wafv2_web_acl_logging_configuration throws WAFLogDestinationPermissionIssueException when using CloudWatch log group #25296
Comments
Also, this appears to work for a Regional WAF, but is failing on a CloudFront Global WAF.
It actually appears this might be related to https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html and the fact that our us-east-1 resource policy document has exceeded the character limit (5120 characters). It works for Regional because that's not us-east-1 for us. I have also updated my AWS Support ticket, as I can see no way to clean this resource policy up.
Hey @lorelei-rupp-imprivata 👋 Thank you for the update -- I was just looking into this when I saw your comment come through 🙂. It looks like this resource hasn't changed since January, so I suspect it's not an issue with a recent change to the provider, but I'll keep an eye out for any additional updates with what you hear back from the AWS Support ticket.
Thanks @justinretzolk, so I think this is good info for the community.
So WAF in particular was automatically adding to this policy, and eventually you will hit the limit. I think we might want to consider updating the Terraform docs for this. AWS Support also said you can "fix this via the CLI" too by "re-putting the policy" and using "regex" or * or combining/grouping. It's not great IMO. The fact that they do not clean this up when you delete a log group or disable WAF logging is not great, and anyone could get stuck like me.
I hope this will help someone else. Can we keep this open and I'll post whether the TF policy works? Not sure if you want to update the docs too.
FYI -- this works. I rolled out a resource policy per region with a regex for what my log groups for WAF logging use. This works perfectly and gets around this AWS bug/issue. I would highly recommend we update the note about wafv2_web_acl_logging_configuration with CloudWatch Logs: not only should you name it aws-waf-logs, but you probably should roll your own logging resource policy, since you can easily hit the AWS limit with no way to clean up without even realizing it. @justinretzolk
Hi @lorelei-rupp-imprivata, I am running into this same issue... thank you very much for your comments. Did you need to do anything besides create a resource policy for all of your WAF logs to use? I see you mention attaching the policy to the log group, but I'm not finding any good information on how to do this. Thanks in advance.
We used Terraform; there was a resource to create the policy. All we had to do was create this: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy
Hi all, just to update: you are able to run a CLI command like the following to add a resource policy (won't be formatted amazingly on here):
Hi, I have just hit this, and I found that adding my own policy using aws_cloudwatch_log_resource_policy just for my web ACL/log group meant that I no longer got this issue. It also means the policy is cleaned up when I destroy, as it is all in the same code base. I will look to do a PR to add an example to the docs.
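Putting together the two workarounds described in this thread (a per-region policy with a wildcard covering every aws-waf-logs-* group, and a policy created alongside the web ACL in the same code base so it is destroyed with it), here is an added example configuration. It is not part of the original issue, the provider documentation, or the AWS Support guidance quoted above. The log group name aws-waf-logs-example, the policy name, and the minimal placeholder web ACL are assumptions; region and account ID are read from the provider. The principal, actions and conditions follow the CloudWatch Logs resource policy shape that the AWS documentation linked earlier in this thread describes for log delivery.

```hcl
# Added example (not the issue author's or the provider's own code).
# Creates a CloudWatch Logs resource policy under our own name so the
# service-managed policy is never appended to, then wires WAF logging to it.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Destination log group. The name must start with "aws-waf-logs-"; the
# wildcard in the policy below keys off that prefix. (name is an assumption)
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-example"
  retention_in_days = 30
}

# One statement covers every aws-waf-logs-* group in this account and region,
# so the policy stays a fixed size no matter how many WAF log groups exist and
# never approaches the 5120-character resource policy limit.
data "aws_iam_policy_document" "waf_logging" {
  version = "2012-10-17"

  statement {
    sid    = "AWSLogDeliveryWriteWafLogs"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*:log-stream:*",
    ]

    # Confused-deputy guards: only deliveries originating from this account's
    # CloudWatch Logs resources may use the grant.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Own policy per region; destroyed together with the rest of this config.
resource "aws_cloudwatch_log_resource_policy" "waf_logging" {
  policy_name     = "waf-logging-${data.aws_region.current.name}"
  policy_document = data.aws_iam_policy_document.waf_logging.json
}

# Minimal placeholder web ACL (assumption). For a CloudFront web ACL use
# scope = "CLOUDFRONT" and apply everything in us-east-1.
resource "aws_wafv2_web_acl" "example" {
  name  = "example"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "example"
    sampled_requests_enabled   = false
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "example" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Nothing here references the resource policy, so Terraform cannot infer the
  # ordering; without this, the apply can race ahead and fail with
  # WAFLogDestinationPermissionIssueException.
  depends_on = [aws_cloudwatch_log_resource_policy.waf_logging]
}
```

The explicit `depends_on` is the part that is easy to miss: the logging configuration only references the log group, so on a fresh apply Terraform may call PutLoggingConfiguration before the resource policy exists, which produces exactly the error in this issue even when the policy is otherwise correct. Scoping the wildcard to the aws-waf-logs- prefix and adding the aws:SourceAccount/aws:SourceArn conditions keeps the grant limited to WAF log delivery from your own account rather than allowing the delivery service principal to write to arbitrary log groups.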
Provides help to avoid issues such as hashicorp#25296 from being raised.
This functionality has been released in v5.3.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform CLI and Terraform AWS Provider Version
Terraform 0.14.7
AWS Provider 3.73.0
Affected Resource(s)
Terraform Configuration Files
Debug Output
```
Error: error putting WAFv2 Logging Configuration for resource (arn*****): WAFLogDestinationPermissionIssueException: Unable to deliver logs to the configured destination. You might need to grant log delivery permissions for the destination. If you're using S3 as your log destination, you might have exceeded your bucket limit.

  on main.tf line 224, in resource "aws_wafv2_web_acl_logging_configuration" "example":
 224: resource "aws_wafv2_web_acl_logging_configuration" "example" {
```
Expected Behavior
This worked last week, but no longer works. We opened an AWS Support ticket, but they are telling me we need to run a CLI command to add a resource policy to the CloudWatch log group. We have never had to do this before.
Actual Behavior
It fails with the error WAFLogDestinationPermissionIssueException: Unable to deliver logs to the configured destination. You might need to grant log delivery permissions for the destination. If you're using S3 as your log destination, you might have exceeded your bucket limit.
The docs too for https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration don't say anything about needing to also set up a policy.
Steps to Reproduce
Try to apply a log group and WAF logging to a WAF.
This also fails in the AWS Console as well
Important Factoids
We opened an AWS Support ticket, but they don't seem to think it's an issue and say you have to run manual CLI commands. We have had this Terraform code in place for MONTHS, and it has worked until last week.
Even this past ticket #23934 shows an example identical to what we are using. There is no mention of an additional policy?