Error inserting cache behaviour into existing cloudfront distribution: InvalidArgument: The parameter QueryString cannot be false if query strings are set in QueryStringCacheKeys #17879

Open
ronaldploeger opened this issue Mar 2, 2021 · 7 comments
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/cloudfront Issues and PRs that pertain to the cloudfront service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@ronaldploeger

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.7
provider registry.terraform.io/hashicorp/aws v3.30.0

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

resource "aws_cloudfront_distribution" "test" {
  comment         = "test"
  enabled         = true
  is_ipv6_enabled = true


  origin {
    domain_name = "www.test.com"
    origin_id   = "www"

    custom_origin_config {
      http_port                = 80
      https_port               = 443
      origin_protocol_policy   = "https-only"
      origin_ssl_protocols     = ["TLSv1.2"]
      origin_keepalive_timeout = 60
      origin_read_timeout      = 30
    }
  }

  default_cache_behavior {
    target_origin_id       = "www"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = true
      headers      = ["Origin", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "Accept-Encoding", "Host"]

      cookies {
        forward = "none"
      }
    }
  }

  # ordered_cache_behavior {
  #   path_pattern = "/test1"

  #   target_origin_id       = "www"
  #   allowed_methods        = ["GET", "HEAD", "OPTIONS"]
  #   cached_methods         = ["GET", "HEAD"]
  #   compress               = true
  #   viewer_protocol_policy = "redirect-to-https"

  #   forwarded_values {
  #     query_string            = true
  #     query_string_cache_keys = ["test0"]
  #     headers                 = ["Origin", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "Accept-Encoding"]

  #     cookies {
  #       forward = "none"
  #     }
  #   }
  # }

  ordered_cache_behavior {
    path_pattern = "/test10"

    target_origin_id       = "www"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string            = true
      query_string_cache_keys = ["test1"]
      headers                 = ["Origin", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "Accept-Encoding"]

      cookies {
        forward = "none"
      }
    }
  }

  ordered_cache_behavior {
    path_pattern           = "/test20"
    target_origin_id       = "www"
    allowed_methods        = ["HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT", "PATCH"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = false
    viewer_protocol_policy = "https-only"
    default_ttl            = 0
    min_ttl                = 0
    max_ttl                = 0

    forwarded_values {
      query_string = false
      headers      = []
      cookies {
        forward = "none"
      }
    }
  }

  ordered_cache_behavior {
    path_pattern = "/test30"

    target_origin_id       = "www"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string            = true
      query_string_cache_keys = ["test2"]
      headers                 = ["Origin", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "Accept-Encoding"]

      cookies {
        forward = "none"
      }
    }
  }


  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Debug Output

2021-03-02T13:14:48.549+0100 [INFO]  plugin.terraform-provider-aws_v3.30.0_x5: 2021/03/02 13:14:48 [DEBUG] [aws-sdk-go] DEBUG: Request cloudfront/UpdateDistribution2020_05_31 Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT /2020-05-31/distribution/EV91UAAN6RJSZ/config HTTP/1.1
...

<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"><DefaultRootObject></DefaultRootObject><IsIPV6Enabled>true</IsIPV6Enabled><ViewerCertificate><CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate><MinimumProtocolVersion>TLSv1</MinimumProtocolVersion></ViewerCertificate><Aliases><Quantity>0</Quantity></Aliases><CallerReference>terraform-20210302120005142300000001</CallerReference><DefaultCacheBehavior><FieldLevelEncryptionId></FieldLevelEncryptionId><ForwardedValues><Cookies><Forward>none</Forward><WhitelistedNames><Quantity>0</Quantity><Items></Items></WhitelistedNames></Cookies><Headers><Items><Name>CloudFront-Is-Tablet-Viewer</Name><Name>Origin</Name><Name>Host</Name><Name>Accept-Encoding</Name><Name>CloudFront-Is-Mobile-Viewer</Name></Items><Quantity>5</Quantity></Headers><QueryString>true</QueryString><QueryStringCacheKeys><Items></Items><Quantity>0</Quantity></QueryStringCacheKeys></ForwardedValues><MinTTL>0</MinTTL><SmoothStreaming>false</SmoothStreaming><AllowedMethods><CachedMethods><Items><Method>GET</Method><Method>HEAD</Method></Items><Quantity>2</Quantity></CachedMethods><Items><Method>GET</Method><Method>HEAD</Method><Method>OPTIONS</Method></Items><Quantity>3</Quantity></AllowedMethods><CachePolicyId></CachePolicyId><DefaultTTL>0</DefaultTTL><LambdaFunctionAssociations><Items></Items><Quantity>0</Quantity></LambdaFunctionAssociations><TargetOriginId>www</TargetOriginId><ViewerProtocolPolicy>redirect-to-https</ViewerProtocolPolicy><Compress>true</Compress><MaxTTL>0</MaxTTL><OriginRequestPolicyId></OriginRequestPolicyId><TrustedSigners><Enabled>false</Enabled><Quantity>0</Quantity></TrustedSigners></DefaultCacheBehavior><Restrictions><GeoRestriction><Items></Items><Quantity>0</Quantity><RestrictionType>none</RestrictionType></GeoRestriction></Restrictions><WebACLId></WebACLId><CacheBehaviors><Items><CacheBehavior><MaxTTL>0</MaxTTL><OriginRequestPolicyId></OriginRequestPolicyId><ForwardedValues><Cookies><Forward>none<
/Forward><WhitelistedNames><Items></Items><Quantity>0</Quantity></WhitelistedNames></Cookies><Headers><Items><Name>CloudFront-Is-Tablet-Viewer</Name><Name>Origin</Name><Name>Accept-Encoding</Name><Name>CloudFront-Is-Mobile-Viewer</Name></Items><Quantity>4</Quantity></Headers><QueryString>true</QueryString><QueryStringCacheKeys><Items><Name>test0</Name></Items><Quantity>1</Quantity></QueryStringCacheKeys></ForwardedValues><LambdaFunctionAssociations><Items></Items><Quantity>0</Quantity></LambdaFunctionAssociations><PathPattern>/test1</PathPattern><FieldLevelEncryptionId></FieldLevelEncryptionId><MinTTL>0</MinTTL><SmoothStreaming>false</SmoothStreaming><ViewerProtocolPolicy>redirect-to-https</ViewerProtocolPolicy><AllowedMethods><CachedMethods><Items><Method>GET</Method><Method>HEAD</Method></Items><Quantity>2</Quantity></CachedMethods><Items><Method>GET</Method><Method>HEAD</Method><Method>OPTIONS</Method></Items><Quantity>3</Quantity></AllowedMethods><CachePolicyId></CachePolicyId><Compress>true</Compress><DefaultTTL>0</DefaultTTL><TargetOriginId>www</TargetOriginId><TrustedSigners><Enabled>false</Enabled><Quantity>0</Quantity></TrustedSigners></CacheBehavior><CacheBehavior><MinTTL>0</MinTTL><TrustedSigners><Enabled>false</Enabled><Quantity>0</Quantity></TrustedSigners><ViewerProtocolPolicy>redirect-to-https</ViewerProtocolPolicy><MaxTTL>0</MaxTTL><Compress>true</Compress><FieldLevelEncryptionId></FieldLevelEncryptionId><OriginRequestPolicyId></OriginRequestPolicyId><PathPattern>/test10</PathPattern><AllowedMethods><Quantity>3</Quantity><CachedMethods><Items><Method>GET</Method><Method>HEAD</Method></Items><Quantity>2</Quantity></CachedMethods><Items><Method>GET</Method><Method>HEAD</Method><Method>OPTIONS</Method></Items></AllowedMethods><LambdaFunctionAssociations><Items></Items><Quantity>0</Quantity></LambdaFunctionAssociations><SmoothStreaming>false</SmoothStreaming><TargetOriginId>www</TargetOriginId><DefaultTTL>0</DefaultTTL><ForwardedValues><QueryStringCacheK
eys><Items><Name>test1</Name></Items><Quantity>1</Quantity></QueryStringCacheKeys><Cookies><Forward>none</Forward><WhitelistedNames><Items></Items><Quantity>0</Quantity></WhitelistedNames></Cookies><Headers><Quantity>4</Quantity><Items><Name>CloudFront-Is-Tablet-Viewer</Name><Name>Origin</Name><Name>Accept-Encoding</Name><Name>CloudFront-Is-Mobile-Viewer</Name></Items></Headers><QueryString>true</QueryString></ForwardedValues><CachePolicyId></CachePolicyId></CacheBehavior><CacheBehavior><CachePolicyId></CachePolicyId><Compress>false</Compress><DefaultTTL>0</DefaultTTL><MinTTL>0</MinTTL><SmoothStreaming>false</SmoothStreaming><TrustedSigners><Enabled>false</Enabled><Quantity>0</Quantity></TrustedSigners><ViewerProtocolPolicy>https-only</ViewerProtocolPolicy><FieldLevelEncryptionId></FieldLevelEncryptionId><LambdaFunctionAssociations><Items></Items><Quantity>0</Quantity></LambdaFunctionAssociations><OriginRequestPolicyId></OriginRequestPolicyId><PathPattern>/test20</PathPattern><AllowedMethods><CachedMethods><Items><Method>GET</Method><Method>HEAD</Method><Method>OPTIONS</Method></Items><Quantity>3</Quantity></CachedMethods><Items><Method>POST</Method><Method>GET</Method><Method>HEAD</Method><Method>PATCH</Method><Method>DELETE</Method><Method>OPTIONS</Method><Method>PUT</Method></Items><Quantity>7</Quantity></AllowedMethods><ForwardedValues><QueryString>false</QueryString><QueryStringCacheKeys><Items><Name>test2</Name></Items><Quantity>1</Quantity></QueryStringCacheKeys><Cookies><Forward>none</Forward><WhitelistedNames><Items></Items><Quantity>0</Quantity></WhitelistedNames></Cookies><Headers><Items></Items><Quantity>0</Quantity></Headers></ForwardedValues><MaxTTL>0</MaxTTL><TargetOriginId>www</TargetOriginId></CacheBehavior><CacheBehavior><MaxTTL>0</MaxTTL><MinTTL>0</MinTTL><TargetOriginId>www</TargetOriginId><ViewerProtocolPolicy>redirect-to-https</ViewerProtocolPolicy><AllowedMethods><Quantity>3</Quantity><CachedMethods><Items><Method>GET</Method><Method>HEAD</Met
hod></Items><Quantity>2</Quantity></CachedMethods><Items><Method>GET</Method><Method>HEAD</Method><Method>OPTIONS</Method></Items></AllowedMethods><FieldLevelEncryptionId></FieldLevelEncryptionId><OriginRequestPolicyId></OriginRequestPolicyId><SmoothStreaming>false</SmoothStreaming><Compress>true</Compress><DefaultTTL>0</DefaultTTL><ForwardedValues><Cookies><Forward>none</Forward><WhitelistedNames><Items></Items><Quantity>0</Quantity></WhitelistedNames></Cookies><Headers><Items><Name>CloudFront-Is-Tablet-Viewer</Name><Name>Origin</Name><Name>Accept-Encoding</Name><Name>CloudFront-Is-Mobile-Viewer</Name></Items><Quantity>4</Quantity></Headers><QueryString>true</QueryString><QueryStringCacheKeys><Items><Name>test2</Name></Items><Quantity>1</Quantity></QueryStringCacheKeys></ForwardedValues><LambdaFunctionAssociations><Items></Items><Quantity>0</Quantity></LambdaFunctionAssociations><PathPattern>/test30</PathPattern><CachePolicyId></CachePolicyId><TrustedSigners><Enabled>false</Enabled><Quantity>0</Quantity></TrustedSigners></CacheBehavior></Items><Quantity>4</Quantity></CacheBehaviors><CustomErrorResponses><Items></Items><Quantity>0</Quantity></CustomErrorResponses><Enabled>true</Enabled><HttpVersion>http2</HttpVersion><Logging><Enabled>false</Enabled><IncludeCookies>false</IncludeCookies><Prefix></Prefix><Bucket></Bucket></Logging><Comment>test</Comment><Origins><Items><Origin><CustomHeaders><Items></Items><Quantity>0</Quantity></CustomHeaders><CustomOriginConfig><HTTPSPort>443</HTTPSPort><OriginKeepaliveTimeout>60</OriginKeepaliveTimeout><OriginProtocolPolicy>https-only</OriginProtocolPolicy><OriginReadTimeout>30</OriginReadTimeout><OriginSslProtocols><Items><SslProtocol>TLSv1.2</SslProtocol></Items><Quantity>1</Quantity></OriginSslProtocols><HTTPPort>80</HTTPPort></CustomOriginConfig><DomainName>www.test.com</DomainName><Id>www</Id><OriginPath></OriginPath></Origin></Items><Quantity>1</Quantity></Origins><PriceClass>PriceClass_All</PriceClass></DistributionConfig>
-----------------------------------------------------: timestamp=2021-03-02T13:14:48.549+0100
2021-03-02T13:14:49.211+0100 [INFO]  plugin.terraform-provider-aws_v3.30.0_x5: 2021/03/02 13:14:49 [DEBUG] [aws-sdk-go] DEBUG: Response cloudfront/UpdateDistribution2020_05_31 Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 340
Content-Type: text/xml
Date: Tue, 02 Mar 2021 12:14:48 GMT
X-Amzn-Requestid: 3286c380-b272-4d0f-9722-0e3afb838f3b


-----------------------------------------------------: timestamp=2021-03-02T13:14:49.211+0100
2021-03-02T13:14:49.211+0100 [INFO]  plugin.terraform-provider-aws_v3.30.0_x5: 2021/03/02 13:14:49 [DEBUG] [aws-sdk-go] <?xml version="1.0"?>
<ErrorResponse xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"><Error><Type>Sender</Type><Code>InvalidArgument</Code><Message>The parameter QueryString cannot be false if query strings are set in QueryStringCacheKeys.</Message></Error><RequestId>3286c380-b272-4d0f-9722-0e3afb838f3b</RequestId></ErrorResponse>: timestamp=2021-03-02T13:14:49.211+0100
2021-03-02T13:14:49.211+0100 [INFO]  plugin.terraform-provider-aws_v3.30.0_x5: 2021/03/02 13:14:49 [DEBUG] [aws-sdk-go] DEBUG: Validate Response cloudfront/UpdateDistribution2020_05_31 failed, attempt 0/25, error InvalidArgument: The parameter QueryString cannot be false if query strings are set in QueryStringCacheKeys.
        status code: 400, request id: 3286c380-b272-4d0f-9722-0e3afb838f3b: timestamp=2021-03-02T13:14:49.211+0100
2021/03/02 13:14:49 [DEBUG] aws_cloudfront_distribution.test: apply errored, but we're indicating that via the Error pointer rather than returning it: error updating CloudFront Distribution (EV91UAAN6RJSZ): InvalidArgument: The parameter QueryString cannot be false if query strings are set in QueryStringCacheKeys.
        status code: 400, request id: 3286c380-b272-4d0f-9722-0e3afb838f3b

Relevant part in request:

<QueryString>false</QueryString><QueryStringCacheKeys><Items><Name>test2</Name></Items><Quantity>1</Quantity></QueryStringCacheKeys>

Expected Behavior

A new cache behaviour should have been added to an existing CloudFront distribution.

Actual Behavior

Adding a new "ordered_cache_behavior" above existing cache behaviours leads to error:

Error: error updating CloudFront Distribution (EV91UAAN6RJSZ): InvalidArgument: The parameter QueryString cannot be false if query strings are set in QueryStringCacheKeys.
status code: 400, request id: ddbd3535-af79-40be-8536-e390e1c4d536

When I look at the terraform state of the cloudfront_distribution resource after the failed apply I can see that:
a) the new cache behaviour "/test1" appears
b) the state for the cache behaviour "/test20" is incorrect: "query_string" is set to false but there is also a non empty "query_string_cache_keys" (which it somehow "inherited" from the next cache behaviour "/test30")

    ordered_cache_behavior {
        ...
        path_pattern           = "/test20"
        ...
        forwarded_values {
            headers                 = []
            query_string            = false
            query_string_cache_keys = [
                "test2",
            ]
        ...
        }
    }

Steps to Reproduce

  1. terraform apply
  2. terraform state show aws_cloudfront_distribution.test
  3. Un-comment ordered_cache_behavior "/test1"
  4. terraform apply --> which will fail
  5. terraform state show aws_cloudfront_distribution.test
@ghost ghost added the service/cloudfront Issues and PRs that pertain to the cloudfront service. label Mar 2, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 2, 2021
@ronaldploeger
Author

It still works with hashicorp/aws provider version 3.27.0 and fails starting with 3.28.0.

@ronaldploeger
Author

It seems to be a general problem that existing ordered_cache_behaviors (for CloudFront distributions set up with Terraform before 3.28.0) might get attributes screwed up when another ordered_cache_behavior is inserted before them and then applied with aws provider 3.28.0 or greater.

We had the problem that an ordered_cache_behavior suddenly had a max_ttl of 0, which was not configured on this ordered_cache_behavior but on one above it, leading to not caching responses for this ordered_cache_behavior any more.

@mrwacky42
Contributor

We seem to have experienced this issue, or something related with v3.37.0:

A new ordered_cache_behavior was inserted that sets forwarded_values { headers = ["Host"] }, and somehow this propagated to the behavior after it.
So then the pre-existing behavior broke because it very much did not want the Host header forwarded.

@lich1710

lich1710 commented Aug 4, 2021

Hi @ronaldploeger, do you have any idea how to fix this?

@breathingdust breathingdust added bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 8, 2021
@inigo

inigo commented Sep 21, 2021

We hit the same problem when adding a new ordered cache behaviour in the middle of other ordered behaviours, one of which had query_string = true set and query_string_cache_keys non-empty.

The workaround was to explicitly add:

query_string_cache_keys = []

to all the ordered cache behaviours where query_string = false

@akselinurmio
Copy link

akselinurmio commented Oct 13, 2022

We're experiencing this issue too. Documentation clearly states:

query_string_cache_keys (Optional) - When specified, along with a value of true for query_string, all query strings are forwarded, however only the query string keys listed in this argument are cached. When omitted with a value of true for query_string, all query string keys are cached.

One of our ordered_cache_behaviors looks like this in configuration (does not have any query string cache keys set):

ordered_cache_behavior {
  target_origin_id       = "origin-id"
  viewer_protocol_policy = "redirect-to-https"
  allowed_methods        = ["GET", "HEAD"]
  cached_methods         = ["GET", "HEAD"]
  path_pattern           = "/path"

  forwarded_values {
    headers      = ["Host"]
    query_string = true

    cookies {
      forward = "whitelist"

      whitelisted_names = [
        "yleconsent",
      ]
    }
  }

  min_ttl     = 0
  default_ttl = 60
  max_ttl     = 31536000
  compress    = true
}

In state however, there are query string cache keys:

ordered_cache_behavior {
  allowed_methods = [
    "GET",
    "HEAD",
  ]
  cached_methods = [
    "GET",
    "HEAD",
  ]
  compress               = true
  default_ttl            = 60
  max_ttl                = 31536000
  min_ttl                = 0
  path_pattern           = "/path"
  smooth_streaming       = false
  target_origin_id       = "origin-id"
  trusted_key_groups     = []
  trusted_signers        = []
  viewer_protocol_policy = "redirect-to-https"

  forwarded_values {
    headers      = []
    query_string = true
    query_string_cache_keys = [
      "_c",
      "play",
      "t",
    ]

    cookies {
      forward           = "none"
      whitelisted_names = []
    }
  }
}
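
An added check, not part of the original thread or the provider's code: it parses a `DistributionConfig` request body like the one in the debug output of the first report and compares each cache behavior's query-string settings with what the `.tf` files intend. It flags both the combination CloudFront rejects (`/test20`) and the drift CloudFront accepts silently (cache keys appearing on `/path`, as in the last report). The function names, the `INTENDED` map and the reduced sample XML are constructed for illustration; only the element names and values come from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"cf": "http://cloudfront.amazonaws.com/doc/2020-05-31/"}


def _behavior(path, query_string, keys):
    """Build one constructed <CacheBehavior>, reduced to the fields audited here."""
    names = "".join(f"<Name>{k}</Name>" for k in keys)
    return (f"<CacheBehavior><PathPattern>{path}</PathPattern><ForwardedValues>"
            f"<QueryString>{str(query_string).lower()}</QueryString>"
            f"<QueryStringCacheKeys><Items>{names}</Items>"
            f"<Quantity>{len(keys)}</Quantity></QueryStringCacheKeys>"
            f"</ForwardedValues></CacheBehavior>")


# Constructed sample: the four behaviors of the failing request in the first
# report, plus "/path" with the keys seen in state in the last report.
SAMPLE_CONFIG = (
    '<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/">'
    "<CacheBehaviors><Items>"
    + _behavior("/test1", True, ["test0"])
    + _behavior("/test10", True, ["test1"])
    + _behavior("/test20", False, ["test2"])  # keys taken over from /test30
    + _behavior("/test30", True, ["test2"])
    + _behavior("/path", True, ["_c", "play", "t"])
    + "</Items><Quantity>5</Quantity></CacheBehaviors></DistributionConfig>"
)

# What the .tf files ask for: path_pattern -> (query_string, cache keys).
INTENDED = {
    "/test1": (True, ["test0"]),
    "/test10": (True, ["test1"]),
    "/test20": (False, []),
    "/test30": (True, ["test2"]),
    "/path": (True, []),
}


def parse_behaviors(xml_text):
    """Return [(path_pattern, query_string, [cache keys])] in request order."""
    root = ET.fromstring(xml_text)
    result = []
    for cb in root.findall("cf:CacheBehaviors/cf:Items/cf:CacheBehavior", NS):
        fv = cb.find("cf:ForwardedValues", NS)
        if fv is None:  # no ForwardedValues block on this behavior
            continue
        path = cb.findtext("cf:PathPattern", default="", namespaces=NS)
        flag = fv.findtext("cf:QueryString", default="false", namespaces=NS)
        keys = [n.text for n in
                fv.findall("cf:QueryStringCacheKeys/cf:Items/cf:Name", NS)]
        result.append((path, flag.strip() == "true", keys))
    return result


def audit(xml_text, intended):
    """Return (path, kind, detail) findings for the request body."""
    findings = []
    for path, qs, keys in parse_behaviors(xml_text):
        if not qs and keys:  # the case the API answers with InvalidArgument
            findings.append((path, "rejected-by-cloudfront",
                             f"QueryString=false with cache keys {keys}"))
        if path in intended and (qs, sorted(keys)) != (
                intended[path][0], sorted(intended[path][1])):
            findings.append((path, "differs-from-config",
                             f"sent {(qs, keys)}, intended {intended[path]}"))
    return findings
```

The second kind of finding is the one to watch for: it changes the cache key without any API error, so only a comparison against intent catches it.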


github-actions bot commented Oct 2, 2024

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Oct 2, 2024