Create WAFv2 logging configuration to Cloudwatch

tmetodie · January 4, 2022, 8:29am

Hello Team,

I am trying to setup a Terraform stack that will create WAF ACL and send the logs to Cloudwatch Log group. I see this is supported (link below) but the aws_wafv2_web_acl_logging_configuration resource does not seem to take any other ARN other than a Kinesis stream (based on the documentation for the resource). Is there a way to accomplish this using a native aws provider or this should be a feature request?

Thanks in advance!
Tihomir

tbugfinder · January 4, 2022, 6:08pm

Hi, I sounds like the documentation is inaccurate - just give it a try.

github.com/hashicorp/terraform-provider-aws

Support log delivery to S3 for wafv2 web_acl_logging_configuration

opened 09:50AM - 07 Dec 21 UTC

closed 10:46PM - 12 Feb 22 UTC

acidix

enhancement service/wafv2

## Community Note Please vote on this issue by adding a 👍 reaction to the origi…nal issue to help the community and maintainers prioritize this request Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request If you are interested in working on this issue or have submitted a pull request, please leave a comment ## Description The "web_acl_logging_configuration" currently only supports a Kinesis Firehose Stream as a destination for log delivery. As of December 6, 2021 AWS is supporting to send logs to S3 buckets directly (https://aws.amazon.com/de/about-aws/whats-new/2021/12/awf-waf-cloudwatch-log-s3-bucket/). This functionality should be implemented in the terraform provider. ## New or Affected Resource(s) web_acl_logging_configuration ## Potential Terraform Configuration ```hcl resource "aws_wafv2_web_acl_logging_configuration" "example" { log_destination_configs = [aws_s3_bucket.example.arn] resource_arn = aws_wafv2_web_acl.example.arn redacted_fields { single_header { name = "user-agent" } } } ```

raghavanrrs · January 20, 2022, 10:32am

I managed to configure cw log group for wafv2 both regional and cloudfront.

NOTE: create logs group with prefix: aws-waf-logs-
eg: “aws-waf-logs-regional”, “aws-waf-logs-global”

Regional:
log_destination_configs = [module.wafv2_cloudwatch_loggroup.arn]
log_group_region: ap-southeast-1

Cloudfront:
log_destination_configs = [module.wafv2_cloudwatch_loggroup_global.arn]
log_group_region = us-east-1 (use provider config)

resource “aws_wafv2_web_acl_logging_configuration” “this” {

count = var.enable_logging_configuration ? 1 : 0

log_destination_configs = var.log_destination_configs

resource_arn = aws_wafv2_web_acl.wafv2_acl.arn

depends_on = [aws_wafv2_web_acl.wafv2_acl]

}

TF_version: 0.14.11
aws_provider_version: v3.72.0