logging_configurations
Creates, updates, deletes or gets a logging_configuration resource or lists logging_configurations in a region
Overview
| Name | logging_configurations |
|---|---|
| Type | Resource |
| Description | A WAFv2 Logging Configuration Resource Provider |
| Id | awscc.wafv2.logging_configurations |
Fields
get (all properties)

| Name | Datatype | Description |
|---|---|---|
| resource_arn | string | The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs. |
| log_destination_configs | array | The Amazon Resource Names (ARNs) of the logging destinations that you want to associate with the web ACL. |
| redacted_fields | array | The parts of the request that you want to keep out of the logs. For example, if you redact the HEADER field, the HEADER field in the firehose will be xxx. |
| managed_by_firewall_manager | boolean | Indicates whether the logging configuration was created by AWS Firewall Manager, as part of an AWS WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration. |
| logging_filter | object | Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. |
| region | string | AWS region. |

list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| resource_arn | string | The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs. |
| region | string | AWS region. |

For more information, see AWS::WAFv2::LoggingConfiguration.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | logging_configurations | INSERT | ResourceArn, LogDestinationConfigs, region |
| delete_resource | logging_configurations | DELETE | Identifier, region |
| update_resource | logging_configurations | UPDATE | Identifier, PatchDocument, region |
| list_resources | logging_configurations_list_only | SELECT | region |
| get_resource | logging_configurations | SELECT | Identifier, region |
SELECT examples
Gets all properties from an individual logging_configuration.

```sql
SELECT
  region,
  resource_arn,
  log_destination_configs,
  redacted_fields,
  managed_by_firewall_manager,
  logging_filter
FROM awscc.wafv2.logging_configurations
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ resource_arn }}';
```

Lists all logging_configurations in a region.

```sql
SELECT
  region,
  resource_arn
FROM awscc.wafv2.logging_configurations_list_only
WHERE
  region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new logging_configuration resource, using stack-deploy.
Required Properties

```sql
/*+ create */
INSERT INTO awscc.wafv2.logging_configurations (
  ResourceArn,
  LogDestinationConfigs,
  region
)
SELECT
  '{{ resource_arn }}',
  '{{ log_destination_configs }}',
  '{{ region }}';
```

All Properties

```sql
/*+ create */
INSERT INTO awscc.wafv2.logging_configurations (
  ResourceArn,
  LogDestinationConfigs,
  RedactedFields,
  LoggingFilter,
  region
)
SELECT
  '{{ resource_arn }}',
  '{{ log_destination_configs }}',
  '{{ redacted_fields }}',
  '{{ logging_filter }}',
  '{{ region }}';
```

Manifest

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: logging_configuration
    props:
      - name: resource_arn
        value: '{{ resource_arn }}'
      - name: log_destination_configs
        value:
          - '{{ log_destination_configs[0] }}'
      - name: redacted_fields
        value:
          - single_header:
              name: '{{ name }}'
            single_query_argument:
              name: '{{ name }}'
            all_query_arguments: {}
            uri_path: {}
            query_string: {}
            body:
              oversize_handling: '{{ oversize_handling }}'
            method: {}
            json_body:
              match_pattern:
                all: {}
                included_paths:
                  - '{{ included_paths[0] }}'
              match_scope: '{{ match_scope }}'
              invalid_fallback_behavior: '{{ invalid_fallback_behavior }}'
              oversize_handling: null
            headers:
              match_pattern:
                all: {}
                included_headers:
                  - '{{ included_headers[0] }}'
                excluded_headers:
                  - '{{ excluded_headers[0] }}'
              match_scope: '{{ match_scope }}'
              oversize_handling: null
            cookies:
              match_pattern:
                all: {}
                included_cookies:
                  - '{{ included_cookies[0] }}'
                excluded_cookies:
                  - '{{ excluded_cookies[0] }}'
              match_scope: null
              oversize_handling: null
            j_a3_fingerprint:
              fallback_behavior: '{{ fallback_behavior }}'
            j_a4_fingerprint:
              fallback_behavior: '{{ fallback_behavior }}'
            uri_fragment:
              fallback_behavior: '{{ fallback_behavior }}'
      - name: logging_filter
        value:
          default_behavior: '{{ default_behavior }}'
          filters:
            - behavior: '{{ behavior }}'
              conditions:
                - action_condition:
                    action: '{{ action }}'
                  label_name_condition:
                    label_name: '{{ label_name }}'
              requirement: '{{ requirement }}'
```
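A filled-in manifest for this resource, added here as an illustration (it is not part of the provider documentation): it redacts credential-bearing request parts and keeps only blocked and counted requests in the logs. The stack name, ARNs, account ID and destination name are constructed placeholders; AWS WAF requires logging destination names to begin with `aws-waf-logs-`, and a logging configuration accepts only `single_header`, `query_string`, `uri_path` and `method` as redacted fields.

```yaml
# Added example with constructed values; replace the placeholder ARNs with your own.
version: 1
name: waf-logging-example
description: WAFv2 logging with redaction and filtering
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: logging_configuration
    props:
      - name: resource_arn
        # Placeholder web ACL ARN (constructed)
        value: 'arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID'
      - name: log_destination_configs
        value:
          # Destination name must start with "aws-waf-logs-"
          - 'arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-waf-logs-example'
      - name: redacted_fields
        value:
          # Keep bearer tokens and session cookies out of the log stream
          - single_header:
              name: authorization
          - single_header:
              name: cookie
          # Query strings often carry tokens or personal data
          - query_string: {}
      - name: logging_filter
        value:
          # Anything not matched by a filter below is dropped,
          # so allowed requests are not logged with this setting
          default_behavior: DROP
          filters:
            - behavior: KEEP
              # MEETS_ANY: one matching condition is enough
              requirement: MEETS_ANY
              conditions:
                - action_condition:
                    action: BLOCK
                - action_condition:
                    action: COUNT
```

Dropping allowed requests reduces log volume but also removes them from later investigation; set `default_behavior` to `KEEP` if incident response needs the full request history.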
UPDATE example
Use the following StackQL query and manifest file to update a logging_configuration resource, using stack-deploy.
```sql
/*+ update */
UPDATE awscc.wafv2.logging_configurations
SET PatchDocument = string('{{ {
  "LogDestinationConfigs": log_destination_configs,
  "RedactedFields": redacted_fields,
  "LoggingFilter": logging_filter
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ resource_arn }}';
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.wafv2.logging_configurations
WHERE
  Identifier = '{{ resource_arn }}' AND
  region = 'us-east-1';
```
Permissions
To operate on the logging_configurations resource, the following permissions are required:
- Create: wafv2:PutLoggingConfiguration, wafv2:GetLoggingConfiguration, firehose:ListDeliveryStreams, iam:CreateServiceLinkedRole, iam:DescribeOrganization, logs:CreateLogDelivery, s3:PutBucketPolicy, s3:GetBucketPolicy, logs:PutResourcePolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups
- Read: wafv2:GetLoggingConfiguration
- Update: wafv2:PutLoggingConfiguration, wafv2:GetLoggingConfiguration, firehose:ListDeliveryStreams, iam:CreateServiceLinkedRole, iam:DescribeOrganization, logs:CreateLogDelivery, s3:PutBucketPolicy, s3:GetBucketPolicy, logs:PutResourcePolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups
- Delete: wafv2:DeleteLoggingConfiguration, wafv2:GetLoggingConfiguration, logs:DeleteLogDelivery
- List: wafv2:ListLoggingConfigurations