aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::WAFv2::WebACL - LoggingConfiguration #349

Closed kenshinuesugi closed 3 years ago

kenshinuesugi commented 4 years ago

1. Title

AWS::WAFv2::WebACL-LoggingConfiguration

2. Scope of request

AWS::WAFv2::WebACL-LoggingConfiguration - can create resource via API, but not via CloudFormation

3. Expected behavior

There is no option to configure the default IAM role used for WAFv2 Logging. The resource should automatically create the role when the logging configuration is set.

4. Suggest specific test cases

N/A

5. Helpful Links to speed up research and evaluation

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

https://docs.aws.amazon.com/cli/latest/reference/wafv2/put-logging-configuration.html

6. Category (required)

  1. Security (IAM, KMS...)

darylounet commented 4 years ago

Please add LoggingConfiguration to AWS::WAF::WebACL and AWS::WAFRegional::WebACL too! @kenshinuesugi can you correct the typo of LoggingConfiguration in the issue title and "2. Scope" content please? It will be easier to search ^^

kenshinuesugi commented 4 years ago

> Please add LoggingConfiguration to AWS::WAF::WebACL and AWS::WAFRegional::WebACL too! @kenshinuesugi can you correct the typo of LoggingConfiguration in the issue title and "2. Scope" content please? It will be easier to search ^^

Thanks for that! All done.

Juberstine commented 4 years ago

Any update on this?

Haalia commented 4 years ago

> Please add LoggingConfiguration to AWS::WAF::WebACL and AWS::WAFRegional::WebACL too!

Seriously, can we please get this? I'm stuck using an older version of Terraform which doesn't fully support AWS WAFv2. No problem, I thought, I'll just include a CloudFormation stack inside my TF. Wrong! No support for linking WAFv2 with Kinesis Firehose in CloudFormation either!

So far the only solutions I've found to programmatically do this are either using the WAF API, or involving lambdas as explained here: https://aws.amazon.com/blogs/security/enable-automatic-logging-of-web-acls-by-using-aws-config/ Unfortunately this is far more involved than my project needs at the moment.

Haalia commented 4 years ago

Disregard, I now see that the very recently released AWS provider 2.68.0 fixes this issue! https://github.com/terraform-providers/terraform-provider-aws/releases/tag/v2.68.0

AljoschaDembowsky2909 commented 3 years ago

+1 we would love to use this feature in the future

ElijahGlover commented 3 years ago

Would love to use this feature +1

nicohartto commented 3 years ago

This feature would be great to have at AWS CDK level also.

pavana21 commented 3 years ago

Yes, Would love to use this feature at the AWS CDK level.

gbooth27 commented 3 years ago

this would be really good to have on the aws cdk level

johnkoehn commented 3 years ago

Upvote

EBeureux commented 3 years ago

This feature should really be implemented, you should not have to jump through Lambda hoops and whatnot to enable logging (especially on security services!)...

advaj commented 3 years ago

Hey all - I have written a private resource for this feature, which will help you in deploying WAFv2 WebACL LoggingConfiguration using CloudFormation. The code is here. You can download the code and submit it to the CloudFormation Registry as a Private Resource. (I have also provided instructions to do this).

Feedback and suggestions are welcome!

EDIT: I have changed the URL to point to the private resource, given AWS' naming convention restrictions for private resources.

cliff-wakefield-acurus commented 3 years ago

@advaj tried to use the private resource but get errors when submitting about aws being a reserved namespace.

mgorski-mg commented 3 years ago

Another workaround is to use the AWS CLI after stack deployment.

  1. Create all required resources normally in CF
    • AWS::S3::Bucket
    • AWS::KinesisFirehose::DeliveryStream
    • AWS::IAM::Role
  2. Use the AWS CLI to create the LoggingConfiguration

    • Example in PowerShell

```powershell
# Assumes the stack created a WebACL (logical id "WebAcl") and a Firehose stream (logical id "S3DeliveryStream");
# $ShortServiceName, $stackType and $EnvironmentName are set elsewhere in the deployment script.
$StackName = "$ShortServiceName-$stackType-$EnvironmentName"
$Region = "us-east-1"

$StackResources = aws cloudformation list-stack-resources --stack-name $StackName --region $Region |
    ConvertFrom-Json | Select-Object -ExpandProperty "StackResourceSummaries"

# The physical id of a WAFv2 WebACL is "name|id|scope"; split it to look up the ARN
$wafPhysicalId = $StackResources | Where-Object { $_.LogicalResourceId -eq "WebAcl" } | Select-Object -ExpandProperty "PhysicalResourceId"
$wafIds = $wafPhysicalId.Split("|")
$wafArn = aws wafv2 get-web-acl --name $wafIds[0] --id $wafIds[1] --scope $wafIds[2] --region $Region |
    ConvertFrom-Json | Select-Object -ExpandProperty "WebACL" | Select-Object -ExpandProperty "ARN"

$firehoseName = $StackResources | Where-Object { $_.LogicalResourceId -eq "S3DeliveryStream" } | Select-Object -ExpandProperty "PhysicalResourceId"
$firehoseArn = aws firehose describe-delivery-stream --delivery-stream-name $firehoseName --region $Region |
    ConvertFrom-Json | Select-Object -ExpandProperty "DeliveryStreamDescription" | Select-Object -ExpandProperty "DeliveryStreamARN"

# Logging filter: drop ALLOWed requests from the log, keep everything else.
# The \" escapes are what Windows PowerShell 5.1 needs so that aws.exe receives literal quotes in the JSON argument.
$loggingConfiguration = '{\"LoggingConfiguration\":{\"ResourceArn\":\"'+$wafArn+'\",\"LogDestinationConfigs\":[\"'+$firehoseArn+'\"],\"LoggingFilter\":{\"Filters\":[{\"Behavior\":\"DROP\",\"Requirement\":\"MEETS_ALL\",\"Conditions\":[{\"ActionCondition\":{\"Action\":\"ALLOW\"}}]}],\"DefaultBehavior\":\"KEEP\"}}}'

aws wafv2 put-logging-configuration --cli-input-json $loggingConfiguration --region $Region
```

autarchprinceps commented 3 years ago

Terraform supports this. How is it possible that AWS's own tool takes years to support native AWS features?!

ngamradt-turner commented 3 years ago

Looks like this was just released?

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html

brianterry commented 3 years ago

Confirmed. This has been released. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html
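With the AWS::WAFv2::LoggingConfiguration resource now released, the post-deployment CLI step from the PowerShell workaround above can live in the template itself. The following is an added example, not code from this thread or from AWS: it assumes an existing WebACL whose ARN is passed in as the WebAclArn parameter, uses placeholder names (aws-waf-logs-example, WriteWafLogs), and reproduces the same filter (drop ALLOWed requests, keep the rest).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: WAFv2 WebACL logging to Firehose/S3 with the native LoggingConfiguration resource (added example)
Parameters:
  WebAclArn:
    Type: String   # ARN of an existing AWS::WAFv2::WebACL in this region (placeholder, supply your own)
Resources:
  WafLogBucket:
    Type: AWS::S3::Bucket
  FirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: firehose.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: WriteWafLogs   # least privilege: write access to this bucket only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:PutObject, s3:GetBucketLocation, s3:ListBucket]
                Resource: [!GetAtt WafLogBucket.Arn, !Sub "${WafLogBucket.Arn}/*"]
  WafLogStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamName: aws-waf-logs-example   # WAF only accepts streams named with the aws-waf-logs- prefix
      DeliveryStreamType: DirectPut
      S3DestinationConfiguration:
        BucketARN: !GetAtt WafLogBucket.Arn
        RoleARN: !GetAtt FirehoseRole.Arn
        CompressionFormat: GZIP
  WebAclLogging:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !Ref WebAclArn
      LogDestinationConfigs: [!GetAtt WafLogStream.Arn]
      LoggingFilter:
        DefaultBehavior: KEEP   # everything not matched by a filter is logged
        Filters:
          - Behavior: DROP      # same filter as the CLI workaround: do not log allowed requests
            Requirement: MEETS_ALL
            Conditions:
              - ActionCondition: { Action: ALLOW }
```

The WebACL and the delivery stream must be in the same region, and for a CLOUDFRONT-scoped WebACL the stack must be deployed in us-east-1.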