Hello Team,
I am trying to set up a Terraform stack that will create a WAF ACL and send the logs to a CloudWatch Log group. I see this is supported (link below), but the aws_wafv2_web_acl_logging_configuration resource does not seem to take any ARN other than a Kinesis stream (based on the documentation for the resource). Is there a way to accomplish this using the native aws provider, or should this be a feature request?
Thanks in advance!
Tihomir
Hi, it sounds like the documentation is inaccurate - just give it a try.
opened 09:50AM - 07 Dec 21 UTC
closed 10:46PM - 12 Feb 22 UTC
enhancement
service/wafv2
## Description
The "web_acl_logging_configuration" currently only supports a Kinesis Firehose Stream as a destination for log delivery. As of December 6, 2021, AWS supports sending logs directly to S3 buckets (https://aws.amazon.com/de/about-aws/whats-new/2021/12/awf-waf-cloudwatch-log-s3-bucket/). This functionality should be implemented in the Terraform provider.
## New or Affected Resource(s)
web_acl_logging_configuration
## Potential Terraform Configuration
```hcl
resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = [aws_s3_bucket.example.arn]
  resource_arn            = aws_wafv2_web_acl.example.arn

  redacted_fields {
    single_header {
      name = "user-agent"
    }
  }
}
```
I managed to configure a cw log group for wafv2, both regional and CloudFront.
NOTE: create the log group with the prefix aws-waf-logs-
eg: "aws-waf-logs-regional", "aws-waf-logs-global"
Regional:
log_destination_configs = [module.wafv2_cloudwatch_loggroup.arn]
log_group_region: ap-southeast-1
CloudFront:
log_destination_configs = [module.wafv2_cloudwatch_loggroup_global.arn]
log_group_region = us-east-1 (use provider config)
```hcl
resource "aws_wafv2_web_acl_logging_configuration" "this" {
  count                   = var.enable_logging_configuration ? 1 : 0
  log_destination_configs = var.log_destination_configs
  resource_arn            = aws_wafv2_web_acl.wafv2_acl.arn
  depends_on              = [aws_wafv2_web_acl.wafv2_acl]
}
```
TF_version: 0.14.11
aws_provider_version: v3.72.0
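Putting the thread's points together (log group name prefixed with aws-waf-logs-, its ARN passed straight to log_destination_configs, CloudFront-scoped ACLs living in us-east-1), here is a complete regional configuration as an added example; it is not code from either poster, and the resource names, the retention period, the redacted header and the provider alias are assumptions.

```hcl
# Added example, not from the thread. Requires an AWS provider version that
# accepts CloudWatch Logs ARNs in log_destination_configs (see the linked issue).

# The destination name MUST begin with "aws-waf-logs-" or WAF rejects the
# logging configuration. The group must be in the same region as the web ACL.
resource "aws_cloudwatch_log_group" "waf_regional" {
  name              = "aws-waf-logs-regional-example" # assumed name
  retention_in_days = 90                              # assumed retention
}

resource "aws_wafv2_web_acl" "regional" {
  name  = "regional-example"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "regional-example"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "regional" {
  resource_arn            = aws_wafv2_web_acl.regional.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf_regional.arn]

  # Keep credential-bearing headers out of the stored log records.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}

# CloudFront-scoped web ACLs (scope = "CLOUDFRONT") are created in us-east-1,
# so the log group and its logging configuration must be created there too,
# here through an assumed aliased provider `aws.us_east_1`.
resource "aws_cloudwatch_log_group" "waf_global" {
  provider          = aws.us_east_1
  name              = "aws-waf-logs-global-example" # assumed name
  retention_in_days = 90
}
```

The CloudFront logging configuration mirrors the regional one, with `provider = aws.us_east_1` added and the global log group's ARN in log_destination_configs.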