
Resource: awsNetworkfirewallLoggingConfiguration

Provides an AWS Network Firewall Logging Configuration resource.

Example Usage

Logging to S3

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            bucketName: "${aws_s3_bucket.example.bucket}",
            prefix: "/example",
          },
          logDestinationType: "S3",
          logType: "FLOW",
        },
      ],
    },
  }
);

Logging to CloudWatch

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            logGroup: "${aws_cloudwatch_log_group.example.name}",
          },
          logDestinationType: "CloudWatchLogs",
          logType: "ALERT",
        },
      ],
    },
  }
);

Logging to Kinesis Data Firehose

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            deliveryStream:
              "${aws_kinesis_firehose_delivery_stream.example.name}",
          },
          logDestinationType: "KinesisDataFirehose",
          logType: "ALERT",
        },
      ],
    },
  }
);

Argument Reference

The following arguments are supported:

  • firewallArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Network Firewall firewall.

  • loggingConfiguration - (Required) A configuration block describing how AWS Network Firewall performs logging for a firewall. See Logging Configuration below for details.

Logging Configuration

The loggingConfiguration block supports the following arguments:

  • logDestinationConfig - (Required) Set of configuration blocks describing the logging details for a firewall. See Log Destination Config below for details. At most, only two blocks can be specified; one for flow logs and one for alert logs.

Log Destination Config

The logDestinationConfig block supports the following arguments:

  • logDestination - (Required) A map describing the logging destination for the chosen logDestinationType.

    • For an Amazon S3 bucket, specify the key bucketName with the name of the bucket and optionally specify the key prefix with a path.
    • For a CloudWatch log group, specify the key logGroup with the name of the CloudWatch log group.
    • For a Kinesis Data Firehose delivery stream, specify the key deliveryStream with the name of the delivery stream.
  • logDestinationType - (Required) The location to send logs to. Valid values: S3, CloudWatchLogs, KinesisDataFirehose.

  • logType - (Required) The type of log to send. Valid values: ALERT or FLOW. Alert logs report traffic that matches a stateful rule with an action setting that sends a log message. Flow logs are standard network traffic flow logs.
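
The rules above (at most two blocks, one per log type, and logDestination keys that match the destination type) can be checked before synthesis, so that a firewall is not deployed with a missing or malformed log destination. This is an added example, not part of the provider documentation; the names LogDestinationConfig, DESTINATION_KEYS and validateLogDestinationConfig and the sample bucket and log group names are hypothetical.

```typescript
// Added example; the type, table and function names are hypothetical.
type LogDestinationConfig = {
  logDestination: { [key: string]: string };
  logDestinationType: string;
  logType: string;
};

// Required and optional logDestination keys per destination type, as listed above.
const DESTINATION_KEYS: { [destType: string]: { required: string; optional: string[] } } = {
  S3: { required: "bucketName", optional: ["prefix"] },
  CloudWatchLogs: { required: "logGroup", optional: [] },
  KinesisDataFirehose: { required: "deliveryStream", optional: [] },
};

// Returns a list of problems; an empty list means the blocks follow the documented rules.
function validateLogDestinationConfig(blocks: LogDestinationConfig[]): string[] {
  const errors: string[] = [];
  if (blocks.length === 0) errors.push("logDestinationConfig is required");
  if (blocks.length > 2) errors.push("at most two logDestinationConfig blocks are allowed");
  const seen: { [logType: string]: boolean } = {};
  blocks.forEach((block, i) => {
    // Values are case-sensitive: "alert" or "flow" would be rejected here.
    if (block.logType !== "ALERT" && block.logType !== "FLOW") errors.push(`block ${i}: unknown logType "${block.logType}"`);
    else if (seen[block.logType]) errors.push(`block ${i}: duplicate logType ${block.logType}`);
    seen[block.logType] = true;
    const destType = block.logDestinationType;
    // Own-property check so inherited names such as "constructor" are not accepted.
    const spec = Object.prototype.hasOwnProperty.call(DESTINATION_KEYS, destType) ? DESTINATION_KEYS[destType] : undefined;
    if (!spec) {
      errors.push(`block ${i}: unknown logDestinationType "${destType}"`);
      return;
    }
    if (!block.logDestination[spec.required]) {
      errors.push(`block ${i}: ${destType} requires key ${spec.required}`);
    }
    Object.keys(block.logDestination).forEach((key) => {
      if (key !== spec.required && spec.optional.indexOf(key) === -1) {
        errors.push(`block ${i}: key ${key} is not valid for ${destType}`);
      }
    });
  });
  return errors;
}

// Constructed sample: flow logs to S3 and alert logs to CloudWatch for one firewall.
const sampleConfig: LogDestinationConfig[] = [
  { logDestination: { bucketName: "example-bucket", prefix: "/example" }, logDestinationType: "S3", logType: "FLOW" },
  { logDestination: { logGroup: "example-log-group" }, logDestinationType: "CloudWatchLogs", logType: "ALERT" },
];
```

Calling validateLogDestinationConfig(sampleConfig) returns an empty list; the same array can then be passed as logDestinationConfig to the resource.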

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The Amazon Resource Name (ARN) of the associated firewall.

Import

Network Firewall Logging Configurations can be imported using the firewallArn, e.g.:

$ terraform import aws_networkfirewall_logging_configuration.example arn:aws:network-firewall:us-west-1:123456789012:firewall/example