trussworks / terraform-aws-wafv2

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets
https://registry.terraform.io/modules/trussworks/wafv2
Apache License 2.0
104 stars 58 forks

Only log BLOCK requests #122

Closed asininemonkey closed 3 months ago

asininemonkey commented 1 year ago

Is your feature request related to a problem? Please describe.
Enabling logging logs all requests.

Describe the solution you'd like
Option to log only BLOCK requests.

Describe alternatives you've considered
No other option beyond declaring the entire WAF resource myself.

Additional context
N/A

rdadlani commented 1 year ago

You could declare your own aws_wafv2_web_acl_logging_configuration and set the logging filter, like so:

  logging_filter {
    default_behavior = "KEEP"

    filter {
      behavior = "DROP"

      condition {
        action_condition {
          action = "ALLOW"
        }
      }
      requirement = "MEETS_ALL"
    }
  }

This has been my workaround for a while now using this module.
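For reference, here is a complete standalone logging configuration built around the same idea, as an added example that is not code from this thread or from the trussworks module. It goes one step further than the snippet above: instead of keeping everything except ALLOW (which still logs COUNT, CAPTCHA and CHALLENGE outcomes), it drops by default and keeps only requests whose final action was BLOCK. The resource names `aws_cloudwatch_log_group.waf`, `aws_wafv2_web_acl_logging_configuration.block_only` and the input `var.web_acl_arn` are assumptions, and it assumes AWS provider 4.x or later, where the log group `arn` attribute no longer carries a trailing `:*` (which WAF would reject as a destination).

```hcl
# Added example (not the module's code). Assumed names: aws_cloudwatch_log_group.waf,
# aws_wafv2_web_acl_logging_configuration.block_only, var.web_acl_arn.

variable "web_acl_arn" {
  description = "ARN of the WAFv2 web ACL whose BLOCK decisions should be logged"
  type        = string
}

# WAF only accepts logging destinations whose name starts with "aws-waf-logs-".
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-block-only"
  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "block_only" {
  resource_arn            = var.web_acl_arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Default is DROP, so nothing is logged unless a filter keeps it.
  # The single filter keeps requests whose final action was BLOCK,
  # which is what "only log BLOCK requests" asks for.
  logging_filter {
    default_behavior = "DROP"

    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"

      condition {
        action_condition {
          action = "BLOCK"
        }
      }
    }
  }
}
```

A web ACL can have exactly one logging configuration, so this resource only works when nothing else (the module included) is also managing a logging configuration for the same ACL; otherwise each apply overwrites the other's settings. Separately, `requirement = "MEETS_ANY"` versus `"MEETS_ALL"` only matters once a filter has more than one condition; with the single condition above both behave the same.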

asininemonkey commented 1 year ago

While that is a brilliant solution, having just tried it myself I see that my resource gets reverted by the module's own aws_wafv2_web_acl_logging_configuration.main[0] resource. Running apply numerous times just results in a ping pong replacement of one resource over the other.

Being able to control the module's own logging filter still appears to be the best solution unless the ping pong issue I've just described can also be solved.

rdadlani commented 1 year ago

It's hard to say more without first seeing your plan. My best guess without looking is that you may need/want to do some terraform state maneuvering.