Getting error as "The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT", in terraform
I tried to create a WAF web ACL using the Terraform script below, with the region of one of my AWS accounts (abc) set to ap-southeast-1 in the .aws/config file, but I get the error below after applying it. The same script created the WAF web ACL successfully when the profile of my other AWS account (xyz) had its region set to us-east-1 in the .aws/config file.

resource "aws_wafv2_web_acl" "waf_acl" {
  name        = local.waf_name
  description = "waf setup infront of cloudfront"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = local.waf_name
    sampled_requests_enabled   = true
  }
}

The error is as follows:

│ Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "b83b40074r-b3a55-49e76-b2353-e16f32830518632"
│   },
│   Field: "SCOPE_VALUE",
│   Message_: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT",
│   Parameter: "CLOUDFRONT",
│   Reason: "The scope is not valid."
│ }
│ 
│   with aws_wafv2_web_acl.waf_acl,
│   on main.tf line 122, in resource "aws_wafv2_web_acl" "waf_acl":
│  122: resource "aws_wafv2_web_acl" "waf_acl" {

Please note: the same script worked perfectly fine in the us-east-1 region with scope="CLOUDFRONT". Any help would be really appreciated.

Thanks in advance.

Unprovided answered 15/9, 2022 at 12:36 Comment(0)
You already answered your own question: a web ACL with the CLOUDFRONT scope should be created in the us-east-1 region.

AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

However, it is possible to use a multi-region deployment in Terraform:

provider "aws" {
  region = "ap-southeast-1"
}

# Additional provider configuration for us-east-1 region; resources can
# reference this as `aws.east`.
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "waf_acl" {
  provider = aws.east

  # ...
}
Metternich answered 15/9, 2022 at 13:9 Comment(0)
Resolution: add the following provider block to provider.tf (create the file if you are not already using one):

provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
}

and set the values in the WAF resource as follows:

resource "aws_wafv2_web_acl" "waf_acl" {
  # ...
  scope    = "CLOUDFRONT"
  provider = aws.useast1
  # ...
}

This will solve the issue. Thanks.

Unprovided answered 16/9, 2022 at 6:31 Comment(0)
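Putting the two answers together, as an added example that is not code from the question or from either answer: the default provider stays in ap-southeast-1, an aliased provider pinned to us-east-1 is used for the CLOUDFRONT-scope web ACL and for every resource the ACL references (here an IP set, which would fail with the same scope error if left on the default provider), and the CloudFront distribution attaches the ACL by ARN without needing the alias itself. The alias name `east`, the resource and metric names, the bucket domain name and the 203.0.113.0/24 range are assumptions or constructed values.

```hcl
# Default provider: the account's working region, as in .aws/config.
provider "aws" {
  region = "ap-southeast-1"
}

# Aliased provider pinned to us-east-1. Every CLOUDFRONT-scope WAFv2 resource
# (web ACL, IP sets, rule groups, regex pattern sets) must use this alias.
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

# IP set referenced by the web ACL: same scope, same aliased provider.
# The address range is a constructed documentation range (assumption).
resource "aws_wafv2_ip_set" "blocked_ips" {
  provider           = aws.east
  name               = "example-cloudfront-waf-blocked"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"]
}

resource "aws_wafv2_web_acl" "waf_acl" {
  provider    = aws.east
  name        = "example-cloudfront-waf"
  description = "waf setup in front of cloudfront"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Rule with its own statement: uses action{} rather than override_action{}.
  rule {
    name     = "block-listed-ips"
    priority = 0

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocked_ips.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-listed-ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-cloudfront-waf"
    sampled_requests_enabled   = true
  }
}

# The distribution is a global resource, so it uses the default provider and
# only needs the us-east-1 web ACL's ARN. Origin and cache settings are
# minimal placeholders (assumptions) so the block is complete.
resource "aws_cloudfront_distribution" "cdn" {
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.waf_acl.arn

  origin {
    domain_name = "example-bucket.s3.amazonaws.com"
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

A quick check before `terraform apply`: `terraform plan` should show the web ACL and IP set planned against `provider["registry.terraform.io/hashicorp/aws"].east`, while the distribution is planned against the default provider; if any CLOUDFRONT-scope resource appears under the default provider, it will fail with the same `SCOPE_VALUE` error shown in the question.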
