv2_web_acl_association = {
  default-waf = {
    web_acl = "EpicManagedRulesWebACL"
    lb      = "default"
  }
}

Supported Load Balancer Types

Application Load Balancer (ALB) – Full support
Network Load Balancer (NLB) – Not supported by AWS WAF
CloudFront distributions – Not currently supported (requires different association method)

How It Works

WAF Web ACL is created with rules
Association attaches the Web ACL to the load balancer's ARN
All incoming requests to the ALB are evaluated by the WAF
Blocked requests receive a 403 response (or custom response if configured)
Allowed/counted requests proceed to the load balancer targets

Inspection Flow

Internet Request
    ↓
WAF Web ACL (via Association)
    ↓ (if allowed/counted)
Application Load Balancer
    ↓
Target Group
    ↓
ECS/EC2 Targets

Key References

The association module uses key-based references to resolve ARNs:

# Module internally resolves:
resource "aws_wafv2_web_acl_association" "association" {
  resource_arn = var.mod_lb["api-alb"].arn
  web_acl_arn  = var.mod_wafv2_web_acl["api-waf"].arn
}