1. Packages
  2. AWS Classic
  3. API Docs
  4. wafv2
  5. WebAclLoggingConfiguration

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

aws.wafv2.WebAclLoggingConfiguration

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

    This resource creates a WAFv2 Web ACL Logging Configuration.

    !> WARNING: When logging from a WAFv2 Web ACL to a CloudWatch Log Group, the WAFv2 service tries to create or update a generic Log Resource Policy named AWSWAF-LOGS. However, if there are a large number of Web ACLs or if the account frequently creates and deletes Web ACLs, this policy may exceed the maximum policy size. As a result, this resource type will fail to be created. More details about this issue can be found in this issue. To prevent this issue, you can manage a specific resource policy. Please refer to the example below for managing a CloudWatch Log Group with a managed CloudWatch Log Resource Policy.

    Example Usage

    With Redacted Fields

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.wafv2.WebAclLoggingConfiguration("example", {
        logDestinationConfigs: [exampleAwsKinesisFirehoseDeliveryStream.arn],
        resourceArn: exampleAwsWafv2WebAcl.arn,
        redactedFields: [{
            singleHeader: {
                name: "user-agent",
            },
        }],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.wafv2.WebAclLoggingConfiguration("example",
        log_destination_configs=[example_aws_kinesis_firehose_delivery_stream["arn"]],
        resource_arn=example_aws_wafv2_web_acl["arn"],
        redacted_fields=[aws.wafv2.WebAclLoggingConfigurationRedactedFieldArgs(
            single_header=aws.wafv2.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs(
                name="user-agent",
            ),
        )])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafv2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := wafv2.NewWebAclLoggingConfiguration(ctx, "example", &wafv2.WebAclLoggingConfigurationArgs{
    			LogDestinationConfigs: pulumi.StringArray{
    				exampleAwsKinesisFirehoseDeliveryStream.Arn,
    			},
    			ResourceArn: pulumi.Any(exampleAwsWafv2WebAcl.Arn),
    			RedactedFields: wafv2.WebAclLoggingConfigurationRedactedFieldArray{
    				&wafv2.WebAclLoggingConfigurationRedactedFieldArgs{
    					SingleHeader: &wafv2.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs{
    						Name: pulumi.String("user-agent"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.WafV2.WebAclLoggingConfiguration("example", new()
        {
            LogDestinationConfigs = new[]
            {
                exampleAwsKinesisFirehoseDeliveryStream.Arn,
            },
            ResourceArn = exampleAwsWafv2WebAcl.Arn,
            RedactedFields = new[]
            {
                new Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldArgs
                {
                    SingleHeader = new Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs
                    {
                        Name = "user-agent",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
    import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()        
                .logDestinationConfigs(exampleAwsKinesisFirehoseDeliveryStream.arn())
                .resourceArn(exampleAwsWafv2WebAcl.arn())
                .redactedFields(WebAclLoggingConfigurationRedactedFieldArgs.builder()
                    .singleHeader(WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs.builder()
                        .name("user-agent")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:wafv2:WebAclLoggingConfiguration
        properties:
          logDestinationConfigs:
            - ${exampleAwsKinesisFirehoseDeliveryStream.arn}
          resourceArn: ${exampleAwsWafv2WebAcl.arn}
          redactedFields:
            - singleHeader:
                name: user-agent
    

