
Cloudfront resource with s3 + custom origins produce error #20659

Open
@edelwud

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

  • Terraform v1.0.5
  • AWS provider 3.55.0

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

locals {
  domain                 = var.environment == "dev" ? "${var.domain}-${var.environment}" : var.domain
  full_domain            = "${local.domain}.${var.domain_extension}"
  core_origin_id         = "core-alb-${local.domain}"
  static_origin_id       = "frontend-cloudfront-${local.domain}"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = data.aws_s3_bucket.frontend_bucket_storage.bucket_regional_domain_name
    origin_id   = local.static_origin_id
    origin_path = "/${local.prefix}"

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/${var.oai_id}"
    }
  }

  origin {
    domain_name = var.alb_dns
    origin_id   = local.core_origin_id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.1"]
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  aliases = [local.full_domain]

  default_cache_behavior {
    allowed_methods = [
      "GET",
      "HEAD",
    ]

    cached_methods = [
      "GET",
      "HEAD",
    ]

    target_origin_id = local.static_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
  }

  ordered_cache_behavior {
    path_pattern     = "/api/*"
    allowed_methods  = ["GET", "POST", "HEAD", "PUT", "DELETE", "PATCH", "OPTIONS"]
    cached_methods   = ["HEAD", "GET"]
    target_origin_id = local.core_origin_id

    forwarded_values {
      query_string = false
      headers      = ["Origin", "Host"]

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = var.price_class

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  dynamic "viewer_certificate" {
    for_each = ["acm"]
    content {
      acm_certificate_arn      = var.certificate_arn
      ssl_support_method       = "sni-only"
      minimum_protocol_version = "TLSv1.2_2021"
    }
  }

  custom_error_response {
    error_code            = 403
    response_code         = 200
    error_caching_min_ttl = 0
    response_page_path    = "/"
  }

  wait_for_deployment = true
}

Debug Output

Panic Output

Error: Provider produced inconsistent final plan

When expanding the plan for
module.deploy.aws_cloudfront_distribution.s3_distribution to include new
values learned so far during apply, provider
"registry.terraform.io/hashicorp/aws" produced an invalid new value for
.origin: planned set element
cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3),
"connection_timeout":cty.NumberIntVal(10),
"custom_header":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String,
"value":cty.String})),
"custom_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"http_port":cty.NumberIntVal(80),
"https_port":cty.NumberIntVal(443),
"origin_keepalive_timeout":cty.NumberIntVal(5),
"origin_protocol_policy":cty.StringVal("https-only"),
"origin_read_timeout":cty.NumberIntVal(30),
"origin_ssl_protocols":cty.SetVal([]cty.Value{cty.StringVal("TLSv1")})})}),
"domain_name":cty.StringVal("alb.***.io"),
"origin_id":cty.StringVal("core-alb-demotestclient2"),
"origin_path":cty.NullVal(cty.String),
"origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool,
"origin_shield_region":cty.String})),
"s3_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_access_identity":cty.String}))})
does not correlate with any element in actual.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

script returned exit code 1

Expected Behavior

Successful deployment.

Actual Behavior

The first deployment succeeds, but subsequent deployments fail. If you change one of the custom_origin_config properties, the deployment will succeed, but the next deployments will fail with the same error.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
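
Added example (not from this issue, from Terraform or from the AWS provider): a small Python parser that turns the cty value dump in the Panic Output above into plain Python data, so the planned `.origin` set element can be read side by side with the configuration. PLANNED_ORIGIN is the element copied from the error (re-wrapped, redacted domain kept as printed); the DECLARED_* key sets are read off the ALB `origin` block in the configuration above, and provider_supplied lists the planned attributes that block never set, which is where the values the provider filled in (connection_attempts, the timeouts, the empty custom_header, origin_shield and s3_origin_config blocks, the null origin_path) show up. The parsed form also makes it easy to see that the planned element carries origin_ssl_protocols = TLSv1 while the configuration as posted declares TLSv1.1; both are legacy protocol versions, and that kind of comparison is hard to do by eye on the raw dump.

```python
"""Parse cty value dumps from Terraform "inconsistent final plan" errors (added example; not Terraform or provider code)."""
import json
import re
from typing import Any

# The planned `.origin` set element from the error in this issue, re-wrapped but otherwise as printed.
PLANNED_ORIGIN = """cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3),
"connection_timeout":cty.NumberIntVal(10),
"custom_header":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String})),
"custom_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"http_port":cty.NumberIntVal(80),
"https_port":cty.NumberIntVal(443), "origin_keepalive_timeout":cty.NumberIntVal(5),
"origin_protocol_policy":cty.StringVal("https-only"), "origin_read_timeout":cty.NumberIntVal(30),
"origin_ssl_protocols":cty.SetVal([]cty.Value{cty.StringVal("TLSv1")})})}),
"domain_name":cty.StringVal("alb.***.io"), "origin_id":cty.StringVal("core-alb-demotestclient2"), "origin_path":cty.NullVal(cty.String),
"origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool, "origin_shield_region":cty.String})),
"s3_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_access_identity":cty.String}))})"""

DECLARED_ORIGIN_KEYS = {"domain_name", "origin_id", "custom_origin_config"}  # set explicitly in the ALB origin block above
DECLARED_CUSTOM_ORIGIN_KEYS = {"http_port", "https_port", "origin_protocol_policy", "origin_ssl_protocols"}

_CTOR = re.compile(r"cty\.\w+")                 # constructor name, e.g. cty.ObjectVal
_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')     # Go-quoted string; JSON-compatible for plain text
_INT = re.compile(r"-?\d+")


class CtyParser:
    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0
    def _ws(self) -> None:  # the dump is line-wrapped, so whitespace can sit between tokens
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1
    def _take(self, lit: str) -> bool:  # consume lit if it comes next
        self._ws()
        found = self.s.startswith(lit, self.i)
        self.i += len(lit) if found else 0
        return found
    def _expect(self, lit: str) -> None:
        if not self._take(lit):
            raise ValueError(f"expected {lit!r} at offset {self.i}: {self.s[self.i:self.i + 40]!r}")
    def _match(self, pattern: re.Pattern) -> str:  # consume one regex token
        self._ws()
        m = pattern.match(self.s, self.i)
        if not m:
            raise ValueError(f"bad token at offset {self.i}: {self.s[self.i:self.i + 40]!r}")
        self.i = m.end()
        return m.group(0)
    def _skip_type(self) -> None:  # consume a cty.Type argument; only its extent matters here
        depth = 0
        while self.i < len(self.s) and not (depth == 0 and self.s[self.i] in "),"):
            depth += {"(": 1, "{": 1, ")": -1, "}": -1}.get(self.s[self.i], 0)
            self.i += 1

    def value(self) -> Any:
        ctor = self._match(_CTOR)[4:]  # drop the "cty." prefix
        if ctor in ("True", "False"):
            return ctor == "True"
        self._expect("(")
        if ctor == "ObjectVal":
            self._expect("map[string]cty.Value{")
            result: Any = {}
            while not self._take("}"):
                key = json.loads(self._match(_STRING))
                self._expect(":")
                result[key] = self.value()
                self._take(",")
        elif ctor in ("ListVal", "SetVal", "TupleVal"):
            self._expect("[]cty.Value{")
            result = []
            while not self._take("}"):
                result.append(self.value())
                self._take(",")
        elif ctor in ("ListValEmpty", "SetValEmpty", "NullVal"):
            self._skip_type()
            result = None if ctor == "NullVal" else []
        elif ctor == "NumberIntVal":
            result = int(self._match(_INT))
        elif ctor == "StringVal":
            result = json.loads(self._match(_STRING))
        else:
            raise ValueError(f"unsupported constructor cty.{ctor} at offset {self.i}")
        self._expect(")")
        return result


def parse_cty(text: str) -> Any:  # parse one value expression, rejecting malformed or trailing input
    p = CtyParser(text)
    v = p.value()
    p._ws()
    if p.i != len(p.s):
        raise ValueError(f"trailing input at offset {p.i}: {p.s[p.i:p.i + 40]!r}")
    return v


def provider_supplied(planned: dict, declared: set) -> list:
    """Planned attributes the HCL block did not set, i.e. defaults and empty blocks the provider filled in."""
    return sorted(k for k in planned if k not in declared)


if __name__ == "__main__":
    print(json.dumps(parse_cty(PLANNED_ORIGIN), indent=2))
```

Run it as a script to pretty-print the planned element; to apply it to another error of this kind, paste the cty.ObjectVal(...) text from the diagnostic into PLANNED_ORIGIN and adjust the declared key sets to match the block in your own configuration.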

Labels

  • bug: Addresses a defect in current functionality.
  • service/cloudfront: Issues and PRs that pertain to the cloudfront service.
  • stale: Old or inactive issues managed by automation, if no further action taken these will get closed.
