
I tried to create a WAF web ACL using the Terraform script below with the region of one of my AWS accounts (abc) set to ap-southeast-1 in the .aws/config file, but I get the error below after applying it. The same script created the WAF web ACL successfully when my other AWS account's (xyz) profile region was us-east-1 in the .aws/config file.

resource "aws_wafv2_web_acl" "waf_acl" {
  name        = local.waf_name
  description = "waf setup infront of cloudfront"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = local.waf_name
    sampled_requests_enabled   = true
  }
}

The error is as below:

│ Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "b83b40074r-b3a55-49e76-b2353-e16f32830518632"
│   },
│   Field: "SCOPE_VALUE",
│   Message_: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT",
│   Parameter: "CLOUDFRONT",
│   Reason: "The scope is not valid."
│ }
│ 
│   with aws_wafv2_web_acl.waf_acl,
│   on main.tf line 122, in resource "aws_wafv2_web_acl" "waf_acl":
│  122: resource "aws_wafv2_web_acl" "waf_acl" {

Please note: the same script worked perfectly fine in the us-east-1 region with scope = "CLOUDFRONT".
Any help would be really appreciated.

Thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    Resolution: add the following provider block (to provider.tf, if you are not already using one):

    provider "aws" {
      region = "us-east-1"
      alias  = "useast1"
    }
    

    and set the provider in the WAF resource as follows:

    .
    .
    scope       = "CLOUDFRONT"
    provider    = aws.useast1
    .
    .
    

    This will solve the issue. Thanks


  2. You already answered your own question. The CLOUDFRONT scope should be created in the us-east-1 region.

    AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

    However, it is possible to use a multi-region deployment in Terraform:

    provider "aws" {
      region = "ap-southeast-1"
    }
    
    # Additional provider configuration for us-east-1 region; resources can
    # reference this as `aws.east`.
    provider "aws" {
      alias  = "east"
      region = "us-east-1"
    }
    
    resource "aws_wafv2_web_acl" "waf_acl" {
      provider = aws.east
    
      # ...
    }
    
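Both answers above show the provider alias; the quoted AWS note also says that every resource the web ACL uses (rule groups, IP sets) must live in us-east-1. The following is an added example, not code from either answerer, that applies the alias to an IP set and to the web ACL that references it; the resource names and the CIDR are assumptions.

```hcl
# Added example, not the answerers' code: names and the CIDR are assumptions.
# Every scope = "CLOUDFRONT" WAFv2 resource, including the IP set the web
# ACL references, must go through the us-east-1 provider alias.
provider "aws" {
  alias  = "useast1"
  region = "us-east-1"
}

resource "aws_wafv2_ip_set" "blocklist" {
  provider           = aws.useast1
  name               = "cloudfront-blocklist"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # constructed documentation range
}

resource "aws_wafv2_web_acl" "waf_acl" {
  provider = aws.useast1
  name     = "cloudfront-waf"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # A custom (non-managed) rule uses action {}, not override_action {}.
  rule {
    name     = "block-listed-ips"
    priority = 0
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocklist.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-listed-ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-waf"
    sampled_requests_enabled   = true
  }
}
```

The CloudFront distribution itself can stay on the default (ap-southeast-1) provider, since it is a global resource, and takes the ACL by ARN: web_acl_id = aws_wafv2_web_acl.waf_acl.arn.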