pulumi-aws-native

CloudFront distribution ViewerCertificate default values

Open Freakazoid182 opened this issue 2 years ago • 0 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

When updating an existing CloudFront distribution I run into this error:

error: operation UPDATE failed with "InvalidRequest": Invalid request provided: Exactly one of [AcmCertificateArn, CloudFrontDefaultCertificate, IamCertificateId] needs to be specified

This is because in the Pulumi state cloudFrontDefaultCertificate is set to false, while it should actually be set to null (or omitted).

"viewerCertificate": 
{
  "acmCertificateArn": "arn:aws:acm:us-east-1:{my-account-id}:certificate/{cert-guid}",
  "cloudFrontDefaultCertificate": false,
  "minimumProtocolVersion": "TLSv1.2_2021",
  "sslSupportMethod": "sni-only"
},

In my definition (C#) I've set the property to null.

ViewerCertificate = new DistributionViewerCertificateArgs
{
    CloudFrontDefaultCertificate = null,
    AcmCertificateArn = distribution.SslCertificateArn,
    SslSupportMethod = "sni-only",
    MinimumProtocolVersion = "TLSv1.2_2021"
},

Whenever I deploy the definition above, there's no issue. But once I've refreshed the CloudFront distribution, it updates the cloudFrontDefaultCertificate property in the Pulumi state to false. I suspect this is because the AWS API returns this value?

I would expect that if I deploy it again after that, it would want to change CloudFrontDefaultCertificate from false to null again, but this doesn't happen. It doesn't see any change.

I'm using library version v0.14.0

Steps to reproduce

  1. Deploy a CloudFront distribution with an AcmCertificateArn set and CloudFrontDefaultCertificate set to null
  2. Refresh the CloudFront distribution
  3. Note that CloudFrontDefaultCertificate is set to null
  4. Deploy the CloudFront distribution again (any arbitrary change) and note the error mentioned above

Expected: The CloudFrontDefaultCertificate will not be refreshed to false on pulumi refresh

Actual: It sets the CloudFrontDefaultCertificate to false, making it impossible to update the distribution (with manually updating the state)

Freakazoid182 Mar 28 '22 10:03
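The following is an added example, not part of the original issue and not code from the Pulumi project: a Python check that walks a state document and flags every viewerCertificate block that does not specify exactly one of the three certificate sources named in the error. It assumes, as the error in the issue suggests, that an explicit false counts as "specified"; the function names, the sample state and the placeholder ARNs are constructed for illustration.

```python
# The three mutually exclusive certificate sources named in the error message.
CERT_KEYS = ("acmCertificateArn", "cloudFrontDefaultCertificate", "iamCertificateId")


def find_viewer_certs(node, path=""):
    """Yield (path, block) for every 'viewerCertificate' object in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "viewerCertificate" and isinstance(value, dict):
                yield here, value
            yield from find_viewer_certs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_viewer_certs(item, f"{path}[{i}]")


def check_state(state):
    """Return one finding per block that does not specify exactly one source."""
    findings = []
    for path, cert in find_viewer_certs(state):
        # Assumption: any non-null value, including an explicit false, is "specified".
        present = [k for k in CERT_KEYS if cert.get(k) is not None]
        if len(present) != 1:
            findings.append({
                "path": path,
                "specified": present,
                # True when the block carries the refreshed 'false' from the issue.
                "refreshed_false": cert.get("cloudFrontDefaultCertificate") is False,
            })
    return findings


# Constructed sample shaped like the state fragment in the issue (placeholder ARNs).
SAMPLE_STATE = {"resources": [
    {"urn": "urn:example:dist-a", "outputs": {"viewerCertificate": {
        "acmCertificateArn": "arn:aws:acm:us-east-1:000000000000:certificate/EXAMPLE-A",
        "cloudFrontDefaultCertificate": False,
        "minimumProtocolVersion": "TLSv1.2_2021",
        "sslSupportMethod": "sni-only"}}},
    {"urn": "urn:example:dist-b", "outputs": {"viewerCertificate": {
        "acmCertificateArn": "arn:aws:acm:us-east-1:000000000000:certificate/EXAMPLE-B",
        "minimumProtocolVersion": "TLSv1.2_2021",
        "sslSupportMethod": "sni-only"}}},
]}

if __name__ == "__main__":
    for finding in check_state(SAMPLE_STATE):
        print(finding)
```

Because the walk is keyed on the property name rather than a fixed path, it does not depend on where the block is nested in the state document.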