terraform-aws-control_tower_account_factory
Create an AWS WAF resource in US-East-1
Terraform Version & Prov: v1.2.8
AFT Version (can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version): 1.6.2
Bug Description
Attempting to create an AWS WAF resource in US-East-1 in a managed account using terraform.
On the initial run, we received the following error:
Error: Error creating WAFv2 WebACL: AccessDeniedException: User: arn:aws:sts::0358*******:assumed-role/AWSAFTAdmin/AWSAFT-Session is not authorized to perform: wafv2:CreateWebACL on resource: arn:aws:wafv2:us-east-1:03581*****88:global/webacl/hris/* because no identity-based policy allows the wafv2:CreateWebACL action
The AWSAFTAdmin role has root access; not sure why it is not allowed to create a WAF. Proceeded to add the AWSWAFFullAccess policy to the AWSAFTAdmin role.
On the next run, the WAF gets created. But we can't use it with CloudFront if it is in eu-west-1, our default region. We then change regions using the provider below:
provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
}
On the next run, the WAF gets updated and moved to the US-East-1 region, but of the AFT Management account and not the account being provisioned.
Any ideas on how to terraform a different region when using AFT? This might be an edge case as most resources would live in your default region. Thanks.
Regards, Jarrett
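Added example, not code from the issue or from the AFT project: a provider block with only region and alias uses the pipeline's own ambient credentials (those of the AFT management account), which matches the behaviour reported above, so the aliased provider needs the same assume_role as the default provider. It assumes the aliased block is placed in the customization's aft-providers.jinja so AFT renders the role ARN, and that the Jinja variable name target_admin_role_arn mirrors AFT's generated provider file; the ACL name hris is taken from the error message.

```hcl
# Added example (not the issue author's or AFT's own code).
# Assumption: the default provider AFT generates assumes a role in the
# target account via assume_role; the Jinja variable name below is assumed
# to match AFT's aft-providers.jinja, which is where this block would live.

# Weak form: no assume_role, so Terraform falls back to the CodeBuild
# pipeline's credentials and creates the WAF in the AFT management account.
# provider "aws" {
#   region = "us-east-1"
#   alias  = "useast1"
# }

# Corrected form: keep the target-account role, change only the region.
provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
  assume_role {
    role_arn = "{{ target_admin_role_arn }}" # same role as the default provider
  }
}

# CloudFront-scoped WAFv2 Web ACLs must be created in us-east-1,
# so the resource is pinned to the aliased provider.
resource "aws_wafv2_web_acl" "hris" {
  provider = aws.useast1
  name     = "hris"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "hris"
    sampled_requests_enabled   = true
  }
}
```

After a run, `aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1` executed with target-account credentials should list the ACL, confirming it was not created in the management account.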