I tried to create a WAF web ACL using the Terraform script below, with the region for one of my AWS accounts (abc) set to ap-southeast-1 in the .aws/config file, but I get the error below after applying it. The same script created the WAF web ACL successfully when my other AWS account's (xyz) profile region was us-east-1 in the .aws/config file.
```hcl
# Web ACL intended for a CloudFront distribution, so scope must be CLOUDFRONT.
resource "aws_wafv2_web_acl" "waf_acl" {
  name        = local.waf_name
  description = "waf setup infront of cloudfront"
  scope       = "CLOUDFRONT"

  # Requests that match no rule are allowed through.
  default_action {
    allow {}
  }

  # AWS managed rule groups; override_action none {} keeps each group's own
  # block/count actions instead of forcing count mode.
  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # Metrics and sampling for the web ACL as a whole.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = local.waf_name
    sampled_requests_enabled   = true
  }
}
```
Error as below:

```text
│ Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "b83b40074r-b3a55-49e76-b2353-e16f32830518632"
│   },
│   Field: "SCOPE_VALUE",
│   Message_: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT",
│   Parameter: "CLOUDFRONT",
│   Reason: "The scope is not valid."
│ }
│
│   with aws_wafv2_web_acl.waf_acl,
│   on main.tf line 122, in resource "aws_wafv2_web_acl" "waf_acl":
│  122: resource "aws_wafv2_web_acl" "waf_acl" {
```
Please note: the same script worked perfectly fine in the us-east-1 region with scope = "CLOUDFRONT".

Any help would be really appreciated. Thanks in advance.
2 Answers
Resolution: add the resource in case you are not using provider.tf

provider.tf

and put the value as in the WAF resource; that will solve the issue. Thanks
You already answered your own question. CLOUDFRONT scope should be created in the us-east-1 region. However, it is possible to use a multi-region deployment in Terraform.
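Both answers above point at the same fix: a CLOUDFRONT-scoped WAFv2 web ACL is a global resource that the API only accepts in us-east-1, so it has to go through a provider pinned to that region rather than the profile's default region. The configuration below is an added example and is not the code either answerer posted. The profile name abc comes from the question; the alias us_east_1, the locals block and the trimmed single-rule ACL are assumptions for illustration.

```hcl
# Added example, not from the question or either answer. Assumes a profile
# named "abc" whose .aws/config region is ap-southeast-1; the alias name and
# the local values are illustrative.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

locals {
  waf_name = "cloudfront-waf"
}

# Default provider: takes its region from the profile (ap-southeast-1 here).
# Regional resources keep using this one.
provider "aws" {
  profile = "abc"
}

# Second provider instance pinned to us-east-1 for CloudFront-scoped WAFv2
# resources, independent of whatever region the profile is configured with.
provider "aws" {
  alias   = "us_east_1"
  profile = "abc"
  region  = "us-east-1"
}

resource "aws_wafv2_web_acl" "waf_acl" {
  # Route this resource through the us-east-1 provider. Without this line the
  # default provider (ap-southeast-1) is used and the API rejects
  # scope = "CLOUDFRONT" with "The scope is not valid".
  provider = aws.us_east_1

  name        = local.waf_name
  description = "waf setup in front of cloudfront"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = local.waf_name
    sampled_requests_enabled   = true
  }
}

# Any other WAFv2 object referenced by this ACL (IP sets, regex pattern sets,
# rule groups) must also be CLOUDFRONT-scoped and use the same aliased provider.
output "waf_acl_arn" {
  value = aws_wafv2_web_acl.waf_acl.arn
}
```

Two practical notes. First, for CloudFront the ACL is attached through the distribution's `web_acl_id` argument, which for WAFv2 takes the ACL ARN (the `waf_acl_arn` output above); `aws_wafv2_web_acl_association` only supports REGIONAL scope. Second, after `terraform apply` you can confirm the ACL landed in the right place with `aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1 --profile abc`; listing with `--scope CLOUDFRONT` against any other region fails with the same "The scope is not valid" error that the question shows.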