    With Logging Filter

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.wafv2.WebAclLoggingConfiguration("example", {
        logDestinationConfigs: [exampleAwsKinesisFirehoseDeliveryStream.arn],
        resourceArn: exampleAwsWafv2WebAcl.arn,
        loggingFilter: {
            defaultBehavior: "KEEP",
            filters: [
                {
                    behavior: "DROP",
                    conditions: [
                        {
                            actionCondition: {
                                action: "COUNT",
                            },
                        },
                        {
                            labelNameCondition: {
                                labelName: "awswaf:111122223333:rulegroup:testRules:LabelNameZ",
                            },
                        },
                    ],
                    requirement: "MEETS_ALL",
                },
                {
                    behavior: "KEEP",
                    conditions: [{
                        actionCondition: {
                            action: "ALLOW",
                        },
                    }],
                    requirement: "MEETS_ANY",
                },
            ],
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.wafv2.WebAclLoggingConfiguration("example",
        log_destination_configs=[example_aws_kinesis_firehose_delivery_stream["arn"]],
        resource_arn=example_aws_wafv2_web_acl["arn"],
        logging_filter=aws.wafv2.WebAclLoggingConfigurationLoggingFilterArgs(
            default_behavior="KEEP",
            filters=[
                aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterArgs(
                    behavior="DROP",
                    conditions=[
                        aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs(
                            action_condition=aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs(
                                action="COUNT",
                            ),
                        ),
                        aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs(
                            label_name_condition=aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs(
                                label_name="awswaf:111122223333:rulegroup:testRules:LabelNameZ",
                            ),
                        ),
                    ],
                    requirement="MEETS_ALL",
                ),
                aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterArgs(
                    behavior="KEEP",
                    conditions=[aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs(
                        action_condition=aws.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs(
                            action="ALLOW",
                        ),
                    )],
                    requirement="MEETS_ANY",
                ),
            ],
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafv2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := wafv2.NewWebAclLoggingConfiguration(ctx, "example", &wafv2.WebAclLoggingConfigurationArgs{
    			LogDestinationConfigs: pulumi.StringArray{
    				exampleAwsKinesisFirehoseDeliveryStream.Arn,
    			},
    			ResourceArn: pulumi.Any(exampleAwsWafv2WebAcl.Arn),
    			LoggingFilter: &wafv2.WebAclLoggingConfigurationLoggingFilterArgs{
    				DefaultBehavior: pulumi.String("KEEP"),
    				Filters: wafv2.WebAclLoggingConfigurationLoggingFilterFilterArray{
    					&wafv2.WebAclLoggingConfigurationLoggingFilterFilterArgs{
    						Behavior: pulumi.String("DROP"),
    						Conditions: wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArray{
    							&wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs{
    								ActionCondition: &wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs{
    									Action: pulumi.String("COUNT"),
    								},
    							},
    							&wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs{
    								LabelNameCondition: &wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs{
    									LabelName: pulumi.String("awswaf:111122223333:rulegroup:testRules:LabelNameZ"),
    								},
    							},
    						},
    						Requirement: pulumi.String("MEETS_ALL"),
    					},
    					&wafv2.WebAclLoggingConfigurationLoggingFilterFilterArgs{
    						Behavior: pulumi.String("KEEP"),
    						Conditions: wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArray{
    							&wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs{
    								ActionCondition: &wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs{
    									Action: pulumi.String("ALLOW"),
    								},
    							},
    						},
    						Requirement: pulumi.String("MEETS_ANY"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.WafV2.WebAclLoggingConfiguration("example", new()
        {
            LogDestinationConfigs = new[]
            {
                exampleAwsKinesisFirehoseDeliveryStream.Arn,
            },
            ResourceArn = exampleAwsWafv2WebAcl.Arn,
            LoggingFilter = new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterArgs
            {
                DefaultBehavior = "KEEP",
                Filters = new[]
                {
                    new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterArgs
                    {
                        Behavior = "DROP",
                        Conditions = new[]
                        {
                            new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs
                            {
                                ActionCondition = new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs
                                {
                                    Action = "COUNT",
                                },
                            },
                            new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs
                            {
                                LabelNameCondition = new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs
                                {
                                    LabelName = "awswaf:111122223333:rulegroup:testRules:LabelNameZ",
                                },
                            },
                        },
                        Requirement = "MEETS_ALL",
                    },
                    new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterArgs
                    {
                        Behavior = "KEEP",
                        Conditions = new[]
                        {
                            new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionArgs
                            {
                                ActionCondition = new Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs
                                {
                                    Action = "ALLOW",
                                },
                            },
                        },
                        Requirement = "MEETS_ANY",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.wafv2.WebAclLoggingConfiguration;
    import com.pulumi.aws.wafv2.WebAclLoggingConfigurationArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclLoggingConfigurationLoggingFilterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new WebAclLoggingConfiguration("example", WebAclLoggingConfigurationArgs.builder()        
                .logDestinationConfigs(exampleAwsKinesisFirehoseDeliveryStream.arn())
                .resourceArn(exampleAwsWafv2WebAcl.arn())
                .loggingFilter(WebAclLoggingConfigurationLoggingFilterArgs.builder()
                    .defaultBehavior("KEEP")
                    .filters(                
                        WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                            .behavior("DROP")
                            .conditions(                        
                                WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                    .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                        .action("COUNT")
                                        .build())
                                    .build(),
                                WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                    .labelNameCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs.builder()
                                        .labelName("awswaf:111122223333:rulegroup:testRules:LabelNameZ")
                                        .build())
                                    .build())
                            .requirement("MEETS_ALL")
                            .build(),
                        WebAclLoggingConfigurationLoggingFilterFilterArgs.builder()
                            .behavior("KEEP")
                            .conditions(WebAclLoggingConfigurationLoggingFilterFilterConditionArgs.builder()
                                .actionCondition(WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs.builder()
                                    .action("ALLOW")
                                    .build())
                                .build())
                            .requirement("MEETS_ANY")
                            .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:wafv2:WebAclLoggingConfiguration
        properties:
          logDestinationConfigs:
            - ${exampleAwsKinesisFirehoseDeliveryStream.arn}
          resourceArn: ${exampleAwsWafv2WebAcl.arn}
          loggingFilter:
            defaultBehavior: KEEP
            filters:
              - behavior: DROP
                conditions:
                  - actionCondition:
                      action: COUNT
                  - labelNameCondition:
                      labelName: awswaf:111122223333:rulegroup:testRules:LabelNameZ
                requirement: MEETS_ALL
              - behavior: KEEP
                conditions:
                  - actionCondition:
                      action: ALLOW
                requirement: MEETS_ANY
    

