diff --git a/packages/waf/lib/waf.ts b/packages/waf/lib/waf.ts
index 68f58803..2597b738 100644
--- a/packages/waf/lib/waf.ts
+++ b/packages/waf/lib/waf.ts
@@ -1,4 +1,5 @@
-import { aws_wafv2 } from "aws-cdk-lib";
+import { aws_wafv2, RemovalPolicy } from "aws-cdk-lib";
+import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
 
 export const REGIONAL = "REGIONAL";
@@ -76,6 +77,21 @@ export interface WebApplicationFirewallProps {
    * Priority numbers must be equal to or bigger than 30
    */
   postProcessCustomRules?: aws_wafv2.CfnWebACL.RuleProperty[];
+
+  /**
+   * Enable CloudWatch logging. Default: true
+   */
+  enableLogging?: boolean;
+
+  /**
+   * Define CloudWatch log retention period. Default: 1 year
+   */
+  logRetentionDays?: RetentionDays;
+
+  /**
+   * Define CloudWatch log removal policy. Default: RETAIN
+   */
+  logRemovalPolicy?: RemovalPolicy;
 }
 
 export class WebApplicationFirewall extends Construct {
@@ -391,5 +407,22 @@ export class WebApplicationFirewall extends Construct {
       });
     });
   }
+
+    const enableLogging = props.enableLogging ?? true;
+    if (enableLogging) {
+      const wafLogGroup = new LogGroup(this, `WAF-Logs-${this.web_acl.name}`, {
+        retention: props.logRetentionDays
+          ? props.logRetentionDays
+          : RetentionDays.ONE_YEAR,
+        removalPolicy: props.logRemovalPolicy
+          ? props.logRemovalPolicy
+          : RemovalPolicy.RETAIN,
+        logGroupName: `aws-waf-logs-${this.web_acl.name}`,
+      });
+      new aws_wafv2.CfnLoggingConfiguration(this, "CloudWatchLogging", {
+        logDestinationConfigs: [`${wafLogGroup.logGroupArn}`],
+        resourceArn: this.web_acl.attrArn,
+      });
+    }
   }
 }
diff --git a/packages/waf/package.json b/packages/waf/package.json
index c1ffe710..917eea1f 100644
--- a/packages/waf/package.json
+++ b/packages/waf/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@aligent/cdk-waf",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "main": "index.js",
   "license": "GPL-3.0-only",
   "homepage": "https://github.com/aligent/aws-cdk-waf-stack#readme",
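Review bot: The TSDoc on the three new props does not say that `logRetentionDays` and `logRemovalPolicy` have no effect when `enableLogging` is false, nor that enabling logging creates a log group whose name is derived from the web ACL name, so a caller cannot tell from the interface what resources they are opting into. I would state the dependency explicitly, e.g. `* Define CloudWatch log retention period. Ignored when enableLogging is false. Default: RetentionDays.ONE_YEAR` and the matching `Default: RemovalPolicy.RETAIN` wording for the removal policy, so the documented default names the enum member the code actually uses rather than the prose "1 year"/"RETAIN". A one-line note on `enableLogging` that the log group is named `aws-waf-logs-<web ACL name>` would also let operators find the logs and plan retention/access controls up front.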
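Review bot: Both the construct id `WAF-Logs-${this.web_acl.name}` and `logGroupName` interpolate `this.web_acl.name`, which on a `CfnWebACL` is an optional property; unless the constructor always sets it (not visible in this hunk — the enclosing constructor starts before the hunk), an unnamed ACL would produce a log group literally named `aws-waf-logs-undefined`, and two such constructs in one stack would collide. I would guard it once, e.g. `const aclName = this.web_acl.name ?? this.node.id;`, and use `aclName` in both places. The two `? :` fallbacks and the template literal around the ARN can also be simplified to `retention: props.logRetentionDays ?? RetentionDays.ONE_YEAR,`, `removalPolicy: props.logRemovalPolicy ?? RemovalPolicy.RETAIN,` and `logDestinationConfigs: [wafLogGroup.logGroupArn],`. Since WAF logs carry full request headers by default, consider exposing `redactedFields` and/or `loggingFilter` on `CfnLoggingConfiguration` in a follow-up so operators can keep `authorization`/`cookie` values out of CloudWatch.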