From 288d9686aad1e58e349eb01c2a5a7d626745d9aa Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 10 Sep 2024 09:17:39 +0930
Subject: [PATCH] introduce logging to WAF, bumping up to 2.2.0
---
 packages/waf/lib/waf.ts | 34 +++++++++++++++++++++++++++++++++-
 packages/waf/package.json | 2 +-
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/packages/waf/lib/waf.ts b/packages/waf/lib/waf.ts
index 68f58803..1aa351c6 100644
--- a/packages/waf/lib/waf.ts
+++ b/packages/waf/lib/waf.ts
@@ -1,4 +1,5 @@
-import { aws_wafv2 } from "aws-cdk-lib";
+import { aws_wafv2, RemovalPolicy } from "aws-cdk-lib";
+import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";

 export const REGIONAL = "REGIONAL";
@@ -76,6 +77,21 @@ export interface WebApplicationFirewallProps {
 * Priority numbers must be equal to or bigger than 30
 */
 postProcessCustomRules?: aws_wafv2.CfnWebACL.RuleProperty[];
+
+ /**
+ * Enable CloudWatch logging. Default: false
+ */
+ enableLogging?: boolean;
+
+ /**
+ * Define CloudWatch log retention period. Default: 1 year
+ */
+ logRetentionDays?: RetentionDays;
+
+ /**
+ * Define CloudWatch log removal policy. Default: RETAIN
+ */
+ logRemovalPolicy?: RemovalPolicy;
 }

 export class WebApplicationFirewall extends Construct {
@@ -391,5 +407,21 @@ export class WebApplicationFirewall extends Construct {
 });
 });
 }
+
+ if (props.enableLogging) {
+ const wafLogGroup = new LogGroup(this, `WAF-Logs-${this.web_acl.name}`, {
+ retention: props.logRetentionDays
+ ? props.logRetentionDays
+ : RetentionDays.ONE_YEAR,
+ removalPolicy: props.logRemovalPolicy
+ ? props.logRemovalPolicy
+ : RemovalPolicy.RETAIN,
+ logGroupName: `aws-waf-logs-${this.web_acl.name}`,
+ });
+ new aws_wafv2.CfnLoggingConfiguration(this, "CloudWatchLogging", {
+ logDestinationConfigs: [`${wafLogGroup.logGroupArn}`],
+ resourceArn: this.web_acl.attrArn,
+ });
+ }
 }
 }
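Review bot: The doc comment on `enableLogging` does not tell a consumer what is logged or where it goes, and the props added in this hunk offer no way to keep sensitive request fields out of the log. WAF logs record request metadata including headers, so cookie and `Authorization` values would sit in CloudWatch for the retention period, which defaults to one year. I would extend the comment to something like `Enable CloudWatch logging of inspected requests to the log group aws-waf-logs-<web ACL name>; logs include request headers. Default: false`, and note on `logRetentionDays` and `logRemovalPolicy` that they only take effect when `enableLogging` is true. Consider also exposing an optional prop that is passed through to `redactedFields` on `CfnLoggingConfiguration`. The interface begins before this hunk, so existing props may already set a documentation pattern to follow.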
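Review bot: Both the construct id `WAF-Logs-${this.web_acl.name}` and `logGroupName` interpolate `this.web_acl.name`, which is an optional property on `CfnWebACL`; if the ACL is created without an explicit name (its construction is outside this hunk), the log group becomes `aws-waf-logs-undefined` and a second such ACL in the same account and region would collide with it. A guard such as `if (!this.web_acl.name) throw new Error("enableLogging requires a named web ACL");` before creating the log group would make that failure explicit. Separately, `wafLogGroup.logGroupArn` resolves to an ARN ending in `:*`, which the WAF logging API may not accept as a destination, so this is worth confirming with a test deployment. As a style point, the two ternaries read more simply as `props.logRetentionDays ?? RetentionDays.ONE_YEAR` and `props.logRemovalPolicy ?? RemovalPolicy.RETAIN`, and the template literal around `wafLogGroup.logGroupArn` is redundant.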
diff --git a/packages/waf/package.json b/packages/waf/package.json
index c1ffe710..917eea1f 100644
--- a/packages/waf/package.json
+++ b/packages/waf/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@aligent/cdk-waf",
- "version": "2.1.0",
+ "version": "2.2.0",
 "main": "index.js",
 "license": "GPL-3.0-only",
 "homepage": "https://github.com/aligent/aws-cdk-waf-stack#readme",