    Create WebAclLoggingConfiguration Resource

    new WebAclLoggingConfiguration(name: string, args: WebAclLoggingConfigurationArgs, opts?: CustomResourceOptions);
    @overload
    def WebAclLoggingConfiguration(resource_name: str,
                                   opts: Optional[ResourceOptions] = None,
                                   log_destination_configs: Optional[Sequence[str]] = None,
                                   logging_filter: Optional[WebAclLoggingConfigurationLoggingFilterArgs] = None,
                                   redacted_fields: Optional[Sequence[WebAclLoggingConfigurationRedactedFieldArgs]] = None,
                                   resource_arn: Optional[str] = None)
    @overload
    def WebAclLoggingConfiguration(resource_name: str,
                                   args: WebAclLoggingConfigurationArgs,
                                   opts: Optional[ResourceOptions] = None)
    func NewWebAclLoggingConfiguration(ctx *Context, name string, args WebAclLoggingConfigurationArgs, opts ...ResourceOption) (*WebAclLoggingConfiguration, error)
    public WebAclLoggingConfiguration(string name, WebAclLoggingConfigurationArgs args, CustomResourceOptions? opts = null)
    public WebAclLoggingConfiguration(String name, WebAclLoggingConfigurationArgs args)
    public WebAclLoggingConfiguration(String name, WebAclLoggingConfigurationArgs args, CustomResourceOptions options)
    
    type: aws:wafv2:WebAclLoggingConfiguration
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args WebAclLoggingConfigurationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args WebAclLoggingConfigurationArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args WebAclLoggingConfigurationArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args WebAclLoggingConfigurationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args WebAclLoggingConfigurationArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    WebAclLoggingConfiguration Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The WebAclLoggingConfiguration resource accepts the following input properties:

    LogDestinationConfigs List<string>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    ResourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    LoggingFilter Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    RedactedFields List<Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedField>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    LogDestinationConfigs []string
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    ResourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    LoggingFilter WebAclLoggingConfigurationLoggingFilterArgs
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    RedactedFields []WebAclLoggingConfigurationRedactedFieldArgs
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    logDestinationConfigs List<String>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    resourceArn String
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    loggingFilter WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields List<WebAclLoggingConfigurationRedactedField>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    logDestinationConfigs string[]
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    resourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    loggingFilter WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields WebAclLoggingConfigurationRedactedField[]
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    log_destination_configs Sequence[str]
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    resource_arn str
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    logging_filter WebAclLoggingConfigurationLoggingFilterArgs
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redacted_fields Sequence[WebAclLoggingConfigurationRedactedFieldArgs]
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    logDestinationConfigs List<String>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    resourceArn String
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    loggingFilter Property Map
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields List<Property Map>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the WebAclLoggingConfiguration resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing WebAclLoggingConfiguration Resource

