Caveats in Terraforming WAF V2 for CloudFront
Disclaimer: This content reflects my personal opinions, not those of any organizations I am or have been affiliated with. Code samples are provided for illustration purposes only, use with caution and test thoroughly before deployment.
If you want to add a WAF V2 (`aws_wafv2_web_acl`) to a CloudFront distribution (`aws_cloudfront_distribution`) using Terraform, there are a few caveats:

- On `aws_wafv2_web_acl`:
  - Use `scope = "CLOUDFRONT"`.
  - Use the AWS provider in the us-east-1 region. (In the AWS Console it will still be listed under "Global".)
  - Use
- On `aws_cloudfront_distribution`:
  - You can set `web_acl_id = aws_wafv2_web_acl.<name>.arn`. Be careful: even though the argument is named `web_acl_id`, you need to pass the ARN instead of the ID. This bug only happens in V2.
  - The IAM user/role you use to execute `terraform apply` must have the `waf:GetWebACL` permission.
  - You can use
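A minimal configuration that wires the two resources together with the caveats above, added here as an example and not taken from the original post; the provider alias, resource names and the S3 origin bucket are assumptions:

```hcl
# Added example (not from the original post); all names and the origin bucket are made up.

# CloudFront-scoped WAFv2 resources must be managed through us-east-1,
# even though the console lists them under "Global".
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "cf" {
  provider = aws.us_east_1
  name     = "example-cloudfront-acl"
  scope    = "CLOUDFRONT" # a REGIONAL ACL cannot be attached to CloudFront
  default_action {
    allow {}
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-cloudfront-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  # The argument is named web_acl_id, but for WAFv2 it must receive the ARN.
  web_acl_id = aws_wafv2_web_acl.cf.arn
  origin {
    domain_name = "example-origin-bucket.s3.amazonaws.com"
    origin_id   = "s3-origin"
  }
  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

The identity running `terraform apply` still needs the `waf:GetWebACL` permission mentioned above, or the distribution's read-back of the attached ACL will fail even though the configuration itself is valid.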