docs: web acl id can be an ARN for newer WAFs

[oycyc]

As per the AWS provider docs. Updating description here so consumers don't get confused why WAF association fails when providing the ID.

ID or ARN of the AWS WAF web ACL that is associated with the distribution. NOTE: If using the latest version of WAF (WAFv2), be sure to use the ARN. If using WAF Classic, use the ID. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id-3

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

The description for the web_acl_id variable in variables.tf was updated to clarify that it accepts both IDs and ARNs, depending on the AWS WAF version used. The update also includes a reference URL to relevant Terraform documentation for further guidance.

Changes

Cohort / File(s)	Change Summary
Variable Description Update variables.tf	Expanded the web_acl_id variable description to specify ID vs. ARN usage for WAF Classic and WAFv2, and added a documentation link.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/web_acl_id

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[oycyc]

/terratest

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

variables.tf (1)

356-360: Consider adding a validation block to catch obvious mis-inputs early

Terraform will still accept any string here and users won’t discover a bad format until the CloudFront call fails. A lightweight validation guard can fail fast:

 variable "web_acl_id" {
   type        = string
   default     = ""
   description = "ID or ARN of the AWS WAF web ACL that is associated with the distribution. NOTE: If using the latest version of WAF (WAFv2), be sure to use the ARN. If using WAF Classic, use the ID. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id-3"
+
+  validation {
+    # Accept empty string, a WAFv2 ARN, or a 32-char hex ID for WAF Classic
+    condition     = var.web_acl_id == "" ||
+                    can(regex("^arn:aws[\\w-]*:waf.*:.*:.*:webacl/.*", var.web_acl_id)) ||
+                    can(regex("^[a-f0-9]{32}$", var.web_acl_id))
+    error_message = "Provide either a full ARN for WAFv2 or the 32-character ID for WAF Classic."
+  }
 }

This is optional, but it tightens feedback loops and aligns with other validations already present in the module.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 879e6ec and 75b955a.

⛔ Files ignored due to path filters (1)

• README.md is excluded by !README.md

📒 Files selected for processing (1)

• variables.tf (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: jwadolowski
PR: cloudposse/terraform-aws-cloudfront-s3-cdn#340
File: main.tf:570-578
Timestamp: 2025-07-31T11:46:57.218Z
Learning: In terraform-aws-cloudfront-s3-cdn module, custom_origin_config in the custom_origins variable was always a required parameter, not optional. CloudFront origins require either custom_origin_config or s3_origin_config but not both, so null was never a valid value for custom_origin_config in custom origins.

Learnt from: jwadolowski
PR: cloudposse/terraform-aws-cloudfront-s3-cdn#340
File: main.tf:570-578
Timestamp: 2025-07-31T11:46:57.218Z
Learning: In terraform-aws-cloudfront-s3-cdn module, custom_origin_config in the custom_origins variable was always a required parameter, not optional. CloudFront origins require either custom_origin_config or s3_origin_config but not both, so null was never a valid value for custom_origin_config in custom origins.

📚 Learning: in terraform-aws-cloudfront-s3-cdn module, custom_origin_config in the custom_origins variable was a...

Learnt from: jwadolowski
PR: cloudposse/terraform-aws-cloudfront-s3-cdn#340
File: main.tf:570-578
Timestamp: 2025-07-31T11:46:57.218Z
Learning: In terraform-aws-cloudfront-s3-cdn module, custom_origin_config in the custom_origins variable was always a required parameter, not optional. CloudFront origins require either custom_origin_config or s3_origin_config but not both, so null was never a valid value for custom_origin_config in custom origins.

Applied to files:

• variables.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (1)

variables.tf (1)

359-360: Documentation clarification looks good

The note about ARN vs ID removes an often-hit stumbling block for users and the link to the provider docs is a nice touch.

[oycyc]

/terratest