diff --git a/README.md b/README.md
index fabf638..f2a227f 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,7 @@ If you have specified cloudfront_default_certificate, TLSv1 must be specified.
 | cloudfront\_logging\_prefix | Logging prefix | `string` | `""` | no |
 | cloudfront\_origin\_keepalive\_timeout | The amount of time, in seconds, that CloudFront maintains an idle connection with a custom origin server before closing the connection. Valid values are from 1 to 60 seconds. | `number` | `5` | no |
 | cloudfront\_origin\_read\_timeout | The amount of time, in seconds, that CloudFront waits for a response from a custom origin. The value applies both to the time that CloudFront waits for an initial response and the time that CloudFront waits for each subsequent packet. Valid values are from 4 to 60 seconds. | `number` | `30` | no |
+| cloudfront\_web\_acl\_id | Optional web acl (WAF) to attach to CloudFront | `string` | `""` | no |
 | create\_cloudfront\_function | If true, create and publish a CloudFront Function based on provided code | `bool` | `false` | no |
 | dynamic\_custom\_error\_response | One or more custom error response elements (multiples allowed) |
list(object({
error_code = optional(number)
response_code = optional(number)
response_page_path = optional(string)
}))
| `[]` | no |
 | dynamic\_custom\_origin\_config | Configuration for the custom origin config to be used in dynamic block | `any` | `[]` | no |
diff --git a/waf.tf b/waf.tf
index 3d74bd5..de83a6e 100644
--- a/waf.tf
+++ b/waf.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_web_acl" "waf_cloudfront" {
- count = var.waf_cloudfront_enable ? 1 : 0
+ count = var.waf_cloudfront_enable && var.cloudfront_web_acl_id == null ? 1 : 0
 name = "waf-cloudfront-${var.name}"
 description = "WAF managed rules for Cloudfront"
 scope = "CLOUDFRONT"
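Review bot: The new `count` guard tests `var.cloudfront_web_acl_id == null`, but the README row added in this same commit lists that variable's default as `""`. If that is the real default, the comparison is false for every caller who leaves the variable unset, so `count` becomes 0 and the module-managed WAF is not created even with `waf_cloudfront_enable = true`, which would presumably leave the distribution with no web ACL at all and no error to signal it. Either declare the variable with `default = null`, or treat both values as unset: `count = var.waf_cloudfront_enable && (var.cloudfront_web_acl_id == null || var.cloudfront_web_acl_id == "") ? 1 : 0`. The resource body continues outside the hunk, and any `aws_wafv2_web_acl.waf_cloudfront[0]` reference elsewhere in the module likely needs the same condition.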