Resource: awsWafv2WebAclLoggingConfiguration
Creates a WAFv2 Web ACL Logging Configuration resource.
-> Note: To start logging from a WAFv2 Web ACL, an Amazon Kinesis Data Firehose (e.g., an awsKinesisFirehoseDeliveryStream resource) must also be created with a PUT source (not a stream) and in the region that you are operating in. If you are capturing logs for Amazon CloudFront, always create the firehose in US East (N. Virginia). Be sure to give the data firehose, CloudWatch log group, and/or S3 bucket a name that starts with the prefix awsWafLogs.
Example Usage
With Redacted Fields
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.wafv2WebAclLoggingConfiguration.Wafv2WebAclLoggingConfiguration(
  this,
  "example",
  {
    logDestinationConfigs: [
      "${aws_kinesis_firehose_delivery_stream.example.arn}",
    ],
    redactedFields: [
      {
        singleHeader: {
          name: "user-agent",
        },
      },
    ],
    resourceArn: "${aws_wafv2_web_acl.example.arn}",
  }
);
```
With Logging Filter
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.wafv2WebAclLoggingConfiguration.Wafv2WebAclLoggingConfiguration(
  this,
  "example",
  {
    logDestinationConfigs: [
      "${aws_kinesis_firehose_delivery_stream.example.arn}",
    ],
    loggingFilter: {
      defaultBehavior: "KEEP",
      filter: [
        {
          behavior: "DROP",
          condition: [
            {
              actionCondition: {
                action: "COUNT",
              },
            },
            {
              labelNameCondition: {
                labelName: "awswaf:111122223333:rulegroup:testRules:LabelNameZ",
              },
            },
          ],
          requirement: "MEETS_ALL",
        },
        {
          behavior: "KEEP",
          condition: [
            {
              actionCondition: {
                action: "ALLOW",
              },
            },
          ],
          requirement: "MEETS_ANY",
        },
      ],
    },
    resourceArn: "${aws_wafv2_web_acl.example.arn}",
  }
);
```
Argument Reference
The following arguments are supported:
- `logDestinationConfigs` - (Required) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL.
- `loggingFilter` - (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. See Logging Filter below for more details.
- `redactedFields` - (Optional) The parts of the request that you want to keep out of the logs. Up to 100 `redactedFields` blocks are supported. See Redacted Fields below for more details.
- `resourceArn` - (Required) The Amazon Resource Name (ARN) of the web ACL that you want to associate with `logDestinationConfigs`.
Logging Filter
The `loggingFilter` block supports the following arguments:
- `defaultBehavior` - (Required) Default handling for logs that don't match any of the specified filtering conditions. Valid values: `keep` or `drop`.
- `filter` - (Required) Filter(s) that you want to apply to the logs. See Filter below for more details.
Filter
The `filter` block supports the following arguments:
- `behavior` - (Required) How to handle logs that satisfy the filter's conditions and requirement. Valid values: `keep` or `drop`.
- `condition` - (Required) Match condition(s) for the filter. See Condition below for more details.
- `requirement` - (Required) Logic to apply to the filtering conditions. You can specify that, in order to satisfy the filter, a log must match all conditions or must match at least one condition. Valid values: `MEETS_ALL` or `MEETS_ANY`.
Condition
The `condition` block supports the following arguments:
~> Note: Either `actionCondition` or `labelNameCondition` must be specified.
- `actionCondition` - (Optional) A single action condition. See Action Condition below for more details.
- `labelNameCondition` - (Optional) A single label name condition. See Label Name Condition below for more details.
Action Condition
The `actionCondition` block supports the following argument:
- `action` - (Required) The action setting that a log record must contain in order to meet the condition. Valid values: `allow`, `block`, `count`.
Label Name Condition
The `labelNameCondition` block supports the following argument:
- `labelName` - (Required) The label name that a log record must contain in order to meet the condition. This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and a label name. The prefix identifies the rule group or web ACL context of the rule that added the label.
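The decision the `loggingFilter`, `filter` and `condition` blocks above describe, worked through as an added TypeScript example that is not part of the provider documentation or of CDKTF. It models a simplified WAF log record (only the terminating `action` and the applied `labels`), applies the filter from the "With Logging Filter" example to constructed records, and shows which records would reach the destination. The ordering rule that the first matching filter decides the outcome is an assumption of this model; the record shape and the sample records are constructed.

```typescript
// Added example, not code from the Terraform AWS provider docs: a local model
// of the loggingFilter decision (defaultBehavior, filter behavior, condition,
// requirement) applied to constructed WAF log records. The record shape is a
// simplification of the WAF log format (only `action` and `labels`), and the
// rule that the first matching filter decides the outcome is an assumption.

type Behavior = "KEEP" | "DROP";
type Requirement = "MEETS_ALL" | "MEETS_ANY";

interface FilterCondition {
  actionCondition?: { action: string };
  labelNameCondition?: { labelName: string };
}

interface LogFilter {
  behavior: Behavior;
  condition: FilterCondition[];
  requirement: Requirement;
}

interface LoggingFilter {
  defaultBehavior: Behavior;
  filter: LogFilter[];
}

// Constructed, simplified WAF log record: terminating action plus applied labels.
interface WafLogRecord {
  action: string;
  labels: { name: string }[];
}

// Each condition block holds exactly one of actionCondition / labelNameCondition.
function conditionMatches(c: FilterCondition, rec: WafLogRecord): boolean {
  if (c.actionCondition !== undefined) {
    return rec.action.toUpperCase() === c.actionCondition.action.toUpperCase();
  }
  if (c.labelNameCondition !== undefined) {
    const wanted = c.labelNameCondition.labelName; // must be fully qualified
    return rec.labels.some((l) => l.name === wanted);
  }
  throw new Error("condition must specify actionCondition or labelNameCondition");
}

// requirement decides whether all conditions or at least one must hold.
function filterMatches(f: LogFilter, rec: WafLogRecord): boolean {
  const hits = f.condition.map((c) => conditionMatches(c, rec));
  return f.requirement === "MEETS_ALL" ? hits.every((h) => h) : hits.some((h) => h);
}

// Assumption: filters are checked in order and the first match wins;
// records matching no filter get defaultBehavior.
function decide(lf: LoggingFilter, rec: WafLogRecord): Behavior {
  for (const f of lf.filter) {
    if (filterMatches(f, rec)) return f.behavior;
  }
  return lf.defaultBehavior;
}

// The filter from the "With Logging Filter" example on this page.
const pageFilter: LoggingFilter = {
  defaultBehavior: "KEEP",
  filter: [
    {
      behavior: "DROP",
      condition: [
        { actionCondition: { action: "COUNT" } },
        { labelNameCondition: { labelName: "awswaf:111122223333:rulegroup:testRules:LabelNameZ" } },
      ],
      requirement: "MEETS_ALL",
    },
    {
      behavior: "KEEP",
      condition: [{ actionCondition: { action: "ALLOW" } }],
      requirement: "MEETS_ANY",
    },
  ],
};

// Constructed sample records (not real WAF log output).
const sampleRecords: WafLogRecord[] = [
  { action: "COUNT", labels: [{ name: "awswaf:111122223333:rulegroup:testRules:LabelNameZ" }] },
  { action: "COUNT", labels: [] },
  { action: "ALLOW", labels: [] },
  { action: "BLOCK", labels: [{ name: "awswaf:111122223333:rulegroup:testRules:LabelNameZ" }] },
];

// Apply the filter to every sample and report which records would survive.
function decideAll(lf: LoggingFilter, recs: WafLogRecord[]): Behavior[] {
  return recs.map((r) => decide(lf, r));
}

console.log(decideAll(pageFilter, sampleRecords)); // DROP, KEEP, KEEP, KEEP
```

The second record is the instructive one: it carries the COUNT action but not the label, so the `MEETS_ALL` filter does not fire and the record falls through to `defaultBehavior`. Running a model like this over representative records before changing `defaultBehavior` to `drop` is a cheap way to confirm that the events a detection pipeline depends on are still delivered.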
Redacted Fields
The `redactedFields` block supports the following arguments:
~> NOTE: Only one of `method`, `queryString`, `singleHeader` or `uriPath` can be specified.
- `allQueryArguments` - (Optional, DEPRECATED) Redact all query arguments.
- `body` - (Optional, DEPRECATED) Redact the request body, which immediately follows the request headers.
- `method` - (Optional) Redact the HTTP method. Must be specified as an empty configuration block `{}`. The method indicates the type of operation that the request is asking the origin to perform.
- `queryString` - (Optional) Redact the query string. Must be specified as an empty configuration block `{}`. This is the part of a URL that appears after a `?` character, if any.
- `singleHeader` - (Optional) Redact a single header. See Single Header below for details.
- `singleQueryArgument` - (Optional, DEPRECATED) Redact a single query argument. See Single Query Argument below for details.
- `uriPath` - (Optional) Redact the request URI path. Must be specified as an empty configuration block `{}`. This is the part of a web request that identifies a resource, for example, `/images/dailyAdJpg`.
Single Header
Redact a single header. Provide the name of the header to redact, for example, `userAgent` or `referer` (provided as lowercase strings).
The `singleHeader` block supports the following arguments:
- `name` - (Optional) The name of the query header to redact. This setting must be provided as lower case characters.
Single Query Argument (DEPRECATED)
Redact a single query argument. Provide the name of the query argument to redact, such as `userName` or `salesRegion` (provided as lowercase strings).
The `singleQueryArgument` block supports the following arguments:
- `name` - (Optional) The name of the query header to redact. This setting must be provided as lower case characters.
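What the `redactedFields`, Single Header and related blocks above do to a logged request, as an added TypeScript example that is not part of the provider documentation or of CDKTF. It validates the constraints the reference states (exactly one of `method`, `queryString`, `singleHeader` or `uriPath` per block, lowercase header names, at most 100 blocks) and then applies the redaction from the "With Redacted Fields" example, extended with query-string redaction, to a constructed request. The logged-request shape, the sample request and the `REDACTED` placeholder value are assumptions of this model, not documented output.

```typescript
// Added example, not code from the Terraform AWS provider docs: a local model
// of what redactedFields do to a logged request, plus a validator for the
// rules the reference states (one of method/queryString/singleHeader/uriPath
// per block, lowercase header names, at most 100 blocks). The logged-request
// shape and the "REDACTED" placeholder value are assumptions.

type EmptyBlock = Record<string, never>;

interface RedactedField {
  method?: EmptyBlock;
  queryString?: EmptyBlock;
  uriPath?: EmptyBlock;
  singleHeader?: { name: string };
}

// Simplified shape of the request part of a WAF log record (constructed).
interface LoggedRequest {
  httpMethod: string;
  uri: string;
  args: string;
  headers: { name: string; value: string }[];
}

const REDACTED = "REDACTED";
const FIELD_KEYS = ["method", "queryString", "uriPath", "singleHeader"] as const;

// Returns a list of problems; an empty list means the configuration is valid.
function validateRedactedFields(fields: RedactedField[]): string[] {
  const errors: string[] = [];
  if (fields.length > 100) {
    errors.push(`at most 100 redactedFields blocks are supported, got ${fields.length}`);
  }
  fields.forEach((f, i) => {
    const present = FIELD_KEYS.filter((k) => f[k] !== undefined);
    if (present.length !== 1) {
      errors.push(`block ${i}: exactly one field must be specified, got ${present.length}`);
    }
    if (f.singleHeader !== undefined && f.singleHeader.name !== f.singleHeader.name.toLowerCase()) {
      errors.push(`block ${i}: singleHeader name must be lowercase`);
    }
  });
  return errors;
}

// Produce the request as it would appear in the log after redaction (input is not mutated).
function redact(req: LoggedRequest, fields: RedactedField[]): LoggedRequest {
  const out: LoggedRequest = { ...req, headers: req.headers.map((h) => ({ ...h })) };
  for (const f of fields) {
    if (f.method !== undefined) out.httpMethod = REDACTED;
    if (f.uriPath !== undefined) out.uri = REDACTED;
    if (f.queryString !== undefined) out.args = REDACTED;
    if (f.singleHeader !== undefined) {
      // Config names are lowercase; compare against the logged name case-insensitively.
      const wanted = f.singleHeader.name;
      for (const h of out.headers) {
        if (h.name.toLowerCase() === wanted) h.value = REDACTED;
      }
    }
  }
  return out;
}

// The redaction from the "With Redacted Fields" example on this page, extended
// with query-string redaction so that secrets passed as query arguments are not logged.
const pageFields: RedactedField[] = [
  { singleHeader: { name: "user-agent" } },
  { queryString: {} },
];

// Constructed sample request (not real WAF log output).
const sampleRequest: LoggedRequest = {
  httpMethod: "GET",
  uri: "/login",
  args: "token=example-secret-value",
  headers: [
    { name: "Host", value: "www.example.com" },
    { name: "User-Agent", value: "Mozilla/5.0 (constructed)" },
  ],
};

// A configuration that breaks both rules the reference states.
const badFields: RedactedField[] = [
  { method: {}, uriPath: {} },
  { singleHeader: { name: "User-Agent" } },
];

function headerValue(req: LoggedRequest, name: string): string | undefined {
  const h = req.headers.find((x) => x.name.toLowerCase() === name.toLowerCase());
  return h === undefined ? undefined : h.value;
}

console.log(validateRedactedFields(pageFields)); // []
console.log(validateRedactedFields(badFields).length); // 2
console.log(redact(sampleRequest, pageFields));
```

Redaction is applied before the record is written, so a field redacted here is unavailable to every downstream consumer of the log; choose the set of redacted fields against what the detection and forensics use cases actually need, rather than redacting as broadly as possible.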
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `id` - The Amazon Resource Name (ARN) of the WAFv2 Web ACL.
Import
WAFv2 Web ACL Logging Configurations can be imported using the WAFv2 Web ACL ARN e.g.,