aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

WAFv2 Regional Limitations - CloudFormation Regression #546

Open fimbulvetr opened 4 years ago

fimbulvetr commented 4 years ago

With WAFv1, we were able to create WAF and CloudFront resources in the same template if we were in a region other than us-east-1 (for example, us-west-2).

Now it is impossible to do this with WAFv2 automatically without a Custom Resource, as WAFv2 requires the ACL to be created in us-east-1 if it is a CloudFront ACL. If you have your entire stack in another region, you now either need to pass the WAFv2 ACL's att.Arn as a parameter or you need to create a custom resource to look up the ARN for you. This is more obtuse than the original WAF, and IMO will stymie the adoption of WAFv2, as now I have no incentive to jump through hoops when I can just use WAFv1.

Please allow WAFv2 to be a "Global WAF", like WAFv1, so that we can create the resource in the same template as the CloudFront/S3/CodeBuild resources that support an application.
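The "custom resource to look up the ARN" workaround mentioned above, as an added example that is not part of this issue or of the CloudFormation project: a Lambda-backed custom resource that a stack in any region can call, which pins its WAFv2 client to us-east-1 (the only region where CLOUDFRONT-scoped WebACLs exist), pages through ListWebACLs by name and hands the ARN back to CloudFormation through the standard pre-signed ResponseURL callback. The property name `WebAclName`, the returned attribute `Arn`, the `FakeWafv2Client` stand-in and its ACL names and ARNs are assumptions constructed for this example; `boto3` is only imported inside the handler so the module also loads where it is not installed.

```python
"""Custom resource: resolve a CloudFront-scoped WAFv2 WebACL ARN from us-east-1.

Example code, not from the issue or the project. Intended as a Lambda handler
behind `Custom::WebAclArn`; the calling stack (in any region) passes the
property `WebAclName` and reads `!GetAtt <Logical>.Arn` back.
"""
import json
import urllib.request

WAF_CLOUDFRONT_REGION = "us-east-1"   # CLOUDFRONT-scoped ACLs live here only
SUCCESS, FAILED = "SUCCESS", "FAILED"


def find_web_acl_arn(client, name, scope="CLOUDFRONT"):
    """Return the ARN of the WebACL called `name`, or None if absent.

    ListWebACLs is paginated via NextMarker; walk every page so an account
    with many ACLs never returns a false "not found".
    """
    kwargs = {"Scope": scope, "Limit": 100}
    while True:
        page = client.list_web_acls(**kwargs)
        for acl in page.get("WebACLs", []):
            if acl["Name"] == name:
                return acl["ARN"]
        marker = page.get("NextMarker")
        if not marker:
            return None
        kwargs["NextMarker"] = marker


def build_response(event, status, data=None, reason=None):
    """Body of the custom-resource callback in the shape CloudFormation expects."""
    return {
        "Status": status,
        "Reason": reason or "See CloudWatch logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send(event, body):
    """PUT the response to the pre-signed ResponseURL CloudFormation supplied."""
    req = urllib.request.Request(event["ResponseURL"], data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context, client=None, sender=send):
    """Lambda entry point. `client` and `sender` are injectable for offline tests.

    Every path must call `sender`, otherwise the stack hangs until the
    custom-resource timeout (one hour) before rolling back.
    """
    if event["RequestType"] == "Delete":        # nothing to tear down: lookup only
        sender(event, build_response(event, SUCCESS))
        return
    try:
        if client is None:
            import boto3                          # assumption: available in Lambda
            client = boto3.client("wafv2", region_name=WAF_CLOUDFRONT_REGION)
        name = event["ResourceProperties"]["WebAclName"]
        arn = find_web_acl_arn(client, name)
        if arn is None:
            sender(event, build_response(
                event, FAILED,
                reason=f"no CLOUDFRONT WebACL named {name!r} in {WAF_CLOUDFRONT_REGION}"))
            return
        sender(event, build_response(event, SUCCESS, data={"Arn": arn}))
    except Exception as exc:                      # report, never leave the stack waiting
        sender(event, build_response(event, FAILED, reason=str(exc)))


class FakeWafv2Client:
    """Constructed stand-in for boto3's wafv2 client: two pages of sample ACLs."""

    def __init__(self):
        self.pages = {
            None: {"WebACLs": [{"Name": "edge-acl",
                                "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/edge-acl/0000"}],
                   "NextMarker": "page2"},
            "page2": {"WebACLs": [{"Name": "api-acl",
                                   "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/api-acl/1111"}]},
        }

    def list_web_acls(self, Scope, Limit, NextMarker=None):
        assert Scope == "CLOUDFRONT"
        return self.pages[NextMarker]


if __name__ == "__main__":
    print(find_web_acl_arn(FakeWafv2Client(), "api-acl"))
```

In the consuming template the resource would be declared with `Type: Custom::WebAclArn`, `ServiceToken` pointing at this Lambda and `WebAclName` as a property, and the distribution's `WebACLId` set to `!GetAtt WebAclLookup.Arn`; the Lambda's role needs `wafv2:ListWebACLs`. The create-then-look-up ordering is the price of the workaround: the ACL still has to exist in us-east-1 before the other-region stack runs.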

seittema commented 4 years ago

I agree this is a pain point. I suspect, though, that it's more of a WAFv2 limitation than a CloudFormation one. Looking at using the WAFv2 APIs, you have to use them in us-east-1; you can't use them in another region. I bet CloudFormation just exposes the API but has to abide by the service provider's (WAFv2's) rules. It would be nice if CFT could handle it for us, though.

jk2l commented 4 years ago

I proposed solving this via supporting cross-region CloudFormation through nested stacks, as cross-region support in AWS CFN is quite a mess and inconsistent between a lot of services.