terraform-provider-awscc
terraform-provider-awscc copied to clipboard
hashicorp
awscc_cloudfront_distribution - Origin access control / Origin access identity configuration are not getting applied
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
- The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.
Terraform CLI and Terraform AWS Cloud Control Provider Version
awscc v0.52.0
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
S3 Bucket
resource "aws_s3_bucket" "s3_origin" { bucket = "sampleawsccbucket345" }
Block public access to S3 bucket
resource "aws_s3_bucket_public_access_block" "s3_block_public_access" { bucket = aws_s3_bucket.s3_origin.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true }
Attach bucket policy with object access to cloudfront origin
resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" { bucket = aws_s3_bucket.s3_origin.id policy = data.aws_iam_policy_document.bucket_policy.json }
Cloudfront origin access identity
resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" { cloudfront_origin_access_identity_config = { comment = "SampleCloudFrontOAI" } }
IAM policy document to allow S3 bucket read access to cloudfront origin access identity
data "aws_iam_policy_document" "bucket_policy" { statement { principals { type = "CanonicalUser" identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id] } effect = "Allow" actions = [ "s3:GetObject", ] resources = [ "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*" ] } }
Cloudfront distribution with S3 origin config using OAI
resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" { distribution_config = { enabled = true compress = true default_root_object = "index.html" comment = "Sample Cloudfront Distribution using AWSCC provider" default_cache_behavior = { target_origin_id = aws_s3_bucket.s3_origin.id viewer_protocol_policy = "redirect-to-https" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD", "OPTIONS"] min_ttl = 0 default_ttl = 5 * 60 max_ttl = 60 * 60 } restrictions = { geo_restriction = { restriction_type = "none" } } viewer_certificate = { cloudfront_default_certificate = true minimum_protocol_version = "TLSv1.2_2018" } s3_origin = { dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name } origins = [{ domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name id = "SampleCloudfrontOrigin" s3_origin_config = { origin_access_identity = awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id } }] } tags = [{ key = "Name" value = "Cloudfront Distribution with S3 Origin" }] }
Debug Output
Terraform resources getting created without errors.
Panic Output
Expected Behavior
Origin access settings on the cloudfront distribution should have used the Origin Access Identity (OAI) option selected with the OAI resource which was created part of the terraform resource configuration
Actual Behavior
Origin access settings on the cloudfront distribution uses the default setting [i.e., expects S3 public access] and did not use the OAI option using the OAI resource which was created.
Steps to Reproduce
-
terraform apply
Important Factoids
References
https://github.com/hashicorp/terraform-provider-awscc/pull/977#discussion_r1222375442
- #0000
After 1st time terraform apply, resources are created successfully but terraform state has missing resource. When trying to perform terraform plan/apply again the 2nd time, it shows changes to the plan and resources when trying to apply the changes getting the below error
Error: AWS SDK Go Service Operation Incomplete │ │ with awscc_cloudfront_distribution.cloudfront_s3_origin, │ on cloudfront-with-s3-origin-oac.tf line 55, in resource "awscc_cloudfront_distribution" "cloudfront_s3_origin": │ 55: resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" { │ │ Waiting for Cloud Control API service UpdateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid request provided: IamCertificateId or AcmCertificateArn can be specified only if │ SslSupportMethod must also be specified and vice-versa.. ErrorCode: InvalidRequest
When I use CCAPI to describe the resource, I got different value returned, for example the DefaultCacheBehavior:
note: formatted for readability
"DefaultCacheBehavior": {
. . .
"TargetOriginId": "Default",
"ViewerProtocolPolicy": "allow-all",
. . .
"DefaultTTL": 86400,
. . .
"AllowedMethods": [
"HEAD",
"GET"
],
"CachedMethods": [
"HEAD",
"GET"
],
. . .
"MinTTL": 0,
"MaxTTL": 31536000
},
as oppose to the HCL configuration:
default_cache_behavior = {
target_origin_id = aws_s3_bucket.s3_origin.id
viewer_protocol_policy = "redirect-to-https"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
min_ttl = 0
default_ttl = 5 * 60
max_ttl = 60 * 60
}
and Terraform state
"default_cache_behavior": {
"allowed_methods": [
"GET",
"HEAD",
"OPTIONS"
],
"cache_policy_id": null,
"cached_methods": [
"GET",
"HEAD",
"OPTIONS"
],
. . .
