diff --git a/main.tf b/main.tf
index 751b376f..f9e921a9 100644
--- a/main.tf
+++ b/main.tf
@@ -393,6 +393,7 @@ module "cloudfront_main" {
   cloudfront_aliases                  = var.cloudfront_aliases
   cloudfront_acm_certificate_arn      = var.cloudfront_acm_certificate_arn
   cloudfront_minimum_protocol_version = var.cloudfront_minimum_protocol_version
+  cloudfront_webacl_id                = var.cloudfront_webacl_id
 
   cloudfront_default_root_object     = local.cloudfront_default_root_object
   cloudfront_origins                 = local.cloudfront_origins
diff --git a/modules/cloudfront-main/main.tf b/modules/cloudfront-main/main.tf
index 6b7a7fee..f67df5b5 100644
--- a/modules/cloudfront-main/main.tf
+++ b/modules/cloudfront-main/main.tf
@@ -5,6 +5,7 @@ resource "aws_cloudfront_distribution" "distribution" {
   price_class         = var.cloudfront_price_class
   aliases             = var.cloudfront_aliases
   default_root_object = var.cloudfront_default_root_object
+  web_acl_id          = var.cloudfront_webacl_id
 
   # Add CloudFront origins
   dynamic "origin" {
diff --git a/modules/cloudfront-main/variables.tf b/modules/cloudfront-main/variables.tf
index fe68f6d9..560604c7 100644
--- a/modules/cloudfront-main/variables.tf
+++ b/modules/cloudfront-main/variables.tf
@@ -45,6 +45,12 @@ variable "cloudfront_custom_error_response" {
   default = null
 }
 
+variable "cloudfront_webacl_id" {
+  description = "An optional webacl2 arn or webacl id to associate with the cloudfront distribution"
+  type        = string
+  default     = null
+}
+
 ##########
 # Labeling
 ##########
diff --git a/variables.tf b/variables.tf
index a53e6588..0b0cf912 100644
--- a/variables.tf
+++ b/variables.tf
@@ -146,6 +146,12 @@ variable "cloudfront_external_arn" {
   default     = null
 }
 
+variable "cloudfront_webacl_id" {
+  description = "An optional webacl2 arn or webacl id to associate with the cloudfront distribution"
+  type        = string
+  default     = null
+}
+
 ##########
 # Labeling
 ##########