Provides an AWS Network Firewall Logging Configuration Resource.

## Example Usage

### Logging to S3

```terraform
resource "aws_networkfirewall_logging_configuration" "example" {
  firewall_arn = aws_networkfirewall_firewall.example.arn
  logging_configuration {
    log_destination_config {
      log_destination = {
        bucketName = aws_s3_bucket.example.bucket
        prefix     = "/example"
      }
      log_destination_type = "S3"
      log_type             = "FLOW"
    }
  }
}
```

### Logging to CloudWatch

```terraform
resource "aws_networkfirewall_logging_configuration" "example" {
  firewall_arn = aws_networkfirewall_firewall.example.arn
  logging_configuration {
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.example.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
  }
}
```

### Logging to Kinesis Data Firehose

```terraform
resource "aws_networkfirewall_logging_configuration" "example" {
  firewall_arn = aws_networkfirewall_firewall.example.arn
  logging_configuration {
    log_destination_config {
      log_destination = {
        deliveryStream = aws_kinesis_firehose_delivery_stream.example.name
      }
      log_destination_type = "KinesisDataFirehose"
      log_type             = "ALERT"
    }
  }
}
```
## Argument Reference

This resource supports the following arguments:

* `firewall_arn` - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Network Firewall firewall.
* `logging_configuration` - (Required) A configuration block describing how AWS Network Firewall performs logging for a firewall. See Logging Configuration below for details.

### Logging Configuration

The `logging_configuration` block supports the following arguments:

* `log_destination_config` - (Required) Set of configuration blocks describing the logging details for a firewall. See Log Destination Config below for details. At most two blocks can be specified: one for `FLOW` logs and one for `ALERT` logs.

### Log Destination Config

The `log_destination_config` block supports the following arguments:

* `log_destination` - (Required) A map describing the logging destination for the chosen `log_destination_type`.
    * For an Amazon S3 bucket, specify the key `bucketName` with the name of the bucket and optionally specify the key `prefix` with a path.
    * For a CloudWatch log group, specify the key `logGroup` with the name of the CloudWatch log group.
    * For a Kinesis Data Firehose delivery stream, specify the key `deliveryStream` with the name of the delivery stream.
* `log_destination_type` - (Required) The location to send logs to. Valid values: `S3`, `CloudWatchLogs`, `KinesisDataFirehose`.
* `log_type` - (Required) The type of log to send. Valid values: `ALERT` or `FLOW`. Alert logs report traffic that matches a `StatefulRule` with an action setting that sends a log message. Flow logs are standard network traffic flow logs.
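The three examples above each attach a single `log_destination_config` block, so a firewall configured that way records either flow or alert logs but not both. The following configuration is an added example, not taken from the provider documentation, that uses the two permitted blocks in one resource: `FLOW` logs go to S3 for retention and later forensics, and `ALERT` logs go to CloudWatch Logs where metric filters and alarms can act on rule matches. It assumes that `aws_networkfirewall_firewall.example`, `aws_s3_bucket.example` and `aws_cloudwatch_log_group.example` are defined elsewhere in the same configuration, and the `/flow` prefix is a constructed value.

```terraform
# Added example (not from the provider docs): one logging configuration that
# attaches both permitted log_destination_config blocks to a single firewall.
# Assumes aws_networkfirewall_firewall.example, aws_s3_bucket.example and
# aws_cloudwatch_log_group.example are declared elsewhere in the configuration.
resource "aws_networkfirewall_logging_configuration" "example" {
  firewall_arn = aws_networkfirewall_firewall.example.arn

  logging_configuration {
    # FLOW logs: every stateful connection the firewall sees. High volume, so
    # S3 is the cheaper place to keep them for baselining and incident review.
    log_destination_config {
      log_destination = {
        bucketName = aws_s3_bucket.example.bucket
        prefix     = "/flow" # constructed prefix; any key prefix works
      }
      log_destination_type = "S3"
      log_type             = "FLOW"
    }

    # ALERT logs: only traffic that matched a stateful rule whose action sends a
    # log message. Low volume and security-relevant, so CloudWatch Logs is used
    # here so that metric filters and alarms can fire on rule matches.
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.example.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
  }
}
```

Because `log_destination_config` is a set, the two blocks are distinguished by their `log_type`; declaring a second block with the same `log_type` (for example two `ALERT` destinations) is not accepted, which is why splitting destinations by log type, rather than duplicating one type, is the way to fan logs out to more than one service.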
## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `id` - The Amazon Resource Name (ARN) of the associated firewall.

## Import

In Terraform v1.5.0 and later, use an `import` block to import Network Firewall Logging Configurations using the `firewall_arn`. For example:

```terraform
import {
  to = aws_networkfirewall_logging_configuration.example
  id = "arn:aws:network-firewall:us-west-1:123456789012:firewall/example"
}
```

Using `terraform import`, import Network Firewall Logging Configurations using the `firewall_arn`. For example:

```console
% terraform import aws_networkfirewall_logging_configuration.example arn:aws:network-firewall:us-west-1:123456789012:firewall/example
```