WebAclLoggingConfigurationArgs

data class WebAclLoggingConfigurationArgs(val logDestinationConfigs: Output<List<String>>? = null, val loggingFilter: Output<WebAclLoggingConfigurationLoggingFilterArgs>? = null, val redactedFields: Output<List<WebAclLoggingConfigurationRedactedFieldArgs>>? = null, val resourceArn: Output<String>? = null) : ConvertibleToJava<WebAclLoggingConfigurationArgs>

Creates a WAFv2 Web ACL Logging Configuration resource.

Note: To start logging from a WAFv2 Web ACL, an Amazon Kinesis Data Firehose (e.g., an aws.kinesis.FirehoseDeliveryStream resource) must also be created with a PUT source (not a stream) and in the region in which you are operating. If you are capturing logs for Amazon CloudFront, always create the firehose in US East (N. Virginia). Be sure to give the data firehose, CloudWatch log group, and/or S3 bucket a name that starts with the prefix aws-waf-logs-.
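
The naming and region rules in the note above can be checked before deployment. The following is an added example, not part of the Pulumi documentation or SDK: a stand-alone Python check over ARN strings, in which the function names and sample ARNs are constructed for illustration and a CloudFront-scoped web ACL is recognised by the global/webacl/ path in its ARN.

```python
# Added example: pre-deployment check of WAFv2 log destination ARNs.
REQUIRED_PREFIX = "aws-waf-logs-"
CLOUDFRONT_FIREHOSE_REGION = "us-east-1"  # US East (N. Virginia)

def destination_name(arn):
    """Return (service, region, resource_name) for a supported destination ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, region, resource = parts[2], parts[3], parts[5]
    if service == "firehose" and resource.startswith("deliverystream/"):
        return service, region, resource[len("deliverystream/"):]
    if service == "logs" and resource.startswith("log-group:"):
        # Log group ARNs may carry a trailing ":*"; strip it before checking.
        name = resource[len("log-group:"):]
        return service, region, name[:-2] if name.endswith(":*") else name
    if service == "s3":
        # S3 ARNs have empty region/account fields; the bucket is the first path part.
        return service, region, resource.split("/", 1)[0]
    raise ValueError(f"unsupported log destination: {arn!r}")

def check_logging_config(web_acl_arn, log_destination_arns):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    # Assumption: CloudFront-scoped web ACL ARNs use the "global/webacl/" path.
    is_cloudfront = ":global/webacl/" in web_acl_arn
    for arn in log_destination_arns:
        try:
            service, region, name = destination_name(arn)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if not name.startswith(REQUIRED_PREFIX):
            problems.append(f"{service} destination {name!r} lacks prefix {REQUIRED_PREFIX!r}")
        if is_cloudfront and service == "firehose" and region != CLOUDFRONT_FIREHOSE_REGION:
            problems.append(f"firehose {name!r} is in {region}, not {CLOUDFRONT_FIREHOSE_REGION}")
    return problems

# Constructed sample values (account ID, names and web ACL ID are placeholders).
SAMPLE_ACL = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/edge/EXAMPLE-ID"
SAMPLE_DESTINATIONS = [
    "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-edge",
    "arn:aws:firehose:eu-west-1:123456789012:deliverystream/waf-edge",
    "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-edge:*",
    "arn:aws:s3:::aws-waf-logs-archive",
]

if __name__ == "__main__":
    for problem in check_logging_config(SAMPLE_ACL, SAMPLE_DESTINATIONS):
        print("FAIL:", problem)
```

Run against the resolved ARNs (for example in a CI step after a preview), a non-empty result means a destination would not satisfy the naming or region requirement.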

Example Usage

With Redacted Fields

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // aws_kinesis_firehose_delivery_stream.example and aws_wafv2_web_acl.example
        // refer to resources declared elsewhere in the program.
        var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()
            .logDestinationConfigs(aws_kinesis_firehose_delivery_stream.example().arn())
            .resourceArn(aws_wafv2_web_acl.example().arn())
            // Keep the value of the User-Agent header out of the logs.
            .redactedFields(WebAclLoggingConfigurationRedactedFieldArgs.builder()
                .singleHeader(WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs.builder()
                    .name("user-agent")
                    .build())
                .build())
            .build());
    }
}

With Logging Filter

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // aws_kinesis_firehose_delivery_stream.example and aws_wafv2_web_acl.example
        // refer to resources declared elsewhere in the program.
        var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()
            .logDestinationConfigs(aws_kinesis_firehose_delivery_stream.example().arn())
            .resourceArn(aws_wafv2_web_acl.example().arn())
            .loggingFilter(WebAclLoggingConfigurationLoggingFilterArgs.builder()
                // Requests that match no filter are kept.
                .defaultBehavior("KEEP")
                .filters(
                    // Drop requests that have the COUNT action and carry the given label.
                    WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                        .behavior("DROP")
                        .conditions(
                            WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                    .action("COUNT")
                                    .build())
                                .build(),
                            WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                .labelNameCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs.builder()
                                    .labelName("awswaf:111122223333:rulegroup:testRules:LabelNameZ")
                                    .build())
                                .build())
                        .requirement("MEETS_ALL")
                        .build(),
                    // Keep requests that have the ALLOW action.
                    WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                        .behavior("KEEP")
                        .conditions(WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                            .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                .action("ALLOW")
                                .build())
                            .build())
                        .requirement("MEETS_ANY")
                        .build())
                .build())
            .build());
    }
}

Import

WAFv2 Web ACL Logging Configurations can be imported using the WAFv2 Web ACL ARN, e.g.:

$ pulumi import aws:wafv2/webAclLoggingConfiguration:WebAclLoggingConfiguration example arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-logs/a1b2c3d4-5678-90ab-cdef

Constructors

constructor(logDestinationConfigs: Output<List<String>>? = null, loggingFilter: Output<WebAclLoggingConfigurationLoggingFilterArgs>? = null, redactedFields: Output<List<WebAclLoggingConfigurationRedactedFieldArgs>>? = null, resourceArn: Output<String>? = null)

Properties

val logDestinationConfigs: Output<List<String>>? = null

The Amazon Kinesis Data Firehose, CloudWatch Logs log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL.

val loggingFilter: Output<WebAclLoggingConfigurationLoggingFilterArgs>? = null

A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. See Logging Filter below for more details.

val redactedFields: Output<List<WebAclLoggingConfigurationRedactedFieldArgs>>? = null

The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.

val resourceArn: Output<String>? = null

The Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.

Functions

open override fun toJava(): WebAclLoggingConfigurationArgs