Resource: awsNetworkfirewallLoggingConfiguration
Provides an AWS Network Firewall Logging Configuration Resource
Example Usage
Logging to S3
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            bucketName: "${aws_s3_bucket.example.bucket}",
            prefix: "/example",
          },
          logDestinationType: "S3",
          logType: "FLOW",
        },
      ],
    },
  }
);
Logging to CloudWatch
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            logGroup: "${aws_cloudwatch_log_group.example.name}",
          },
          logDestinationType: "CloudWatchLogs",
          logType: "ALERT",
        },
      ],
    },
  }
);
Logging to Kinesis Data Firehose
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallLoggingConfiguration.NetworkfirewallLoggingConfiguration(
  this,
  "example",
  {
    firewallArn: "${aws_networkfirewall_firewall.example.arn}",
    loggingConfiguration: {
      logDestinationConfig: [
        {
          logDestination: {
            deliveryStream:
              "${aws_kinesis_firehose_delivery_stream.example.name}",
          },
          logDestinationType: "KinesisDataFirehose",
          logType: "ALERT",
        },
      ],
    },
  }
);
Argument Reference
The following arguments are supported:
- firewallArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Network Firewall firewall.
- loggingConfiguration - (Required) A configuration block describing how AWS Network Firewall performs logging for a firewall. See Logging Configuration below for details.
Logging Configuration
The loggingConfiguration block supports the following arguments:
- logDestinationConfig - (Required) Set of configuration blocks describing the logging details for a firewall. See Log Destination Config below for details. At most two blocks can be specified: one for flow logs and one for alert logs.
Log Destination Config
The logDestinationConfig block supports the following arguments:
- logDestination - (Required) A map describing the logging destination for the chosen logDestinationType.
  - For an Amazon S3 bucket, specify the key bucketName with the name of the bucket and optionally specify the key prefix with a path.
  - For a CloudWatch log group, specify the key logGroup with the name of the CloudWatch log group.
  - For a Kinesis Data Firehose delivery stream, specify the key deliveryStream with the name of the delivery stream.
- logDestinationType - (Required) The location to send logs to. Valid values: S3, CloudWatchLogs, KinesisDataFirehose (as used in the examples above).
- logType - (Required) The type of log to send. Valid values: ALERT or FLOW. Alert logs report traffic that matches a statefulRule with an action setting that sends a log message. Flow logs are standard network traffic flow logs.
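Putting the Logging Configuration and Log Destination Config sections together, here is an added example (not part of the provider documentation) that assembles a loggingConfiguration value with one ALERT block and one FLOW block and checks the documented limits before synthesis. The interface types, REQUIRED_DESTINATION_KEY, validateLoggingConfiguration and buildFullLogging are hand-written assumptions that mirror the shape of the generated bindings; they are not the bindings themselves.

```typescript
type LogType = "ALERT" | "FLOW";
type LogDestinationType = "S3" | "CloudWatchLogs" | "KinesisDataFirehose";

// Hand-written mirror of the documented logDestinationConfig block shape.
interface LogDestinationConfig {
  logDestination: Record<string, string>;
  logDestinationType: LogDestinationType;
  logType: LogType;
}

interface LoggingConfiguration {
  logDestinationConfig: LogDestinationConfig[];
}

// Map key that logDestination must carry for each destination type.
const REQUIRED_DESTINATION_KEY: Record<LogDestinationType, string> = {
  S3: "bucketName",
  CloudWatchLogs: "logGroup",
  KinesisDataFirehose: "deliveryStream",
};

// Checks the documented constraints before the stack is synthesized:
// one or two blocks, no log type repeated, and the right destination key set.
function validateLoggingConfiguration(cfg: LoggingConfiguration): string[] {
  const problems: string[] = [];
  const blocks = cfg.logDestinationConfig;
  if (blocks.length === 0) problems.push("at least one logDestinationConfig block is required");
  if (blocks.length > 2) problems.push("at most two logDestinationConfig blocks are allowed");
  const seen = new Set<LogType>();
  for (const block of blocks) {
    if (seen.has(block.logType)) problems.push(`duplicate logType ${block.logType}`);
    seen.add(block.logType);
    const key = REQUIRED_DESTINATION_KEY[block.logDestinationType];
    if (!block.logDestination[key]) {
      problems.push(`${block.logDestinationType} destination needs key ${key}`);
    }
  }
  return problems;
}

// Builds the loggingConfiguration value: ALERT logs to CloudWatch Logs for
// near-real-time detection, FLOW logs to S3 for cheaper long-term retention.
// Arguments are constructed placeholders; in a stack they would be token references.
function buildFullLogging(logGroup: string, bucketName: string, prefix: string): LoggingConfiguration {
  return {
    logDestinationConfig: [
      { logDestination: { logGroup }, logDestinationType: "CloudWatchLogs", logType: "ALERT" },
      { logDestination: { bucketName, prefix }, logDestinationType: "S3", logType: "FLOW" },
    ],
  };
}
```

The returned object is what the loggingConfiguration argument of NetworkfirewallLoggingConfiguration takes; running the validator first surfaces a repeated log type or a missing bucket name at synth time rather than at apply time.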
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- id - The Amazon Resource Name (ARN) of the associated firewall.
Import
Network Firewall Logging Configurations can be imported using the firewallArn, e.g.