如何解决更新 CloudFront Distribution (E32RNPFGEUHQ6J) 时出错:InvalidWebACLId:请求者无法访问 Web ACL
我正在使用 Terraform 创建一个 AWS web-acl,并希望将该 web-acl 与 CloudFront 分配相关联。所以,我的代码如下所示:
provider "aws" {
# Aliased us-east-1 provider. CLOUDFRONT-scoped WAFv2 web ACLs (and the ACM
# certificate a CloudFront distribution uses) can only live in us-east-1,
# so modules that create them are handed this provider explicitly.
alias = "east1"
region = "us-east-1"
}
# -------------------------------------------
# -------------------------------------------
# Cloud Front
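module "front_end_cloudfront" {
  # CloudFront distribution in front of the S3 website bucket, with a
  # Lambda@Edge origin-response function and a WAFv2 web ACL attached.
  source = "./modules/front-end/CF"

  # CF_ALIASES = ["terraformer-frontend.dev.effi.com.au"]
  CF_LAMBDA_ARN         = module.frontend_lambda.cf_lambda_qualified_arn
  CF_BUCKET_DOMAIN_NAME = module.front_end_bucket.website_endpoint
  CF_BUCKET_ORIGIN_ID   = module.front_end_bucket.website_domain
  CF_TAGS_LIST          = { "Name" : "terraformer-front-end-cloudfrontv2" }
  # The viewer certificate must be issued in us-east-1 for CloudFront.
  CF_CERTFICATE_ARN     = var.CLOUDFRONT_US_EAST_1_ACM_ARN

  # For a WAFv2 web ACL, CloudFront's web_acl_id expects the web ACL's ARN,
  # not its id; passing the id fails on update with
  # "InvalidWebACLId: The requester does not have access to the Web ACL".
  # The waf module's output wired here must therefore carry the ARN
  # (aws_wafv2_web_acl.<name>.arn) — check ./modules/waf/outputs.
  # WEB_ACL = module.waf.web_acl_id
  WEB_ACL = module.waf_cf.web_acl_id

  # No depends_on: the reference to module.waf_cf above already orders this
  # module after the web ACL. A module-level depends_on is redundant here and
  # would force every resource in this module to be planned after the whole
  # waf module, producing unnecessary unknown values at plan time.
}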
# -------------------------------------------
# -------------------------------------------
# WAF for CF
module "waf_cf" {
# WAFv2 web ACL for the CloudFront distribution, assembled from four AWS
# managed rule groups.
source = "./modules/waf"
# CLOUDFRONT-scoped web ACLs must be created in us-east-1, hence the
# aliased provider rather than the default (ap-southeast-2) one.
providers = {
aws = aws.east1
}
WAF_NAME = "terraform-web-acl-cf"
WAF_DESCRIPTION = "terraform web acl-cf"
WAF_ScopE = "CLOUDFRONT"
WAF_RULE_NAME_1 = "AWSManagedRulesCommonRuleSet"
WAF_RULE_NAME_2 = "AWSManagedRulesAmazonIpReputationList"
WAF_RULE_NAME_3 = "AWSManagedRulesLinuxRuleSet"
# NOTE(review): the documented group name is AWSManagedRulesKnownBadInputsRuleSet
# (lower-case "n"); confirm the "KNown" spelling is accepted by the API before
# relying on this rule.
WAF_RULE_NAME_4 = "AWSManagedRulesKNownBadInputsRuleSet"
WAF_vendOR = "AWS"
# NOTE(review): all four per-rule metric names are identical. If
# CLOUDWATCH_METRICS_ENABLED is ever turned on, the four rules' metrics
# become indistinguishable — give each rule its own metric name.
WAF_METRIC_1 = "aws-waf-logs-terraformer-metric"
WAF_METRIC_2 = "aws-waf-logs-terraformer-metric"
WAF_METRIC_3 = "aws-waf-logs-terraformer-metric"
WAF_METRIC_4 = "aws-waf-logs-terraformer-metric"
# NOTE(review): "Tag1"/"Tag2" are the tag keys and "Name"/"terraformer-rule-cf"
# the values; this was probably meant as { "Name" : "terraformer-rule-cf" }.
WAF_TAG_LIST = {
"Tag1" : "Name"
"Tag2" : "terraformer-rule-cf"
}
# Web-ACL-level metric name (separate from the per-rule ones above).
WAF_METRIC = "aws-waf-logs-friendly-metric-name"
# Metrics and request sampling are both off, and the module puts every rule
# group in count mode, so rule matches leave no trace unless WAF logging is
# configured elsewhere.
CLOUDWATCH_METRICS_ENABLED = false
SAMPLE_REQUESTS_ENABLED = false
}
这些是我编写的 Terraform 模块;上述模块对应的具体 resource 文件分别如下。
# CF
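resource "aws_cloudfront_distribution" "aws_cloudfront_distribution" {
  # Fronts the S3 website endpoint passed in as CF_BUCKET_DOMAIN_NAME and runs
  # a Lambda@Edge function on origin responses. Booleans and numbers are
  # written as native HCL values rather than quoted strings: the provider
  # coerces the strings, but native types are the idiom and are validated
  # earlier on a typo.
  # aliases = var.CF_ALIASES

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]
    compress        = true
    # All TTLs are 0: every request is revalidated with the origin and
    # nothing is served from the edge cache.
    default_ttl = 0
    max_ttl     = 0
    min_ttl     = 0

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    lambda_function_association {
      event_type   = "origin-response"
      include_body = false
      lambda_arn   = var.CF_LAMBDA_ARN
    }

    smooth_streaming = false
    target_origin_id = var.CF_BUCKET_ORIGIN_ID
    # Viewers are redirected to HTTPS; note that the edge-to-origin leg
    # below is plain HTTP (see origin_protocol_policy).
    viewer_protocol_policy = "redirect-to-https"
  }

  enabled         = true
  http_version    = "http2"
  is_ipv6_enabled = true

  origin {
    domain_name = var.CF_BUCKET_DOMAIN_NAME
    origin_id   = var.CF_BUCKET_ORIGIN_ID

    custom_origin_config {
      http_port                = 80
      https_port               = 443
      origin_keepalive_timeout = 5
      # S3 website endpoints do not serve HTTPS, so CloudFront fetches from
      # the origin in clear text. origin_ssl_protocols is required by the
      # schema but is not used with "http-only"; it is kept to TLS 1.2 only
      # so that a later switch to "https-only" does not re-enable legacy TLS.
      origin_protocol_policy = "http-only"
      origin_read_timeout    = 30
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  price_class = "PriceClass_All"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  retain_on_delete = false
  tags             = var.CF_TAGS_LIST

  viewer_certificate {
    acm_certificate_arn            = var.CF_CERTFICATE_ARN
    cloudfront_default_certificate = false
    # TLSv1.2_2018 still permits older TLS 1.2 cipher suites; TLSv1.2_2021
    # is the newer recommended policy if clients allow it.
    minimum_protocol_version = "TLSv1.2_2018"
    ssl_support_method       = "sni-only"
  }

  # For a WAFv2 web ACL this must be the web ACL's ARN, not its id. Passing
  # the id fails on update with
  # "InvalidWebACLId: The requester does not have access to the Web ACL".
  web_acl_id = var.WEB_ACL
}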
# WAF
resource "aws_wafv2_web_acl" "aws_wafv2_web_acl" {
# Web ACL built from four AWS managed rule groups. With scope = "CLOUDFRONT"
# the resource must be created through a us-east-1 provider; the root
# configuration passes one in via the module's providers map.
name = var.WAF_NAME
description = var.WAF_DESCRIPTION
scope = var.WAF_ScopE
# Requests matched by no rule are allowed through.
default_action {
allow {}
}
rule {
name = var.WAF_RULE_NAME_1
priority = 1
# count {} overrides the managed group's own block actions: matches are only
# recorded (visible via metrics/sampled requests/logging), never blocked.
# Switch to `none {}` once the group has been tuned, so it actually enforces.
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = var.WAF_RULE_NAME_1
vendor_name = var.WAF_vendOR
# excluded_rule {
# name = "SizeRestrictions_QUERYSTRING"
# }
# excluded_rule {
# name = "NoUserAgent_HEADER"
# }
}
}
# Per-rule metrics. metric_name should be unique per rule when CloudWatch
# metrics are enabled; the root module currently passes the same string
# for all four rules.
visibility_config {
cloudwatch_metrics_enabled = var.CLOUDWATCH_METRICS_ENABLED
metric_name = var.WAF_METRIC_1
sampled_requests_enabled = var.SAMPLE_REQUESTS_ENABLED
}
}
rule {
name = var.WAF_RULE_NAME_2
priority = 2
# Count-only override, same as rule 1: nothing is blocked.
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = var.WAF_RULE_NAME_2
vendor_name = var.WAF_vendOR
}
}
visibility_config {
cloudwatch_metrics_enabled = var.CLOUDWATCH_METRICS_ENABLED
metric_name = var.WAF_METRIC_2
sampled_requests_enabled = var.SAMPLE_REQUESTS_ENABLED
}
}
rule {
name = var.WAF_RULE_NAME_3
priority = 3
# Count-only override, same as rule 1: nothing is blocked.
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = var.WAF_RULE_NAME_3
vendor_name = var.WAF_vendOR
}
}
visibility_config {
cloudwatch_metrics_enabled = var.CLOUDWATCH_METRICS_ENABLED
metric_name = var.WAF_METRIC_3
sampled_requests_enabled = var.SAMPLE_REQUESTS_ENABLED
}
}
rule {
name = var.WAF_RULE_NAME_4
priority = 4
# Count-only override, same as rule 1: nothing is blocked.
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = var.WAF_RULE_NAME_4
vendor_name = var.WAF_vendOR
}
}
visibility_config {
cloudwatch_metrics_enabled = var.CLOUDWATCH_METRICS_ENABLED
metric_name = var.WAF_METRIC_4
sampled_requests_enabled = var.SAMPLE_REQUESTS_ENABLED
}
}
tags = var.WAF_TAG_LIST
# Web-ACL-level metrics, distinct from the per-rule visibility_config blocks.
visibility_config {
cloudwatch_metrics_enabled = var.CLOUDWATCH_METRICS_ENABLED
metric_name = var.WAF_METRIC
sampled_requests_enabled = var.SAMPLE_REQUESTS_ENABLED
}
}
但我收到以下错误:
更新 CloudFront distribution (E32RNPFGEUHQ6J) 时出错:InvalidWebACLId:请求者无法访问 Web ACL。
这里的 CloudFront 分配是在 ap-southeast-2 区域中创建的,而 WAF 是在 us-east-1 区域中创建的。
有人可以帮我解决这个问题吗?
解决方法
使用 WAFv2 时,aws_cloudfront_distribution 的 web_acl_id 参数需要指定 Web ACL 的 ARN,而不是其 ID。
另请参见此 GitHub 问题:https://github.com/hashicorp/terraform-provider-aws/issues/13902