hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Create WAF v2 CLOUDFRONT ACL in correct region #14189

Closed fubar closed 4 months ago

fubar commented 4 years ago

Description

I have a Terraform stack with provider "aws" that has region set to something other than us-east-1. The docs at https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#argument-reference state:

scope - (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.

There can be only 1 AWS provider. Since v2 CLOUDFRONT ACLs need to be created in us-east-1, this means that Terraform fails to support stacks outside of us-east-1.

What I would like to see is for Terraform to follow AWS requirements and always create wafv2_web_acl in region us-east-1 if scope is set to CLOUDFRONT, regardless of the region specified in the provider.

Thanks!

camjc commented 4 years ago

Heya, you can get around this by using provider aliases. (I agree this isn't obvious though)

Here's an example of making a CloudFront one and a regional one (for ALBs/API Gateways):


provider "aws" {
  alias   = "cloudfront-global"
  profile = "default"
  region  = "us-east-1" // NOTE: This needs to be us-east-1 for WAFv2 on scope CLOUDFRONT
  version = "~> 2.68"   // NOTE: version constraints in provider blocks are deprecated since Terraform 0.13; use required_providers instead
}

// ./modules/waf is assumed to declare a `scope` variable and to use the provider
// named `aws`; the caller decides which configuration that name maps to.
module "cloudfront-waf" {
  providers = {
    aws = aws.cloudfront-global // aws.aliasname
  }
  scope  = "CLOUDFRONT"
  source = "./modules/waf"
}

module "regional-waf" { // In my normal region: no providers map, so the default aws provider is used
  scope     = "REGIONAL"
  source    = "./modules/waf"
}
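The alias pattern above as a complete configuration, with the module body filled in. This is an added example, not code from this issue or from the provider project. It assumes a module at ./modules/waf, a primary region of eu-west-1 (any non-us-east-1 region behaves the same), and Terraform 1.2 or newer for the lifecycle precondition; the resource names, rule group and metric names are illustrative. The precondition turns the "wrong region" mistake into a plan-time error with a readable message instead of an API error at apply time.

```hcl
# ---- modules/waf/main.tf -----------------------------------------------------
# One module body serves both scopes; the scope decides which provider the
# caller has to hand in under the name `aws`.

variable "scope" {
  type        = string
  description = "CLOUDFRONT (needs a us-east-1 provider) or REGIONAL"

  validation {
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "scope must be CLOUDFRONT or REGIONAL."
  }
}

# Region of whichever provider configuration the caller mapped to `aws`.
data "aws_region" "current" {}

resource "aws_wafv2_web_acl" "this" {
  name  = "waf-${lower(var.scope)}" # illustrative name
  scope = var.scope

  # Allow by default; the managed rule group below blocks known-bad requests.
  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-common"
    priority = 1

    # Managed rule groups take override_action, not action.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "waf-${lower(var.scope)}"
    sampled_requests_enabled   = true
  }

  # Terraform >= 1.2. Rejects the CLOUDFRONT + non-us-east-1 combination at
  # plan time. `name` is returned by the data source on every provider version
  # (v6 also exposes `region`).
  lifecycle {
    precondition {
      condition     = var.scope != "CLOUDFRONT" || data.aws_region.current.name == "us-east-1"
      error_message = "scope = CLOUDFRONT requires the module's aws provider to be configured for us-east-1."
    }
  }
}

output "arn" {
  value = aws_wafv2_web_acl.this.arn
}

# ---- main.tf (root module) ---------------------------------------------------
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# The stack's normal region; eu-west-1 is an example value.
provider "aws" {
  region = "eu-west-1"
}

# Second configuration of the same provider, used only for the CloudFront ACL.
provider "aws" {
  alias  = "cloudfront-global"
  region = "us-east-1"
}

module "cloudfront-waf" {
  source = "./modules/waf"
  scope  = "CLOUDFRONT"
  providers = {
    aws = aws.cloudfront-global
  }
}

module "regional-waf" {
  source = "./modules/waf"
  scope  = "REGIONAL" # no providers map: inherits the default eu-west-1 provider
}
```

Attaching the two ACLs differs by scope: the CloudFront one goes into `web_acl_id = module.cloudfront-waf.arn` on the `aws_cloudfront_distribution` (WAFv2 ACLs are referenced there by ARN, and the distribution itself is a global resource that can be managed from the default provider), while the regional one is bound to an ALB or API Gateway stage with `aws_wafv2_web_acl_association`, which is not valid for CloudFront. Swapping the two ARNs is the other common mistake the precondition does not catch, so keep the scope visible in the output or resource name as done above.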
fubar commented 4 years ago

@camjc that's brilliant, thanks for the suggestion! Seems like an approach that Terraform could take under the hood.

github-actions[bot] commented 5 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.