Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failure when changing geo_restriction type in Cloudfront distribution to "none" #20807

Open
olevold opened this issue Sep 6, 2021 · 7 comments
Open

Failure when changing geo_restriction type in Cloudfront distribution to "none" #20807

olevold opened this issue Sep 6, 2021 · 7 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.

Comments

@olevold
Copy link

olevold commented Sep 6, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

terraform v1.0.0
hashicorp/aws v3.57.0

Affected Resource(s)

  • Cloudfront

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_s3_bucket" "b" {
  bucket = "mybucket"
  acl    = "private"

  tags = {
    Name = "My bucket"
  }
}

locals {
  s3_origin_id = "myS3Origin"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Some comment"
  default_root_object = "index.html"

  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }

  aliases = ["mysite.example.com", "yoursite.example.com"]

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  # Cache behavior with precedence 0
  ordered_cache_behavior {
    path_pattern     = "/content/immutable/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # Cache behavior with precedence 1
  ordered_cache_behavior {
    path_pattern     = "/content/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = "PriceClass_200"

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  tags = {
    Environment = "production"
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

then change restrictions block to:

restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

Debug Output

Panic Output

Expected Behavior

An AWS Cloudfront distribution should have its geo restrictions changed from a whitelist to "None" upon changing the Terraform script

Actual Behavior

Terraform output InvalidGeoRestrictionParameter: Your request contains invalid Restriction parameters.

Steps to Reproduce

  1. Create the distribution from example at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
  2. Update restrictions block as listed above

Important Factoids

References

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/cloudfront Issues and PRs that pertain to the cloudfront service. service/s3 Issues and PRs that pertain to the s3 service. labels Sep 6, 2021
@ewbankkit ewbankkit added bug Addresses a defect in current functionality. and removed service/s3 Issues and PRs that pertain to the s3 service. needs-triage Waiting for first response or review from a maintainer. labels Sep 8, 2021
@nick
Copy link

nick commented Oct 25, 2021

@olevold did you find a workaround?

@radsec
Copy link

radsec commented Nov 1, 2021

Also experiencing the same bug here. Only way to get this to build is to add some level of geo restrictions.

@radsec
Copy link

radsec commented Nov 1, 2021

Workaround

I was able to resolve the issue by using these settings.

Working settings but please see reproduction steps and details:

restrictions {
    geo_restriction {
      restriction_type = "none"
      locations = []
    }
  }

Details and Reproduction Steps

Terraform CLI and Terraform AWS Provider Version
Terraform v1.0.9 on darwin_amd64
hashicorp/aws v3.57.0

Affected Resource(s)

Cloudfront

Reproduction steps:

  1. set the following and applied:
restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations = ["US"]
    }
  }
  1. Set the following restrictions then applied, these match the above:
restrictions {
    geo_restriction {
      restriction_type = "none"
      locations = []
    }
  }

@ghost
Copy link

ghost commented Aug 19, 2022

I got the same error. and I also got a request body that terraform CLI sent with TF_LOG=DEBUG.

