A WAFv2 Logging Configuration Resource Provider
Creates a WAFv2 Web ACL Logging Configuration resource. Note that the AWS Provider resources aws_wafv2_web_acl and [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) are used alongside it. Two constraints of the underlying service matter when reading the examples: a web ACL accepts only one logging configuration, so the three awscc_wafv2_logging_configuration blocks below are alternatives for the same web ACL, not resources to apply together; and a CloudWatch log group used as a WAF logging destination must have a name that starts with aws-waf-logs-, otherwise the association is rejected.
```terraform
# Basic logging configuration: send every request record for the web ACL to a
# CloudWatch log group. The resource schema (see below) has no tags attribute.
resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.example.arn]
}

resource "aws_cloudwatch_log_group" "example" {
  # AWS WAF only accepts log groups whose names begin with "aws-waf-logs-".
  name = "aws-waf-logs-example"
}
```
```terraform
resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ExternalACL"
    sampled_requests_enabled   = true
  }
}
```
```terraform
# Logging configuration with a filter. Records that match no filter get the
# default_behavior; each filter applies its behavior when its conditions meet
# the stated requirement (MEETS_ANY or MEETS_ALL). This example keeps
# everything except records whose rule action was BLOCK. Note that blocked
# requests are usually the records an analyst wants most, so in practice the
# filter is more often inverted (default DROP, KEEP on BLOCK or COUNT).
resource "awscc_wafv2_logging_configuration" "awscc_waf_logging_filter" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.example.arn]

  logging_filter = {
    default_behavior = "KEEP"
    filters = [{
      behavior = "DROP"
      conditions = [{
        action_condition = {
          action = "BLOCK"
        }
      }]
      requirement = "MEETS_ANY"
    }]
  }
}
```
```terraform
# Logging configuration with redacted fields. The named header is replaced
# with REDACTED in every record before it is written, so bearer tokens and
# basic-auth credentials never reach the log store. Header names are matched
# case-insensitively.
resource "awscc_wafv2_logging_configuration" "awscc_waf_logging_redacted_fields" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.example.arn]

  redacted_fields = [{
    single_header = {
      name = "authorization"
    }
  }]
}
```
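The pieces above are shown one at a time. The following is an added example, not code from the provider's documentation, that combines them into the single logging configuration a web ACL can carry: a correctly prefixed log group with a retention period, a filter that drops ordinary allowed traffic and keeps records that were blocked, counted, or tagged with a specific label, and redaction of the Authorization and Cookie headers. It attaches to the aws_wafv2_web_acl.example resource above; the resource names, the log group name and retention, and the label value awswaf:managed:aws:core-rule-set:NoUserAgent_Header are assumptions chosen for illustration.

```terraform
# Added example (not from the provider docs). Resource names, log group name,
# retention and the label value are assumptions; replace them for your setup.

resource "aws_cloudwatch_log_group" "waf_logs" {
  # AWS WAF rejects CloudWatch destinations whose names lack this prefix.
  name              = "aws-waf-logs-example-web-acl"
  retention_in_days = 90
}

resource "awscc_wafv2_logging_configuration" "filtered_and_redacted" {
  # One logging configuration per web ACL: this replaces, not supplements,
  # any other awscc_wafv2_logging_configuration for the same resource_arn.
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf_logs.arn]

  logging_filter = {
    # Anything no filter keeps is dropped; plain ALLOW traffic is noise here.
    default_behavior = "DROP"

    filters = [
      {
        # MEETS_ANY: a record is kept if at least one condition matches.
        behavior    = "KEEP"
        requirement = "MEETS_ANY"
        conditions = [
          { action_condition = { action = "BLOCK" } },
          { action_condition = { action = "COUNT" } },
          {
            # Labels must be fully qualified (prefix, namespaces, name).
            # Assumed value; use a label that your rules actually emit.
            label_name_condition = {
              label_name = "awswaf:managed:aws:core-rule-set:NoUserAgent_Header"
            }
          },
        ]
      },
    ]
  }

  # Credentials are stripped before the record is written.
  redacted_fields = [
    { single_header = { name = "authorization" } },
    { single_header = { name = "cookie" } },
  ]
}
```

Redaction happens inside the service, so the secret never leaves AWS WAF, which is preferable to scrubbing it later in a log pipeline. Redaction is limited to the request parts listed in the redacted_fields schema below; a token carried in the query string can be covered with query_string, but one embedded in a request body cannot be redacted this way.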
Schema

Required:

log_destination_configs
(List of String) The Amazon Resource Names (ARNs) of the logging destinations that you want to associate with the web ACL. AWS WAF accepts one destination per web ACL; a CloudWatch log group used here must have a name beginning with aws-waf-logs-.

resource_arn
(String) The Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.

Optional:

logging_filter
(Attributes) Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. (see below for nested schema)

redacted_fields
(Attributes List) The parts of the request that you want to keep out of the logs. For example, if you redact the HEADER field, the HEADER field in the logs will be REDACTED. (see below for nested schema)

Read-Only:

id
(String) Uniquely identifies the resource.

managed_by_firewall_manager
(Boolean) Indicates whether the logging configuration was created by AWS Firewall Manager, as part of an AWS WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration.

Nested schema for logging_filter

Required:

default_behavior
(String) Default handling for logs that don't match any of the specified filtering conditions. Valid values are KEEP and DROP.

filters
(Attributes List) The filters that you want to apply to the logs. (see below for nested schema)

Nested schema for logging_filter.filters

Required:

behavior
(String) How to handle logs that satisfy the filter's conditions and requirement. Valid values are KEEP and DROP.

conditions
(Attributes List) Match conditions for the filter. (see below for nested schema)

requirement
(String) Logic to apply to the filtering conditions. You can specify that, in order to satisfy the filter, a log must match all conditions (MEETS_ALL) or must match at least one condition (MEETS_ANY).

Nested schema for logging_filter.filters.conditions

Optional:

action_condition
(Attributes) A single action condition. (see below for nested schema)

label_name_condition
(Attributes) A single label name condition. (see below for nested schema)

Nested schema for logging_filter.filters.conditions.action_condition

Required:

action
(String) The action setting that a log record must contain in order to meet the condition. Valid values are ALLOW, BLOCK, COUNT, CAPTCHA, CHALLENGE and EXCLUDED_AS_COUNT.

Nested schema for logging_filter.filters.conditions.label_name_condition

Required:

label_name
(String) The label name that a log record must contain in order to meet the condition. This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label.

Nested schema for redacted_fields

Each entry names one part of the request to redact from the log records.

Optional:

method
(String) The HTTP method. The method indicates the type of operation that the request is asking the origin to perform.

query_string
(String) The query string. This is the part of a URL that appears after a ? character, if any.

single_header
(Attributes) A single header. Provide the name of the header to redact, for example, User-Agent or Referer. This setting isn't case sensitive. (see below for nested schema)

uri_path
(String) The request URI path. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg.

Nested schema for redacted_fields.single_header

Required:

name
(String) The name of the header to redact.

Import

Import is supported using the following syntax. The resource ID is the ARN of the web ACL the logging configuration is attached to:

```shell
$ terraform import awscc_wafv2_logging_configuration.example <resource ID>
```