fix(cloudfront): fix validation for unresolved webAclId tokens (#34102)

pahud · web-flow · commit f2c5f26e134e · 2025-04-11T21:02:03.000Z
### Issue # (if applicable) Closes #34099. ### Reason for this change Fixes a bug where CloudFront `Distribution` validation would throw a `TypeError` when `webAclId` was a CloudFormation token or intrinsic, instead of a plain string. This prevented users from passing unresolved tokens or references as `webAclId`. ### Description of changes - Updated `validateWebAclId()` to **skip validation** if `webAclId` is **not a string** or is an **unresolved token**. - This prevents `.startsWith()` from being called on non-string values, avoiding runtime errors. - Added unit tests to cover unresolved tokens and non-string values. - Removed the integration test that attempted to deploy dummy WebACL ARNs, which caused CloudFront deployment failures due to invalid account ownership. This change enables users to safely pass CloudFormation references or tokens as `webAclId` without causing synthesis errors. ### Describe any new or updated permissions being added None. ### Description of how you validated changes - Added and updated unit tests for `validateWebAclId()` to cover tokens and non-string values. - Removed the failing integration test that was not suitable for automated deployment. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -663,6 +663,10 @@ export class Distribution extends Resource implements IDistribution {
   }
 
   private validateWebAclId(webAclId: string) {
+    if (Token.isUnresolved(webAclId)) {
+      // Cannot validate unresolved tokens or non-string values at synth-time.
+      return;
+    }
     if (webAclId.startsWith('arn:')) {
       const webAclRegion = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME).region;
       if (!Token.isUnresolved(webAclRegion) && webAclRegion !== 'us-east-1') {
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -6,7 +6,7 @@ import * as iam from '../../aws-iam';
 import * as kinesis from '../../aws-kinesis';
 import * as lambda from '../../aws-lambda';
 import * as s3 from '../../aws-s3';
-import { App, Aws, Duration, Stack } from '../../core';
+import { App, Aws, Duration, Stack, Token } from '../../core';
 import {
   AllowedMethods,
   CfnDistribution,
@@ -1432,6 +1432,18 @@ describe('attachWebAclId', () => {
         });
       }).toThrow(/WebACL for CloudFront distributions must be created in the us-east-1 region; received ap-northeast-1/);
     });
+
+    test('does not validate unresolved token webAclId', () => {
+      const origin = defaultOrigin();
+
+      const distribution = new Distribution(stack, 'MyDist', {
+        defaultBehavior: { origin },
+        webAclId: Token.asString({ Ref: 'SomeWebAcl' }), // unresolved token
+      });
+
+      // Should synthesize without error
+      Template.fromStack(stack);
+    });
   });
 });
 
