Open jackywong-amazon opened 1 year ago
This looks to be an upstream issue. WAFv2 accepts log group ARNs with a wildcard suffix (see below), but the UI does not like it (I have not tested logging functionality itself). The following seems to work:
```hcl
resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [trimsuffix(awscc_logs_log_group.example.arn, ":*")]
}
```
```
% aws cloudcontrol list-resources --type-name AWS::Logs::LogGroup
{
    "ResourceDescriptions": [
        {
            "Identifier": "aws-waf-logs-awscc",
            "Properties": "{\"LogGroupName\":\"aws-waf-logs-awscc\",\"Arn\":\"arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*\"}"
        }
    ],
    "TypeName": "AWS::Logs::LogGroup"
}
```
Looking at the docs this is a valid ARN (this surprised me).
```
% aws wafv2 get-logging-configuration --resource-arn arn:aws:wafv2:ap-southeast-2:000000000000:regional/webacl/potato/411b5efe-9c06-41f1-8d6b-676493444cca
{
    "LoggingConfiguration": {
        "ResourceArn": "arn:aws:wafv2:ap-southeast-2:000000000000:regional/webacl/potato/411b5efe-9c06-41f1-8d6b-676493444cca",
        "LogDestinationConfigs": [
            "arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*"
        ],
        "ManagedByFirewallManager": false
    }
}
```
🤔
Trimming the `:*` suffix from the ARN fixes the display issue (as mentioned I did not test logging itself).
Perhaps worth including this in #1027 - otherwise this appears to be an upstream issue.
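To audit log group ARNs as Cloud Control returns them before they are handed to WAFv2 as a logging destination, here is a small ARN normaliser added as an example (not code from this issue or from the provider). It assumes only the Python standard library, uses the ARN shapes seen in this thread with placeholder account ids, and additionally enforces AWS WAF's requirement that the destination log group name start with `aws-waf-logs-`.

```python
# Added example: normalise a CloudWatch log group ARN for use as a WAFv2 logging
# destination, stripping the ":*" wildcard suffix that Cloud Control returns.

def parse_arn(arn: str) -> dict:
    """Split an ARN into its six fields; the resource field may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    fields = dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))
    empty = [k for k in ("partition", "service", "region", "account", "resource") if not fields[k]]
    if empty:
        raise ValueError(f"ARN has empty field(s) {empty}: {arn!r}")
    return fields


def waf_log_destination(arn: str) -> str:
    """Return the log group ARN without the trailing ':*' wildcard.

    Raises ValueError if the ARN is not a CloudWatch Logs log group ARN, has an
    empty field, or the group name lacks the 'aws-waf-logs-' prefix WAF requires.
    """
    fields = parse_arn(arn)
    if fields["service"] != "logs":
        raise ValueError(f"not a CloudWatch Logs ARN: {arn!r}")
    resource = fields["resource"]
    if not resource.startswith("log-group:"):
        raise ValueError(f"not a log group ARN: {arn!r}")
    if resource.endswith(":*"):  # wildcard form returned by Cloud Control / awscc state
        resource = resource[:-2]
    name = resource[len("log-group:"):]
    if not name.startswith("aws-waf-logs-"):
        raise ValueError(f"WAF log group names must start with 'aws-waf-logs-': {name!r}")
    return ":".join((fields["prefix"], fields["partition"], fields["service"],
                     fields["region"], fields["account"], resource))


def is_valid_waf_log_destination(arn: str) -> bool:
    """Boolean wrapper for sweeping many state entries at once."""
    try:
        waf_log_destination(arn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples; account ids are placeholders, not real accounts.
    for sample in (
        "arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*",
        "arn:aws:logs:us-east-1::000000000000:log-group:aws-waf-logs-awscc:*",
    ):
        print(sample, "->", waf_log_destination(sample) if is_valid_waf_log_destination(sample) else "rejected")
```

The second sample has an empty account field (a double colon), which the parser rejects instead of silently passing it on to WAF.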
@jackywong-amazon, can you try the workaround as mentioned by @kadrach?

```hcl
resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [trimsuffix(awscc_logs_log_group.example.arn, ":*")]
}
```
Affected Resource(s)
awscc_logs_log_group
Expected Behavior
After the CW log group is provisioned, the correct ARN should be stored in the state file:

```
"arn": "arn:aws:logs:us-east-1:********:log-group:aws-waf-logs-awscc",
```

When looking at the WAFv2 console, AWS WAF > Logging and metrics > Amazon CloudWatch Logs log group displays `aws-waf-logs-awscc`.
Actual Behavior
The actual ARN after the resource is provisioned is stored in the state file as:

```
"arn": "arn:aws:logs:us-east-1::********:log-group:aws-waf-logs-awscc:*",
```

When looking at the WAFv2 console, AWS WAF > Logging and metrics > Amazon CloudWatch Logs log group displays `*`; after clicking the `*`, it redirects to an error page.

Steps to Reproduce

1. `terraform plan`
2. `terraform apply`
3. Inspect the state file