Sets up WAFv2 Web ACL logging to a CloudWatch Log Group, using a managed CloudWatch Logs resource policy to grant the log-delivery service the permissions it needs to write there.

Terraform Template

# Identity of the account applying this configuration. Its account_id is
# used below to scope the resource policy's SourceArn / SourceAccount
# conditions to this account.
data "aws_caller_identity" "current" {}

# Resource policy that lets the CloudWatch Logs delivery service write WAF
# logs into the log group defined below. The two conditions restrict the
# service principal to deliveries that originate from a logs resource in
# this account and region, so a delivery configured elsewhere cannot be
# pointed at this group (confused-deputy protection).
data "aws_iam_policy_document" "example" {
  version = "2012-10-17"

  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    # Log streams under the WAF log group only.
    resources = ["${aws_cloudwatch_log_group.example.arn}:*"]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    # Source must be a logs resource in this region and account.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }

    # Source must belong to this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [tostring(data.aws_caller_identity.current.account_id)]
    }
  }
}

# Region the provider is configured for; interpolated into the
# aws:SourceArn condition of the resource policy above.
data "aws_region" "current" {}

# Destination log group for the Web ACL logs. WAF only accepts CloudWatch
# destinations whose log group name begins with "aws-waf-logs-"; the suffix
# must be unique within the account and region.
resource "aws_cloudwatch_log_group" "example" {
  # NOTE(review): no retention_in_days or kms_key_id is set, so the group
  # keeps logs until deleted and uses the service default encryption —
  # confirm that matches the retention and key-management requirements.
  name = "aws-waf-logs-some-uniq-suffix"
}

# Account-level CloudWatch Logs resource policy carrying the document
# above. This is what actually authorizes delivery.logs.amazonaws.com to
# create streams and put events in the WAF log group.
resource "aws_cloudwatch_log_resource_policy" "example" {
  policy_name     = "webacl-policy-uniq-name"
  policy_document = data.aws_iam_policy_document.example.json
}

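# Enable logging on the Web ACL, sending to the CloudWatch log group above.
# The Web ACL itself (aws_wafv2_web_acl.example) is declared elsewhere.
resource "aws_wafv2_web_acl_logging_configuration" "example" {
  # Must be a reference, not a quoted string: the literal
  # "aws_wafv2_web_acl.example.arn" would be sent to the API verbatim and
  # rejected as an invalid ARN.
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.example.arn]

  # Nothing in this block references the resource policy, so Terraform
  # would not otherwise order it first; WAF validates that it can write
  # to the destination when the logging configuration is created.
  depends_on = [aws_cloudwatch_log_resource_policy.example]
}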