From 2ca30feeb267fac315000bf06e7e7f466ba05860 Mon Sep 17 00:00:00 2001
From: Himanshu Ahirwar <83774016+h1manshu98@users.noreply.github.com>
Date: Sat, 18 Nov 2023 01:07:36 +0530
Subject: [PATCH] feat: cloudwatch logs log-group as logging destination (#71)

---
 main.tf      | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 variables.tf | 32 +++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 8f00e74..a77ed95 100644
--- a/main.tf
+++ b/main.tf
@@ -30,7 +30,7 @@ resource "aws_wafv2_ip_set" "main" {
 resource "aws_wafv2_web_acl" "main" {
   count       = var.enable && var.waf_enabled ? 1 : 0
   name        = module.labels.id
-  description = "WAFv2 ACL for"
+  description = var.description
   scope       = var.waf_scop
 
   default_action {
@@ -1728,3 +1728,54 @@ resource "aws_wafv2_web_acl_logging_configuration" "main" {
     }
   }
 }
+
+#####
+# WAFv2 web acl logging configuration with CloudWatch Logs log group
+#####
+resource "aws_cloudwatch_log_group" "cloudwatch_logs" {
+  count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+  name              = "aws-waf-logs-${module.labels.id}"
+  retention_in_days = var.cloudwatch_logs_retention_in_days
+  kms_key_id        = var.kms_key_arn
+  tags              = module.labels.tags
+}
+
+resource "aws_wafv2_web_acl_logging_configuration" "cloudwatch_logs" {
+  count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+  log_destination_configs = [join("", aws_cloudwatch_log_group.cloudwatch_logs[*].arn)]
+  resource_arn            = join("", aws_wafv2_web_acl.main[*].arn)
+}
+
+resource "aws_cloudwatch_log_resource_policy" "cloudwatch_logs" {
+  count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+  policy_document = var.cloudwatch_logs_policy_document != "" ? var.cloudwatch_logs_policy_document : join("", data.aws_iam_policy_document.cloudwatch_logs[*].json)
+  policy_name     = "${module.labels.id}-cloudwatch-logs-policy"
+}
+
+data "aws_iam_policy_document" "cloudwatch_logs" {
+  count = var.enable && var.waf_enabled && var.enable_cloudwatch_logs ? 1 : 0
+
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    principals {
+      identifiers = ["delivery.logs.amazonaws.com"]
+      type        = "Service"
+    }
+    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
+    resources = ["${join("", aws_cloudwatch_log_group.cloudwatch_logs[*].arn)}:*"]
+    condition {
+      test     = "ArnLike"
+      values   = ["arn:aws:logs:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:*"]
+      variable = "aws:SourceArn"
+    }
+    condition {
+      test     = "StringEquals"
+      values   = [tostring(data.aws_caller_identity.this.account_id)]
+      variable = "aws:SourceAccount"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
index 2fc3fba..c7995aa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -79,6 +79,13 @@ variable "firehose_buffer_interval" {
   default     = 900
   description = "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid value is between 60-900. Smaller value makes the logs delivered faster. Bigger value increase the chance to make the file size bigger, which are more efficient to query."
 }
+
+variable "description" {
+  type        = string
+  default     = "WAFv2 ACL"
+  description = "Description for web acl"
+}
+
 variable "waf_scop" {
   type    = string
   default = "REGIONAL"
@@ -168,3 +175,28 @@ variable "versioning_status" {
   default     = "Enabled"
   description = "Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device."
 }
+
+#logs : CloudWatch Logs log group
+variable "enable_cloudwatch_logs" {
+  type        = bool
+  default     = false
+  description = "Enable WAF logging destination as CloudWatch Logs log group"
+}
+
+variable "cloudwatch_logs_retention_in_days" {
+  type        = number
+  default     = 7
+  description = "Retention period of CloudWatch Logs log group"
+}
+
+variable "kms_key_arn" {
+  type        = string
+  default     = null
+  description = "(Optional) KMS key ARN to encrypt CloudWatch Logs log group"
+}
+
+variable "cloudwatch_logs_policy_document" {
+  type        = string
+  default     = ""
+  description = "(Optional) Custome IAM Policy for CloudWatch Logs log group"
+}