Caveats in Terraforming WAF V2 for CloudFront
Disclaimer: This content reflects my personal opinions, not those of any organizations I am or have been affiliated with. Code samples are provided for illustration purposes only, use with caution and test thoroughly before deployment.
If you want to add a WAF V2 (aws_wafv2_web_acl) to a CloudFront distribution (aws_cloudfront_distribution) using Terraform, there are a few caveats:
- On aws_wafv2_web_acl:
  - Use scope = "CLOUDFRONT".
  - Use the AWS provider in the us-east-1 region. (Although in the AWS Console it will still be listed under “Global”.)
- On aws_cloudfront_distribution:
  - You can use web_acl_id = aws_wafv2_web_acl.<name>.arn. Be careful: even though the argument is named web_acl_id, you need to pass the ARN instead of the id. This bug only happens in V2.
  - The IAM user/role you use to execute terraform apply must have the waf:GetWebACL permission.
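Putting the caveats together, here is an added example (not the post's own code) that wires a WAF V2 web ACL to a CloudFront distribution. The provider alias "virginia", the resource names "edge" and "site", and the origin domain are placeholders chosen for illustration.

```hcl
# Added example, not the post's own code. Names ("virginia", "edge", "site",
# the origin domain) are placeholders chosen for illustration.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1" # WAF V2 for CloudFront must be created in us-east-1
}

resource "aws_wafv2_web_acl" "edge" {
  provider = aws.virginia
  name     = "edge-acl"
  scope    = "CLOUDFRONT" # not REGIONAL; the console still lists it as "Global"

  default_action {
    allow {}
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  # The argument is called web_acl_id, but a WAF V2 ACL must be passed by ARN;
  # aws_wafv2_web_acl.edge.id is not accepted here.
  web_acl_id = aws_wafv2_web_acl.edge.arn

  origin {
    domain_name = "example-origin.s3.amazonaws.com" # placeholder origin
    origin_id   = "example-origin"
  }
  default_cache_behavior {
    target_origin_id       = "example-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

The identity running terraform apply still needs the waf:GetWebACL permission for the distribution to associate the ACL; that policy is not part of this snippet.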