From 24492c5e365cac1d9d2e0f0304a964cd4d6785ba Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Thu, 24 Jul 2025 11:29:22 +0100
Subject: [PATCH] CCM-11361 Extending logging configuration for WAF

---
 .../cdn/cloudwatch_log_group_waf.tf | 7 ++++
 .../cdn/cloudwatch_log_resource_policy_waf.tf | 42 +++++++++++++++++++
 .../wafv2_web_acl_logging_configuration.tf | 12 ++++++
 3 files changed, 61 insertions(+)
 create mode 100644 infrastructure/terraform/components/cdn/cloudwatch_log_group_waf.tf
 create mode 100644 infrastructure/terraform/components/cdn/cloudwatch_log_resource_policy_waf.tf
 create mode 100644 infrastructure/terraform/components/cdn/wafv2_web_acl_logging_configuration.tf

diff --git a/infrastructure/terraform/components/cdn/cloudwatch_log_group_waf.tf b/infrastructure/terraform/components/cdn/cloudwatch_log_group_waf.tf
new file mode 100644
index 0000000..950987a
--- /dev/null
+++ b/infrastructure/terraform/components/cdn/cloudwatch_log_group_waf.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_group" "waf" {
+ provider = aws.us-east-1
+
+ name = "aws-waf-logs-${local.csi}" # Mandatory prefix
+ kms_key_id = module.kms.key_arn
+ retention_in_days = var.log_retention_in_days
+}
diff --git a/infrastructure/terraform/components/cdn/cloudwatch_log_resource_policy_waf.tf b/infrastructure/terraform/components/cdn/cloudwatch_log_resource_policy_waf.tf
new file mode 100644
index 0000000..559717f
--- /dev/null
+++ b/infrastructure/terraform/components/cdn/cloudwatch_log_resource_policy_waf.tf
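Review bot: `kms_key_id = module.kms.key_arn` ties a us-east-1 log group to a key whose region and key policy are not visible in this hunk; KMS keys are regional, so if `module.kms` builds its key under the default (`var.region`) provider rather than `aws.us-east-1`, creating this log group will fail, and even a same-region key needs a key-policy statement granting `logs.us-east-1.amazonaws.com` encrypt/decrypt (ideally conditioned on `kms:EncryptionContext:aws:logs:arn` for this account and region) or log delivery is rejected. A comment on that line would save the next reader a round trip: `# key must be in us-east-1 and its policy must allow the CloudWatch Logs service principal`. WAF logs carry client IPs and most request headers, so `var.log_retention_in_days` should be confirmed against the retention requirement for request-level data rather than inherited as the CDN component's general default.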
@@ -0,0 +1,42 @@
+
+resource "aws_cloudwatch_log_resource_policy" "waf" {
+ provider = aws.us-east-1
+
+ policy_document = data.aws_iam_policy_document.waf.json
+ policy_name = "webacl-policy-${local.csi}"
+}
+
+data "aws_iam_policy_document" "waf" {
+ version = "2012-10-17"
+
+ statement {
+ effect = "Allow"
+
+ principals {
+ identifiers = ["delivery.logs.amazonaws.com"]
+ type = "Service"
+ }
+
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = ["${aws_cloudwatch_log_group.waf.arn}:*"]
+
+ condition {
+ test = "ArnLike"
+ values = [
+ "arn:aws:logs:${var.region}:${var.aws_account_id}",
+ "arn:aws:logs:us-east-1:${var.aws_account_id}",
+ ]
+ variable = "aws:SourceArn"
+ }
+
+ condition {
+ test = "StringEquals"
+ values = [tostring(var.aws_account_id)]
+ variable = "aws:SourceAccount"
+ }
+ }
+}
diff --git a/infrastructure/terraform/components/cdn/wafv2_web_acl_logging_configuration.tf b/infrastructure/terraform/components/cdn/wafv2_web_acl_logging_configuration.tf
new file mode 100644
index 0000000..7d1f7cb
--- /dev/null
+++ b/infrastructure/terraform/components/cdn/wafv2_web_acl_logging_configuration.tf
@@ -0,0 +1,12 @@
+resource "aws_wafv2_web_acl_logging_configuration" "main" {
+ provider = aws.us-east-1
+
+ log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
+ resource_arn = aws_wafv2_web_acl.main.arn
+
+ redacted_fields {
+ single_header {
+ name = "authorization"
+ }
+ }
+}
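Review bot: The `aws:SourceArn` values `"arn:aws:logs:${var.region}:${var.aws_account_id}"` and `"arn:aws:logs:us-east-1:${var.aws_account_id}"` stop at the account segment, whereas the documented resource policy for WAF-to-CloudWatch delivery uses `arn:aws:logs:us-east-1:<account>:*`; ArnLike compares segment by segment, so a pattern with no resource segment is likely not to match the ARN the delivery service presents, and the resulting deny surfaces only as an empty log group rather than an apply error. Appending `:*` to both values — `"arn:aws:logs:us-east-1:${var.aws_account_id}:*"` — keeps the confused-deputy protection as tight as intended while actually matching, and the `var.region` entry can arguably be dropped since both the log group and the web ACL are pinned to `aws.us-east-1`. Separately, CloudWatch Logs allows only ten resource policies per region per account, and `policy_name = "webacl-policy-${local.csi}"` creates one per deployment, so several environments sharing an account will hit that ceiling; one shared policy scoped to `arn:aws:logs:us-east-1:<account>:log-group:aws-waf-logs-*` would avoid it. The blank first line of the file is a lint nit worth removing while touching this.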
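Review bot: Only the `authorization` header is redacted in the new logging configuration, so session cookies and any credentials passed as query parameters are written to the log group in clear; add a second block `redacted_fields { single_header { name = "cookie" } }` and, if this CDN fronts endpoints that accept tokens in the URL, `redacted_fields { query_string {} }` as well. No `logging_filter` is set, so every request the web ACL evaluates is logged — fine if intended, but worth a one-line comment stating that, since it drives both volume and the retention question on the log group. `aws_wafv2_web_acl.main` and `aws_cloudwatch_log_resource_policy.waf` are defined outside this hunk; WAF validates the destination when the configuration is put, and nothing here orders it after the resource policy, so `depends_on = [aws_cloudwatch_log_resource_policy.waf]` would make the first apply deterministic if it turns out to race.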