Terraform keeps complaining about being Unable to verify read permissions on Web ACL when it attempts an association

I’m creating a CloudFront distribution along with a WAF V2 Web ACL. Terraform has successfully created both resources, but I keep getting a failure when I try to associate the CloudFront distribution with the Web ACL.

How do I add read permissions on the Web ACL?

Here’s the error when I run terraform apply:

Terraform will perform the following actions:

  # aws_cloudfront_distribution.my_web_app_hosting will be updated in-place
  ~ resource "aws_cloudfront_distribution" "my_web_app_hosting" {
        id                             = "E1DJTHPQ9VVYLJ"
        tags                           = {}
      + web_acl_id                     = "arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:global/webacl/ma-pm-frontend/ba1fe7e7-6da8-40bf-9e8b-a76e7607b325"
        # (20 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions in workspace "dev"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cloudfront_distribution.my_web_app_hosting: Modifying... [id=E1DJTHPQ9VVYLJ]
╷
│ Error: updating CloudFront Distribution (E1DJTHPQ9VVYLJ): InvalidWebACLId: Unable to verify read permissions on Web ACL. Please retry the request.
│       status code: 400, request id: 0b0ed272-a596-4ded-bdbb-ea74fa2ca040
│
│   with aws_cloudfront_distribution.my_web_app_hosting,
│   on cloudfront.tf line 5, in resource "aws_cloudfront_distribution" "my_web_app_hosting":
│    5: resource "aws_cloudfront_distribution" "my_web_app_hosting" {
│
╵
Releasing state lock. This may take a few moments...

And I have verified that the Web ACL exists with the AWS CLI list-web-acls call:

$ aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1
{
    "NextMarker": "ma-pm-frontend",
    "WebACLs": [
        ...
        {
            "Name": "ma-pm-frontend",
            "Id": "ba1fe7e7-6da8-40bf-9e8b-a76e7607b325",
            "Description": "",
            "LockToken": "39100363-e676-49a0-8d63-bded2414cd24",
            "ARN": "arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:global/webacl/ma-pm-frontend/ba1fe7e7-6da8-40bf-9e8b-a76e7607b325"
        }
    ]
}

Fixed it.

It turns out that my problem was that my GitLab runner role, which I’m also using from my dev environment, needed to have the right action in the policy statement to allow the association.

I added:

"wafv2:*",

to the Action section, and the association was successfully performed during the terraform apply action.
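A narrower alternative to "wafv2:*" for the runner role, written as an added example (not code from the original post): it scopes the read permission to the one web ACL and the update permission to the one distribution. The error text says CloudFront could not verify read permissions on the Web ACL, so the example assumes wafv2:GetWebACL on the web ACL ARN is the read check that failed; the resource names aws_wafv2_web_acl.frontend and the policy name are assumptions, and the account ID placeholder is the page's own.

```hcl
# Added example, not from the original post. ASSUMPTION: the CloudFront
# "verify read permissions" check maps to wafv2:GetWebACL on the web ACL ARN,
# and the association itself is performed by cloudfront:UpdateDistribution.
data "aws_iam_policy_document" "runner_waf_association" {
  # Overly broad form from the post, kept only for contrast:
  #   actions   = ["wafv2:*"]
  #   resources = ["*"]

  # Read access to the single global (CLOUDFRONT-scope) web ACL, so CloudFront
  # can confirm the caller is allowed to reference it.
  statement {
    sid       = "ReadWebAcl"
    effect    = "Allow"
    actions   = ["wafv2:GetWebACL"]
    resources = [aws_wafv2_web_acl.frontend.arn] # ASSUMPTION: resource name
  }

  # Permission to modify only the distribution that is being associated
  # (distribution ID taken from the plan output above).
  statement {
    sid     = "UpdateDistribution"
    effect  = "Allow"
    actions = [
      "cloudfront:GetDistribution",
      "cloudfront:UpdateDistribution",
    ]
    resources = ["arn:aws:cloudfront::XXXXXXXXXXXX:distribution/E1DJTHPQ9VVYLJ"]
  }
}

resource "aws_iam_policy" "runner_waf_association" {
  name   = "gitlab-runner-waf-association" # ASSUMPTION: policy name
  policy = data.aws_iam_policy_document.runner_waf_association.json
}

# ASSUMPTION: the runner role is referenced through aws_iam_role.gitlab_runner.
resource "aws_iam_role_policy_attachment" "runner_waf_association" {
  role       = aws_iam_role.gitlab_runner.name
  policy_arn = aws_iam_policy.runner_waf_association.arn
}
```

If the association still fails with the narrowed policy, the missing action can be identified from the denied call in CloudTrail rather than by widening back to "wafv2:*".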