Docs for WAFv2

Author: Vlaaaaaaad

docs/examples/iam-policy.json

@@ -114,6 +114,16 @@
       ],
       "Resource": "*"
     },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:GetWebACL",
+        "wafv2:GetWebACLForResource",
+        "wafv2:AssociateWebACL",
+        "wafv2:DisassociateWebACL"
+      ],
+      "Resource": "*"
+    },
     {
       "Effect": "Allow",
       "Action": [

docs/guide/ingress/annotation.md

@@ -47,6 +47,7 @@ You can add kubernetes annotations to ingress and service objects to customize t
 |[alb.ingress.kubernetes.io/target-type](#target-type)|instance \| ip|instance|ingress,service|
 |[alb.ingress.kubernetes.io/unhealthy-threshold-count](#unhealthy-threshold-count)|integer|'2'|ingress,service|
 |[alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id)|string|N/A|ingress|
+|[alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn)|string|N/A|ingress|
 
 ## Traffic Listening
 Traffic Listening can be controlled with following annotations:
@@ -497,6 +498,22 @@ Health check on target groups can be controlled with following annotations:
         ```alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe
         ```
 
+## WAFv2
+- <a name="wafv2-acl-arn">`alb.ingress.kubernetes.io/wafv2-acl-arn`</a> specifies ARN for the Amazon WAFv2 web ACL.
+
+    !!!warning ""
+        Only Regional WAF is supported.
+
+    !!!example
+        ```alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-west-2:xxxxx:regional/webacl/xxxxxxx/3ab78708-85b0-49d3-b4e1-7a9615a6613b
+        ```
+
+    !!!tip ""
+        To get the WAFv2 Web ACL ARN from the Console, click the gear icon in the upper right and enable the ARN column.
+
+    !!!warning ""
+        To detach a WAFv2 Web ACL from an ALB, set the annotation to `""`.
+
 ## Shield Advanced
 - <a name="shield-advanced-protection">`alb.ingress.kubernetes.io/shield-advanced-protection`</a> turns on / off the AWS Shield Advanced protection for the load balancer.