From 2ca30feeb267fac315000bf06e7e7f466ba05860 Mon Sep 17 00:00:00 2001
From: Himanshu Ahirwar <83774016+h1manshu98@users.noreply.github.com>
Date: Sat, 18 Nov 2023 01:07:36 +0530
Subject: [PATCH] feat: cloudwatch logs log-group as logging destination (#71)
---
 main.tf | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 variables.tf | 32 +++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 8f00e74..a77ed95 100644
--- a/main.tf
+++ b/main.tf
@@ -30,7 +30,7 @@ resource "aws_wafv2_ip_set" "main" {
 resource "aws_wafv2_web_acl" "main" {
 count = var.enable && var.waf_enabled ? 1 : 0
 name = module.labels.id
- description = "WAFv2 ACL for"
+ description = var.description
 scope = var.waf_scop
 default_action {
@@ -1728,3 +1728,54 @@ resource "aws_wafv2_web_acl_logging_configuration" "main" {
 }
 }
 }
+
+#####
+# WAFv2 web acl logging configuration with CloudWatch Logs log group
+#####
+resource "aws_cloudwatch_log_group" "cloudwatch_logs" {
+ count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+ name = "aws-waf-logs-${module.labels.id}"
+ retention_in_days = var.cloudwatch_logs_retention_in_days
+ kms_key_id = var.kms_key_arn
+ tags = module.labels.tags
+}
+
+resource "aws_wafv2_web_acl_logging_configuration" "cloudwatch_logs" {
+ count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+ log_destination_configs = [join("", aws_cloudwatch_log_group.cloudwatch_logs[*].arn)]
+ resource_arn = join("", aws_wafv2_web_acl.main[*].arn)
+}
+
+resource "aws_cloudwatch_log_resource_policy" "cloudwatch_logs" {
+ count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+ policy_document = var.cloudwatch_logs_policy_document != "" ? var.cloudwatch_logs_policy_document : join("", data.aws_iam_policy_document.cloudwatch_logs[*].json)
+ policy_name = "${module.labels.id}-cloudwatch-logs-policy"
+}
+
+data "aws_iam_policy_document" "cloudwatch_logs" {
+ count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ principals {
+ identifiers = ["delivery.logs.amazonaws.com"]
+ type = "Service"
+ }
+ actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+ resources = ["${join("", aws_cloudwatch_log_group.cloudwatch_logs[*].arn)}:*"]
+ condition {
+ test = "ArnLike"
+ values = ["arn:aws:logs:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:*"]
+ variable = "aws:SourceArn"
+ }
+ condition {
+ test = "StringEquals"
+ values = [tostring(data.aws_caller_identity.this.account_id)]
+ variable = "aws:SourceAccount"
+ }
+ }
+}
diff --git a/variables.tf b/variables.tf
index 2fc3fba..c7995aa 100644
--- a/variables.tf
+++ b/variables.tf
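Review bot: The `aws:SourceArn` condition in `data.aws_iam_policy_document.cloudwatch_logs` hard-codes the `arn:aws:` partition while every other ARN in the hunk is computed, so the resource policy is wrong in the GovCloud and China partitions; `values = ["arn:${data.aws_partition.this.partition}:logs:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:*"]` together with a `data "aws_partition" "this" {}` declaration (not visible in this hunk) fixes it. Nothing orders `aws_wafv2_web_acl_logging_configuration.cloudwatch_logs` after `aws_cloudwatch_log_resource_policy.cloudwatch_logs`, because the configuration only references the log group ARN; if WAF checks delivery permissions when the configuration is put, the first apply may fail or deliver nothing until the policy lands, so `depends_on = [aws_cloudwatch_log_resource_policy.cloudwatch_logs]` on the logging configuration is cheap insurance. When `var.kms_key_arn` is set, the key policy must grant the CloudWatch Logs service principal use of the key or creation of the log group fails, which deserves a comment on the `kms_key_id` line such as `# key policy must allow the CloudWatch Logs service principal to use this key`. `data.aws_region.this` and `data.aws_caller_identity.this` are referenced but not declared in the hunk; presumably they are defined elsewhere in main.tf.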
@@ -79,6 +79,13 @@ variable "firehose_buffer_interval" {
 default = 900
 description = "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid value is between 60-900. Smaller value makes the logs delivered faster. Bigger value increase the chance to make the file size bigger, which are more efficient to query."
 }
+
+variable "description" {
+ type = string
+ default = "WAFv2 ACL"
+ description = "Description for web acl"
+ }
+
 variable "waf_scop" {
 type = string
 default = "REGIONAL"
@@ -168,3 +175,28 @@ variable "versioning_status" {
 default = "Enabled"
 description = "Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device."
 }
+
+#logs : CloudWatch Logs log group
+ variable "enable_cloudwatch_logs" {
+ type = bool
+ default = false
+ description = "Enable WAF logging destination as CloudWatch Logs log group"
+ }
+
+ variable "cloudwatch_logs_retention_in_days" {
+ type = number
+ default = 7
+ description = "Retention period of CloudWatch Logs log group"
+ }
+
+ variable "kms_key_arn" {
+ type = string
+ default = null
+ description = "(Optional) KMS key ARN to encrypt CloudWatch Logs log group"
+ }
+
+ variable "cloudwatch_logs_policy_document" {
+ type = string
+ default = ""
+ description = "(Optional) Custome IAM Policy for CloudWatch Logs log group"
+ }
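Review bot: In the second hunk of variables.tf, `cloudwatch_logs_retention_in_days` accepts any number, but CloudWatch Logs only accepts a fixed set of retention periods, so a value such as 10 is rejected only at apply time; a `validation` block on the variable turns that into a plan-time error, and the description should say that 0 means the logs never expire and that the 7-day default is short for logs meant to support incident investigation. The description of `cloudwatch_logs_policy_document` has a typo, `Custome` for `Custom`, and should state that a supplied document replaces the generated one verbatim, so the caller is responsible for scoping it to this log group. The `kms_key_arn` description would also benefit from noting that the key policy must allow the CloudWatch Logs service principal to use the key.
```terraform
 variable "cloudwatch_logs_retention_in_days" {
 # … unchanged: type, default, description …
 validation {
 condition = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.cloudwatch_logs_retention_in_days)
 error_message = "cloudwatch_logs_retention_in_days must be one of the retention periods accepted by CloudWatch Logs (0 = never expire)."
 }
 }
```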