AWS WAF v2 Security Polcies & web ACLs

Hi all,

I have used terraform to create a WAFv2 Couldfront (global) Security Policy (or “aws_fms_policy” as terraform knows it). Attached to this is a rule group and ip set, all built by terraform. This is made in our organisational level account in cloudfront, then associated to a sub account within our organisation.

So far so awesome, but the next step in the process is that AWS kinda ‘magically’ creates a Web ACL in the sub account when it’s associated to the security policy. It looks a bit like this:


Where “paul-dev” is the name of the security policy that created it.

I want to attach this web ACL, so I’ve been looking at code like this when setting up the cloudfront distribution::

data “aws_wafv2_web_acl” “web_acl” {
name = “{var.myName}-{local.env_abbreviation[var.environment]}”
scope = “CLOUDFRONT”

resource “aws_cloudfront_distribution” “cf” {
origin {
origin_id = var.merchant_name
domain_name = aws_alb.alb.dns_name
custom_origin_config {
origin_protocol_policy = “https-only”
origin_ssl_protocols = [“TLSv1.2”] # TLSv1.1
http_port = 80
https_port = 443

viewer_certificate {
acm_certificate_arn = var.tls_cert_nv_arn
ssl_support_method = “sni-only”
minimum_protocol_version = “TLSv1.2_2019”
enabled = true
is_ipv6_enabled = false
aliases = [var.merchant_fqdn]

web_acl_id = aws_wafv2_web_acl.web_acl.arn

This doesn’t work, saying the “web_acl” isn’t defined. I’ve also tried the resource syntax, but critically I don’t want to create a web acl: AWS is already doing this. I just want terraform to find it and attach it.

Anyone able to point me int he right direction?

Thanks in advance!!