diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9eadb3b42..bccd9ae7c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ default_language_version: node: 20.17.0 repos: - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.6.0
+ rev: v5.0.0
 hooks: - id: trailing-whitespace - id: end-of-file-fixer
@@ -11,23 +11,17 @@ repos: - id: check-executables-have-shebangs - id: check-shebang-scripts-are-executable
- - repo: https://github.com/awslabs/cfn-python-lint
- rev: v1.5.0
+ - repo: https://github.com/aws-cloudformation/cfn-lint
+ rev: v1.21.0
 hooks:
- - id: cfn-python-lint
+ - id: cfn-lint
 exclude: ^(ci|.github)/.*|docker-compose.*|.pre-commit-config.yaml$
- files: ^.*\.(yml|yaml)$
+ files: template\.ya?ml$
- - repo: https://github.com/govuk-one-login/pre-commit-hooks.git
- rev: 0.0.1
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.96.2
 hooks:
- - id: terraform-format
- - id: terraform-validate
-
- - repo: https://github.com/rhysd/actionlint
- rev: v1.7.1
- hooks:
- - id: actionlint
+ - id: terraform_fmt
 - repo: local hooks:
@@ -43,6 +37,38 @@ repos: name: Run prettier language: node types: [text]
- stages: [commit]
+ stages: [pre-commit]
 entry: yarn run prettier --write --ignore-unknown pass_filenames: true
+ - id: tfupdate-lock
+ name: Update terraform provider locks
+ files: ^ci/terraform/site.tf$
+ pass_filenames: false
+ types:
+ - file
+ language: golang
+ additional_dependencies:
+ - github.com/minamijoyo/tfupdate@v0.8.5
+ entry: tfupdate lock
+ args:
+ - --platform
+ - linux_amd64
+ - --platform
+ - linux_arm64
+ - --platform
+ - darwin_amd64
+ - --platform
+ - darwin_arm64
+ - --platform
+ - windows_amd64
+ - -r
+ - ci/terraform
+
+ - repo: https://github.com/lalten/check-gha-pinning
+ rev: v1.3.0
+ hooks:
+ - id: check-gha-pinning
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.4
+ hooks:
+ - id: actionlint
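Review bot: Replacing `terraform-format` and `terraform-validate` with only `terraform_fmt` in this hunk leaves no validation step in the hook set, so a configuration that is well-formatted but invalid now passes pre-commit. The antonbabenko repository also provides a `terraform_validate` hook; adding `- id: terraform_validate` under the same `hooks:` list would keep the earlier coverage. If validation was dropped on purpose (for example because it runs in CI, which this diff does not show), a one-line comment above the hook saying so would help.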
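Review bot: Every remote `rev:` in this file is a tag (`v1.3.0` and `v1.7.4` here, `v5.0.0`, `v1.21.0` and `v1.96.2` in the earlier hunks), and a tag can be moved upstream after review, while the hook code it points to runs on every contributor's machine. This hunk adds `check-gha-pinning`, which by its name enforces pinning for workflow actions, so the same standard could be applied to the hooks themselves: `rev: <full-commit-sha>  # v1.3.0`. `pre-commit autoupdate --freeze` writes the revisions in that form.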
diff --git a/ci/terraform/.terraform-version b/ci/terraform/.terraform-version
deleted file mode 100644
index 943f9cbc4..000000000
--- a/ci/terraform/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-1.7.1
diff --git a/ci/terraform/.terraform.lock.hcl b/ci/terraform/.terraform.lock.hcl
index f7812d324..885b52963 100644
--- a/ci/terraform/.terraform.lock.hcl
+++ b/ci/terraform/.terraform.lock.hcl
@@ -2,29 +2,29 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.45.0" - constraints = "5.45.0" + version = "5.75.1" + constraints = "5.75.1" hashes = [ - "h1:4Vgk51R7iTY1oczaTQDG+DkA9nE8TmjlUtecqXX6qDU=", - "h1:8m3+C1VNevzU/8FsABoKp2rTOx3Ue7674INfhfk0TZY=", - "h1:RSt0f6GHUbH1OCtF5r6BWRxuZxaFopsAcpuEAmOc2MY=", - "h1:ihJwo9TmCngWRqLb/+kBeLuvAWMjLu/WV0zGSvypBv4=", - "h1:xFKE0MsBjV86pMpbrLbAHCzv5kREDYO0xt5LRZMeZn8=", - "zh:1379bcf45aef3d486ee18b4f767bfecd40a0056510d26107f388be3d7994c368", - "zh:1615a6f5495acfb3a0cb72324587261dd4d72711a3cc51aff13167b14531501e", - "zh:18b69a0f33f8b1862fbd3f200756b7e83e087b73687085f2cf9c7da4c318e3e6", - "zh:2c5e7aecd197bc3d3b19290bad8cf4c390c2c6a77bb165da4e11f53f2dfe2e54", - "zh:3794da9bef97596e3bc60e12cdd915bda5ec2ed62cd1cd93723d58b4981905fe", - "zh:40a5e45ed91801f83db76dffd467dcf425ea2ca8642327cf01119601cb86021c", - "zh:4abfc3f53d0256a7d5d1fa5e931e4601b02db3d1da28f452341d3823d0518f1a", - "zh:4eb0e98078f79aeb06b5ff6115286dc2135d12a80287885698d04036425494a2", - "zh:75470efbadea4a8d783642497acaeec5077fc4a7f3df3340defeaa1c7de29bf7", - "zh:8861a0b4891d5fa2fa7142f236ae613cea966c45b5472e3915a4ac3abcbaf487", - "zh:8bf6f21cd9390b742ca0b4393fde92616ca9e6553fb75003a0999006ad233d35", + "h1:PIBnv1Mi0tX2GF6qUSdps3IouABeTqVgJZ4aAzIVzdI=", + "h1:R6IWpE+foH9oKVkmYVHtXxelMFOt5R60zmHmeXwkp6U=", + "h1:fr252BPFVqsCcVoLMN4PTVacXmrW3pbMlK1ibi/wHiU=", + "h1:ijX5mwbQZOnPVQGxxVsJs6Yh6h2w+V3mQmKznB6pIkw=", + "h1:uz55I4t3Pqy3p+82NZ35mkUA9mZ5yu4pS6beZMI8wpA=", + "zh:1075825e7311a8d2d233fd453a173910e891b0320e8a7698af44d1f90b02621d", + "zh:203c5d09a03fcaa946defb8459f01227f2fcda07df768f74777beb328d6751ae", + "zh:21bc79ccb09bfdeb711a3a5226c6c4a457ac7c4bb781dbda6ade7be38461739f", + "zh:2bac969855b62a0ff6716954be29387a1f9793626059122cda4681206396e309", + "zh:4b65ea5b51058f05b9ec8797f76184e19e5b38a609029fe2226af3fa4ad289b3", + "zh:5065d7df357fb3ee2b0a2520bbcff6335c0c47bfb9e8e9932bad088c3ab7efd3", + 
"zh:678a4015a4cd26af5c2b30dfd9290b8a01e900668fa0fec6585dfd1838f1cebd", + "zh:6ddc5dfdd4a0dddca027db99a7bfa9a0978933119d63af81acb6020728405119", + "zh:98c0d48b09842c444dbcbddd279e5b5b1e44113951817a8ecc28896bb4ad1dd7", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:ad73008a044e75d337acda910fb54d8b81a366873c8a413fec1291034899a814", - "zh:bf261713b0b8bebfe8c199291365b87d9043849f28a2dc764bafdde73ae43693", - "zh:da3bafa1fd830be418dfcc730e85085fe67c0d415c066716f2ac350a2306f40a", + "zh:aad169fea072842c0b54f1ff95f1ec6558d6c5af3ea4c159308583db59003b09", + "zh:bd2625ed8e1ff29ac6ed3a810d7b68a090add5fcb2fce4122669bd37e1eb9f1d", + "zh:c6f57625e26a6ef1ffb49bfa0e6148496ad12d80c857f6bb222e21f293a2a78a", + "zh:c7cd085326c5eb88804b11a4bc0fbc8376f06138f4b9624fb25cd06ea8687cdd", + "zh:f60c98139f983817d4d08f4138b1e53f31f91176ff638631e8dd38b6de36fce0", ] } diff --git a/ci/terraform/alb.tf b/ci/terraform/alb.tf index 3cfa45215..e46bdd07e 100644 --- a/ci/terraform/alb.tf +++ b/ci/terraform/alb.tf @@ -21,8 +21,6 @@ resource "aws_lb" "frontend_alb" { prefix = "frontend-alb" } } - - tags = local.default_tags } resource "aws_wafv2_web_acl_association" "alb_waf_association" { @@ -47,8 +45,6 @@ resource "aws_alb_target_group" "frontend_alb_target_group" { path = "/healthcheck/" unhealthy_threshold = "2" } - - tags = local.default_tags } resource "aws_alb_listener" "frontend_alb_listener_https" { @@ -67,8 +63,6 @@ resource "aws_alb_listener" "frontend_alb_listener_https" { depends_on = [ aws_acm_certificate_validation.frontend_acm_alb_certificate_validation ] - - tags = local.default_tags } resource "aws_alb_listener_rule" "frontend_alb_listener_https_robots" { @@ -105,8 +99,6 @@ resource "aws_alb_listener" "frontend_alb_listener_http" { status_code = "HTTP_301" } } - - tags = local.default_tags } #S3 Bucket for ElB access logs 
@@ -164,8 +156,9 @@ resource "aws_alb_target_group" "frontend_service_down_alb_target_group" { path = "/healthcheck/" unhealthy_threshold = "2" }
-
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 } resource "aws_alb_listener_rule" "service_down_rule" {
@@ -183,4 +176,7 @@ resource "aws_alb_listener_rule" "service_down_rule" { values = ["/service-page-disabled/*"] } }
+ tags = {
+ Service = "service-down-page"
+ }
 }
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
index c1608d349..870e80b03 100644
--- a/ci/terraform/cloudfront.tf
+++ b/ci/terraform/cloudfront.tf
@@ -16,7 +16,6 @@ resource "aws_cloudformation_stack" "cloudfront" { StandardLoggingEnabled = true LogDestination = var.cloudfront_WafAcl_Logdestination }
- tags = local.default_tags
 #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
@@ -40,5 +39,4 @@ resource "aws_cloudformation_stack" "cloudfront-monitoring" { CloudfrontDistribution = aws_cloudformation_stack.cloudfront.outputs["DistributionId"] } depends_on = [aws_cloudformation_stack.cloudfront]
- tags = local.default_tags
 }
diff --git a/ci/terraform/cloudwatch.tf b/ci/terraform/cloudwatch.tf
index bcf00941c..8efc6f928 100644
--- a/ci/terraform/cloudwatch.tf
+++ b/ci/terraform/cloudwatch.tf
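Review bot: The literal `tags = { Service = "service-down-page" }` added here is repeated in the next hunk of this file and again in `ecs-roles.tf`, `ecs.tf` (three times) and `security-groups.tf`, and nothing says that it is meant to override the provider-level `Service = "frontend"` default tag set in `site.tf`. A single local such as `service_down_page_tags = { Service = "service-down-page" }`, referenced as `tags = local.service_down_page_tags`, would keep the value in one place. A comment on that local, e.g. `# Overrides Service from the provider default_tags for service-down-page resources`, records the intent.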
@@ -46,16 +46,12 @@ resource "aws_kms_key" "cloudwatch_log_encryption" { deletion_window_in_days = 30 enable_key_rotation = true policy = data.aws_iam_policy_document.cloudwatch.json
-
- tags = local.default_tags
 } resource "aws_cloudwatch_log_group" "ecs_frontend_task_log" { name = "/ecs/${var.environment}-frontend" kms_key_id = aws_kms_key.cloudwatch_log_encryption.arn retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 } resource "aws_cloudwatch_log_subscription_filter" "ecs_frontend_task_log_subscription" {
@@ -106,8 +102,6 @@ resource "aws_cloudwatch_log_group" "alb_waf_log" { name = "aws-waf-logs-frontend-alb-${var.environment}" kms_key_id = aws_kms_key.cloudwatch_log_encryption.arn retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 } resource "aws_cloudwatch_log_subscription_filter" "alb_waf_log_subscription" {
diff --git a/ci/terraform/dynatrace.tf b/ci/terraform/dynatrace.tf
index de263f4ca..186277675 100644
--- a/ci/terraform/dynatrace.tf
+++ b/ci/terraform/dynatrace.tf
@@ -28,6 +28,4 @@ resource "aws_iam_policy" "dynatrace_policy" { policy = data.aws_iam_policy_document.dynatrace_policy.json path = "/${var.environment}/" name_prefix = "dynatrace-secret-policy"
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/ecs-roles.tf b/ci/terraform/ecs-roles.tf
index c0e07a575..ff2e0aca4 100644
--- a/ci/terraform/ecs-roles.tf
+++ b/ci/terraform/ecs-roles.tf
@@ -13,8 +13,6 @@ data "aws_iam_policy_document" "ecs_assume_role_policy" { resource "aws_iam_role" "ecs_task_execution_role" { name = "${var.environment}-frontend-ecs-task-execution-role" assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
- tags = local.default_tags
 } resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attachment" {
@@ -30,8 +28,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach resource "aws_iam_role" "ecs_task_role" { name = "${var.environment}-frontend-ecs-task-role" assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
- tags = local.default_tags
 } resource "aws_iam_role_policy_attachment" "account_management_ecs_task_role_ssm_policy_attachment" {
@@ -59,7 +55,9 @@ resource "aws_iam_role" "service_down_ecs_task_execution_role" { name_prefix = "${var.environment}-service-down-page-exec-" assume_role_policy = data.aws_iam_policy_document.service_down_ecs_assume_role_policy[0].json
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 } resource "aws_iam_role_policy_attachment" "service_down_ecs_task_execution_role_policy_attachment" {
diff --git a/ci/terraform/ecs.tf b/ci/terraform/ecs.tf
index 6402c1a92..d1b392229 100644
--- a/ci/terraform/ecs.tf
+++ b/ci/terraform/ecs.tf
@@ -309,8 +309,6 @@ resource "aws_ecs_service" "frontend_ecs_service" { container_name = var.basic_auth_password == "" ? local.frontend_container_definition.name : local.sidecar_container_definition.name container_port = local.application_port }
-
- tags = local.default_tags
 } resource "aws_ecs_task_definition" "frontend_task_definition" {
@@ -327,8 +325,6 @@ resource "aws_ecs_task_definition" "frontend_task_definition" { local.frontend_container_definition, local.sidecar_container_definition, ])
-
- tags = local.default_tags
 }
@@ -367,7 +363,9 @@ resource "aws_ecs_service" "service_down_ecs_service" { container_port = local.service_down_page_app_port }
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 depends_on = [ aws_alb_listener_rule.service_down_rule[0],
@@ -403,7 +401,9 @@ resource "aws_ecs_task_definition" "service_down_page_task_definition" { }] }])
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 } resource "aws_cloudwatch_log_group" "service_down_page" {
@@ -411,4 +411,8 @@ resource "aws_cloudwatch_log_group" "service_down_page" { name = "/ecs/${var.environment}-service-down-page" retention_in_days = 1
+
+ tags = {
+ Service = "service-down-page"
+ }
 }
diff --git a/ci/terraform/kms.tf b/ci/terraform/kms.tf
index 5f89b4553..3d6ce6d44 100644
--- a/ci/terraform/kms.tf
+++ b/ci/terraform/kms.tf
@@ -3,8 +3,6 @@ resource "aws_kms_key" "authentication_encryption_key" { deletion_window_in_days = 30 key_usage = "ENCRYPT_DECRYPT" customer_master_key_spec = "RSA_2048"
-
- tags = local.default_tags
 } resource "aws_kms_key_policy" "authentication_encryption_key_access_policy" {
diff --git a/ci/terraform/redis.tf b/ci/terraform/redis.tf
index 0b96ff007..bbac471ac 100644
--- a/ci/terraform/redis.tf
+++ b/ci/terraform/redis.tf
@@ -5,8 +5,6 @@ locals { resource "aws_elasticache_subnet_group" "frontend_redis_session_store" { name = "${var.environment}-frontend-redis-subnet" subnet_ids = local.private_subnet_ids
-
- tags = local.default_tags
 }
@@ -51,6 +49,4 @@ resource "aws_elasticache_replication_group" "frontend_sessions_store" { engine_version ] }
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/route53.tf b/ci/terraform/route53.tf
index 601e5b98c..1837f84b2 100644
--- a/ci/terraform/route53.tf
+++ b/ci/terraform/route53.tf
@@ -34,8 +34,6 @@ resource "aws_acm_certificate" "frontend_alb_certificate" { domain_name = aws_route53_record.frontend.name validation_method = "DNS"
- tags = local.default_tags
-
 lifecycle { create_before_destroy = true }
@@ -103,8 +101,6 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" { domain_name = local.frontend_fqdn validation_method = "DNS"
- tags = local.default_tags
-
 lifecycle { create_before_destroy = true }
diff --git a/ci/terraform/security-groups.tf b/ci/terraform/security-groups.tf
index 98ce70d4d..4a6fc0ee8 100644
--- a/ci/terraform/security-groups.tf
+++ b/ci/terraform/security-groups.tf
@@ -6,8 +6,6 @@ resource "aws_security_group" "frontend_redis_security_group" { lifecycle { create_before_destroy = true }
-
- tags = local.default_tags
 } resource "aws_security_group_rule" "allow_incoming_frontend_redis_from_private_subnet" {
@@ -41,8 +39,6 @@ resource "aws_security_group" "allow_access_to_frontend_redis" { lifecycle { create_before_destroy = true }
-
- tags = local.default_tags
 } resource "aws_security_group_rule" "allow_connection_to_frontend_redis" {
@@ -62,8 +58,6 @@ resource "aws_security_group" "frontend_alb_sg" { lifecycle { create_before_destroy = true }
-
- tags = local.default_tags
 } resource "aws_security_group_rule" "allow_alb_http_ingress_from_anywhere" {
@@ -106,8 +100,6 @@ resource "aws_security_group" "frontend_ecs_tasks_sg" { lifecycle { create_before_destroy = true }
-
- tags = local.default_tags
 } resource "aws_security_group_rule" "allow_ecs_task_ingress_from_alb" {
@@ -132,6 +124,9 @@ resource "aws_security_group" "service_down_page" { lifecycle { create_before_destroy = true }
+ tags = {
+ Service = "service-down-page"
+ }
 } resource "aws_security_group_rule" "allow_incoming_http_from_frontend_alb" {
diff --git a/ci/terraform/site.tf b/ci/terraform/site.tf
index dd1859049..d6cc24f34 100644
--- a/ci/terraform/site.tf
+++ b/ci/terraform/site.tf
@@ -1,10 +1,10 @@ terraform {
- required_version = ">= 1.7.1"
+ required_version = ">= 1.9.8"
 required_providers { aws = { source = "hashicorp/aws"
- version = "= 5.45.0"
+ version = "5.75.1"
 } random = { source = "hashicorp/random"
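Review bot: `required_version = ">= 1.9.8"` in the `site.tf` hunk has no upper bound, and this commit also deletes `ci/terraform/.terraform-version`, so nothing visible in the diff pins the Terraform CLI that runs this configuration; a future major release would be accepted. A bounded constraint such as `required_version = "~> 1.9.8"` (or `">= 1.9.8, < 2.0.0"`) keeps CLI upgrades deliberate, in the same way the AWS provider is pinned to an exact version two lines below. The `terraform` block continues past the end of this hunk.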
@@ -16,11 +16,29 @@ terraform { } }
+locals {
+ provider_default_tags = {
+ Environment = var.environment
+ Owner = "di-authentication@digital.cabinet-office.gov.uk"
+ Product = "GOV.UK Sign In"
+ System = "Authentication"
+ Service = "frontend"
+ application = "auth-frontend"
+ }
+}
+
 provider "aws" { region = var.aws_region
- assume_role {
- role_arn = var.deployer_role_arn
+ dynamic "assume_role" {
+ for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+ content {
+ role_arn = assume_role.value
+ }
+ }
+
+ default_tags {
+ tags = local.provider_default_tags
 } }
@@ -29,8 +47,15 @@ provider "aws" { region = "us-east-1"
- assume_role {
- role_arn = var.deployer_role_arn
+ dynamic "assume_role" {
+ for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+ content {
+ role_arn = assume_role.value
+ }
+ }
+
+ default_tags {
+ tags = local.provider_default_tags
 } }
@@ -41,10 +66,3 @@ data "aws_caller_identity" "current" {} data "aws_region" "current" {} data "aws_partition" "current" {}
-
-locals {
- default_tags = {
- environment = var.environment
- application = "auth-frontend"
- }
-}
diff --git a/ci/terraform/sns.tf b/ci/terraform/sns.tf
index 5913e0d5f..ebe302901 100644
--- a/ci/terraform/sns.tf
+++ b/ci/terraform/sns.tf
@@ -4,8 +4,6 @@ resource "aws_sns_topic" "slack_events" { provider = aws.cloudfront name = "${var.environment}-cloudfront-alerts" lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
-
- tags = local.default_tags
 } data "aws_iam_policy_document" "sns_topic_policy" {
@@ -56,8 +54,6 @@ resource "aws_iam_role" "sns_logging_iam_role" { name_prefix = "sns-failed-slack-alerts-role" path = "/${var.environment}/" assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy.json
-
- tags = local.default_tags
 } data "aws_iam_policy_document" "sns_can_assume_policy" {
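Review bot: When `var.deployer_role_arn` is null the `dynamic "assume_role"` block emits nothing, so this provider, and the `us-east-1` provider in the next hunk, runs with whatever credentials the caller already holds, and nothing in the hunk says that is intended. A comment above the block would record it, e.g. `# No deployer role set: use the caller's own credentials`. An empty string is not null, so `deployer_role_arn = ""` would still produce an `assume_role` block with an empty `role_arn`; the variable's declaration is outside this diff, so confirm its default is `null` or use `for_each = compact([var.deployer_role_arn])`.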
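Review bot: AWS tag keys are case-sensitive, so the `default_tags` block here (and the one in the previous hunk) stops applying the old `environment` tag and applies `Environment` instead, through `local.provider_default_tags`. Anything that matches on the old key, such as IAM conditions on `aws:ResourceTag/environment`, cost-allocation tags or monitoring filters, would stop matching; none of those consumers are visible in this diff, so this needs checking before apply. `application` stays lower-case next to the capitalised keys, so either align it (`Application = "auth-frontend"`) or add a comment on the local saying which keys are kept as they were for compatibility.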
@@ -112,8 +108,6 @@ resource "aws_iam_policy" "api_gateway_logging_policy" { lifecycle { create_before_destroy = true }
-
- tags = local.default_tags
 } resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {
diff --git a/ci/terraform/ssm.tf b/ci/terraform/ssm.tf
index a55f01df3..30d6b9bb0 100644
--- a/ci/terraform/ssm.tf
+++ b/ci/terraform/ssm.tf
@@ -32,8 +32,6 @@ resource "aws_kms_key" "parameter_store_key" { customer_master_key_spec = "SYMMETRIC_DEFAULT" key_usage = "ENCRYPT_DECRYPT"
-
- tags = local.default_tags
 } resource "aws_kms_alias" "parameter_store_key_alias" {
@@ -46,8 +44,6 @@ resource "aws_ssm_parameter" "redis_master_host" { type = "SecureString" key_id = aws_kms_alias.parameter_store_key_alias.id value = aws_elasticache_replication_group.frontend_sessions_store.primary_endpoint_address
-
- tags = local.default_tags
 } resource "aws_ssm_parameter" "redis_replica_host" {
@@ -55,8 +51,6 @@ resource "aws_ssm_parameter" "redis_replica_host" { type = "SecureString" key_id = aws_kms_alias.parameter_store_key_alias.id value = aws_elasticache_replication_group.frontend_sessions_store.reader_endpoint_address
-
- tags = local.default_tags
 } resource "aws_ssm_parameter" "redis_tls" {
@@ -64,8 +58,6 @@ resource "aws_ssm_parameter" "redis_tls" { type = "SecureString" key_id = aws_kms_alias.parameter_store_key_alias.id value = "true"
-
- tags = local.default_tags
 } resource "aws_ssm_parameter" "redis_password" {
@@ -73,8 +65,6 @@ resource "aws_ssm_parameter" "redis_password" { type = "SecureString" key_id = aws_kms_alias.parameter_store_key_alias.id value = random_password.redis_password.result
-
- tags = local.default_tags
 } resource "aws_ssm_parameter" "redis_port" {
@@ -82,8 +72,6 @@ resource "aws_ssm_parameter" "redis_port" { type = "SecureString" key_id = aws_kms_alias.parameter_store_key_alias.id value = aws_elasticache_replication_group.frontend_sessions_store.port
-
- tags = local.default_tags
 } data "aws_iam_policy_document" "redis_parameter_policy" {
@@ -123,6 +111,4 @@ resource "aws_iam_policy" "parameter_policy" { policy = data.aws_iam_policy_document.redis_parameter_policy.json path = "/${var.environment}/redis/${local.redis_key}/" name_prefix = "parameter-store-policy"
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/waf.tf b/ci/terraform/waf.tf
index 27df753d4..cea7c91ca 100644
--- a/ci/terraform/waf.tf
+++ b/ci/terraform/waf.tf
@@ -23,8 +23,6 @@ resource "aws_wafv2_ip_set" "cf_gds_ip_set" { "18.132.149.145/32" ]
-
- tags = local.default_tags
 } resource "aws_wafv2_web_acl" "frontend_cloudfront_waf_web_acl" {
@@ -384,8 +382,6 @@ resource "aws_wafv2_web_acl" "frontend_cloudfront_waf_web_acl" { metric_name = "${replace(var.environment, "-", "")}FrontendcloudfrontWafRules" sampled_requests_enabled = true }
-
- tags = local.default_tags
 } # Cloudwatch Logging for frontend Cloudfront WAF
@@ -442,8 +438,6 @@ resource "aws_kms_key" "frontent_cloudfront_cw_log_encryption" { deletion_window_in_days = 30 enable_key_rotation = true policy = data.aws_iam_policy_document.frontend_cloudfront_cloudwatch.json
-
- tags = local.default_tags
 } resource "aws_cloudwatch_log_group" "frontend_cloudfront_waf_log_group" {
@@ -452,8 +446,6 @@ resource "aws_cloudwatch_log_group" "frontend_cloudfront_waf_log_group" { name = "aws-waf-logs-frontend-cloudfront-${var.environment}" kms_key_id = aws_kms_key.frontent_cloudfront_cw_log_encryption.arn retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 } resource "aws_wafv2_web_acl_logging_configuration" "frontend_cloudfront_waf_logging_config" {