From 288d9686aad1e58e349eb01c2a5a7d626745d9aa Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 10 Sep 2024 09:17:39 +0930
Subject: [PATCH 1/2] introduce logging to WAF, bumping up to 2.2.0
---
 packages/waf/lib/waf.ts | 34 +++++++++++++++++++++++++++++++++-
 packages/waf/package.json | 2 +-
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/packages/waf/lib/waf.ts b/packages/waf/lib/waf.ts
index 68f58803..1aa351c6 100644
--- a/packages/waf/lib/waf.ts
+++ b/packages/waf/lib/waf.ts
@@ -1,4 +1,5 @@
-import { aws_wafv2 } from "aws-cdk-lib";
+import { aws_wafv2, RemovalPolicy } from "aws-cdk-lib";
+import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
 export const REGIONAL = "REGIONAL";
@@ -76,6 +77,21 @@ export interface WebApplicationFirewallProps {
 * Priority numbers must be equal to or bigger than 30
 */
 postProcessCustomRules?: aws_wafv2.CfnWebACL.RuleProperty[];
+
+ /**
+ * Enable CloudWatch logging. Default: false
+ */
+ enableLogging?: boolean;
+
+ /**
+ * Define CloudWatch log retention period. Default: 1 year
+ */
+ logRetentionDays?: RetentionDays;
+
+ /**
+ * Define CloudWatch log removal policy. Default: RETAIN
+ */
+ logRemovalPolicy?: RemovalPolicy;
 }
 export class WebApplicationFirewall extends Construct {
@@ -391,5 +407,21 @@ export class WebApplicationFirewall extends Construct {
 });
 });
 }
+
+ if (props.enableLogging) {
+ const wafLogGroup = new LogGroup(this, `WAF-Logs-${this.web_acl.name}`, {
+ retention: props.logRetentionDays
+ ? props.logRetentionDays
+ : RetentionDays.ONE_YEAR,
+ removalPolicy: props.logRemovalPolicy
+ ? props.logRemovalPolicy
+ : RemovalPolicy.RETAIN,
+ logGroupName: `aws-waf-logs-${this.web_acl.name}`,
+ });
+ new aws_wafv2.CfnLoggingConfiguration(this, "CloudWatchLogging", {
+ logDestinationConfigs: [`${wafLogGroup.logGroupArn}`],
+ resourceArn: this.web_acl.attrArn,
+ });
+ }
 }
 }
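Review bot: The `CfnLoggingConfiguration` added in the last hunk sets no `redactedFields`, so every request header WAF records — `Authorization`, `Cookie`, session and API-key headers included — lands in CloudWatch in clear text, and anyone with read access to that log group (usually a much wider group than the WAF administrators) gets reusable credential material. Redact the sensitive headers by default and let callers extend the list through a new prop, e.g. `logRedactedFields?: aws_wafv2.CfnLoggingConfiguration.FieldToMatchProperty[]`, checking the exact `singleHeader` payload shape against the CDK version in use. Two smaller points in the same lines: `name` is optional on `CfnWebACL`, so an ACL built without one yields a construct id and log group name ending in `-undefined`, and `LogGroup.logGroupArn` carries a trailing `:*` that the WAF logging API has at times rejected as an invalid destination ARN — confirm against a real deployment and strip it with `Fn.split` if needed. The constructor this block belongs to starts before the hunk.
```typescript
  /**
   * Request fields WAF must redact before logging. Default: the
   * `authorization` and `cookie` headers.
   */
  logRedactedFields?: aws_wafv2.CfnLoggingConfiguration.FieldToMatchProperty[];
  // … unchanged: rest of the props interface and class body up to the logging block …
      new aws_wafv2.CfnLoggingConfiguration(this, "CloudWatchLogging", {
        logDestinationConfigs: [`${wafLogGroup.logGroupArn}`],
        resourceArn: this.web_acl.attrArn,
        // Keep credential-bearing headers out of the log stream by default.
        redactedFields: props.logRedactedFields ?? [
          { singleHeader: { Name: "authorization" } },
          { singleHeader: { Name: "cookie" } },
        ],
      });
```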
diff --git a/packages/waf/package.json b/packages/waf/package.json
index c1ffe710..917eea1f 100644
--- a/packages/waf/package.json
+++ b/packages/waf/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@aligent/cdk-waf",
- "version": "2.1.0",
+ "version": "2.2.0",
 "main": "index.js",
 "license": "GPL-3.0-only",
 "homepage": "https://github.com/aligent/aws-cdk-waf-stack#readme",
From e514d12e9d983e9cda3769750e8d6205228e3932 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 10 Sep 2024 09:39:17 +0930
Subject: [PATCH 2/2] DO-1705: WAF - make logging enabled by default
---
 packages/waf/lib/waf.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/waf/lib/waf.ts b/packages/waf/lib/waf.ts
index 1aa351c6..2597b738 100644
--- a/packages/waf/lib/waf.ts
+++ b/packages/waf/lib/waf.ts
@@ -79,7 +79,7 @@ export interface WebApplicationFirewallProps {
 postProcessCustomRules?: aws_wafv2.CfnWebACL.RuleProperty[];
 /**
- * Enable CloudWatch logging. Default: false
+ * Enable CloudWatch logging. Default: true
 */
 enableLogging?: boolean;
@@ -408,7 +408,8 @@ export class WebApplicationFirewall extends Construct {
 });
 }
- if (props.enableLogging) {
+ const enableLogging = props.enableLogging ?? true;
+ if (enableLogging) {
 const wafLogGroup = new LogGroup(this, `WAF-Logs-${this.web_acl.name}`, {
 retention: props.logRetentionDays
 ? props.logRetentionDays
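Review bot: Defaulting logging on in the last hunk (`props.enableLogging ?? true`) interacts badly with the fixed `logGroupName` of `aws-waf-logs-<acl name>` and the `RemovalPolicy.RETAIN` default set in the same block: deleting a stack leaves the log group behind, and a later deployment of the same stack (or any stack in that account/region reusing the web ACL name) will typically fail at create time because CloudFormation cannot create a log group that already exists. Every consumer that never set `enableLogging` also starts provisioning a log group and paying for a year of retention on upgrade, which is more than a minor-version bump (2.2.0) usually signals. At minimum say so on the prop, e.g. `Enable CloudWatch logging. Default: true. Creates a log group named aws-waf-logs-<web ACL name>; with the default RETAIN policy it survives stack deletion and must be removed before the stack can be recreated.`, and consider letting CloudFormation generate the name unless the caller supplies one. The constructor around this block starts and ends outside the hunk.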