<?xml version="1.0"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/">
  <Comment>Some comment</Comment>
  <DefaultRootObject>index.html</DefaultRootObject>
  <Enabled>true</Enabled>
  <Origins>
    <Items>
      <Origin>
        <ConnectionAttempts>3</ConnectionAttempts>
        <ConnectionTimeout>10</ConnectionTimeout>
        <CustomHeaders>
          <Items/>
          <Quantity>0</Quantity>
        </CustomHeaders>
        <DomainName>example.s3.ap-northeast-1.amazonaws.com</DomainName>
        <Id>myS3Origin</Id>
        <OriginPath>/html</OriginPath>
        <S3OriginConfig>
          <OriginAccessIdentity>origin-access-identity/cloudfront/EXAMPLE</OriginAccessIdentity>
        </S3OriginConfig>
      </Origin>
    </Items>
    <Quantity>1</Quantity>
  </Origins>
  <Aliases>
    <Quantity>0</Quantity>
  </Aliases>
  <IsIPV6Enabled>true</IsIPV6Enabled>
  <PriceClass>PriceClass_200</PriceClass>
  <Restrictions>
    <GeoRestriction>
      <Items>
        <Location>JP</Location>
      </Items>
      <Quantity>1</Quantity>
      <RestrictionType>none</RestrictionType>
    </GeoRestriction>
  </Restrictions>
  <CacheBehaviors>
    <Quantity>0</Quantity>
  </CacheBehaviors>
  <CallerReference>terraform-000000000000000000</CallerReference>
  <ViewerCertificate>
    <MinimumProtocolVersion>TLSv1</MinimumProtocolVersion>
    <CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>
  </ViewerCertificate>
  <WebACLId/>
  <CustomErrorResponses>
    <Items/>
    <Quantity>0</Quantity>
  </CustomErrorResponses>
  <DefaultCacheBehavior>
    <AllowedMethods>
      <Quantity>7</Quantity>
      <CachedMethods>
        <Items>
          <Method>GET</Method>
          <Method>HEAD</Method>
        </Items>
        <Quantity>2</Quantity>
      </CachedMethods>
      <Items>
        <Method>POST</Method>
        <Method>GET</Method>
        <Method>HEAD</Method>
        <Method>PATCH</Method>
        <Method>DELETE</Method>
        <Method>OPTIONS</Method>
        <Method>PUT</Method>
      </Items>
    </AllowedMethods>
    <FunctionAssociations>
      <Items/>
      <Quantity>0</Quantity>
    </FunctionAssociations>
    <LambdaFunctionAssociations>
      <Items/>
      <Quantity>0</Quantity>
    </LambdaFunctionAssociations>
    <CachePolicyId>4135ea2d-6df8-44a3-9df3-4b5a84be39ad</CachePolicyId>
    <Compress>false</Compress>
    <FieldLevelEncryptionId/>
    <OriginRequestPolicyId/>
    <ResponseHeadersPolicyId/>
    <SmoothStreaming>false</SmoothStreaming>
    <TargetOriginId>myS3Origin</TargetOriginId>
    <TrustedKeyGroups>
      <Enabled>false</Enabled>
      <Quantity>0</Quantity>
    </TrustedKeyGroups>
    <TrustedSigners>
      <Enabled>false</Enabled>
      <Quantity>0</Quantity>
    </TrustedSigners>
    <ViewerProtocolPolicy>allow-all</ViewerProtocolPolicy>
  </DefaultCacheBehavior>
  <HttpVersion>http2</HttpVersion>
  <Logging>
    <Bucket/>
    <Enabled>false</Enabled>
    <IncludeCookies>false</IncludeCookies>
    <Prefix/>
  </Logging>
</DistributionConfig>

I think it looks wrong.

<Restrictions>
  <GeoRestriction>
    <Items>
      <Location>JP</Location>
    </Items>
    <Quantity>1</Quantity>
    <RestrictionType>none</RestrictionType>
  </GeoRestriction>
</Restrictions>

@asrindayananda
Copy link

For info

I couldn't just change restriction_type to whitelist or blacklist and remove the location. Location still was set in AWS Cloudfront console

I had to put my original location back, run apply

Then set as below and run apply

restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = [] 
    }
  }

@tyree731 tyree731 mentioned this issue Sep 22, 2023
Open
@github-actions GitHub Actions
Copy link

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 20, 2024
@theherk
Copy link
Contributor

theherk commented Sep 20, 2024

Not a great feature of github actions. Just because nobody has worked on a thing doesn't mean it is fixed. It is perfectly sensible to prioritize issues to the end of the list, but closing them out of hand is just silly. I suppose this comment will keep it alive.

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@nick @ewbankkit @theherk @asrindayananda @olevold @radsec