aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.55k stars 3.87k forks

aws-wafv2: Creating WAF with condition gives error: "Template format error: Unresolved resource dependencies [XXXX] in the Resources block of the template" #31459

Open ujjwol05 opened 1 week ago

ujjwol05 commented 1 week ago

Describe the bug

In my main stack located in the ap-southeast-2 region, I have a CloudFront distribution, which operates globally. This setup is functioning correctly.

However, I faced difficulties creating an AWS WAF in the same stack because WAF needs to be in a different stack due to regional constraints. I resolved this by creating a separate stack for the WAF and enabling crossRegionReferences in the main stack to reference the WAF.

```ts
// override env for my waf stack
env: { region: 'us-east-1' }
```

When the condition to enable the WAF is true, everything works as expected. But when I set the condition to false, I receive an error: "Template format error: Unresolved resource dependencies [XXXX] in the Resources block of the template". Upon reviewing the synthesized template, I see that the Lambda function and the role were created without considering the condition. I believe this is the issue? The Lambda function and the role should also have the condition attached to them? An example from the synthesized template:

```
"CustomCrossRegionExportWriterCustomResourceProviderHandlerXXXX": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Code": {
     "S3Bucket": {
      "Fn::Sub": "XXXXXX-us-east-1"
     },
     "S3Key": "XXXX.zip"
      ......
    },
```

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

When the condition is false, the stack should deploy successfully, and no resources should be created.

Current Behavior

Throws an error "Template format error: Unresolved resource dependencies [XXXX] in the Resources block of the template"

Reproduction Steps

```ts
new MainStack(
  app,
  'main-stack',
  { webAclArnExport: wafStack?.webAclArnOutput },
  { env: { region: process.env.CDK_DEFAULT_REGION }, crossRegionReferences: true }
);

// WAF stack
const isWafEnabled = new cdk.CfnCondition(this, 'waf', {
  expression: cdk.Fn.conditionEquals('false', 'true'),
});

const webAcl = new wafv2.CfnWebACL(this, 'web-acl', { scope: 'CLOUDFRONT', ... });

webAcl.cfnOptions.condition = isWafEnabled;
```



### Possible Solution

_No response_

### Additional Information/Context

_No response_

### CDK CLI Version

2.155.0

### Framework Version

_No response_

### Node.js Version

v20.11.0

### OS

Sonoma

### Language

TypeScript

### Language Version

_No response_

### Other information

_No response_

pahud commented 1 week ago

When you enable `crossRegionReferences: true`, what's happening behind the scenes is that there would be a custom resource as the writer being created to write the state to an SSM parameter. It won't be conditional and it would always happen. If you are referencing something that could be conditionally created cross-region, that might be an issue.

I guess you probably need to create a mock or dummy webAclArnOutput and still output from the waf stack even when the waf is not going to be created and that might be a workaround.
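
The failure discussed in this thread, as an added example (not code from the issue or from the CDK project): a check over a synthesized template that flags an always-created resource referencing one that carries a `Condition`, unless the reference sits in the true branch of an `Fn::If` on that same condition. The function names, the logical IDs, the `Custom::ExampleExportWriter` type and its property shape are assumptions made for illustration.

```typescript
// Added example. Understands Ref, array-form Fn::GetAtt and Fn::If; Fn::Sub strings are not parsed.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
interface Resource { Type: string; Condition?: string; Properties?: Json }
interface Template { Resources: { [logicalId: string]: Resource } }
interface Finding { from: string; to: string; condition: string }

// Walk a value, reporting each referenced logical ID with the conditions known to hold there.
function walk(value: Json, held: string[], visit: (id: string, held: string[]) => void): void {
  if (Array.isArray(value)) { value.forEach((v) => walk(v, held, visit)); return; }
  if (value === null || typeof value !== 'object') return;
  const obj = value;
  Object.keys(obj).forEach((key) => {
    const v = obj[key];
    if (v === undefined) return;
    const first = Array.isArray(v) ? v[0] : undefined;
    if (key === 'Fn::If' && Array.isArray(v) && typeof first === 'string') {
      walk(v[1] ?? null, held.concat(first), visit); // true branch: condition `first` holds
      walk(v[2] ?? null, held, visit);               // false branch: nothing extra is known
      return;
    }
    const id = key === 'Ref' ? v : key === 'Fn::GetAtt' ? first : undefined;
    if (typeof id === 'string') visit(id, held); else walk(v, held, visit);
  });
}

// Report references whose target exists only under a condition the referrer is not known to satisfy.
function findDanglingRefs(template: Template): Finding[] {
  const findings: Finding[] = [];
  Object.keys(template.Resources).forEach((from) => {
    const res = template.Resources[from];
    if (res === undefined) return;
    const held: string[] = res.Condition === undefined ? [] : [res.Condition];
    walk(res.Properties ?? null, held, (to, known) => {
      const condition = template.Resources[to]?.Condition;
      if (condition !== undefined && known.indexOf(condition) < 0) findings.push({ from, to, condition });
    });
  });
  return findings;
}

// Constructed sample (logical IDs, writer type and property shape are illustrative assumptions).
const sample: Template = { Resources: {
  WebAcl: { Type: 'AWS::WAFv2::WebACL', Condition: 'waf', Properties: { Scope: 'CLOUDFRONT' } },
  ExportsWriter: { Type: 'Custom::ExampleExportWriter',
    Properties: { exports: { 'example-export-name': { 'Fn::GetAtt': ['WebAcl', 'Arn'] } } } },
} };
console.log(JSON.stringify(findDanglingRefs(sample)));
```

To use it on a real app, pass in the parsed contents of a `*.template.json` file from `cdk.out` after `cdk synth`.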