aws_wafv2: Cannot generate logging definition with filter

[hukm]

Describe the bug

When defining logging for AWS WAF with filter according to documentation creation is failing with following error.

[#/LoggingFilter: extraneous key [defaultBehavior] is not permitted, #/LoggingFilter: extraneous key [filters] is not permitted]

My definition for logging configuration looks like this:

web_acl_log_config = wafv2.CfnLoggingConfiguration(
            self,
            f'MainInternetLoadBalancerWAFLoggingConfiguration-{stage}',
            log_destination_configs=[waf_log_group.log_group_arn],
            resource_arn=web_acl.attr_arn,
            logging_filter=wafv2.CfnLoggingConfiguration.LoggingFilterProperty(
                default_behavior="DROP",
                filters=[
                    wafv2.CfnLoggingConfiguration.FilterProperty(
                        requirement="MEETS_ANY",
                        behavior="KEEP",
                        conditions=[
                            wafv2.CfnLoggingConfiguration.ConditionProperty(
                                action_condition=wafv2.CfnLoggingConfiguration.ActionConditionProperty(
                                    action="COUNT"
                                )
                            ),
                            wafv2.CfnLoggingConfiguration.ConditionProperty(
                                action_condition=wafv2.CfnLoggingConfiguration.ActionConditionProperty(
                                    action="BLOCK"
                                )
                            ),
                            wafv2.CfnLoggingConfiguration.ConditionProperty(
                                action_condition=wafv2.CfnLoggingConfiguration.ActionConditionProperty(
                                    action="EXCLUDED_AS_COUNT"
                                )
                            ),
                        ]
                    )
                ]
            )
        )

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

Resources creates with filter

Current Behavior

[#/LoggingFilter: extraneous key [defaultBehavior] is not permitted, #/LoggingFilter: extraneous key [filters] is not permitted]

Reproduction Steps

Included in description

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.195.0

AWS CDK CLI version

2.1012.0

Node.js Version

20.18.0

OS

MacOS

Language

Python

Language Version

No response

Other information

No response

[ykethan]

Hey @hukm, thank you for reaching. This issue appear to be a duplicate of #23709. Refer to the comments providing additional information #23709 (comment).
Further more WAFV2 currently does not contain any hand written L2 constructs, this is currently being tracked on #17749 , do add 👍 on this issue to help us prioritize this request.

[hukm]

@ykethan thanks for a swift response. Can you please clarify if there is any workaround to this issue and if so provide some example. I don't understand the result of the discussion in the duplicate ticket.

Since this bug is known for at least 2 years now, maybe the documentation should be also updated to reflect it?

[ykethan]

Hey @hukm, from the discussion on #23709 it appear you would need to rely on CDK escape hatches instead of the defining this directly on CfnLoggingConfiguration for example on #12611 (comment)

While i am not expert on python, on a quick test with a typescript app i was able to deploy this resource using the following code

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as logs from 'aws-cdk-lib/aws-logs';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

export class Wafv2LoggingFinalFixStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create a CloudWatch log group with the required naming convention
    // WAF log group names MUST start with "aws-waf-logs-"
    const logGroup = new logs.LogGroup(this, 'WafLogGroup', {
      logGroupName: 'aws-waf-logs-demo',
      retention: logs.RetentionDays.ONE_WEEK,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

    // Give the log group a resource policy that allows WAF logging
    // Following the exact permissions from AWS WAF documentation
    const resourcePolicy = new logs.CfnResourcePolicy(
      this,
      'WafLogResourcePolicy',
      {
        policyName: 'waf-logs-policy',
        policyDocument: JSON.stringify({
          Version: '2012-10-17',
          Statement: [
            {
              Sid: 'AWSLogDeliveryWrite',
              Effect: 'Allow',
              Principal: { Service: 'delivery.logs.amazonaws.com' },
              Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
              Resource: logGroup.logGroupArn,
              // Following AWS recommendations for WAF logging
              Condition: {
                StringEquals: {
                  'aws:SourceAccount': cdk.Stack.of(this).account,
                },
              },
            },
          ],
        }),
      }
    );

    // Create an IAM role with the permissions required for WAF logging
    // as specified in the AWS WAF documentation
    const wafLoggingRole = new cdk.aws_iam.Role(this, 'WafLoggingRole', {
      assumedBy: new cdk.aws_iam.ServicePrincipal('wafv2.amazonaws.com'),
      description: 'Role for WAF logging to CloudWatch Logs',
      inlinePolicies: {
        wafLoggingPolicy: new cdk.aws_iam.PolicyDocument({
          statements: [
            new cdk.aws_iam.PolicyStatement({
              sid: 'LoggingConfigurationAPI',
              effect: cdk.aws_iam.Effect.ALLOW,
              actions: [
                'wafv2:PutLoggingConfiguration',
                'wafv2:DeleteLoggingConfiguration',
              ],
              resources: ['*'],
            }),
            new cdk.aws_iam.PolicyStatement({
              sid: 'WebACLLoggingCWL',
              effect: cdk.aws_iam.Effect.ALLOW,
              actions: [
                'logs:CreateLogDelivery',
                'logs:DeleteLogDelivery',
                'logs:PutResourcePolicy',
                'logs:DescribeResourcePolicies',
                'logs:DescribeLogGroups',
              ],
              resources: ['*'],
            }),
          ],
        }),
      },
    });

    // Create a simple WAF Web ACL
    const webAcl = new wafv2.CfnWebACL(this, 'WebACL', {
      name: 'test-web-acl-v2',
      scope: 'REGIONAL',
      defaultAction: { allow: {} },
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'test-web-acl-v2',
        sampledRequestsEnabled: true,
      },
      rules: [],
    });

