Support for WAF access logs

[takeshi-hatamoto]

Is the feature request related to the issue?
When trying to configure WAFv2 access logging via ACK (wafv2.services.k8s.aws/v1alpha1), Kinesis Firehose integration CloudWatch Logs log group, and S3 bucket is currently not supported.
Since AWS WAFv2 requires Kinesis Firehose, CloudWatch Logs log group, and S3 bucket as logging destinations for access logs, it is not possible to fully manage WAFv2 access logging via ACK unless it is manually configured outside Kubernetes.

About your preferred solution
I would like ACK to support the ability to configure Kinesis Firehose, s3 buckets, and CloudWatch Logs log groups as the destination for WAFv2 access logging in the WebACLLLoggingConfiguration resource.

Associate logs with webacl similar to [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration] Add support for

[github-actions]

Hello @takeshi-hatamoto 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[rushmash91]

Hi @takeshi-hatamoto ,

Baking the logging settings right into the existing WebACL resource will give the cleanest experience—your ACL and its logging config live side-by-side.

How does embedding a loggingConfiguration block on WebACL sound? let us know what you think!

[takeshi-hatamoto]

@rushmash91
I can't configure logging because WEBACL's loggingConfiguration is not supported.

https://aws-controllers-k8s.github.io/community/reference/wafv2/v1alpha1/webacl/

How exactly will it be incorporated?

[rushmash91]

Yes, loggingConfiguration is not currently supported but we can add support for it in WebACL resource. Does that sound good for your use case?

Example:

spec:
  loggingConfiguration:
    logDestinationConfigs:
      - arn: arn:aws:logs:…

[takeshi-hatamoto]

@rushmash91
Yes, my problem is solved if there is a loggingConfiguration setting that allows Cloudwatch Log Group, Kinesis firehose and S3 to be specified as log destinations.
Please add this to the WebACL resource.