Error: deleting WAFv2 WebACL - How to unassign WAF from the CloudFront and delete it

Hello,

We have a simple configuration with CloudFront and conditionally added WAF, but with modules.

Adding works fine, but when we try to set waf_enable = false, Terraform first tries to remove the WAF and then probably update the CloudFront distribution, which is not the right order.

module "cloudfront" {
  source = "./modules/cloudfront"

  # pass the ACL ARN only while the WAF is enabled
  web_acl_id = var.waf_enable ? module.waf.web_acl_id : null
}

Plan

Terraform will perform the following actions:

  # module.cloudfront.aws_cloudfront_distribution.common will be updated in-place
  ~ resource "aws_cloudfront_distribution" "common" {
        id                             = "E3R2RYBFLFA9P2"
        tags                           = {}
      - web_acl_id                     = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/common/c45decba-fdfe-4e26-a919-7c2ea7a24139" -> null

  # module.waf.aws_wafv2_web_acl.common[0] will be destroyed

module.waf.aws_wafv2_web_acl.common[0]: Still destroying… [id=c45decba-fdfe-4e26-a919-7c2ea7a24139, 5m0s elapsed]

│ Error: deleting WAFv2 WebACL (c45decba-fdfe-4e26-a919-7c2ea7a24139): WAFAssociatedItemException: AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource.

Is there a way to manage this removal order?

Thank you!

With all that, terraform destroy handles everything in the right order and all resources are destroyed.

So, we are able to

  1. Create everything with WAF
  2. Create everything without WAF and then assign it
  3. Destroy everything

But it is not clear how to optionally remove and destroy just the WAF.

@stmx38 we have the same problem on Terraform version 1.2.9. Which one are you using? Also, are you using the latest aws provider in your Terraform configuration?

@tmiklu, I just did one more try with the latest versions:

terraform version
Terraform v1.4.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.61.0

Terraform 1.4.4 (March 30, 2023)
AWS Provider v4.61.0 (March 31, 2023)

Something similar, related to the WAF, has already been reported:

  1. [Bug]: destruction of wafv2 rule group happens in wrong order #28331
  2. aws_wafv2_web_acl resource dependency wrong way around #17601

Having the same issue.
If you manually delete the CloudFront WAF ACL association first, then Terraform is able to handle deleting the WAF ACL.
This workaround is not ideal though, because it requires manual intervention in the AWS console.

1 Like

I re-read the post and added a lifecycle block to the aws_wafv2_web_acl resource:

resource "aws_wafv2_web_acl" "common" {
  ...

  lifecycle {
    create_before_destroy = true
  }
}

Now Terraform first detaches the WAF from CloudFront and then removes it:

module.cloudfront.aws_cloudfront_distribution.common: Still modifying... [id=EB6TU5M2X4TPY, 3m10s elapsed]
module.cloudfront.aws_cloudfront_distribution.common: Still modifying... [id=EB6TU5M2X4TPY, 3m20s elapsed]
module.cloudfront.aws_cloudfront_distribution.common: Modifications complete after 3m30s [id=EB6TU5M2X4TPY]
module.waf.aws_wafv2_web_acl.common[0]: Destroying... [id=4e1090ff-33d0-45bc-9afa-93bd2cee9ad2]
module.waf.aws_wafv2_web_acl.common[0]: Destruction complete after 1s

Apply complete! Resources: 0 added, 1 changed, 1 destroyed.

Before posting on the forum, I read both of the above-mentioned GitHub issues and tried applying lifecycle, but probably to the CloudFront distribution, and it should be on the WAF side.

At least we have an automated workaround.

2 Likes
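As an added example (not code from this thread, from HashiCorp or from the AWS provider), here is a single root module that puts the whole pattern together: a conditional WAFv2 web ACL, a CloudFront distribution that references it, and the create_before_destroy lifecycle setting on the web ACL so that flipping waf_enable to false updates the distribution first and only then deletes the ACL. The origin domain, rule contents, regions and names are placeholders; it uses one() over a splat instead of the thread's ternary to get null when the ACL is not created.

```hcl
# Added example, not from the thread. Toggling waf_enable between true and
# false exercises the ordering problem described above; with the lifecycle
# block on the web ACL, Terraform drops web_acl_id from the distribution
# before calling DeleteWebACL, so WAFAssociatedItemException does not occur.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.61"
    }
  }
}

variable "waf_enable" {
  type    = bool
  default = true
}

# Default provider, any region (placeholder).
provider "aws" {
  region = "eu-west-1"
}

# Web ACLs with scope = "CLOUDFRONT" must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "common" {
  count    = var.waf_enable ? 1 : 0
  provider = aws.us_east_1
  name     = "common" # placeholder name
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # One managed rule group as a representative rule (placeholder content).
  rule {
    name     = "aws-common-rules"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "common"
    sampled_requests_enabled   = true
  }

  # The fix from the thread: detach from CloudFront before destroying the ACL.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_cloudfront_distribution" "common" {
  enabled = true

  # one() returns the single ARN when count = 1 and null when count = 0,
  # which is what makes the plan show "web_acl_id -> null" on disable.
  web_acl_id = one(aws_wafv2_web_acl.common[*].arn)

  origin {
    domain_name = "example-origin.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

To check the ordering without touching production, run terraform plan with -var="waf_enable=false" against a state that has the ACL attached: the plan should list the in-place update of the distribution (web_acl_id -> null) and the destroy of the ACL, and the apply log should show the distribution modification complete before the ACL destroy starts, as in the output quoted above.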