Logging config is not enabled when specifying a Kinesis Data Firehose #31

Open
@gpetras

Description

Describe the Bug

Using the latest version of the module with the following args does not end up creating a logging configuration that works:

module "firewall_manager" {
  source  = "cloudposse/firewall-manager/aws"
  version = "0.4.0"

  # Specify our own Kinesis Firehose
  firehose_enabled = false
  firehose_arn     = module.firehose.kinesis_firehose_arn

  providers = {
    aws.admin = aws.admin
    aws       = aws
  }
  security_groups_usage_audit_policies = []
  waf_v2_policies                      = []
}

module "firehose" {
  source        = "fdmsantos/kinesis-firehose/aws"
  version       = "1.9.0"
  name          = "firewall-manager"
  destination   = "s3"
  s3_bucket_arn = module.s3-bucket.s3_bucket_arn
}

module "s3-bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.14.0"
  bucket  = "aws-waf-logs-${data.aws_caller_identity.current.account_id}-firewall-manager"
}

data "aws_caller_identity" "current" {}

Expected Behavior

I would expect the module to associate my Firehose ARN with the Firewall Manager instance. But instead I receive this error:

╷
│ Error: updating FMS Policy (<uuid>): InvalidInputException: Error in the SecurityServiceData.ManagedServiceData at [Source: (String)"{"defaultAction":{"type":"ALLOW"},"loggingConfiguration":"{\"logDestinationConfigs\":[null],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}","overrideCustomerWebACLAssociation":false,"postProcessRuleGroups":[],"preProcessRuleGroups":[{"excludeRules":[],"managedRuleGroupIdentifier":null,"overrideAction":{"type":"NONE"},"ruleGroupArn":"arn:aws:wafv2:us-east-2:XXXX:regional/rulegroup/myRuleGroup/xx"[truncated 1804 chars]; line: 1, column: 58]
│ 
│   with module.firewall_manager.aws_fms_policy.waf_v2["load-balancer"],
│   on .terraform/modules/firewall_manager/waf_v2.tf line 11, in resource "aws_fms_policy" "waf_v2":
│   11: resource "aws_fms_policy" "waf_v2" {
│ 
╵

I also get the same error if I try to use the supplied Kinesis Firehose.

Steps to Reproduce

Run terraform init / plan / apply with the above code.

Screenshots

No response

Environment

  • OS: macOS
  • Version: 13.4.1
  • Module version: 0.4.0
  • Terraform version: 1.4.6

Additional Context

No response
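A pre-apply sanity check for the policy's ManagedServiceData, added here as an illustration and not part of the issue or of either module: it parses the double-encoded loggingConfiguration string exactly as it appears in the error above and flags the `[null]` destination the module produced, plus non-Firehose ARNs and delivery-stream names that lack the `aws-waf-logs-` prefix AWS WAF requires. The account id and stream names in the sample blobs are constructed.

```python
"""Validate the loggingConfiguration inside an FMS WAFv2 ManagedServiceData blob."""
import json
import re

# Firehose delivery-stream ARN; AWS WAF only accepts streams whose name starts with aws-waf-logs-
FIREHOSE_ARN_RE = re.compile(
    r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/(?P<name>[A-Za-z0-9_.-]+)$"
)
REQUIRED_PREFIX = "aws-waf-logs-"


def check_logging_config(managed_service_data: str) -> list[str]:
    """Return the problems found in ManagedServiceData's loggingConfiguration (empty list if fine).

    ManagedServiceData is JSON whose "loggingConfiguration" member is itself a JSON
    *string* (double encoded), which is the shape shown in the FMS error message.
    """
    problems = []
    outer = json.loads(managed_service_data)
    raw_logging = outer.get("loggingConfiguration")
    if raw_logging is None:
        return ["loggingConfiguration missing: WAF logging is disabled for this policy"]
    # Accept either the double-encoded string form or an already-decoded object.
    logging_cfg = json.loads(raw_logging) if isinstance(raw_logging, str) else raw_logging
    destinations = logging_cfg.get("logDestinationConfigs") or []
    if not destinations:
        problems.append("logDestinationConfigs is empty")
    for idx, dest in enumerate(destinations):
        if dest is None:
            problems.append(f"logDestinationConfigs[{idx}] is null (unresolved firehose_arn)")
            continue
        m = FIREHOSE_ARN_RE.match(dest)
        if not m:
            problems.append(f"logDestinationConfigs[{idx}] is not a Firehose delivery stream ARN: {dest}")
        elif not m.group("name").startswith(REQUIRED_PREFIX):
            problems.append(f"logDestinationConfigs[{idx}] stream {m.group('name')!r} must start with {REQUIRED_PREFIX!r}")
    return problems


def build_msd(destinations) -> str:
    """Constructed sample: a minimal WAFv2 ManagedServiceData blob in the same double-encoded shape."""
    logging_cfg = {"logDestinationConfigs": destinations, "redactedFields": [{"redactedFieldType": "Method"}]}
    return json.dumps({"defaultAction": {"type": "ALLOW"}, "loggingConfiguration": json.dumps(logging_cfg)})


if __name__ == "__main__":
    # Constructed inputs: the failing shape from the issue, a mis-named stream, and a valid one.
    for dests in ([None], ["arn:aws:firehose:us-east-2:111111111111:deliverystream/firewall-manager"],
                  ["arn:aws:firehose:us-east-2:111111111111:deliverystream/aws-waf-logs-firewall-manager"]):
        print(dests, "->", check_logging_config(build_msd(dests)) or ["ok"])
```

Feed it the ManagedServiceData string from `terraform show -json` (or the one quoted in the error) to catch the null destination before `terraform apply` sends it to FMS.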

Labels

  • bug (An issue with the system)
