AWSAWS WAFaws_wafv2_web_acl_logging_configurationPro

How to Import an AWS WAFv2 Web ACL Logging Configuration into Terraform

To import an existing AWS WAFv2 Web ACL Logging Configuration into Terraform, scan it with Terraback and run terraback aws import --method bulk. Terraback writes the matching aws_wafv2_web_acl_logging_configuration resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the Web ACL ARN (for example, arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/abcd1234-5678-90ab-cdef-1234567890ab).

Import AWS WAFv2 Web ACL Logging Configuration with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the AWS WAF resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS WAFv2 Web ACL Logging Configuration to managed Terraform.

1

Scan your AWS account

terraback scan all aws --region us-east-1
2

Generate import blocks and import into state

terraback aws import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = aws_wafv2_web_acl_logging_configuration.example
  id = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/abcd1234-5678-90ab-cdef-1234567890ab"
}

Example aws_wafv2_web_acl_logging_configuration configuration

Here is a realistic AWS WAFv2 Web ACL Logging Configuration block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "aws_wafv2_web_acl_logging_configuration" "example" {
  resource_arn            = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/abcd1234-5678-90ab-cdef-1234567890ab"
  log_destination_configs = ["arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-example"]

  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}

Gotchas when importing a AWS WAFv2 Web ACL Logging Configuration

  • Logging is a one-to-one child of an aws_wafv2_web_acl and is imported by the web ACL ARN (the resource_arn), not by a logging ID; the web ACL must already exist.
  • log_destination_configs must point at a CloudWatch log group, S3 bucket, or Firehose whose name starts with aws-waf-logs-; an arbitrary destination name is rejected by WAF.
  • redacted_fields and logging_filter are read back as nested blocks and often diff after import until the HCL matches the live configuration exactly.
  • There is exactly one logging configuration per web ACL, so never declare two of these for the same resource_arn.

Doing it manually with terraform import

The native approach is to write the aws_wafv2_web_acl_logging_configuration block by hand, then run terraform import aws_wafv2_web_acl_logging_configuration.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole AWS account in minutes

Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.