logging_configurations
Creates, updates, deletes or gets a logging_configuration resource or lists logging_configurations in a region.
Overview
Name | logging_configurations |
Type | Resource |
Description | A WAFv2 Logging Configuration Resource Provider |
Id | aws.wafv2.logging_configurations |
Fields
Name | Datatype | Description |
---|---|---|
resource_arn | string | The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs. |
log_destination_configs | array | The Amazon Resource Names (ARNs) of the logging destinations that you want to associate with the web ACL. |
redacted_fields | array | The parts of the request that you want to keep out of the logs. For example, if you redact the HEADER field, the HEADER field in the firehose will be xxx. |
managed_by_firewall_manager | boolean | Indicates whether the logging configuration was created by AWS Firewall Manager, as part of an AWS WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration. |
logging_filter | object | Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | ResourceArn, LogDestinationConfigs, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all logging_configurations in a region.
```sql
SELECT
  region,
  resource_arn,
  log_destination_configs,
  redacted_fields,
  managed_by_firewall_manager,
  logging_filter
FROM aws.wafv2.logging_configurations
WHERE region = 'us-east-1';
```
Gets all properties from an individual logging_configuration.
```sql
SELECT
  region,
  resource_arn,
  log_destination_configs,
  redacted_fields,
  managed_by_firewall_manager,
  logging_filter
FROM aws.wafv2.logging_configurations
WHERE data__Identifier = '<ResourceArn>'
AND region = 'us-east-1';
```
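An added example (not part of the StackQL documentation): a Python check over rows shaped like the output of the SELECT above, flagging configurations that leave the Authorization or Cookie header unredacted or whose logging_filter may drop records for blocked requests. The sample rows, ARNs, header list and finding codes are constructed for illustration, and the filter check is a heuristic that assumes nested columns arrive as JSON text or parsed objects.

```python
import json

# Assumed list of credential-bearing headers; adjust per application.
SENSITIVE_HEADERS = {"authorization", "cookie"}

def load_json(value, default):
    """Nested columns may arrive as JSON text or already parsed (assumption)."""
    if value in (None, "", "null"):
        return default
    return json.loads(value) if isinstance(value, str) else value

def block_likely_kept(flt):
    """Heuristic: does the filter keep requests whose rule action is BLOCK?"""
    kept = flt.get("DefaultBehavior") == "KEEP"
    for f in flt.get("Filters", []):
        conds = f.get("Conditions", [])
        on_block = [c.get("ActionCondition", {}).get("Action") == "BLOCK" for c in conds]
        if f.get("Behavior") == "DROP" and any(on_block):
            return False  # a DROP filter names BLOCK explicitly
        if f.get("Behavior") == "KEEP" and conds and (
            all(on_block) or (f.get("Requirement") == "MEETS_ANY" and any(on_block))
        ):
            kept = True  # BLOCK alone is enough to match this KEEP filter
    return kept

def audit_row(row):
    """Return sorted finding codes for one logging_configurations row."""
    fields = load_json(row.get("redacted_fields"), [])
    redacted = {f["SingleHeader"]["Name"].lower() for f in fields if "SingleHeader" in f}
    findings = {f"UNREDACTED_HEADER:{h}" for h in SENSITIVE_HEADERS - redacted}
    flt = load_json(row.get("logging_filter"), None)
    if flt and not block_likely_kept(flt):
        findings.add("BLOCK_MAY_BE_DROPPED")
    return sorted(findings)

# Constructed sample rows (not real resources), using the page's column names.
SAMPLE_ROWS = [
    {"resource_arn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/app-a/EXAMPLE1",
     "redacted_fields": '[{"SingleHeader": {"Name": "Authorization"}}]',
     "logging_filter": '{"DefaultBehavior": "DROP", "Filters": [{"Behavior": "KEEP", '
                       '"Requirement": "MEETS_ANY", "Conditions": [{"ActionCondition": {"Action": "BLOCK"}}]}]}'},
    {"resource_arn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/app-b/EXAMPLE2",
     "redacted_fields": None,
     "logging_filter": {"DefaultBehavior": "DROP", "Filters": []}},
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r["resource_arn"], audit_row(r))
```

A row with no logging_filter keeps every request, so only the redaction check applies to it.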
INSERT example
Use the following StackQL query and manifest file to create a new logging_configuration resource, using stack-deploy.

Required Properties
```sql
/*+ create */
INSERT INTO aws.wafv2.logging_configurations (
  ResourceArn,
  LogDestinationConfigs,
  region
)
SELECT
  '{{ ResourceArn }}',
  '{{ LogDestinationConfigs }}',
  '{{ region }}';
```

All Properties
```sql
/*+ create */
INSERT INTO aws.wafv2.logging_configurations (
  ResourceArn,
  LogDestinationConfigs,
  RedactedFields,
  LoggingFilter,
  region
)
SELECT
  '{{ ResourceArn }}',
  '{{ LogDestinationConfigs }}',
  '{{ RedactedFields }}',
  '{{ LoggingFilter }}',
  '{{ region }}';
```

Manifest
```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: logging_configuration
    props:
      - name: ResourceArn
        value: '{{ ResourceArn }}'
      - name: LogDestinationConfigs
        value:
          - '{{ LogDestinationConfigs[0] }}'
      - name: RedactedFields
        value:
          - SingleHeader:
              Name: '{{ Name }}'
            SingleQueryArgument:
              Name: '{{ Name }}'
            AllQueryArguments: {}
            UriPath: {}
            QueryString: {}
            Body:
              OversizeHandling: '{{ OversizeHandling }}'
            Method: {}
            JsonBody:
              MatchPattern:
                All: {}
                IncludedPaths:
                  - '{{ IncludedPaths[0] }}'
              MatchScope: '{{ MatchScope }}'
              InvalidFallbackBehavior: '{{ InvalidFallbackBehavior }}'
              OversizeHandling: null
            Headers:
              MatchPattern:
                All: {}
                IncludedHeaders:
                  - '{{ IncludedHeaders[0] }}'
                ExcludedHeaders:
                  - '{{ ExcludedHeaders[0] }}'
              MatchScope: '{{ MatchScope }}'
              OversizeHandling: null
            Cookies:
              MatchPattern:
                All: {}
                IncludedCookies:
                  - '{{ IncludedCookies[0] }}'
                ExcludedCookies:
                  - '{{ ExcludedCookies[0] }}'
              MatchScope: null
              OversizeHandling: null
            JA3Fingerprint:
              FallbackBehavior: '{{ FallbackBehavior }}'
      - name: LoggingFilter
        value:
          DefaultBehavior: '{{ DefaultBehavior }}'
          Filters:
            - Behavior: '{{ Behavior }}'
              Conditions:
                - ActionCondition:
                    Action: '{{ Action }}'
                  LabelNameCondition:
                    LabelName: '{{ LabelName }}'
              Requirement: '{{ Requirement }}'
```
DELETE example
```sql
/*+ delete */
DELETE FROM aws.wafv2.logging_configurations
WHERE data__Identifier = '<ResourceArn>'
AND region = 'us-east-1';
```
Permissions
To operate on the logging_configurations resource, the following permissions are required:
Create
wafv2:PutLoggingConfiguration,
wafv2:GetLoggingConfiguration,
firehose:ListDeliveryStreams,
iam:CreateServiceLinkedRole,
iam:DescribeOrganization,
logs:CreateLogDelivery,
s3:PutBucketPolicy,
s3:GetBucketPolicy,
logs:PutResourcePolicy,
logs:DescribeResourcePolicies,
logs:DescribeLogGroups
Read
wafv2:GetLoggingConfiguration
Update
wafv2:PutLoggingConfiguration,
wafv2:GetLoggingConfiguration,
firehose:ListDeliveryStreams,
iam:CreateServiceLinkedRole,
iam:DescribeOrganization,
logs:CreateLogDelivery,
s3:PutBucketPolicy,
s3:GetBucketPolicy,
logs:PutResourcePolicy,
logs:DescribeResourcePolicies,
logs:DescribeLogGroups
Delete
wafv2:DeleteLoggingConfiguration,
wafv2:GetLoggingConfiguration,
logs:DeleteLogDelivery
List
wafv2:ListLoggingConfigurations