AWS WAF v2 Security Policies & web ACLs

Hi all,

I have used terraform to create a WAFv2 Cloudfront (global) Security Policy (or “aws_fms_policy” as terraform knows it). Attached to this is a rule group and ip set, all built by terraform. This is made in our organisational level account in cloudfront, then associated to a sub account within our organisation.

So far so awesome, but the next step in the process is that AWS kinda ‘magically’ creates a Web ACL in the sub account when it’s associated to the security policy. It looks a bit like this:

FMManagedWebACLV2paul-dev32987983742

Where “paul-dev” is the name of the security policy that created it.

I want to attach this web ACL, so I’ve been looking at code like this when setting up the cloudfront distribution:

```hcl
data "aws_wafv2_web_acl" "web_acl" {
  name  = "${var.myName}-${local.env_abbreviation[var.environment]}"
  scope = "CLOUDFRONT"
}

resource "aws_cloudfront_distribution" "cf" {
  origin {
    origin_id   = var.merchant_name
    domain_name = aws_alb.alb.dns_name
    custom_origin_config {
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"] # TLSv1.1
      http_port              = 80
      https_port             = 443
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.tls_cert_nv_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2019"
  }
  enabled         = true
  is_ipv6_enabled = false
  aliases         = [var.merchant_fqdn]

  web_acl_id = aws_wafv2_web_acl.web_acl.arn
}
```

This doesn’t work, saying the “web_acl” isn’t defined. I’ve also tried the resource syntax, but critically I don’t want to create a web acl: AWS is already doing this. I just want terraform to find it and attach it.

Anyone able to point me in the right direction?

Thanks in advance!!
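An added example (not from the poster) of one way to locate the FMS-created ACL without hard-coding its numeric suffix: a small script shaped for Terraform's `external` data source that lists CloudFront-scoped web ACLs with the AWS CLI and selects the single one whose name follows the `FMManagedWebACLV2<policy-name><digits>` convention seen above. The naming regex, the `policy_name` query key and the `aws` CLI on PATH are assumptions; the sample ACL list is constructed for offline testing.

```python
"""Select the FMS-managed WAFv2 web ACL for a given security policy name."""
import json
import re
import subprocess
import sys

# Assumed convention from the post: "FMManagedWebACLV2" + policy name + digits.
FMS_NAME_RE = r"^FMManagedWebACLV2{policy}\d+$"

# Constructed sample of what `aws wafv2 list-web-acls` returns under "WebACLs".
SAMPLE_WEB_ACLS = [
    {"Name": "FMManagedWebACLV2paul-dev32987983742", "Id": "id-dev",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:global/webacl/FMManagedWebACLV2paul-dev32987983742/id-dev"},
    {"Name": "FMManagedWebACLV2paul-prod1234", "Id": "id-prod",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:global/webacl/FMManagedWebACLV2paul-prod1234/id-prod"},
    {"Name": "paul-dev", "Id": "id-manual",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:global/webacl/paul-dev/id-manual"},
]


def select_fms_web_acl(web_acls, policy_name):
    """Return the one ACL dict matching the FMS naming convention for policy_name.

    Refuses to guess: zero or several candidates raise ValueError, which matters
    because a policy named e.g. "paul-dev2" would also satisfy the pattern.
    """
    pattern = re.compile(FMS_NAME_RE.format(policy=re.escape(policy_name)))
    matches = [acl for acl in web_acls if pattern.match(acl.get("Name", ""))]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one FMS web ACL for policy {policy_name!r}, found {len(matches)}")
    return matches[0]


def list_cloudfront_web_acls():
    """CloudFront-scoped ACLs are always served from us-east-1."""
    cmd = ["aws", "wafv2", "list-web-acls", "--scope", "CLOUDFRONT",
           "--region", "us-east-1", "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)["WebACLs"]


def main():
    query = json.load(sys.stdin)  # Terraform's `external` data source passes `query` here
    acl = select_fms_web_acl(list_cloudfront_web_acls(), query["policy_name"])
    json.dump({"arn": acl["ARN"], "name": acl["Name"], "id": acl["Id"]}, sys.stdout)


if __name__ == "__main__":
    main()
```

Wire it in with `data "external" "fms_acl" { program = ["python3", "find_fms_acl.py"]; query = { policy_name = "paul-dev" } }` and reference `data.external.fms_acl.result.arn` for `web_acl_id`. Check the FMS policy's remediation setting first, since with auto-remediation enabled FMS associates its ACL with in-scope distributions itself and a Terraform-pinned `web_acl_id` can fight it.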