[Bug]: CloudFront distribution with an invalid OAC waits for deployment without creating the distribution #26850

Open
sashee opened this issue Sep 18, 2022 · 13 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.

Comments

@sashee

sashee commented Sep 18, 2022

Terraform Core Version

1.1.8

AWS Provider Version

4.31.0

Affected Resource(s)

  • aws_cloudfront_distribution
  • aws_cloudfront_origin_access_control

Expected Behavior

When the origin_access_control_origin_type does not match the origin type, Terraform should report an error.

Actual Behavior

terraform apply says Still creating... but the Console shows no Distribution is being deployed.

(screenshot: error_ss)

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudfront_origin_access_control" "oac" {
  name                              = "example_oac"
  description                       = ""
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "distribution" {
  origin {
    domain_name              = "example.com"
    origin_id                = "example"
    # Mismatch under test: the OAC above is of origin type "s3", but this origin is a custom origin
    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled = true

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "example"

    default_ttl = 0
    min_ttl     = 0
    max_ttl     = 0

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
    viewer_protocol_policy = "redirect-to-https"
    compress               = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
  http_version    = "http2and3"
  price_class     = "PriceClass_100"
  is_ipv6_enabled = true
}

Steps to Reproduce

  • terraform init
  • terraform apply

Debug Output

debug.log

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

@sashee sashee added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Sep 18, 2022
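Since the provider does not reject an s3-type OAC attached to a custom origin before calling CloudFront, a pre-apply check can catch the combination the report describes. The script below is an added example, not part of the issue or of the AWS provider: it reads the `configuration` section of `terraform show -json tfplan` output and flags any `aws_cloudfront_distribution` origin that references an `aws_cloudfront_origin_access_control` of origin type `s3` while also declaring `custom_origin_config` or pointing at an S3 website endpoint. The plan documents at the bottom are constructed by hand to mirror the issue's configuration; the resource names in them are assumptions.

```python
"""Pre-apply check for CloudFront OAC / origin type mismatches (added example)."""
import json
import sys

OAC_TYPE = "aws_cloudfront_origin_access_control"
DIST_TYPE = "aws_cloudfront_distribution"
WEBSITE_TYPE = "aws_s3_bucket_website_configuration"


def _constant(expr):
    """Constant value of a plan expression object, or None when it is a reference."""
    return expr.get("constant_value") if isinstance(expr, dict) else None


def _referenced_resource(expr, resource_type):
    """Address (type.name) of the resource of the given type that an expression references."""
    if not isinstance(expr, dict):
        return None
    for ref in expr.get("references", []):
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] == resource_type:
            return ".".join(parts[:2])
    return None


def find_oac_mismatches(plan):
    """Return (distribution address, origin_id, problem) tuples for s3-type OAC misuse."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    # Map each OAC resource address to its declared origin type.
    oac_types = {
        res["address"]: _constant(res["expressions"].get("origin_access_control_origin_type"))
        for res in resources if res["type"] == OAC_TYPE
    }
    problems = []
    for res in resources:
        if res["type"] != DIST_TYPE:
            continue
        # Nested blocks appear as lists of expression objects in the configuration section.
        for origin in res["expressions"].get("origin", []):
            oac_addr = _referenced_resource(origin.get("origin_access_control_id"), OAC_TYPE)
            if oac_addr is None or oac_types.get(oac_addr) != "s3":
                continue
            origin_id = _constant(origin.get("origin_id")) or "?"
            if origin.get("custom_origin_config"):
                problems.append((res["address"], origin_id,
                                 f"{oac_addr} is origin type s3 but the origin has custom_origin_config"))
            domain = _constant(origin.get("domain_name")) or ""
            if ".s3-website" in domain or _referenced_resource(origin.get("domain_name"), WEBSITE_TYPE):
                problems.append((res["address"], origin_id,
                                 "an s3-type OAC cannot front an S3 website endpoint; use the bucket REST endpoint"))
    return problems


def _plan_with_origin(origin):
    """Minimal constructed plan document (not real terraform output) around one origin block."""
    return {"configuration": {"root_module": {"resources": [
        {"address": "aws_cloudfront_origin_access_control.oac", "type": OAC_TYPE,
         "expressions": {"origin_access_control_origin_type": {"constant_value": "s3"}}},
        {"address": "aws_cloudfront_distribution.distribution", "type": DIST_TYPE,
         "expressions": {"origin": [origin]}},
    ]}}}


OAC_REF = {"references": ["aws_cloudfront_origin_access_control.oac.id",
                          "aws_cloudfront_origin_access_control.oac"]}

# Mirrors the issue's configuration: s3-type OAC plus a custom_origin_config block.
BROKEN_PLAN = _plan_with_origin({
    "domain_name": {"constant_value": "example.com"},
    "origin_id": {"constant_value": "example"},
    "origin_access_control_id": OAC_REF,
    "custom_origin_config": [{"origin_protocol_policy": {"constant_value": "https-only"}}],
})

# S3 website endpoint used as domain_name (assumed resource name "site").
WEBSITE_PLAN = _plan_with_origin({
    "domain_name": {"references": [f"{WEBSITE_TYPE}.site.website_endpoint", f"{WEBSITE_TYPE}.site"]},
    "origin_id": {"constant_value": "example"},
    "origin_access_control_id": OAC_REF,
})

# Bucket REST endpoint with no custom_origin_config: the shape OAC expects.
FIXED_PLAN = _plan_with_origin({
    "domain_name": {"references": ["aws_s3_bucket.site.bucket_regional_domain_name", "aws_s3_bucket.site"]},
    "origin_id": {"constant_value": "example"},
    "origin_access_control_id": OAC_REF,
})

if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python check_oac.py plan.json
    with open(sys.argv[1]) as fh:
        found = find_oac_mismatches(json.load(fh))
    for address, origin_id, problem in found:
        print(f"{address} origin {origin_id!r}: {problem}")
    sys.exit(1 if found else 0)
```

Run it between `terraform plan` and `terraform apply` so the mismatch fails fast instead of hanging in "Still creating...".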
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/cloudfront Issues and PRs that pertain to the cloudfront service. and removed bug Addresses a defect in current functionality. labels Sep 18, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 27, 2022
@irfan-ssh
Thanks, I have been looking for the solution since last week; today you finally solved my problem.

@irfan-ssh
How can I create a public and private key for CloudFront to restrict the viewer policy?

@madpipeline
Contributor

madpipeline commented Aug 21, 2023

I just ran into this issue... somewhat. I have the configuration you give in your example. I'm greeted with this error upon terraform apply:

Error: updating CloudFront Distribution (XXXXXXX): IllegalOriginAccessConfiguration: Illegal configuration: The origin type and OAC origin type differ.

I think this bug is fixed.

@ketanskanade

Error: updating CloudFront Distribution (XXXXXXXXXX): IllegalOriginAccessConfiguration: Illegal configuration: The origin type and OAC origin type differ.
│ status code: 400, request id: xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx

│ with aws_cloudfront_distribution.s3_distribution,
│ on cloudfront.tf line 9, in resource "aws_cloudfront_distribution" "s3_distribution":
│ 9: resource "aws_cloudfront_distribution" "s3_distribution"

@ketanskanade
Can someone please help with the above error I am getting while using custom_origin_config?

@madpipeline
Contributor

madpipeline commented Aug 29, 2023

You can't use custom_origin_config with an S3 bucket with OAC. You need to use:

origin {
  domain_name              = aws_s3_bucket.main.bucket_domain_name
  origin_id                = aws_s3_bucket.main.id
  origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
}

See this for more info: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

@ketanskanade
After removing the custom_origin_config block, it gives me the error below:

Error: updating CloudFront Distribution (XXXXXXX): InvalidArgument: The parameter Origin DomainName does not refer to a valid S3 bucket.
│       status code: 400, request id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
│ 
│   with aws_cloudfront_distribution.s3_distribution,
│   on cloudfront.tf line 9, in resource "aws_cloudfront_distribution" "s3_distribution":
│    9: resource "aws_cloudfront_distribution" "s3_distribution"

@ketanskanade
I want to set the origin block below for my CloudFront distribution, as I want to use website_endpoint as the domain name for the CloudFront distribution.

origin {
  domain_name              = aws_s3_bucket_website_configuration.xxxxxx_xxxxx_bucket_website_configuration.website_endpoint
  origin_access_control_id = aws_cloudfront_origin_access_control.xxxxx_xxxx_cloudfront_origin_access_control.id
  origin_id                = local.s3_origin_id
}

@madpipeline
Contributor

This thread is not the right place to debug this. Let's please keep the discussion on topic.

For your issue, see the link I gave you. You don't use the S3 website links in CloudFront when using OAC.

@ketanskanade
If the S3 website link is not allowed with OAC, then what needs to be done to use the S3 website link in a CloudFront distribution?

@chrispsheehan
👋 for anyone seeing this... here's an MVP CloudFront/S3 OAC working example 👉 https://gist.github.com/chrispsheehan/ed9de23b4b36ca890082ae56e6ab7455

I found that some conflation between the (legacy) OAI and (currently recommended) OAC approaches gave me errors.

@tsnobip
tsnobip commented Jun 7, 2024

So there's no way to deploy an S3 static website behind CloudFront with Terraform?
