
Resource: awsWafv2WebAclLoggingConfiguration

Creates a WAFv2 Web ACL Logging Configuration resource.

-> Note: To start logging from a WAFv2 Web ACL, an Amazon Kinesis Data Firehose (e.g., an awsKinesisFirehoseDeliveryStream resource) must also be created with a PUT source (not a stream) and in the region you are operating in. If you are capturing logs for Amazon CloudFront, always create the firehose in US East (N. Virginia). Be sure to give the data firehose, CloudWatch log group, and/or S3 bucket a name that starts with the prefix awsWafLogs.

Example Usage

With Redacted Fields

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafv2WebAclLoggingConfiguration.Wafv2WebAclLoggingConfiguration(
  this,
  "example",
  {
    logDestinationConfigs: [
      "${aws_kinesis_firehose_delivery_stream.example.arn}",
    ],
    redactedFields: [
      {
        singleHeader: {
          name: "user-agent",
        },
      },
    ],
    resourceArn: "${aws_wafv2_web_acl.example.arn}",
  }
);

With Logging Filter

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.wafv2WebAclLoggingConfiguration.Wafv2WebAclLoggingConfiguration(
  this,
  "example",
  {
    logDestinationConfigs: [
      "${aws_kinesis_firehose_delivery_stream.example.arn}",
    ],
    loggingFilter: {
      defaultBehavior: "KEEP",
      filter: [
        {
          behavior: "DROP",
          condition: [
            {
              actionCondition: {
                action: "COUNT",
              },
            },
            {
              labelNameCondition: {
                labelName: "awswaf:111122223333:rulegroup:testRules:LabelNameZ",
              },
            },
          ],
          requirement: "MEETS_ALL",
        },
        {
          behavior: "KEEP",
          condition: [
            {
              actionCondition: {
                action: "ALLOW",
              },
            },
          ],
          requirement: "MEETS_ANY",
        },
      ],
    },
    resourceArn: "${aws_wafv2_web_acl.example.arn}",
  }
);

Argument Reference

The following arguments are supported:

  • logDestinationConfigs - (Required) The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL.
  • loggingFilter - (Optional) A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. See Logging Filter below for more details.
  • redactedFields - (Optional) The parts of the request that you want to keep out of the logs. Up to 100 redactedFields blocks are supported. See Redacted Fields below for more details.
  • resourceArn - (Required) The Amazon Resource Name (ARN) of the web ACL that you want to associate with logDestinationConfigs.

Logging Filter

The loggingFilter block supports the following arguments:

  • defaultBehavior - (Required) Default handling for logs that don't match any of the specified filtering conditions. Valid values: KEEP or DROP.
  • filter - (Required) Filter(s) that you want to apply to the logs. See Filter below for more details.

Filter

The filter block supports the following arguments:

  • behavior - (Required) How to handle logs that satisfy the filter's conditions and requirement. Valid values: KEEP or DROP.
  • condition - (Required) Match condition(s) for the filter. See Condition below for more details.
  • requirement - (Required) Logic to apply to the filtering conditions. You can specify that, in order to satisfy the filter, a log must match all conditions or must match at least one condition. Valid values: MEETS_ALL or MEETS_ANY.

Condition

The condition block supports the following arguments:

~> Note: Either actionCondition or labelNameCondition must be specified.

  • actionCondition - (Optional) A single action condition. See Action Condition below for more details.
  • labelNameCondition - (Optional) A single label name condition. See Label Name Condition below for more details.

Action Condition

The actionCondition block supports the following argument:

  • action - (Required) The action setting that a log record must contain in order to meet the condition. Valid values: ALLOW, BLOCK, COUNT.

Label Name Condition

The labelNameCondition block supports the following argument:

  • labelName - (Required) The label name that a log record must contain in order to meet the condition. This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label.
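The filter semantics described above, as an added example that is not part of the provider docs or the provider's own code: a small local model of a loggingFilter so you can check, before deploying, that a filter drops only the noise you intend and never the BLOCK records your detection pipeline relies on. It assumes that a filter's conditions are combined by its requirement, that the first matching filter's behavior wins, and that defaultBehavior applies when no filter matches; the LogRecord shape (one action plus the applied labels) is a simplified stand-in for a real WAF log record.

```typescript
// Added example; the loggingFilter semantics are modelled locally (assumed:
// first matching filter wins, defaultBehavior when none match).
type Behavior = "KEEP" | "DROP";
type Requirement = "MEETS_ALL" | "MEETS_ANY";

interface Condition {
  actionCondition?: { action: string };
  labelNameCondition?: { labelName: string };
}
interface Filter { behavior: Behavior; condition: Condition[]; requirement: Requirement }
interface LoggingFilter { defaultBehavior: Behavior; filter: Filter[] }

// Simplified (constructed) log record: the action WAF took and the fully
// qualified labels applied during web ACL evaluation.
interface LogRecord { action: string; labels: string[] }

function conditionMatches(c: Condition, rec: LogRecord): boolean {
  if (c.actionCondition) return rec.action === c.actionCondition.action;
  if (c.labelNameCondition) return rec.labels.includes(c.labelNameCondition.labelName);
  return false; // a condition with neither block is invalid; treat as no match
}

function filterMatches(f: Filter, rec: LogRecord): boolean {
  const results = f.condition.map((c) => conditionMatches(c, rec));
  return f.requirement === "MEETS_ALL" ? results.every((r) => r) : results.some((r) => r);
}

// Returns the behavior that applies to one record: the first matching
// filter's behavior, or defaultBehavior if no filter matches.
function evaluateLoggingFilter(lf: LoggingFilter, rec: LogRecord): Behavior {
  for (const f of lf.filter) {
    if (filterMatches(f, rec)) return f.behavior;
  }
  return lf.defaultBehavior;
}

// The loggingFilter from the "With Logging Filter" example on this page.
const LABEL = "awswaf:111122223333:rulegroup:testRules:LabelNameZ";
const exampleFilter: LoggingFilter = {
  defaultBehavior: "KEEP",
  filter: [
    { behavior: "DROP", requirement: "MEETS_ALL", condition: [
        { actionCondition: { action: "COUNT" } },
        { labelNameCondition: { labelName: LABEL } } ] },
    { behavior: "KEEP", requirement: "MEETS_ANY",
      condition: [{ actionCondition: { action: "ALLOW" } }] },
  ],
};

// Constructed sample records to run through the filter.
const countedWithLabel: LogRecord = { action: "COUNT", labels: [LABEL] };
const countedNoLabel: LogRecord = { action: "COUNT", labels: [] };
const blockedWithLabel: LogRecord = { action: "BLOCK", labels: [LABEL] };
```

Only a COUNT record that also carries the label is dropped (MEETS_ALL); a COUNT record without the label and a BLOCK record both fall through to the default and are kept.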

Redacted Fields

The redactedFields block supports the following arguments:

~> NOTE: Only one of method, queryString, singleHeader or uriPath can be specified.

  • allQueryArguments - (Optional, DEPRECATED) Redact all query arguments.
  • body - (Optional, DEPRECATED) Redact the request body, which immediately follows the request headers.
  • method - (Optional) Redact the HTTP method. Must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
  • queryString - (Optional) Redact the query string. Must be specified as an empty configuration block {}. This is the part of a URL that appears after a ? character, if any.
  • singleHeader - (Optional) Redact a single header. See Single Header below for details.
  • singleQueryArgument - (Optional, DEPRECATED) Redact a single query argument. See Single Query Argument below for details.
  • uriPath - (Optional) Redact the request URI path. Must be specified as an empty configuration block {}. This is the part of a web request that identifies a resource, for example, /images/dailyAdJpg.

Single Header

Redact a single header. Provide the name of the header to redact, for example, user-agent or referer (provided as lowercase strings).

The singleHeader block supports the following arguments:

  • name - (Optional) The name of the header to redact. This setting must be provided as lower case characters.

Single Query Argument (DEPRECATED)

Redact a single query argument. Provide the name of the query argument to redact, such as userName or salesRegion (provided as lowercase strings).

The singleQueryArgument block supports the following arguments:

  • name - (Optional) The name of the query argument to redact. This setting must be provided as lower case characters.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The Amazon Resource Name (ARN) of the WAFv2 Web ACL.

Import

WAFv2 Web ACL Logging Configurations can be imported using the WAFv2 Web ACL ARN e.g.,

$ terraform import aws_wafv2_web_acl_logging_configuration.example arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-logs/a1b2c3d4-5678-90ab-cdef