Feature Request: Support Comprehensive Logging Functionality for AWS WAF #5760

Closed
vladholubiev opened this issue Sep 3, 2018 · 7 comments · Fixed by #6059
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service.

@vladholubiev
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS released a feature for AWS WAF which allows wiring up a Kinesis Firehose stream to route all the logs about incoming requests and matched rules.

https://aws.amazon.com/about-aws/whats-new/2018/08/aws-waf-launches-new-comprehensive-logging-functionality/

New or Affected Resource(s)

  • aws_waf_web_acl
  • aws_wafregional_web_acl

Potential Terraform Configuration

```hcl
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = [
    "aws_waf_ipset.ipset",
    "aws_waf_rule.wafrule",
  ]

  name        = "tfWebACL"
  metric_name = "tfWebACL"

  logging {
    firehose_stream_arn = "${aws_kinesis_firehose_delivery_stream.test.arn}"

    redacted_fields {
      http_method  = true
      query_string = true
      uri          = true

      headers = [
        "Accept",
        "Content-Type",
      ]
    }
  }

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule.wafrule.id}"
    type     = "REGULAR"
  }
}
```
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service. labels Sep 4, 2018
@anilkasu

Any update on this enhancement, when can we expect to release this? Any chances including this feature in v0.12?

@bflad
Contributor

bflad commented Feb 8, 2019

I provided an initial pull request review of #6059 which adds logging support for the aws_waf_web_acl resource and submitted a pull request (#7480) which does the same for the aws_wafregional_web_acl resource.

> Any update on this enhancement, when can we expect to release this?

The aws_waf_web_acl resource pull request will be reviewed again when the community contributor has completed the feedback items or the maintainers will finish and release it in two weeks if there is no response. The aws_wafregional_web_acl resource pull request needs another maintainer review and can likely be released next week.

> Any chances including this feature in v0.12?

@anilkasu please note since Terraform 0.10, providers are no longer distributed as part of Terraform Core and have their own release cadence. Here are the Terraform AWS Provider CHANGELOG and the Terraform documentation on provider versioning for reference.

bflad added a commit that referenced this issue Feb 8, 2019
…guration argument

This also enhances the documentation organization and adds an example of group rule usage.

Reference: #5760

Output from acceptance testing:

```
--- PASS: TestAccAWSWafRegionalWebAcl_noRules (18.11s)
--- PASS: TestAccAWSWafRegionalWebAcl_createGroup (31.70s)
--- PASS: TestAccAWSWafRegionalWebAcl_basic (36.22s)
--- PASS: TestAccAWSWafRegionalWebAcl_createRateBased (41.71s)
--- PASS: TestAccAWSWafRegionalWebAcl_changeDefaultAction (49.67s)
--- PASS: TestAccAWSWafRegionalWebAcl_changeNameForceNew (51.45s)
--- PASS: TestAccAWSWafRegionalWebAcl_disappears (57.65s)
--- PASS: TestAccAWSWafRegionalWebAcl_changeRules (59.63s)
--- PASS: TestAccAWSWafRegionalWebAcl_LoggingConfiguration (86.47s)
```
@bflad bflad added this to the v1.59.0 milestone Feb 13, 2019
@bflad
Contributor

bflad commented Feb 13, 2019

Support for a new logging_configuration configuration block has been added to both the aws_waf_web_acl and aws_wafregional_web_acl resources which will release in version 1.59.0 of the Terraform AWS Provider, likely in the next day or two. 👍

@bflad
Contributor

bflad commented Feb 14, 2019

This has been released in version 1.59.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
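
For reference, an added example (not code from this issue or from the provider's repository) of the released `logging_configuration` block on `aws_waf_web_acl`, which differs from the syntax proposed in the issue and needs version 1.59.0 or later of the AWS provider. It assumes `aws_iam_role.firehose`, `aws_s3_bucket.waf_logs` and `aws_waf_rule.wafrule` are defined elsewhere; all resource names and the redacted fields chosen are illustrative.

```hcl
# AWS WAF only accepts Firehose streams whose name starts with "aws-waf-logs-".
# For a global (CloudFront) web ACL the stream must be created in us-east-1.
resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  name        = "aws-waf-logs-example" # illustrative; the prefix is required
  destination = "s3"

  s3_configuration {
    role_arn   = "${aws_iam_role.firehose.arn}"  # assumed to exist
    bucket_arn = "${aws_s3_bucket.waf_logs.arn}" # assumed to exist
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule.wafrule.id}"
    type     = "REGULAR"
  }

  logging_configuration {
    log_destination = "${aws_kinesis_firehose_delivery_stream.waf_logs.arn}"

    # Keep credentials and session tokens out of the log stream.
    redacted_fields {
      field_to_match {
        type = "HEADER"
        data = "authorization"
      }
      field_to_match {
        type = "HEADER"
        data = "cookie"
      }
      field_to_match {
        type = "QUERY_STRING"
      }
    }
  }
}
```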

@ghost

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020