Create WAFv2 logging configuration to Cloudwatch

Hello Team,

I am trying to setup a Terraform stack that will create WAF ACL and send the logs to Cloudwatch Log group. I see this is supported (link below) but the aws_wafv2_web_acl_logging_configuration resource does not seem to take any other ARN other than a Kinesis stream (based on the documentation for the resource). Is there a way to accomplish this using a native aws provider or this should be a feature request?

Thanks in advance!

Hi, I sounds like the documentation is inaccurate - just give it a try.

I managed to configure cw log group for wafv2 both regional and cloudfront.

NOTE: create logs group with prefix: aws-waf-logs-
eg: “aws-waf-logs-regional”, “aws-waf-logs-global”

log_destination_configs = [module.wafv2_cloudwatch_loggroup.arn]
log_group_region: ap-southeast-1

log_destination_configs = [module.wafv2_cloudwatch_loggroup_global.arn]
log_group_region = us-east-1 (use provider config)

resource “aws_wafv2_web_acl_logging_configuration” “this” {

count = var.enable_logging_configuration ? 1 : 0

log_destination_configs = var.log_destination_configs

resource_arn = aws_wafv2_web_acl.wafv2_acl.arn

depends_on = [aws_wafv2_web_acl.wafv2_acl]


TF_version: 0.14.11
aws_provider_version: v3.72.0