    Get an existing WebAclLoggingConfiguration resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: WebAclLoggingConfigurationState, opts?: CustomResourceOptions): WebAclLoggingConfiguration
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            log_destination_configs: Optional[Sequence[str]] = None,
            logging_filter: Optional[WebAclLoggingConfigurationLoggingFilterArgs] = None,
            redacted_fields: Optional[Sequence[WebAclLoggingConfigurationRedactedFieldArgs]] = None,
            resource_arn: Optional[str] = None) -> WebAclLoggingConfiguration
    func GetWebAclLoggingConfiguration(ctx *Context, name string, id IDInput, state *WebAclLoggingConfigurationState, opts ...ResourceOption) (*WebAclLoggingConfiguration, error)
    public static WebAclLoggingConfiguration Get(string name, Input<string> id, WebAclLoggingConfigurationState? state, CustomResourceOptions? opts = null)
    public static WebAclLoggingConfiguration get(String name, Output<String> id, WebAclLoggingConfigurationState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    LogDestinationConfigs List<string>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    LoggingFilter Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    RedactedFields List<Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedField>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    ResourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    LogDestinationConfigs []string
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    LoggingFilter WebAclLoggingConfigurationLoggingFilterArgs
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    RedactedFields []WebAclLoggingConfigurationRedactedFieldArgs
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    ResourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    logDestinationConfigs List<String>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    loggingFilter WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields List<WebAclLoggingConfigurationRedactedField>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    resourceArn String
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    logDestinationConfigs string[]
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    loggingFilter WebAclLoggingConfigurationLoggingFilter
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields WebAclLoggingConfigurationRedactedField[]
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    resourceArn string
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    log_destination_configs Sequence[str]
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    logging_filter WebAclLoggingConfigurationLoggingFilterArgs
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redacted_fields Sequence[WebAclLoggingConfigurationRedactedFieldArgs]
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    resource_arn str
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.
    logDestinationConfigs List<String>
    Configuration block that allows you to associate Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) with the web ACL. Note: data firehose, log group, or bucket name must be prefixed with aws-waf-logs-, e.g. aws-waf-logs-example-firehose, aws-waf-logs-example-log-group, or aws-waf-logs-example-bucket.
    loggingFilter Property Map
    Configuration block that specifies which web requests are kept in the logs and which are dropped. It allows filtering based on the rule action and the web request labels applied by matching rules during web ACL evaluation. For more details, refer to the Logging Filter section below.
    redactedFields List<Property Map>
    Configuration for parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. See Redacted Fields below for more details.
    resourceArn String
    Amazon Resource Name (ARN) of the web ACL that you want to associate with log_destination_configs.

    Supporting Types

    WebAclLoggingConfigurationLoggingFilter, WebAclLoggingConfigurationLoggingFilterArgs

    DefaultBehavior string
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    Filters List<Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilter>
    Filter(s) that you want to apply to the logs. See Filter below for more details.
    DefaultBehavior string
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    Filters []WebAclLoggingConfigurationLoggingFilterFilter
    Filter(s) that you want to apply to the logs. See Filter below for more details.
    defaultBehavior String
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    filters List<WebAclLoggingConfigurationLoggingFilterFilter>
    Filter(s) that you want to apply to the logs. See Filter below for more details.
    defaultBehavior string
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    filters WebAclLoggingConfigurationLoggingFilterFilter[]
    Filter(s) that you want to apply to the logs. See Filter below for more details.
    default_behavior str
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    filters Sequence[WebAclLoggingConfigurationLoggingFilterFilter]
    Filter(s) that you want to apply to the logs. See Filter below for more details.
    defaultBehavior String
    Default handling for logs that don't match any of the specified filtering conditions. Valid values for default_behavior are KEEP or DROP.
    filters List<Property Map>
    Filter(s) that you want to apply to the logs. See Filter below for more details.

    WebAclLoggingConfigurationLoggingFilterFilter, WebAclLoggingConfigurationLoggingFilterFilterArgs

    Behavior string
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    Conditions List<Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterCondition>
    Match condition(s) for the filter. See Condition below for more details.
    Requirement string
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.
    Behavior string
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    Conditions []WebAclLoggingConfigurationLoggingFilterFilterCondition
    Match condition(s) for the filter. See Condition below for more details.
    Requirement string
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.
    behavior String
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    conditions List<WebAclLoggingConfigurationLoggingFilterFilterCondition>
    Match condition(s) for the filter. See Condition below for more details.
    requirement String
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.
    behavior string
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    conditions WebAclLoggingConfigurationLoggingFilterFilterCondition[]
    Match condition(s) for the filter. See Condition below for more details.
    requirement string
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.
    behavior str
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    conditions Sequence[WebAclLoggingConfigurationLoggingFilterFilterCondition]
    Match condition(s) for the filter. See Condition below for more details.
    requirement str
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.
    behavior String
    Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for behavior are KEEP or DROP.
    conditions List<Property Map>
    Match condition(s) for the filter. See Condition below for more details.
    requirement String
    Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for requirement are MEETS_ALL or MEETS_ANY.

