I’m creating a CloudFront distribution along with a WAFv2 Web ACL. Terraform has successfully created both resources, but I keep getting a failure when I try to associate the CloudFront distribution with the Web ACL.
How do I add read permissions on the Web ACL?
Here’s the error when I run terraform apply:
Terraform will perform the following actions:

  # aws_cloudfront_distribution.my_web_app_hosting will be updated in-place
  ~ resource "aws_cloudfront_distribution" "my_web_app_hosting" {
        id         = "E1DJTHPQ9VVYLJ"
        tags       = {}
      + web_acl_id = "arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:global/webacl/ma-pm-frontend/ba1fe7e7-6da8-40bf-9e8b-a76e7607b325"
        # (20 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions in workspace "dev"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cloudfront_distribution.my_web_app_hosting: Modifying... [id=E1DJTHPQ9VVYLJ]
╷
│ Error: updating CloudFront Distribution (E1DJTHPQ9VVYLJ): InvalidWebACLId: Unable to verify read permissions on Web ACL. Please retry the request.
│       status code: 400, request id: 0b0ed272-a596-4ded-bdbb-ea74fa2ca040
│
│   with aws_cloudfront_distribution.my_web_app_hosting,
│   on cloudfront.tf line 5, in resource "aws_cloudfront_distribution" "my_web_app_hosting":
│    5: resource "aws_cloudfront_distribution" "my_web_app_hosting" {
│
╵
Releasing state lock. This may take a few moments...
And I have verified that the Web ACL exists with the AWS CLI list-web-acls call:
$ aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1
{
    "NextMarker": "ma-pm-frontend",
    "WebACLs": [
        ...
        {
            "Name": "ma-pm-frontend",
            "Id": "ba1fe7e7-6da8-40bf-9e8b-a76e7607b325",
            "Description": "",
            "LockToken": "39100363-e676-49a0-8d63-bded2414cd24",
            "ARN": "arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:global/webacl/ma-pm-frontend/ba1fe7e7-6da8-40bf-9e8b-a76e7607b325"
        }
    ]
}
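The error text says CloudFront could not verify read permission on the Web ACL and suggests a retry, so two things are worth separating before touching IAM: whether the ACL had simply not propagated yet (re-run the apply), and whether the credentials Terraform runs as can actually perform the read on that exact ARN. list-web-acls only shows the ACL exists; it does not exercise a read of the ACL itself. The script below is an added diagnostic, not part of the question or of any answer, and it assumes the read CloudFront refers to corresponds to the wafv2 GetWebACL call (an assumption; the error does not name the API). It splits the ARN from the plan output into the fields get-web-acl needs, reports which principal the CLI is using, and attempts the read. The function names and the regional sample ARN used in testing are made up for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the original question. Checks whether the
# current credentials can read the WAFv2 web ACL that CloudFront refused.
# The ARN is the one from the plan output, with the account masked as
# in the question; replace the X's with the real account id before running.
WEB_ACL_ARN="arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:global/webacl/ma-pm-frontend/ba1fe7e7-6da8-40bf-9e8b-a76e7607b325"

# Split a WAFv2 web ACL ARN into the fields `aws wafv2 get-web-acl` needs.
# Prints "region scope name id"; scope is CLOUDFRONT for global/ ARNs and
# REGIONAL for regional/ ARNs (the two values the --scope flag accepts).
parse_webacl_arn() {
    arn="$1"
    case "$arn" in
        arn:*:wafv2:*:*:*/webacl/*/*) ;;
        *) echo "not a WAFv2 web ACL ARN: $arn" >&2; return 1 ;;
    esac
    rest="${arn#arn:*:wafv2:}"      # us-east-1:ACCOUNT:global/webacl/NAME/ID
    region="${rest%%:*}"
    rest="${rest#*:}"               # ACCOUNT:global/webacl/NAME/ID
    rest="${rest#*:}"               # global/webacl/NAME/ID
    scope_part="${rest%%/*}"
    rest="${rest#*/webacl/}"        # NAME/ID
    name="${rest%/*}"
    id="${rest##*/}"
    case "$scope_part" in
        global)   scope=CLOUDFRONT ;;
        regional) scope=REGIONAL ;;
        *) echo "unknown scope segment: $scope_part" >&2; return 1 ;;
    esac
    printf '%s %s %s %s\n' "$region" "$scope" "$name" "$id"
}

# Attempt the read with the credentials Terraform would use (run this with
# the same AWS_PROFILE / role). Outcomes to read from the CLI's own output:
#   prints the ARN            -> this principal can read the ACL
#   AccessDeniedException     -> IAM: wafv2:GetWebACL is not allowed on this ARN
#   WAFNonexistentItemException -> name/id/scope/region do not match what exists
check_webacl_readable() {
    fields=$(parse_webacl_arn "$1") || return 1
    set -- $fields
    region="$1" scope="$2" name="$3" id="$4"
    echo "caller: $(aws sts get-caller-identity --query Arn --output text)"
    # CloudFront-scoped ACLs are only addressable in us-east-1, which is
    # also the region carried in a global/ ARN.
    aws wafv2 get-web-acl --region "$region" --scope "$scope" \
        --name "$name" --id "$id" --query 'WebACL.ARN' --output text
}

# Live check only when an ARN is passed, e.g.:
#   sh check_webacl.sh "$WEB_ACL_ARN"
if [ $# -ge 1 ]; then
    check_webacl_readable "$1"
fi
```

If the read succeeds here but the apply still fails, the problem is not the caller's IAM permission on the ACL, and a retry after a short wait is the next thing to try, as the error itself suggests. If the CLI is denied, the principal Terraform uses lacks the read on that ARN and the policy attached to it is where to look.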