amazon-web-services geolocation aws-cloudformation web-application-firewall amazon-waf

Create a geomatching AWS WAF condition/rule and connect it to an existing CloudFront distribution using CloudFormation

In short, what I am attempting to accomplish is the following:

I want to create a WAF condition/rule combination to block traffic not in a whitelist of countries.
I want to use CloudFormation so this can be version controlled and easily deployed to different environments.
I want to associate it with an existing CloudFront distributions (this is what differs between environments). Ideally without rebuilding the CloudFront distribution.

This seems straightforward enough to set up in the web console but it seems like the CloudFormation API is more limited?

I am able to get a "WAFRegional" GeoMatchSet, Rule, and WebACL deploying fine. Then when trying to associate it with an existing CloudFront distribution it seems like what I want to use are not the "WAFRegional" types but just the "WAF" types. But there is no GeoMatchSet API for "WAF"?

AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Match Sets
  GeoMatchSetWhitelist:
    Type: "AWS::WAFRegional::GeoMatchSet"
    Properties:
      Name: "GeoMatchSet for whitelist countries"
      GeoMatchConstraints:
        -
          Type: "Country"
          Value: "CA"
        -
          Type: "Country"
          Value: "US"
  ByteMatchSetLoginURIs:
    Type: "AWS::WAFRegional::ByteMatchSet"
    Properties:
      Name: "ByteMatchSet for Login URIs"
      ByteMatchTuples:
        -
          FieldToMatch:
            Type: "URI"
          TargetString: "/my/uri"
          TextTransformation: "NONE"
          PositionalConstraint: "EXACTLY"

  # Rules
  WhitelistRule:
    Type: "AWS::WAFRegional::Rule"
    Properties:
      Name: "WhitelistRule"
      MetricName: "WhitelistRule"
      Predicates:
        -
          DataId:
            Ref: "GeoMatchSetWhitelist"
          # True here means match everying NOT in this match set
          Negated: true
          Type: "GeoMatch"
        -
          DataId:
            Ref: "ByteMatchSetLoginURIs"
          Negated: false
          Type: "ByteMatch"

  # Web Access Control Lists
  WebACL:
    Type: "AWS::WAFRegional::WebACL"
    Properties:
      Name: "WhitelistWebACL"
      DefaultAction:
        Type: "ALLOW"
      MetricName: "WebACL"
      Rules:
        -
          Action:
            Type: "BLOCK"
          Priority: 2
          RuleId:
            Ref: "WhitelistRule"

  # Web ACL Association
  WebACLAssociation:
    Type: "AWS::WAF::WebACLAssociation"
    Properties:
      ResourceArn:
        Ref: "arn:aws:cloudfront::999999999999:distribution/AAAAAAAAAAAA"
      WebACLId:
        Ref: "WebACL"

Running the code above gives me the error An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: Unresolved resource dependencies [arn:aws:cloudfront::999999999999:distribution/AAAAAAAAAAAA] in the Resources block of the template.

In the end, is it possible to build this using CloudFormation with a GeoMatchSet, ByteMatchSet, and an existing CloudFront distribution?

Solution

Last time I checked, CloudFormation support for GeoMatchSet does exist for regional but not for global (CloudFront). Unfortunately, CloudFormation is known for hodge-podge of feature support although it is getting better slowly...