    WebAclLoggingConfigurationLoggingFilterFilterCondition, WebAclLoggingConfigurationLoggingFilterFilterConditionArgs

    ActionCondition Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition
    Configuration for a single action condition. See Action Condition below for more details.
    LabelNameCondition Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition
    Condition for a single label name. See Label Name Condition below for more details.
    ActionCondition WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition
    Configuration for a single action condition. See Action Condition below for more details.
    LabelNameCondition WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition
    Condition for a single label name. See Label Name Condition below for more details.
    actionCondition WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition
    Configuration for a single action condition. See Action Condition below for more details.
    labelNameCondition WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition
    Condition for a single label name. See Label Name Condition below for more details.
    actionCondition WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition
    Configuration for a single action condition. See Action Condition below for more details.
    labelNameCondition WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition
    Condition for a single label name. See Label Name Condition below for more details.
    action_condition WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition
    Configuration for a single action condition. See Action Condition below for more details.
    label_name_condition WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition
    Condition for a single label name. See Label Name Condition below for more details.
    actionCondition Property Map
    Configuration for a single action condition. See Action Condition below for more details.
    labelNameCondition Property Map
    Condition for a single label name. See Label Name Condition below for more details.

    WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition, WebAclLoggingConfigurationLoggingFilterFilterConditionActionConditionArgs

    Action string
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.
    Action string
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.
    action String
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.
    action string
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.
    action str
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.
    action String
    Action setting that a log record must contain in order to meet the condition. Valid values for action are ALLOW, BLOCK, and COUNT.

    WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition, WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameConditionArgs

    LabelName string
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.
    LabelName string
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.
    labelName String
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.
    labelName string
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.
    label_name str
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.
    labelName String
    Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.

    WebAclLoggingConfigurationRedactedField, WebAclLoggingConfigurationRedactedFieldArgs

    Method Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldMethod
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    QueryString Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldQueryString
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    SingleHeader Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldSingleHeader
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    UriPath Pulumi.Aws.WafV2.Inputs.WebAclLoggingConfigurationRedactedFieldUriPath
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.
    Method WebAclLoggingConfigurationRedactedFieldMethod
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    QueryString WebAclLoggingConfigurationRedactedFieldQueryString
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    SingleHeader WebAclLoggingConfigurationRedactedFieldSingleHeader
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    UriPath WebAclLoggingConfigurationRedactedFieldUriPath
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.
    method WebAclLoggingConfigurationRedactedFieldMethod
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    queryString WebAclLoggingConfigurationRedactedFieldQueryString
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    singleHeader WebAclLoggingConfigurationRedactedFieldSingleHeader
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    uriPath WebAclLoggingConfigurationRedactedFieldUriPath
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.
    method WebAclLoggingConfigurationRedactedFieldMethod
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    queryString WebAclLoggingConfigurationRedactedFieldQueryString
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    singleHeader WebAclLoggingConfigurationRedactedFieldSingleHeader
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    uriPath WebAclLoggingConfigurationRedactedFieldUriPath
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.
    method WebAclLoggingConfigurationRedactedFieldMethod
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    query_string WebAclLoggingConfigurationRedactedFieldQueryString
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    single_header WebAclLoggingConfigurationRedactedFieldSingleHeader
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    uri_path WebAclLoggingConfigurationRedactedFieldUriPath
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.
    method Property Map
    HTTP method to be redacted. It must be specified as an empty configuration block {}. The method indicates the type of operation that the request is asking the origin to perform.
    queryString Property Map
    Whether to redact the query string. It must be specified as an empty configuration block {}. The query string is the part of a URL that appears after a ? character, if any.
    singleHeader Property Map
    "single_header" refers to the redaction of a single header. For more information, please see the details below under Single Header.
    uriPath Property Map
    Configuration block that redacts the request URI path. It should be specified as an empty configuration block {}. The URI path is the part of a web request that identifies a resource, such as /images/daily-ad.jpg.

    WebAclLoggingConfigurationRedactedFieldSingleHeader, WebAclLoggingConfigurationRedactedFieldSingleHeaderArgs

    Name string
    Name of the query header to redact. This setting must be provided in lowercase characters.
    Name string
    Name of the query header to redact. This setting must be provided in lowercase characters.
    name String
    Name of the query header to redact. This setting must be provided in lowercase characters.
    name string
    Name of the query header to redact. This setting must be provided in lowercase characters.
    name str
    Name of the query header to redact. This setting must be provided in lowercase characters.
    name String
    Name of the query header to redact. This setting must be provided in lowercase characters.

    Import

    Using pulumi import, import WAFv2 Web ACL Logging Configurations using the ARN of the WAFv2 Web ACL. For example:

    $ pulumi import aws:wafv2/webAclLoggingConfiguration:WebAclLoggingConfiguration example arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-logs/a1b2c3d4-5678-90ab-cdef
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi