Pra*_*ash 8 amazon-web-services amazon-cloudfront terraform web-application-firewall terraform-provider-aws
我尝试使用下面的 terraform 脚本创建 waf web acl,并将我的 aws 帐户之一 (abc) 的区域作为 .aws/config 文件中的 ap-southeast-1,但应用后出现以下错误。而如果我的另一个 aws 帐户 (xyz) 配置文件区域是 .aws/config 文件中的 us-east-1,则同一脚本会成功创建 waf web acl。
\nresource "aws_wafv2_web_acl" "waf_acl" {\n name = local.waf_name\n description = "waf setup infront of cloudfront"\n scope = "CLOUDFRONT"\n\n default_action {\n allow {}\n }\n\n rule {\n name = "AWS-AWSManagedRulesAmazonIpReputationList"\n priority = 0\n\n override_action {\n none {}\n }\n\n statement {\n managed_rule_group_statement {\n name = "AWSManagedRulesAmazonIpReputationList"\n vendor_name = "AWS"\n }\n }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = "AWS-AWSManagedRulesAmazonIpReputationList"\n sampled_requests_enabled = true\n }\n }\n\n rule {\n name = "AWS-AWSManagedRulesAnonymousIpList"\n priority = 1\n\n override_action {\n none {}\n }\n\n statement {\n managed_rule_group_statement {\n name = "AWSManagedRulesAnonymousIpList"\n vendor_name = "AWS"\n }\n }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = "AWS-AWSManagedRulesAnonymousIpList"\n sampled_requests_enabled = true\n }\n }\n\n rule {\n name = "AWS-AWSManagedRulesCommonRuleSet"\n priority = 2\n\n override_action {\n none {}\n }\n\n statement {\n managed_rule_group_statement {\n name = "AWSManagedRulesCommonRuleSet"\n vendor_name = "AWS"\n }\n }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = "AWS-AWSManagedRulesCommonRuleSet"\n sampled_requests_enabled = true\n }\n }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = local.waf_name\n sampled_requests_enabled = true\n }\n}\n错误如下
\n\xe2\x94\x82 Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT\n\xe2\x94\x82 {\n\xe2\x94\x82 RespMetadata: {\n\xe2\x94\x82 StatusCode: 400,\n\xe2\x94\x82 RequestID: "b83b40074r-b3a55-49e76-b2353-e16f32830518632"\n\xe2\x94\x82 },\n\xe2\x94\x82 Field: "SCOPE_VALUE",\n\xe2\x94\x82 Message_: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT",\n\xe2\x94\x82 Parameter: "CLOUDFRONT",\n\xe2\x94\x82 Reason: "The scope is not valid."\n\xe2\x94\x82 }\n\xe2\x94\x82 \n\xe2\x94\x82 with aws_wafv2_web_acl.waf_acl,\n\xe2\x94\x82 on main.tf line 122, in resource "aws_wafv2_web_acl" "waf_acl":\n\xe2\x94\x82 122: resource "aws_wafv2_web_acl" "waf_acl" {\n请注意:- 相同的脚本在 us-east-1 区域中工作得非常好,范围为“CLOUDFRONT”。\n任何帮助将非常可观。
\n提前致谢。
\nrzl*_*vmp 18
你已经回答了你的问题。CLOUDFRONT范围应在us-east-1Region处创建。
AWS WAF 在全球范围内可用于 CloudFront 发行版,但您必须使用美国东部区域(弗吉尼亚北部)来创建 Web ACL 以及 Web ACL 中使用的任何资源,例如规则组、IP 集和正则表达式模式集。某些界面提供“全球 (CloudFront)”区域选择。选择此选项与选择美国东部地区(弗吉尼亚北部)或“us-east-1”相同。
但是,可以在 terraform 中使用多区域部署
provider "aws" {
region = "ap-southeast-1"
}
# Additional provider configuration for us-east-1 region; resources can
# reference this as `aws.east`.
provider "aws" {
alias = "east"
region = "us-east-1"
}
resource "aws_wafv2_web_acl" "waf_acl" {
provider = aws.east
# ...
}
| 归档时间: |
|
| 查看次数: |
6786 次 |
| 最近记录: |