diff --git a/Jenkinsfile b/Jenkinsfile
index fb06399..25283d2 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -57,6 +57,7 @@ def deployTo(params = [:]) {
 def internalCertificateARN = terraformOutputs.tls_certificate_arn.value
 def rootDnsZone = terraformOutputs.root_dns_zone_name.value
 def internalDnsZone = terraformOutputs.internal_dns_zone_name.value
+ def rootWAFACLARN = terraformOutputs.eks_cluster_waf_acl_arn.value
 sh("""#!/bin/bash
 set -e
@@ -70,6 +71,7 @@ def deployTo(params = [:]) {
 --set ingress.root.scheme="${rootIngressScheme}" \
 --set ingress.root.dns_zone="${rootDnsZone}" \
 --set ingress.root.certificate_arns="${rootCertificateARN}" \
+ --set ingress.root.waf_acl_arn="${rootWAFACLARN}" \
 --set ingress.internal.enabled="true" \
 --set ingress.internal.dns_zone="${internalDnsZone}" \
 --set ingress.internal.certificate_arns="${internalCertificateARN}" \
diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
index e59cf91..82fdd41 100644
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@@ -19,6 +19,7 @@ metadata:
 alb.ingress.kubernetes.io/actions.redirect-api: '{"Type": "redirect", "RedirectConfig":{"Protocol": "HTTPS", "Port": "443", "Host": "data.{{ .Values.ingress.root.dns_zone }}", "StatusCode": "HTTP_301"}}'
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
 alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+ alb.ingress.kubernetes.io/wafv2-acl-arn: {{ .Values.ingress.root.waf_acl_arn }}
 spec:
 backend:
 serviceName: {{ .Values.service.name }}
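Review bot: Nothing checks that `rootWAFACLARN` holds a value before the second Jenkinsfile hunk hands it to helm as `ingress.root.waf_acl_arn`. A missing `eks_cluster_waf_acl_arn` key would presumably abort at `.value`, but an output that exists and is empty (for example an environment where the ACL was not created) would still deploy, leaving the root ingress with a blank WAF annotation and a green pipeline. Since this value is what puts the public load balancer behind the WAF, fail the stage before the `sh` step: `if (!rootWAFACLARN?.trim()) { error('terraform output eks_cluster_waf_acl_arn is empty') }`. The body of deployTo starts and ends outside the hunk.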
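Review bot: The new `wafv2-acl-arn` annotation is rendered unquoted and without a presence check, unlike the quoted annotations directly above it. If the chart is installed without `ingress.root.waf_acl_arn` set, the line renders as a key with no value, and whether that is rejected or quietly leaves the ALB without a web ACL depends on the controller. Make the template fail closed and keep the value a string: `alb.ingress.kubernetes.io/wafv2-acl-arn: {{ required "ingress.root.waf_acl_arn must be set" .Values.ingress.root.waf_acl_arn | quote }}`. It is also worth confirming that the deployed ALB ingress controller version recognises this annotation, since an unrecognised annotation is ignored without error, and checking the web ACL association on the load balancer after rollout.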