"default_ttl": 300,
. . .
"max_ttl": 3600,
"min_ttl": 0,
. . .
"target_origin_id": "terraform-20230720041249283400000001",
. . .
"viewer_protocol_policy": "redirect-to-https"
},
Even forgoing CC this looks strange.
resource "awscc_cloudfront_distribution" "this" {
distribution_config = {
enabled = false
default_cache_behavior = {
target_origin_id = "example.com"
viewer_protocol_policy = "redirect-to-https"
forwarded_values = {
query_string = false
}
}
viewer_certificate = {
cloudfront_default_certificate = true
minimum_protocol_version = "TLSv1.2_2018"
}
origins = [{
domain_name = "example.com"
id = "example.com"
custom_origin_config = {
origin_protocol_policy = "https-only"
}
}]
}
}
corresponds to a CreateDistribution call with the intended minimumProtocolVersion
{
"distributionConfigWithTags": {
"tags": {
"items": []
},
"distributionConfig": {
"defaultRootObject": "",
"aliases": {
"quantity": 0,
"items": []
},
"cacheBehaviors": {
"quantity": 0,
"items": []
},
"httpVersion": "http1.1",
"originGroups": {
"quantity": 0,
"items": []
},
"viewerCertificate": {
"minimumProtocolVersion": "TLSv1.2_2018",
"cloudFrontDefaultCertificate": true
},
"webACLId": "",
"customErrorResponses": {
"quantity": 0,
"items": []
},
"logging": {
"includeCookies": false,
"prefix": "",
"enabled": false,
"bucket": ""
},
"priceClass": "PriceClass_All",
"restrictions": {
"geoRestriction": {
"restrictionType": "none",
"quantity": 0,
"items": []
}
},
"callerReference": "4bf32458-5628-475b-af4f-64ce48358cf1",
"enabled": false,
"defaultCacheBehavior": {
"targetOriginId": "example.com",
"minTTL": 0,
"compress": false,
"maxTTL": 31536000,
"functionAssociations": {
"quantity": 0,
"items": []
},
"trustedKeyGroups": {
"quantity": 0,
"items": [],
"enabled": false
},
"smoothStreaming": false,
"fieldLevelEncryptionId": "",
"defaultTTL": 86400,
"lambdaFunctionAssociations": {
"quantity": 0,
"items": []
},
"viewerProtocolPolicy": "redirect-to-https",
"forwardedValues": {
"cookies": {
"forward": "none",
"whitelistedNames": {
"items": [],
"quantity": 0
}
},
"queryStringCacheKeys": {
"quantity": 0,
"items": []
},
"queryString": false,
"headers": {
"quantity": 0,
"items": []
}
},
"trustedSigners": {
"items": [],
"enabled": false,
"quantity": 0
},
"allowedMethods": {
"quantity": 2,
"items": [
"GET",
"HEAD"
],
"cachedMethods": {
"quantity": 2,
"items": [
"GET",
"HEAD"
]
}
}
},
"origins": {
"quantity": 1,
"items": [
{
"originPath": "",
"customOriginConfig": {
"originReadTimeout": 30,
"hTTPSPort": 443,
"originProtocolPolicy": "https-only",
"originKeepaliveTimeout": 5,
"hTTPPort": 80,
"originSslProtocols": {
"quantity": 2,
"items": [
"TLSv1",
"SSLv3"
]
}
},
"id": "example.com",
"domainName": "example.com",
"customHeaders": {
"quantity": 0,
"items": []
}
}
]
},
"comment": "HIDDEN_DUE_TO_SECURITY_REASONS"
}
}
}
yet describing the resulting distribution it uses TLSv1/sslv3.
aws cloudfront get-distribution-config --id ... --region us-east-1 --query "DistributionConfig.ViewerCertificate" ~/src/terraform-provider-awscc/test main+ (v)
{
"CloudFrontDefaultCertificate": true,
"SSLSupportMethod": "vip",
"MinimumProtocolVersion": "TLSv1",
"CertificateSource": "cloudfront"
}
