
Origin recreation caused by adding origin shield enabled = false. #142

Closed
m00nh3ck opened this issue May 3, 2024 · 6 comments

Comments

m00nh3ck commented May 3, 2024

Description

Copied from the complete example, then just added a few bits and removed the S3 integration.

## Reproduction Code 

```hcl
module "cloudfront-xx-xx" {
  # Used by ixxx (Images for Websites)
  source = "./../../../modules/terraform-aws-cloudfront-master"

  providers = {
    aws = aws.aws-global
  }

  aliases = ["xxx"]

  comment             = "xxx"
  enabled             = true
  staging             = false # If you want to create a staging distribution, set this to true
  http_version        = "http2and3"
  is_ipv6_enabled     = true
  price_class         = "PriceClass_All"
  retain_on_delete    = false
  wait_for_deployment = false

  # If you want to create a primary distribution with a continuous deployment policy, set this to the ID of the policy.
  # This argument should only be set on a production distribution.
  # ref. `aws_cloudfront_continuous_deployment_policy` resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_continuous_deployment_policy
  continuous_deployment_policy_id = null

  # When you enable additional metrics for a distribution, CloudFront sends up to 8 metrics to CloudWatch in the US East (N. Virginia) Region.
  # This rate is charged only once per month, per metric (up to 8 metrics per distribution).
  create_monitoring_subscription = true
  create_origin_access_identity  = false
  create_origin_access_control   = false

  origin = {
    xx-xx-co-uk = {
      origin_path         = ""
      connection_attempts = 3
      connection_timeout  = 10
      domain_name         = "xx"
      custom_origin_config = {
        http_port                = 80
        https_port               = 443
        origin_keepalive_timeout = 5
        origin_read_timeout      = 30
        origin_protocol_policy   = "match-viewer"
        # TLSv1 and TLSv1.1 are deprecated protocol versions; ["TLSv1.2"] alone is the safer choice when the origin supports it.
        origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
      }

      # If this block is present it causes constant recreation; it needs to be commented out.
      origin_shield = {
        enabled              = false
        origin_shield_region = "us-east-1"
      }
    }
  }

  default_cache_behavior = {
    path_pattern           = ""
    target_origin_id       = "xx-xx-xx-xx"
    viewer_protocol_policy = "allow-all"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]

    use_forwarded_values = false

    cache_policy_id          = "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
    origin_request_policy_id = "33f36d7e-f396-46d9-90e0-52428a34d9dc" # Policy to forward all parameters in viewer requests
  }

  viewer_certificate = {
    acm_certificate_arn = "xxx"
    ssl_support_method  = "sni-only"
  }
}
```

Steps to reproduce the behavior:

```text
  # module.cloudfront-xx-xx.aws_cloudfront_distribution.this will be updated in-place
  resource "aws_cloudfront_distribution" "this" {
        id                             = "xx"
        tags                           = {}
        # (20 unchanged attributes hidden)

      - origin {
          - connection_attempts = 3 -> null
          - connection_timeout  = 10 -> null
          - domain_name         = "xxx" -> null
          - origin_id           = "xxx" -> null

          - custom_origin_config {
              - http_port                = 80 -> null
              - https_port               = 443 -> null
              - origin_keepalive_timeout = 5 -> null
              - origin_protocol_policy   = "match-viewer" -> null
              - origin_read_timeout      = 30 -> null
              - origin_ssl_protocols     = [
                  - "TLSv1",
                  - "TLSv1.1",
                  - "TLSv1.2",
                ] -> null
            }
        }
      + origin {
          + connection_attempts = 3
          + connection_timeout  = 10
          + domain_name         = "xxx"
          + origin_id           = "xx"

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "match-viewer"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1",
                  + "TLSv1.1",
                  + "TLSv1.2",
                ]
            }

          # The block below is the only new content, yet the whole origin is replaced:
          + origin_shield {
              + enabled              = false
              + origin_shield_region = "us-east-1"
            }
        }

        # (3 unchanged blocks hidden)
    }
```

Expected behavior

Do nothing

Actual behavior

Recreated origin
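An added check, not part of the module or of this issue, that reads the JSON form of a plan (`terraform show -json tfplan`) and flags the pattern shown above: an origin removed and re-added where the only difference is a disabled origin_shield block. The sample plan, the resource address and the origin id are constructed placeholders.

```python
"""Flag CloudFront origins that a plan replaces only because a disabled
origin_shield block was added (the perpetual diff described in this issue)."""
import copy
import json

# Constructed sample in the shape of `terraform show -json tfplan` output,
# reduced to the fields this check reads; it is not a plan from the issue.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "module.cloudfront.aws_cloudfront_distribution.this",
    "type": "aws_cloudfront_distribution",
    "change": {
        "actions": ["update"],
        "before": {"origin": [{
            "origin_id": "example", "domain_name": "origin.example.test",
            "custom_origin_config": [{"http_port": 80, "https_port": 443}],
            "origin_shield": []}]},
        "after": {"origin": [{
            "origin_id": "example", "domain_name": "origin.example.test",
            "custom_origin_config": [{"http_port": 80, "https_port": 443}],
            "origin_shield": [{"enabled": False, "origin_shield_region": "us-east-1"}]}]},
    }}]})

def _normalize(origin):
    """Copy an origin with a *disabled* origin_shield block dropped: that
    block is exactly what the plan above keeps reporting as new."""
    o = copy.deepcopy(origin)
    shield = o.get("origin_shield") or []
    if shield and not shield[0].get("enabled", False):
        o["origin_shield"] = []
    return o

def _by_id(origins):
    return {o["origin_id"]: _normalize(o) for o in origins or []}

def spurious_origin_changes(plan_json):
    """Return addresses of distributions whose planned origin diff vanishes
    once disabled origin_shield blocks are ignored (a needless replace)."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_cloudfront_distribution":
            continue
        change = rc["change"]
        if "update" not in change["actions"]:
            continue
        before = (change.get("before") or {}).get("origin")
        after = (change.get("after") or {}).get("origin")
        if before != after and _by_id(before) == _by_id(after):
            hits.append(rc["address"])
    return hits
```

Run it in CI against the plan before apply; a hit means the distribution would churn with no effective configuration change, which is worth blocking until the origin_shield block is removed.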

@antonbabenko (Member) commented:

It is already a known issue in the Terraform AWS provider - hashicorp/terraform-provider-aws#20659

We can't do anything about it in the module.

@m00nh3ck (Author)

m00nh3ck commented May 3, 2024 via email

@antonbabenko (Member) commented:

There is no need to keep track of Terraform AWS provider issues in the modules. Also, things change in the provider on its own schedule.

@m00nh3ck (Author)

m00nh3ck commented May 3, 2024 via email

@antonbabenko (Member) commented:

I see what you mean now. You are right. We should comment out that block in the example so that the example looks good and works. Could you do it and open a PR?

github-actions bot commented Jun 3, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 3, 2024