在地形中获取错误作为"The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT"

我试图使用下面的地形脚本创建waf-web acl，其中我的一个aws帐户(abc(的区域在.aws/config文件中为ap-southeast-1，但应用后出现以下错误。而如果我的另一个aw帐户(xyz(配置文件区域在.aws/config文件中为us-east-1，则相同的脚本成功创建了waf-web acl。

resource "aws_wafv2_web_acl" "waf_acl" {
name        = local.waf_name
description = "waf setup infront of cloudfront"
scope       = "CLOUDFRONT"
default_action {
allow {}
}
rule {
name     = "AWS-AWSManagedRulesAmazonIpReputationList"
priority = 0
override_action {
none {}
}
statement {
managed_rule_group_statement {
name        = "AWSManagedRulesAmazonIpReputationList"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
sampled_requests_enabled   = true
}
}
rule {
name     = "AWS-AWSManagedRulesAnonymousIpList"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name        = "AWSManagedRulesAnonymousIpList"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
sampled_requests_enabled   = true
}
}
rule {
name     = "AWS-AWSManagedRulesCommonRuleSet"
priority = 2
override_action {
none {}
}
statement {
managed_rule_group_statement {
name        = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
sampled_requests_enabled   = true
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name                = local.waf_name
sampled_requests_enabled   = true
}
}

错误如下

│ Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "b83b40074r-b3a55-49e76-b2353-e16f32830518632"
│   },
│   Field: "SCOPE_VALUE",
│   Message_: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT",
│   Parameter: "CLOUDFRONT",
│   Reason: "The scope is not valid."
│ }
│ 
│   with aws_wafv2_web_acl.waf_acl,
│   on main.tf line 122, in resource "aws_wafv2_web_acl" "waf_acl":
│  122: resource "aws_wafv2_web_acl" "waf_acl" {

请注意：相同的脚本在us-east-1区域中运行得非常好，范围为"；CLOUDFRONT"；。任何帮助都是非常可观的。

提前谢谢。

您已经回答了您的问题。应在us-east-1区域创建CLOUDFRONT作用域。

AWS WAF可在全球范围内用于CloudFront发行版，但您必须使用美国东部地区(N.Virginia(创建您的web ACL和web ACL中使用的任何资源，如规则组、IP集和正则表达式模式集。一些接口提供了一个区域选择；Global(CloudFront("；。选择这一点与选择美国东部地区(北弗吉尼亚州(或"；us-east-1"；。

然而，可以在地形中使用多区域部署

provider "aws" {
region = "ap-southeast-1"
}
# Additional provider configuration for us-east-1 region; resources can
# reference this as `aws.east`.
provider "aws" {
alias  = "east"
region = "us-east-1"
}
resource "aws_wafv2_web_acl" "waf_acl" {
provider = aws.east
# ...
}

分辨率：-如果您没有使用provider.tf，请添加资源供应商.tf

provider "aws" {
region = "us-east-1"
alias  = "useast1"
}

并将该值作为waf资源

.
.
scope       = "CLOUDFRONT"
provider    = aws.useast1
.
.

将解决问题。感谢

相关内容

最新更新

热门标签：