Missing validation that CloudFront SSL method is required

[meustrus]

When creating a aws_cloudfront_distribution resource with a viewer_certificate, the ssl_support_method is required. If it is missing, however, the terraform plan succeeds and the terraform apply fails with an error from AWS.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.13
+ provider.aws v2.35.0

Affected Resource(s)

• aws_cloudfront_distribution

Terraform Configuration Files

resource "aws_cloudfront_distribution" "dist" {
  default_root_object = "index.html"
  enabled             = true
  is_ipv6_enabled     = true
  aliases             = [var.domain_name]
  price_class         = var.price_class
  tags                = var.tags

  origin {
    domain_name = aws_s3_bucket.store.bucket_domain_name
    origin_id   = aws_s3_bucket.store.id
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = aws_s3_bucket.store.id
    viewer_protocol_policy = "allow-all"

    forwarded_values {
      query_string = false
      cookies {
        forward = "all"
      }
    }
  }

  viewer_certificate {
    acm_certificate_arn = var.acm_certificate_arn
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

Debug Output

(skipping because this is purely a validation issue, and with the ssl_support_method in place my infrastructure is already stood up; if it turns out to be necessary, I can attempt to create another one to get debug output)

Expected Behavior

terraform plan should fail with a message like so:

Error: "viewer_certificate.0.ssl_support_method": required field is not set

Actual Behavior

terraform plan succeeds, and terraform apply fails with the following message:

Error: error creating CloudFront Distribution: MalformedXML: 1 validation error detected: Value '' at 'distributionConfigWithTags.distributionConfig.viewerCertificate.sSLSupportMethod' failed to satisfy constraint: Member must satisfy enum value set: [sni-only, vip]

Steps to Reproduce

1. terraform plan -out=tfplan
2. terraform apply tfplan

[meustrus]

Not sure what it means, but I received a notification from GitHub about a failed action after creating this issue:

Run failed for master (2070567)

Repository: terraform-providers/terraform-provider-aws
Workflow: Issue triage
Duration: 1 minute
Finished: 2019-11-13 17:09:04 UTC

View results

Jobs:

• 0601744d-6db1-5b7e-561d-e5d62a2f609a failed (3 annotations)

[taragurung]

The error log is quite clear

If you are using the acm_certificate_arn you also need to add the following attribute
ssl_support_method = "sni-only" or "vip"

It is clearly written in the docs:
ssl_support_method: Specifies how you want CloudFront to serve HTTPS requests. One of vip or sni-only. Required if you specify acm_certificate_arn or iam_certificate_id. NOTE: vip causes CloudFront to use a dedicated IP address and may incur extra charges.

Also, it requires the following attribute
minimum_protocol_version = "TLSv1" values varies

Check details here. https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#viewer-certificate-arguments

[meustrus]

@taragurung, I am aware that the error message from terraform apply describes the problem. It isn't exactly "quite clear", however, because it talks about XML and a bunch of element names that should ideally be abstracted away from developers using Terraform.

The opportunity here is to fail faster, giving developers feedback that they've missed a requirement at the terraform plan stage. It's easy to miss required properties in the documentation when you need to read each individual property to see if it's required, and you are unfamiliar with the underlying technology as I was when I encountered this.

All I'm proposing here is that there should be a validation attached to this property, so that a clear error message is presented earlier in the process.

I have confirmed that this behavior still exists in Terraform 0.14.10 with AWS provider 3.36.0.

[lomluca]

I totally agree with @meustrus, this behavior is really annoying. One easy option could be to set sni-only as the default value (the recommended by AWS), it will be used in case of the acm_certificate_arn is specified.

Probably I'm wrong, but I think the validateFunc cannot resolve completely this behaviour: theoretically, we should make this field mandatory only if acm_certificate_arn is specified. To accomplish this, we should organize fields inside blocks differently, isn't it?

[rcsheets]

Reproducible with Terraform v1.2.4 and provider registry.terraform.io/hashicorp/aws v3.75.1.

[TheDen]

Ran into this, where this conditional required arg didn't show up until it errored on apply. The documentation isn't enough IMO, since I imagine most users could overlook the arg since it's not flagged as required, and will assume everything is fine since it's not flagged during a plan.

I Agree with @lomluca that this ought to default to sni-only if acm_certificate_arn or iam_certificate_id arguments are set.