I am trying to create a global `waf` rule in `aws`...
# general
c
I am trying to create a global `waf` rule in `aws`.
```typescript
import * as aws from "@pulumi/aws";

// Builds a classic (global) WAF rule that matches requests from one CIDR block.
function wafRuleToAllowIpAddress(ipCIDRBlock: string, name: string) {
  // IP set holding the single IPv4 CIDR block to match on.
  const aws_waf_ipset_ipset = new aws.waf.IpSet("ipset", {
    ipSetDescriptors: [
      {
        type: "IPV4",
        value: ipCIDRBlock
      }
    ],
    name: "tfIPSet"
  });
  // Rule whose only predicate is an IPMatch against the IP set above.
  const aws_waf_rule_wafrule = new aws.waf.Rule(
    "wafrule",
    {
      metricName: "tfWAFRule",
      name: "tfWAFRule",
      predicates: [
        {
          dataId: aws_waf_ipset_ipset.id,
          negated: false,
          type: "IPMatch"
        }
      ]
    },
    { dependsOn: [aws_waf_ipset_ipset] }
  );

  return aws_waf_rule_wafrule;
}
```
This is to apply to CloudFront. But the issue is it is creating it in a region and CloudFront is global.
What am I doing wrong?
When I try to use this with the CloudFront `webAclId`, I run into this error:
```
error updating CloudFrontDistribution (asdasdasd): InvalidWebACLId: Web ACL is not accessible by the requester.
        status code: 400, request id: 895bdefa-2710-11e9-9f38-5156e40a13f9
```
I am able to see the web ACL is created in a region when I look at the AWS console.
@white-balloon-205 @gorgeous-egg-16927 Could either of you help with this?
w
Honestly I'm not an expert on WAF. It's possible that you need to stand up the WAF resources in the `us-east-1` region? (You could create a `new aws.Provider({ region: "us-east-1" })` to do this). Also notable that there are separate `aws.waf` and `aws.wafregional` resources. I would have thought the former was what you wanted here - but there may be subtle requirements of one or the other related to CloudFront? Also possible there's just some other IAM issue here? If you have a reduced repro I could try to take a look myself - though can't promise any particularly deep insights 🙂.
c
@white-balloon-205 Thanks, will put out sample code so that it will help you.