    // Create the WAF logging configuration
    const loggingConfig = new wafv2.CfnLoggingConfiguration(
      this,
      'WebAclLoggingConfig',
      {
        logDestinationConfigs: [logGroup.logGroupArn],
        resourceArn: webAcl.attrArn,
      }
    );

    // Ensure the logging configuration is created after the resource policy
    loggingConfig.addDependency(resourcePolicy);

    // Use escape hatch to add LoggingFilter with correct PascalCase property names
    loggingConfig.addPropertyOverride('LoggingFilter', {
      DefaultBehavior: 'DROP', // Note: PascalCase, not camelCase
      Filters: [
        // Note: PascalCase, not camelCase
        {
          Behavior: 'KEEP',
          Requirement: 'MEETS_ANY',
          Conditions: [
            {
              ActionCondition: {
                Action: 'COUNT',
              },
            },
            {
              ActionCondition: {
                Action: 'BLOCK',
              },
            },
          ],
        },
      ],
    });
  }
}

In python this be along the lines of

import json
import aws_cdk as cdk
from constructs import Construct
from aws_cdk import (
    aws_logs as logs,
    aws_wafv2 as wafv2,
    aws_iam as iam
)

class Wafv2LoggingFixPythonStack(cdk.Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Create a CloudWatch log group with the required naming convention
        # WAF log group names MUST start with "aws-waf-logs-"
        log_group = logs.LogGroup(self, "WafLogGroup",
            log_group_name="aws-waf-logs-python-demo",
            retention=logs.RetentionDays.ONE_WEEK

            )

        # Give the log group a resource policy that allows WAF logging
        # Following the exact permissions from AWS WAF documentation
        resource_policy = logs.CfnResourcePolicy(self, "WafLogResourcePolicy",
            policy_name="waf-logs-policy",
            policy_document=json.dumps({
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "AWSLogDeliveryWrite",
                        "Effect": "Allow",
                        "Principal": {"Service": "delivery.logs.amazonaws.com"},
                        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                        "Resource": log_group.log_group_arn,
                        # Following AWS recommendations for WAF logging
                        "Condition": {
                            "StringEquals": {
                                "aws:SourceAccount": cdk.Stack.of(self).account
                            }
                        }
                    }
                ]
            })
        )

        # Create an IAM role with the permissions required for WAF logging
        # as specified in the AWS WAF documentation
        waf_logging_role = iam.Role(self, "WafLoggingRole",
            assumed_by=iam.ServicePrincipal("wafv2.amazonaws.com"),
            description="Role for WAF logging to CloudWatch Logs"
        )

        # Add required logging permissions to the IAM role
        waf_logging_role.add_to_policy(iam.PolicyStatement(
            sid="LoggingConfigurationAPI",
            effect=iam.Effect.ALLOW,
            actions=[
                "wafv2:PutLoggingConfiguration",
                "wafv2:DeleteLoggingConfiguration"
            ],
            resources=["*"]
        ))

        waf_logging_role.add_to_policy(iam.PolicyStatement(
            sid="WebACLLoggingCWL",
            effect=iam.Effect.ALLOW,
            actions=[
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            resources=["*"]
        ))

        # Create a simple WAF Web ACL
        web_acl = wafv2.CfnWebACL(self, "WebACL",
            name="test-web-acl-python",
            scope="REGIONAL",
            default_action={"allow": {}},
            visibility_config={
                "cloud_watch_metrics_enabled": True,
                "metric_name": "test-web-acl-python",
                "sampled_requests_enabled": True
            },
            rules=[]
        )

        # Create the WAF logging configuration
        logging_config = wafv2.CfnLoggingConfiguration(self, "WebAclLoggingConfig",
            log_destination_configs=[log_group.log_group_arn],
            resource_arn=web_acl.attr_arn
        )

        # Ensure the logging configuration is created after the resource policy
        logging_config.add_dependency(resource_policy)

        # Use escape hatch to add LoggingFilter with correct PascalCase property names
        # This is the key workaround for the case mismatch issue
        logging_config.add_property_override("LoggingFilter", {
            "DefaultBehavior": "DROP",  # Note: PascalCase, not camelCase
            "Filters": [                # Note: PascalCase, not camelCase
                {
                    "Behavior": "KEEP",
                    "Requirement": "MEETS_ANY",
                    "Conditions": [
                        {
                            "ActionCondition": {
                                "Action": "COUNT"
                            }
                        },
                        {
                            "ActionCondition": {
                                "Action": "BLOCK"
                            }
                        }
                    ]
                }
            ]
        })

will need to bring this up internally with the team

[pahud]

Yes and we can just literally define the loggingFilter as below without using addPropertyOverride(). This works as well.

    // Create the WAF logging configuration
    const loggingConfig = new wafv2.CfnLoggingConfiguration(
      this,
      'WebAclLoggingConfig',
      {
        logDestinationConfigs: [logGroup.logGroupArn],
        resourceArn: webAcl.attrArn,
        loggingFilter:  { 
          // as loggingFilter is type Any, we use the object literal
          // Note: PascalCase, not camelCase
          DefaultBehavior: 'DROP', // Note: PascalCase, not camelCase
          Filters: [
            {
              Behavior: 'KEEP',
              Requirement: 'MEETS_ANY',
              Conditions: [
                {
                  ActionCondition: {
                    Action: 'COUNT',
                  },
                },
                {
                  ActionCondition: {
                    Action: 'BLOCK',
                  },
                },
              ],
            },
          ],
        }
      }
    );

[hukm]

Thanks