chore(cloudfront): prevent WebACL from being created in regions other than us-east-1 (#32252)

ren-yamanashi · web-flow · commit 64a0e2cf5bb0 · 2024-12-02T19:28:45.000Z
### Reason for this change When attaching a WebACL to CloudFront Distribution, the region must be `us-east-1`, but no validation was done. see: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html > For Region, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL. > > You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, us-east-1, for Global (CloudFront) applications. ### Description of changes Add validation to the `attachWebAclId` method of CloudFront Distribution ### Description of how you validated changes Unit and integ testing ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -336,10 +336,14 @@ export class Distribution extends Resource implements IDistribution {
       });
     }
 
+    if (props.webAclId) {
+      this.validateWebAclId(props.webAclId);
+      this.webAclId = props.webAclId;
+    }
+
     this.certificate = props.certificate;
     this.errorResponses = props.errorResponses ?? [];
     this.publishAdditionalMetrics = props.publishAdditionalMetrics;
-    this.webAclId = props.webAclId;
 
     // Comments have an undocumented limit of 128 characters
     const trimmedComment =
@@ -606,15 +610,27 @@ export class Distribution extends Resource implements IDistribution {
   /**
    * Attach WAF WebACL to this CloudFront distribution
    *
+   * WebACL must be in the us-east-1 region
+   *
    * @param webAclId The WAF WebACL to associate with this distribution
    */
   public attachWebAclId(webAclId: string) {
     if (this.webAclId) {
       throw new Error('A WebACL has already been attached to this distribution');
     }
+    this.validateWebAclId(webAclId);
     this.webAclId = webAclId;
   }
 
+  private validateWebAclId(webAclId: string) {
+    if (webAclId.startsWith('arn:')) {
+      const webAclRegion = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME).region;
+      if (!Token.isUnresolved(webAclRegion) && webAclRegion !== 'us-east-1') {
+        throw new Error(`WebACL for CloudFront distributions must be created in the us-east-1 region; received ${webAclRegion}`);
+      }
+    }
+  }
+
   private addOrigin(origin: IOrigin, isFailoverOrigin: boolean = false): string {
     const ORIGIN_ID_MAX_LENGTH = 128;
 
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -1394,4 +1394,30 @@ describe('attachWebAclId', () => {
       distribution.attachWebAclId('473e64fd-f30b-4765-81a0-62ad96dd167b');
     }).toThrow(/A WebACL has already been attached to this distribution/);
   });
+
+  describe('throws if the WebAcl is not in us-east-1 region', () => {
+    test('when try to attach WebACL using `attachWebAclId` method', () => {
+      const origin = defaultOrigin();
+
+      const distribution = new Distribution(stack, 'MyDist', {
+        defaultBehavior: { origin },
+      });
+
+      expect(() => {
+        distribution.attachWebAclId('arn:aws:wafv2:ap-northeast-1:123456789012:global/web-acl/MyWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a');
+      }).toThrow(/WebACL for CloudFront distributions must be created in the us-east-1 region; received ap-northeast-1/);
+    });
+
+    test('when try to attach WebACL by specifying value for props', () => {
+      const origin = defaultOrigin();
+
+      expect(() => {
+        new Distribution(stack, 'MyDist', {
+          defaultBehavior: { origin },
+          webAclId: 'arn:aws:wafv2:ap-northeast-1:123456789012:global/web-acl/MyWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a',
+        });
+      }).toThrow(/WebACL for CloudFront distributions must be created in the us-east-1 region; received ap-northeast-1/);
+    });
+  });
+
 });
