
Web Application Firewall (WAF) Module

Deploying a Web Application Firewall in the Modernisation Platform

You can use the modernisation-platform-terraform-waf module to create an AWS WAF (Web Application Firewall) configuration in your account.

The module supports:

  • Custom rules such as IP blocking from an SSM parameter.
  • AWS-managed rule groups, with the ability to run in block or count mode.
  • Optional DDoS protection aligned with the Firewall Manager configuration.

You can associate the WAF with one or more AWS resources (e.g., Application Load Balancer or CloudFront distributions) by supplying their ARNs.


Example usage

module "waf" {
  source                       = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-waf?ref=v2.0.0"
  enable_pagerduty_integration = true
  enable_ddos_protection       = true
  ddos_rate_limit              = 5000
  block_non_uk_traffic         = false
  associated_resource_arns     = [aws_lb.waf_lb.arn]

  managed_rule_actions = {
    AWSManagedRulesKnownBadInputsRuleSet = false
    AWSManagedRulesCommonRuleSet         = false
    AWSManagedRulesSQLiRuleSet           = false
    AWSManagedRulesLinuxRuleSet          = false
    AWSManagedRulesAnonymousIpList       = false
    AWSManagedRulesBotControlRuleSet     = false
  }

  core_logging_account_id = local.environment_management.account_ids["core-logging-production"]

  application_name = local.application_name
  tags             = local.tags

  additional_managed_rules = [
    {
      name            = "AWSManagedRulesPHPRuleSet"
      vendor_name     = "AWS"
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesUnixRuleSet"
      vendor_name     = "AWS"
      override_action = "count"
    }
  ]
}

Known issues and limitations

1. FM-managed rule conflicts for MOJ teams

For MOJ teams, a Firewall Manager (FM)-managed rule created in the aws-root-account repository (and sometimes via the environments repository) cannot be removed by this module.

Impact:
This can cause terraform apply failures when associating resources to the WAF.

Workaround:
Run the apply, then manually associate the resources to the WAF afterwards.


Prerequisites

To use this module you must:

  • Have Terraform ≥ 1.0 and AWS provider ~> 6.0 configured.
  • Ensure your target AWS resources (e.g., ALBs, CloudFront distributions) are available for WAF association.
  • For IP blocking, have an SSM SecureString parameter containing the JSON-encoded IP list. The module creates this parameter, but you will need to populate it yourself.
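Because the module only creates the SSM parameter, populating it is a manual step, and a malformed or overly broad entry in that list is the kind of mistake that either silently fails to block or blocks far more than intended. The following script is an added example, not part of the modernisation-platform-terraform-waf module: it validates a JSON array of CIDR strings (the exact schema the module reads from the parameter is an assumption here), rejects entries with host bits set or prefixes broader than a local threshold, merges overlapping ranges, and only then writes the result as a SecureString. The parameter name "/example/waf/blocked-ips" is a placeholder, and the boto3 client is only created when one is not supplied, so the validation half runs offline.

```python
"""Validate a JSON-encoded IP block list and write it to a WAF SSM SecureString parameter.

Added example, not code from the modernisation-platform-terraform-waf module.
Assumptions: the parameter holds a JSON array of IPv4/IPv6 CIDR strings, and the
caller supplies the parameter name (the module-created name is not shown on this page).
"""
import ipaddress
import json
from typing import List

# Prefixes broader than these are almost certainly a typo in a block list
# (a /8 would black-hole ~16 million addresses). The thresholds are a local choice.
MIN_PREFIX_V4 = 16
MIN_PREFIX_V6 = 48

# Constructed sample input for demonstration; not real blocked ranges.
SAMPLE_BLOCK_LIST = json.dumps([
    "203.0.113.0/24",
    "203.0.113.7/32",      # inside the /24 above, so it collapses away
    "198.51.100.10",       # bare host address, treated as a /32
    "2001:db8:abcd::/48",
])


def validate_ip_list(raw_json: str) -> List[str]:
    """Parse and sanity-check a JSON array of CIDR strings.

    Returns a deduplicated, collapsed, canonical list (IPv4 first, then IPv6).
    Raises ValueError on bad JSON, a non-array top level, a non-string entry,
    a CIDR with host bits set, or a prefix broader than the thresholds above.
    """
    try:
        entries = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"parameter value is not valid JSON: {exc}") from exc
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of CIDR strings")

    networks = []
    for entry in entries:
        if not isinstance(entry, str):
            raise ValueError(f"entry {entry!r} is not a string")
        try:
            # strict=True rejects host bits outside the mask, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {entry!r}: {exc}") from exc
        floor = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < floor:
            raise ValueError(f"{net} is broader than /{floor}; refusing to block it")
        networks.append(net)

    # collapse_addresses merges overlapping/adjacent ranges and drops duplicates;
    # it requires a single address family per call, so split v4 and v6 first.
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


def put_blocked_ips(parameter_name: str, raw_json: str, ssm_client=None) -> List[str]:
    """Validate the list, then store it as a SecureString.

    Overwrite=True because the module pre-creates the parameter and this call
    only populates it. `ssm_client` is injectable so the function can be tested
    without AWS credentials; boto3 is imported lazily for the same reason.
    """
    cidrs = validate_ip_list(raw_json)
    if ssm_client is None:
        import boto3  # assumption: boto3 is installed where this is run for real
        ssm_client = boto3.client("ssm")
    ssm_client.put_parameter(
        Name=parameter_name,
        Value=json.dumps(cidrs),
        Type="SecureString",
        Overwrite=True,
    )
    return cidrs


if __name__ == "__main__":
    # Offline run: validation only. Replace the placeholder name and drop the
    # ssm_client check to write the result to your account.
    print(validate_ip_list(SAMPLE_BLOCK_LIST))
```

Running the script offline prints the collapsed list; with real credentials, `put_blocked_ips("/example/waf/blocked-ips", SAMPLE_BLOCK_LIST)` writes it. Keeping the validator separate from the write means the same check can run in CI against the list file before anyone has permission to touch the parameter.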


Support

To raise an issue with this module, please create a ticket in the Modernisation Platform repository.

Last reviewed: 20 February 2026
Review status: Up to date
Owner: #modernisation-platform
