Web Acl Logging Configuration
This resource creates a WAFv2 Web ACL Logging Configuration.

WARNING: When logging from a WAFv2 Web ACL to a CloudWatch Log Group, the WAFv2 service tries to create or update a generic Log Resource Policy named AWSWAF-LOGS. If the account has a large number of Web ACLs, or frequently creates and deletes Web ACLs, this shared policy can grow past the maximum policy size, and creation of this resource then fails. To avoid this, manage a specific resource policy yourself instead of relying on the one WAF maintains. Please refer to the example below for managing a CloudWatch Log Group with a managed CloudWatch Log Resource Policy.
Example Usage
With Redacted Fields
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs;
import java.util.List;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // `firehose` and `webAcl` stand for the aws.kinesis.FirehoseDeliveryStream and
        // aws.wafv2.WebAcl resources declared elsewhere in this program.
        var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()
            // logDestinationConfigs takes a list of ARNs, so wrap the single Output<String>.
            .logDestinationConfigs(firehose.arn().applyValue(List::of))
            .resourceArn(webAcl.arn())
            // Redact the User-Agent header value before each request is written to the log.
            .redactedFields(WebAclLoggingConfigurationRedactedFieldArgs.builder()
                .singleHeader(WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs.builder()
                    .name("user-agent")
                    .build())
                .build())
            .build());
    }
}
With Logging Filter
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs;
import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs;
import java.util.List;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // `firehose` and `webAcl` stand for the aws.kinesis.FirehoseDeliveryStream and
        // aws.wafv2.WebAcl resources declared elsewhere in this program.
        var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()
            // logDestinationConfigs takes a list of ARNs, so wrap the single Output<String>.
            .logDestinationConfigs(firehose.arn().applyValue(List::of))
            .resourceArn(webAcl.arn())
            .loggingFilter(WebAclLoggingConfigurationLoggingFilterArgs.builder()
                // Requests matched by none of the filters below are still logged.
                .defaultBehavior("KEEP")
                .filters(
                    // Drop requests that were only COUNTed AND carry the named label (MEETS_ALL).
                    WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                        .behavior("DROP")
                        .conditions(
                            WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                    .action("COUNT")
                                    .build())
                                .build(),
                            WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                .labelNameCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs.builder()
                                    .labelName("awswaf:111122223333:rulegroup:testRules:LabelNameZ")
                                    .build())
                                .build())
                        .requirement("MEETS_ALL")
                        .build(),
                    // Always keep requests whose final action was ALLOW (MEETS_ANY of one condition).
                    WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                        .behavior("KEEP")
                        .conditions(WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                            .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                .action("ALLOW")
                                .build())
                            .build())
                        .requirement("MEETS_ANY")
                        .build())
                .build())
            .build());
    }
}
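With a Managed CloudWatch Log Resource Policy
The warning at the top of this page points to an example of logging to a CloudWatch Log Group with a resource policy you manage yourself; that example is not present on the page, so the following is an added one rather than Pulumi's own. It assumes the web ACL's ARN is supplied as the stack config value `webAclArn` (a hypothetical key), and it takes the region and account ID from the log group's own ARN instead of looking them up. The policy grants only `delivery.logs.amazonaws.com` the two write actions on this one log group, with `aws:SourceArn` and `aws:SourceAccount` conditions so that a log-delivery request originating from another account cannot use it:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.cloudwatch.LogResourcePolicy;
import com.pulumi.aws.cloudwatch.LogResourcePolicyArgs;
import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Assumption: the ARN of an existing aws.wafv2.WebAcl is supplied via
        // `pulumi config set webAclArn arn:aws:wafv2:...` (hypothetical config key).
        String webAclArn = ctx.config().require("webAclArn");

        // WAF only accepts log groups whose name starts with aws-waf-logs-.
        var logGroup = new LogGroup("wafLogs", LogGroupArgs.builder()
            .name("aws-waf-logs-example")
            .retentionInDays(90) // constructed value; pick what your retention policy requires
            .build());

        // Build a policy scoped to this single log group. A log group ARN looks like
        // arn:aws:logs:<region>:<account>:log-group:<name>[:*], so region and account can be
        // read from it. The provider may or may not include the trailing ":*", so normalise it.
        Output<String> policyDocument = logGroup.arn().applyValue(arn -> {
            String[] parts = arn.split(":");
            String region = parts[3];
            String account = parts[4];
            String base = arn.endsWith(":*") ? arn.substring(0, arn.length() - 2) : arn;
            String resource = base + ":*"; // cover every log stream under the group
            return "{\n"
                + "  \"Version\": \"2012-10-17\",\n"
                + "  \"Statement\": [{\n"
                + "    \"Sid\": \"AWSWAFLogsDelivery\",\n"
                + "    \"Effect\": \"Allow\",\n"
                + "    \"Principal\": {\"Service\": \"delivery.logs.amazonaws.com\"},\n"
                + "    \"Action\": [\"logs:CreateLogStream\", \"logs:PutLogEvents\"],\n"
                + "    \"Resource\": \"" + resource + "\",\n"
                + "    \"Condition\": {\n"
                // Both conditions pin the delivery to this account's own log resources.
                + "      \"ArnLike\": {\"aws:SourceArn\": \"arn:aws:logs:" + region + ":" + account + ":*\"},\n"
                + "      \"StringEquals\": {\"aws:SourceAccount\": \"" + account + "\"}\n"
                + "    }\n"
                + "  }]\n"
                + "}";
        });

        // Because a dedicated policy exists for this destination, WAF does not have to
        // extend the shared AWSWAF-LOGS policy, so its size limit is no longer a concern.
        var policy = new LogResourcePolicy("wafLogsPolicy", LogResourcePolicyArgs.builder()
            .policyName("aws-waf-logs-example-policy")
            .policyDocument(policyDocument)
            .build());

        // WAF validates that it can write to the destination when the logging configuration
        // is created, so the policy must be in place first: express that with dependsOn.
        var logging = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()
            .logDestinationConfigs(logGroup.arn().applyValue(List::of))
            .resourceArn(webAclArn)
            .build(),
            CustomResourceOptions.builder().dependsOn(policy).build());
    }
}
```

One policy per log group is the deliberate choice here: each Web ACL's destination gets a statement that names exactly one resource, so adding or deleting Web ACLs never changes any other policy, and a reviewer can see from a single document which principal may write to which group.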
Import
Using pulumi import, import WAFv2 Web ACL Logging Configurations using the ARN of the WAFv2 Web ACL. For example:
$ pulumi import aws:wafv2/webAclLoggingConfiguration:WebAclLoggingConfiguration example arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-logs/a1b2c3d4-5678-90ab-cdef
Properties
logDestinationConfigs: Configuration block that associates the Amazon Resource Names (ARNs) of an Amazon Kinesis Data Firehose delivery stream, a CloudWatch Logs log group, or an S3 bucket with the web ACL. Note: the Data Firehose delivery stream, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.