Issue creating AWS::CloudFront::ResponseHeadersPolicy

Open LarsFronius opened this issue 2 years ago • 11 comments

Name of the resource

Other

Resource Name

AWS::CloudFront::ResponseHeadersPolicy

Issue Description

Hi, I am seeing Internal error reported from downstream service during operation 'AWS::CloudFront::ResponseHeadersPolicy'. or Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: f28bc45a-39b5-aabf-e46a-2c8e5e464249, HandlerErrorCode: InvalidRequest), depending on the provided configuration.

The issue sounds very familiar to the ones at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/571

Whether I provide a pretty complete response header policy or a completely empty one, as can be seen here, either results in CREATE_FAILED errors.

"ResponseHeaders84BC52D6": {
  "Type": "AWS::CloudFront::ResponseHeadersPolicy",
  "Properties": {
    "ResponseHeadersPolicyConfig": {
      "Name": "testHeaders"
    }
  },
  "Metadata": {
    "aws:cdk:path": "test/gateway-setup/ResponseHeaders/Resource"
  }
},

I am in eu-central-1 and the IAM role used for deployment has AdministratorAccess (set up via CDK pipelines) in case that makes any difference. Any other resources deploy without errors (e.g. the Distribution itself).

Expected Behavior

I expect a ResponseHeadersPolicy to be created when I provide a name for it.

Observed Behavior

It errors with an internal error that doesn't give a hint about what I did wrong.

Test Cases

Create a CloudFormation stack in eu-central-1 like

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ResponseHeaders": {
			"Type": "AWS::CloudFront::ResponseHeadersPolicy",
			"Properties": {
				"ResponseHeadersPolicyConfig": {
					"Name": "testHeaders"
				}
			}
		}
	}
}

Other Details

No response

LarsFronius, Apr 29 '22 11:04

Have you tried creating the policy in us-east-1?

jplock, Apr 29 '22 12:04

I have the same issue creating in sa-east-1:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: 9788bcb9-0cc9-57a4-d152-442549949243, HandlerErrorCode: InvalidRequest)

LeandroSoares, Jul 25 '22 19:07

I have the same issue creating in sa-east-1:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: 9788bcb9-0cc9-57a4-d152-442549949243, HandlerErrorCode: InvalidRequest)

I found the cause of my error:

"CustomHeadersConfig": {
  "Items": [
    {
      "Header": "Cross-Origin Resource Policy",   << was without '-'
      "Override": true,
      "Value": "same-origin"
    }
  ]
}

LeandroSoares, Jul 25 '22 20:07

You might also be running into this CDK issue where the auto-generated name is too long: https://github.com/aws/aws-cdk/issues/21524, especially if you're using CDK pipelines. The CloudFormation error isn't very useful. In the UI, it tells you the name is too long.

blimmer, Aug 09 '22 19:08

I ran into this when the policy name contained invalid characters. This restriction is not mentioned in the documentation for the Name parameter, but if you try to create a policy in the console you can see:

The parameter [NAME] contains characters other than alphanumericals, dashes, and underscores. 🙄

scottiemc7, Aug 19 '22 18:08

I solved it by looking at CloudTrail; it shows the actual API error message, which is much more useful.

rehanvdm, Mar 29 '23 12:03

For my part, I was specifying a wrong value for CorsConfig.AccessControlAllowMethods:

AccessControlAllowMethods:
  Items:
    - *

should have been:

AccessControlAllowMethods:
  Items:
    - ALL

CloudTrail logs were not showing any further details, and I ended up A/B testing my desired config from a demo CloudFormation template.

I guess the actual issue is simply there is no verbosity no matter the encountered errors.

cchanche, Mar 30 '23 13:03

For AWS CDK it is:

corsBehavior: {
  accessControlAllowMethods: ['ALL'],
},

instead of

corsBehavior: {
  accessControlAllowMethods: ['*'],
},

yibb-y, Jul 13 '23 09:07

Thank you, @yibb-y and @cchanche! Even the documentation is wrong:

A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header. You can specify ['*'] to allow all origins.

JonWallsten, Oct 20 '23 11:10

CloudTrail shows you the error message which you need to fix this issue:

"errorMessage": "1 validation error detected: Value '[null]' at 
'responseHeadersPolicyConfig.corsConfig.accessControlAllowMethods.items' failed to satisfy constraint:
Member must satisfy constraint: [Member must satisfy enum value set: [HEAD, POST, ALL, PATCH, DELETE, PUT, GET, OPTIONS]]",

As suggested above, use [ALL]. Pretty confusing, but yeah.

ShivamJoker, Jan 28 '24 08:01
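
As an added example (not part of the thread, and not AWS or CDK code), a pre-deploy check over a parsed template that covers the causes commenters reported above: invalid characters in Name, AccessControlAllowMethods items outside the enum from the CloudTrail message, and custom header names that are not valid HTTP tokens. The function name `lint_template`, the sample template and the 128-character name limit are assumptions made here.

```python
import re

# Enum copied from the CloudTrail validation message quoted in the thread.
ALLOWED_METHODS = {"HEAD", "POST", "ALL", "PATCH", "DELETE", "PUT", "GET", "OPTIONS"}
# Console rule quoted in the thread: alphanumerics, dashes and underscores only.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
# HTTP header field names are RFC 7230 tokens, so a space is never valid.
HEADER_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
MAX_NAME_LEN = 128  # assumption: the thread does not state the length limit
RHP_TYPE = "AWS::CloudFront::ResponseHeadersPolicy"


def lint_template(template, max_name_len=MAX_NAME_LEN):
    """Return (logical_id, problem) pairs for every ResponseHeadersPolicy."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RHP_TYPE:
            continue
        cfg = res.get("Properties", {}).get("ResponseHeadersPolicyConfig", {})
        name = cfg.get("Name")
        if not isinstance(name, str):
            findings.append((logical_id, "Name is missing or not a literal string"))
        elif not NAME_RE.fullmatch(name):
            findings.append((logical_id, f"Name {name!r} has invalid characters"))
        elif len(name) > max_name_len:
            findings.append((logical_id, f"Name is longer than {max_name_len}"))
        cors = cfg.get("CorsConfig", {})
        for m in cors.get("AccessControlAllowMethods", {}).get("Items", []):
            if not isinstance(m, str) or m not in ALLOWED_METHODS:
                findings.append((logical_id, f"method {m!r} is not in the enum"))
        for item in cfg.get("CustomHeadersConfig", {}).get("Items", []):
            header = item.get("Header")
            if not isinstance(header, str) or not HEADER_RE.fullmatch(header):
                findings.append((logical_id, f"header {header!r} is not a token"))
    return findings


# Constructed sample that repeats the mistakes reported in the thread.
SAMPLE = {"Resources": {"Headers": {"Type": RHP_TYPE, "Properties": {
    "ResponseHeadersPolicyConfig": {
        "Name": "test headers!",
        "CorsConfig": {"AccessControlAllowMethods": {"Items": ["*", "GET"]}},
        "CustomHeadersConfig": {"Items": [{
            "Header": "Cross-Origin Resource Policy",
            "Override": True, "Value": "same-origin"}]},
    }}}}}

if __name__ == "__main__":
    print("\n".join(f"{i}: {p}" for i, p in lint_template(SAMPLE)))
```

The check only sees literal values, so a Name built from intrinsic functions or generated by CDK has to be checked on the synthesized template.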