chore(cloudfront): prevent WebACL from being created in regions other than us-east-1

[ren-yamanashi]

Reason for this change

When attaching a WebACL to CloudFront Distribution, the region must be us-east-1, but no validation was done.

see: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html

For Region, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL.

You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, us-east-1, for Global (CloudFront) applications.

Description of changes

Add validation to the attachWebAclId method of CloudFront Distribution

Description of how you validated changes

Unit and integ testing

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[ren-yamanashi]

If a Web ACL created using AWS WAF Classic is specified, this validation will not be performed because the ACL ID received is not arn.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.50%. Comparing base (f091714) to head (c94ec02).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #32252      +/-   ##
==========================================
+ Coverage   78.48%   78.50%   +0.01%     
==========================================
  Files         106      106              
  Lines        7201     7201              
  Branches     1321     1321              
==========================================
+ Hits         5652     5653       +1     
+ Misses       1362     1361       -1     
  Partials      187      187              

Flag	Coverage Δ
suite.unit	78.50% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	78.50% <ø> (+0.01%)	⬆️

[ren-yamanashi]

Exemption Request

Because this MR does not have any modifications that would change the existing snapshot test,

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mazyu36]

Thank you for the contribution.
Just one question.

[mazyu36]

Isn't this validation also necessary in the place where the webacl props is being passed?

aws-cdk/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts

Line 342 in 28698b8

this.webAclId = props.webAclId;

[ren-yamanashi]

@mazyu36

Thank you very much. As you pointed out, validation was needed, so we have modified it!

(I have modified the policy to provide a validation method in the private method.)

4a02e21

[mazyu36]

Thanks! LGTM

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[ren-yamanashi]

@mazyu36 @gracelu0

I updated the branch because CI failed.(The cause is unknown...)

Could you please approve it again?

The modifications are as follows.
Merge branch 'main' into this branch

[mazyu36]

Thank you. Please wait as approval from a maintainer is needed (I'm just a community reviewer, not a maintainer).​​​​​​​​​​​​​​​​

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: c94ec02
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.