feature: add waf logging (#895)

ran-isenberg · Ran Isenberg · web-flow · commit cfaeabd86819 · 2024-11-02T14:37:16.000+02:00
---------

Co-authored-by: Ran Isenberg &lt;ran.isenberg@ranthebuilder.cloud&gt;
diff --git a/cdk/service/api_construct.py b/cdk/service/api_construct.py
@@ -28,7 +28,7 @@ def __init__(self, scope: Construct, id_: str, appconfig_app_name: str, is_produ
         self._build_swagger_endpoints(rest_api=self.rest_api, dest_func=self.create_order_func)
         self.monitoring = CrudMonitoring(self, id_, self.rest_api, self.api_db.db, self.api_db.idempotency_db, [self.create_order_func])
 
-        if is_production_env:
+        if not is_production_env:
             # add WAF
             self.waf = WafToApiGatewayConstruct(self, f'{id_}waf', self.rest_api)
 
diff --git a/cdk/service/waf_construct.py b/cdk/service/waf_construct.py
@@ -1,4 +1,7 @@
+from aws_cdk import Aws, CfnOutput, RemovalPolicy
 from aws_cdk import aws_apigateway as apigateway
+from aws_cdk import aws_iam as iam
+from aws_cdk import aws_logs as logs
 from aws_cdk import aws_wafv2 as waf
 from constructs import Construct
 
@@ -86,3 +89,40 @@ def __init__(self, scope: Construct, id: str, api: apigateway.RestApi, **kwargs)
 
         # Associate WAF with API Gateway
         waf.CfnWebACLAssociation(self, 'ApiGatewayWafAssociation', resource_arn=api.deployment_stage.stage_arn, web_acl_arn=web_acl.attr_arn)
+
+        # Enable logging for WAF, must start with 'aws-waf-logs-' prefix
+        log_group_name = f'aws-waf-logs-{id}'
+        # Create CloudWatch Log Group for WAF logging
+        waf_log_group = logs.LogGroup(
+            self,
+            'WafLogGroup',
+            log_group_name=log_group_name,
+            retention=logs.RetentionDays.TWO_WEEKS,
+            removal_policy=RemovalPolicy.DESTROY,
+        )
+
+        # Attach resource policy to allow WAF to write to the log group
+        waf_log_group.add_to_resource_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                principals=[iam.AnyPrincipal()],
+                actions=['logs:PutLogEvents', 'logs:CreateLogStream', 'logs:DescribeLogGroups'],
+                resources=[f'{waf_log_group.log_group_arn}:*'],
+            )
+        )
+
+        # Output the Log Group ARN for visibility
+        CfnOutput(self, id='WafLogGroupArn', value=waf_log_group.log_group_arn).override_logical_id('WafLogGroupArn')
+
+        # Construct the Log Group ARN manually as its not available in the CDK
+        log_group_arn = f'arn:{Aws.PARTITION}:logs:{Aws.REGION}:{Aws.ACCOUNT_ID}:log-group:{log_group_name}:*'
+
+        enable_waf_logging = waf.CfnLoggingConfiguration(
+            self,
+            'WafLoggingConfiguration',
+            resource_arn=web_acl.attr_arn,
+            log_destination_configs=[log_group_arn],
+        )
+
+        web_acl.node.add_dependency(waf_log_group)
+        enable_waf_logging.node.add_dependency(web_acl)  # Ensure WebACL is created first
