us-east-1 limitation

aws · Nov 19, 2024 · 6fe8d5e · 6fe8d5e
1 parent 7358a3c
commit 6fe8d5e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/...s-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.cloudfront-waf-protection.ts b/...s-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.cloudfront-waf-protection.ts
@@ -4,7 +4,9 @@ import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import { TestOrigin } from './test-origin';
 
 const app = new App();
-const stack = new Stack(app, 'cloudfront-waf-protection');
+const stack = new Stack(app, 'cloudfront-waf-protection', {
+  env: { region: 'us-east-1' },
+});
 
 new cloudfront.Distribution(stack, 'Distro', {
   defaultBehavior: { origin: new TestOrigin('www.example.com') },

diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -1204,7 +1204,9 @@ new cloudfront.Distribution(this, 'MyCfWebDistribution', {
 });
 ```
 
-Note: cannot be used if webAclId already specified
+Note: 
+- Can only be used in US East (N. Virginia) Region (us-east-1) as WebACL for CloudFront must stay in `us-east-1` region.
+- Cannot be used if webAclId already specified.
 
 See:
 

diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -227,7 +227,10 @@ export interface DistributionProps {
 
   /**
    * Enable or disable WAF one-click security protections.
-   * Cannot be used with webAclId
+   *
+   * Can only be used in US East (N. Virginia) Region (us-east-1).
+   *
+   * Cannot be used with webAclId.
    *
    * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
    *
@@ -352,6 +355,10 @@ export class Distribution extends Resource implements IDistribution {
     }
 
     if (props.enableWafCoreProtections) {
+      const regionIsUsEast1 = !Token.isUnresolved(this.env.region) && this.env.region === 'us-east-1';
+      if (!regionIsUsEast1) {
+        throw new Error(`To enable WAF core protection, the stack must be in the us-east-1 region but you are in ${this.env.region}.`);
+      }
       this.addWafCoreProtection();
     }
 

diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -1339,6 +1339,9 @@ describe('WAF protection', () => {
   test('default one-click security rendered correctly', () => {
     const origin = defaultOrigin();
     const nameMatcher = Match.stringLikeRegexp('CreatedByCloudFront-');
+    stack = new Stack(app, 'UsEast1Stack', {
+      env: { account: '1234', region: 'us-east-1' },
+    });
 
     new Distribution(stack, 'MyDist', {
       defaultBehavior: { origin },
@@ -1426,4 +1429,15 @@ describe('WAF protection', () => {
       });
     }).toThrow(/Cannot specify both webAclId and enableWafCoreProtections/);
   });
+
+  test('throws error if used outside us-east-1', () => {
+    const origin = defaultOrigin();
+
+    expect(() => {
+      new Distribution(stack, 'MyDist', {
+        defaultBehavior: { origin },
+        enableWafCoreProtections: true,
+      });
+    }).toThrow(/To enable WAF core protection, the stack must be in the us-east-1 region but you are in/);
+  });
 });
-Original file line number
+Diff line change
@@ Expand Up @@
     });
     ```
-    Note: cannot be used if webAclId already specified
+    Note:
+    - Can only be used in US East (N. Virginia) Region (us-east-1) as WebACL for CloudFront must stay in `us-east-1` region.
+    - Cannot be used if webAclId already specified.
     See:
@@ Expand Down @@