CloudFront distribution always shows to be updated when origin_shield is added #24323
Comments
Hey @sivanovhm 👋 Thank you for taking the time to raise this. I'm mostly acting in triaging this issue, but I noticed one callout in the
This note was more talking about deletion after creation/modification, but I'm wondering if you may be hitting some eventual consistency issues here. If you wait 15 minutes or so after running an apply, does the same issue persist?
Hey @justinretzolk, I confirm that even after 15 minutes (waited 60 minutes, just in case), origin shield still shows as enabled on the distribution. Please note that this is only when a If used with "normally", and I believe that these are most likely 2 separate problems, which are caused by the same thing.
For our case Terraform always resolves
@tom10271 I had the same issue. In my case it was my ordered_cache_behavior which was misconfigured:
If using Managed-CachingDisabled, just set default_ttl and max_ttl to 0.
My finding is if you are using a cache policy, you don't need to specify the TTLs at all, just delete them.
Any update on that?
Unless you prefer to control it... The default TTL for Managed-CachingOptimized is 1 day, which might be too short in some cases.
No genius, the point is if you want to set the TTL, you should set it in the Cache policy but not in the CloudFront Distribution.
Why would I create and maintain my own policy if I can just override default values of the AWS managed one? Less resources to maintain, less references to pass between modules, less complexity is definitely worth it.
The reason is extremely simple: there is no input field to set the TTL at all if you are editing a Cache policy for a CloudFront Distribution behaviour. This is how AWS works. You would say Terraform allows it, which is wrong; AWS simply does not allow the user to set the TTL at the Distribution level, but only to declare the TTL in the Cache Policy. And yes, if you are not happy with the default TTL, which is only 86400, you have to create your own Cache policy.
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Full aws_cloudfront_distribution configuration
Expected Behavior
Performing a terraform plan after origin_shield is already added via terraform should not mark aws_cloudfront_distribution for an in-place update. Vice versa for setting it to false.
Actual Behavior
Doing a terraform plan after origin_shield is already added via terraform shows aws_cloudfront_distribution to be updated in-place. Vice versa, if it is set to false it still shows it is going to set it to false. Moreover, when we tried to work around this issue with a dynamic block:
We observed the following: with var.enable_cloudfront_origin_shield = false, terraform marks that it is removing origin_shield, but in fact nothing happens and origin_shield still stays applied (when checked in the AWS Console).
Steps to Reproduce
1. Add the dynamic origin_shield block to your aws_cloudfront_distribution resource for your ALB origin, where enable_cloudfront_origin_shield is a boolean variable.
2. terraform plan
3. terraform apply
4. terraform plan
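The following is an added illustrative configuration, not the reporter's own (their config is not included above): it shows the dynamic origin_shield block driven by a boolean variable, as used in the workaround and reproduction steps, together with a cache behaviour that references the managed CachingDisabled policy by id and sets no default_ttl/max_ttl, as the comments recommend. The origin id, var.alb_dns_name and the origin shield region are assumed values.

```hcl
# Added example, not the issue author's configuration. Assumed names:
# var.alb_dns_name, origin id "alb_origin", region "us-east-1".
variable "enable_cloudfront_origin_shield" {
  type    = bool
  default = false
}
variable "alb_dns_name" {
  type = string
}
# Managed policy referenced by id; TTLs live in the policy, not here.
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

resource "aws_cloudfront_distribution" "this" {
  enabled = true

  origin {
    domain_name = var.alb_dns_name
    origin_id   = "alb_origin"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    # Dynamic-block workaround from the issue: the block is emitted only
    # when the variable is true; with false no origin_shield block is sent.
    dynamic "origin_shield" {
      for_each = var.enable_cloudfront_origin_shield ? [1] : []
      content {
        enabled              = true
        origin_shield_region = "us-east-1"
      }
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb_origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_disabled.id
    # No default_ttl / max_ttl here: with a cache policy they belong in the policy.
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

Per the report above, toggling the variable to false still shows a plan diff and leaves origin shield applied in the console, so verify the distribution state after apply rather than trusting the plan output.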
References