pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

WAFv2 LoggingConfiguration seems to be buggy #706

Open fronti90 opened 1 year ago

fronti90 commented 1 year ago

What happened?

I am trying to set up a WAFv2 with logs in CloudWatch, but can't link the WAF to CloudWatch. I am not sure if this is a bug or if the documentation might be unclear.

Steps to reproduce

// aws-native provider; the code below uses it as `aws`
import * as aws from '@pulumi/aws-native'

const aclName = 'bot-control'
// WAF requires CloudWatch log group destinations to be named aws-waf-logs-*
const logsName = `aws-waf-logs-${aclName}`
const verifiedBotLabel = 'awswaf:managed:aws:bot-control:bot:verified'

const visibilityConfig = {
    cloudWatchMetricsEnabled: true,
    metricName: logsName,
    sampledRequestsEnabled: true,
}

const acl = new aws.wafv2.WebACL(
    aclName,
    {
        name: aclName,
        defaultAction: {
            allow: {},
        },
        rules: [
            {
                priority: 1,
                name: aclName,
                overrideAction: {
                    count: {},
                },
                visibilityConfig,
                statement: {
                    managedRuleGroupStatement: {
                        name: 'AWSManagedRulesBotControlRuleSet',
                        vendorName: 'AWS',
                    },
                },
            },
        ],
    },
)

const logs = new aws.logs.LogGroup(
    logsName,
    {
        logGroupName: logsName,
        retentionInDays: 14,
    },
)

// Link the WebACL to the log group; the log group ARN is the destination
new aws.wafv2.LoggingConfiguration(
    `${aclName}-log`,
    {
        resourceArn: acl.arn,
        logDestinationConfigs: [logs.arn],
    },
)

Expected Behavior

WAF and LogGroup are created and linked to each other. In the AWS console WAF resource 'aws-waf-logs-bot-control' is selected in 'Amazon CloudWatch Logs log group', clicking on it leads to the linked cloudwatch resource.

Actual Behavior

WAF and LogGroup are created, but they are not linked to each other correctly. In the AWS console WAF resource '*' is selected in 'Amazon CloudWatch Logs log group', clicking on it leads to an error page: '1 validation error detected: Value '*' at 'logGroupName' failed to satisfy constraint: Member must satisfy regular expression pattern: [.-_/#A-Za-z0-9]+'

I can manually select the created LogGroup to link the resources to enable logging. So either 'logDestinationConfigs' isn't handled properly or I am using this resource wrong?

Output of pulumi about

CLI
Version      3.46.1
Go Version   go1.19.3
Go Compiler  gc

Plugins
NAME        VERSION
aws         5.20.0
aws-native  0.41.0
gitlab      4.9.0
kubernetes  3.22.1
nodejs      unknown
opsgenie    1.1.9
random      4.8.2

Host
OS       arch
Version  22.0.0
Arch     x86_64

Additional context

I ported my config above to the aws-classic provider and everything works there without any issues.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
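An added example, not part of the issue above and not code from the pulumi-aws-native provider: a small TypeScript helper that validates a CloudWatch Logs log-group ARN before it is handed to a WAF logging configuration. It assumes, as an inference from the `'*'` that the report shows as `logGroupName`, that the ARN being passed carries the `:*` suffix that CloudFormation's `AWS::Logs::LogGroup` `Arn` attribute includes, and that WAF reads the segment after the last `:` as the log group name. The sample ARN, region and account id are constructed; the `aws-waf-logs-` prefix check reflects WAF's naming requirement for log group destinations, and the name character class mirrors the pattern quoted in the error message.

```typescript
// Added example (not from the issue or the provider): validate and normalise a
// CloudWatch Logs log-group ARN for use in wafv2.LoggingConfiguration.
//
// Assumption: the ARN may end in ':*' (the form CloudFormation returns for
// AWS::Logs::LogGroup), which WAF would otherwise read as a log group named '*'.

// partition : region : account : log-group : name [: *]
const LOG_GROUP_ARN =
  /^arn:(aws|aws-cn|aws-us-gov):logs:([a-z0-9-]+):(\d{12}):log-group:([.\-_/#A-Za-z0-9]+)(:\*)?$/;

interface WafLogDestination {
  arn: string;               // ARN with any trailing ':*' removed
  logGroupName: string;      // name WAF will display / validate
  hadWildcardSuffix: boolean; // true if the input carried ':*'
}

// Throws on anything that is not a log-group ARN or whose name lacks the
// 'aws-waf-logs-' prefix WAF requires; otherwise returns the normalised ARN.
function toWafLogDestination(arn: string): WafLogDestination {
  const m = LOG_GROUP_ARN.exec(arn);
  if (!m) {
    throw new Error(`not a CloudWatch Logs log-group ARN: ${arn}`);
  }
  const logGroupName = m[4];
  if (!logGroupName.startsWith("aws-waf-logs-")) {
    throw new Error(`WAF log group name must start with 'aws-waf-logs-': ${logGroupName}`);
  }
  const hadWildcardSuffix = m[5] !== undefined;
  const normalised = hadWildcardSuffix ? arn.slice(0, -2) : arn;
  return { arn: normalised, logGroupName, hadWildcardSuffix };
}

// Constructed sample in the shape CloudFormation returns (account id is made up).
const SAMPLE_CFN_ARN =
  "arn:aws:logs:eu-west-1:123456789012:log-group:aws-waf-logs-bot-control:*";

// Pulumi wiring (assumption, not executed here):
//   logDestinationConfigs: [logs.arn.apply(a => toWafLogDestination(a).arn)]
```

In a Pulumi program the helper runs inside an `apply` on the log group's `arn` output, so the normalised ARN reaches `logDestinationConfigs` and a mis-named or non-log-group destination fails at preview time rather than surfacing as a broken link in the console.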

guineveresaenger commented 1 year ago

Hi @fronti90 - thank you for filing this issue.

Thank you for verifying that this works as expected in aws-classic. I'll have the team take a look!

adrijardi commented 1 year ago

This seems to still be an issue and we are getting close to the 1 year anniversary. Any updates?