
AWS::WAFv2::LoggingConfiguration encounter invalid ARN when creating stack with Cloudformation

I have a Cloudformation template that creates a WAFv2 along with Cloudwatch Logging. I encountered an issue when trying to set the LoggingConfiguration. The actual error I got looks something like this:

Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: LOG_DESTINATION, parameter: arn:aws:logs:us-east-1:xxxxx:log-group:aws-waf-bar-foo:*

My LoggingConfiguration looks something like this:

"webAcllogging": {
  "Type": "AWS::WAFv2::LoggingConfiguration",
  "Properties": {
    "ResourceArn": {
      "Fn::GetAtt": [
        "webAcl",
        "Arn"
      ]
    },
    "LogDestinationConfigs": [
      {
        "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-bar-foo:*"
      }
    ],
    "RedactedFields": [
      {
        "SingleHeader": {
          "Name": "password"
        }
      }
    ]
  }
},

I tried changing a few things and I still encounter this error. Anyone knows why?

It turns out that you have to use a special naming convention for WAF logs.

The name needs to be prefixed by aws-waf-logs-.

So the LogDestinationConfigs should be as follows:

"LogDestinationConfigs": [
    {
        "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-bar-foo:*"
    }
],
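A small pre-deployment check for the naming rule in the answer above, added here as an example and not part of the original post: it walks a CloudFormation template, resolves the Fn::Sub / Fn::GetAtt forms used in the question to a plain ARN, and flags any WAFv2 log destination whose log-group name lacks the aws-waf-logs- prefix (the region, account id and the AWS::Logs::LogGroup resource in the sample template are constructed assumptions).

```python
import re

REQUIRED_PREFIX = "aws-waf-logs-"
# Region and account id are constructed placeholders used to resolve pseudo-parameters.
PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}
# CloudWatch Logs log-group ARN; group 1 captures the log-group name.
LOG_GROUP_ARN = re.compile(r"^arn:aws[\w-]*:logs:[\w-]+:\d{12}:log-group:([^:]+)(?::\*)?$")


def resolve(value, resources):
    """Reduce the intrinsics used in the template (Fn::Sub, Fn::GetAtt on a log group) to an ARN string."""
    if isinstance(value, str):
        return value
    if "Fn::Sub" in value:
        return re.sub(r"\$\{([^}]+)\}", lambda m: PSEUDO.get(m.group(1), m.group(0)), value["Fn::Sub"])
    if "Fn::GetAtt" in value:
        logical_id, attr = value["Fn::GetAtt"]
        res = resources[logical_id]
        if res["Type"] == "AWS::Logs::LogGroup" and attr == "Arn":
            name = res["Properties"]["LogGroupName"]
            return f"arn:aws:logs:{PSEUDO['AWS::Region']}:{PSEUDO['AWS::AccountId']}:log-group:{name}:*"
    raise ValueError(f"unsupported intrinsic: {value}")


def check_waf_log_destinations(template):
    """Return (logical_id, arn, reason) for each LogDestinationConfigs entry WAF would reject."""
    resources = template["Resources"]
    findings = []
    for logical_id, res in resources.items():
        if res["Type"] != "AWS::WAFv2::LoggingConfiguration":
            continue
        for dest in res["Properties"].get("LogDestinationConfigs", []):
            arn = resolve(dest, resources)
            match = LOG_GROUP_ARN.match(arn)
            if not match:
                findings.append((logical_id, arn, "not a CloudWatch Logs log-group ARN"))
            elif not match.group(1).startswith(REQUIRED_PREFIX):
                findings.append((logical_id, arn, f"log-group name must start with {REQUIRED_PREFIX}"))
    return findings


# Constructed template: the failing destination from the question next to a corrected one.
TEMPLATE = {"Resources": {
    "webAcllogging": {"Type": "AWS::WAFv2::LoggingConfiguration", "Properties": {"LogDestinationConfigs": [
        {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-bar-foo:*"}]}},
    "wafLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {"LogGroupName": "aws-waf-logs-bar-foo"}},
    "webAclloggingFixed": {"Type": "AWS::WAFv2::LoggingConfiguration", "Properties": {"LogDestinationConfigs": [
        {"Fn::GetAtt": ["wafLogGroup", "Arn"]}]}}}}

if __name__ == "__main__":
    for finding in check_waf_log_destinations(TEMPLATE):
        print(*finding, sep=" | ")
```

Running it reports only webAcllogging, whose destination resolves to a syntactically valid ARN that WAF still rejects because of the name, which is why the service's "ARN isn't valid" message is misleading here.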
