Terraform-provider-aws: CloudFront default_cache_behaviour changes with every apply

Created on 11 Jul 2017  ·  17 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @bentterp as hashicorp/terraform#15526. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

0.9.11

Terraform Configuration Files

resource "aws_cloudfront_distribution" "watermarked" {
  price_class = "PriceClass_100"
  enabled             = true
  is_ipv6_enabled     = true
  comment             = "SignedURL WatermarkedFiles"
  default_root_object = "index.html"

  origin {
    domain_name = "${var.watermarked-domain}"
    origin_id   = "Watermarked"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.dds.cloudfront_access_identity_path}"
    }
  }

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    trusted_signers = ["${var.account_id}"]
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "Watermarked"
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  logging_config {
    include_cookies = false
    bucket          = "${aws_s3_bucket.cloudfront_logs.bucket_domain_name}"
    prefix          = "watermarked"
  }

  restrictions {
      geo_restriction {
        restriction_type = "none"
      }
  }

  tags {
        "CostCenter"  = "${var.costcenter}"
        "Environment" = "${var.environment}"
    }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

resource "aws_cloudfront_distribution" "master" {
  price_class = "PriceClass_100"
  enabled             = true
  is_ipv6_enabled     = true
  comment             = "SignedURL MasterFiles"
  default_root_object = "index.html"

  origin {
    domain_name = "${var.master-domain}"
    origin_id   = "Master"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.dds.cloudfront_access_identity_path}"
    }
  }

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    trusted_signers = ["${var.account_id}"]
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "Master"
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  logging_config {
    include_cookies = false
    bucket          = "${aws_s3_bucket.cloudfront_logs.bucket_domain_name}"
    prefix          = "master"
  }

  restrictions {
      geo_restriction {
        restriction_type = "none"
      }
  }

  tags {
        "CostCenter"  = "${var.costcenter}"
        "Environment" = "${var.environment}"
    }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

resource "aws_cloudfront_distribution" "hls" {
  price_class = "PriceClass_100"
  enabled             = true
  is_ipv6_enabled     = true
  comment             = "SignedURL HLSFiles"
  default_root_object = "index.html"

  origin {
    domain_name = "${var.hls-domain}"
    origin_id   = "HLS"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.dds.cloudfront_access_identity_path}"
    }
  }

  origin {
    domain_name = "${var.hls-segments-domain}"
    origin_id   = "HLSSegments"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.dds.cloudfront_access_identity_path}"
    }
  }

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    trusted_signers = ["${var.account_id}"]
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "HLS"
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  cache_behavior {
    path_pattern = "s/*"
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "HLSSegments"
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  logging_config {
    include_cookies = false
    bucket          = "${aws_s3_bucket.cloudfront_logs.bucket_domain_name}"
    prefix          = "hls"
  }

  restrictions {
      geo_restriction {
        restriction_type = "none"
      }
  }

  tags {
        "CostCenter"  = "${var.costcenter}"
        "Environment" = "${var.environment}"
    }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}


resource "aws_cloudfront_origin_access_identity" "dds" {
  comment = "content delivery for DDS"
}

resource "aws_s3_bucket" "cloudfront_logs" {
  bucket = "test-${var.environment}-cloudfront-logs"
  acl = "private"
  region = "${var.region}"
  lifecycle { prevent_destroy = false }
  tags {
    "CostCenter"     = "${var.costcenter}"
    "Environment"    = "${var.environment}"
  }
}

Debug Output

https://gist.github.com/bentterp/cad2624a66ed8f9ee2b4da2c20ed1984

Expected Behavior

When I change nothing in the configuration, I would expect no changes to be made.

Actual Behavior

All 3 default_cache_behaviours change to something identical, very similar to issue hashicorp/terraform#7930, except I do specify an s3_origin_config stanza with a defined origin_access_identity as per the documentation.

Steps to Reproduce

  1. terraform apply

References

  • hashicorp/terraform#7930
bug service/cloudfront

All 17 comments

Looks like this still happens with 0.11.1

Yes, I can confirm it's also failing for me, with a very similar configuration.

I'm also having the same issue with very similar configuration, but I'm using 0.11.3

Can someone post their plan output please (with any sensitive information redacted)?

Terraform Version
0.11.3

Terraform configuration

data "template_file" "static_website_bucket_policy" {
  template = "${file("${path.module}/templates/website_bucket_policy.json")}"

  vars {
    bucket = "${var.website_bucket_name}"
  }
}

resource "aws_s3_bucket" "static_website" {
  bucket = "${var.website_bucket_name}"
  policy = "${data.template_file.static_website_bucket_policy.rendered}"
  acl    = "public-read"
  tags   = "${var.tags}"

  website {
    index_document = "index.html"
    error_document = "error.html"
  }
}

resource "aws_cloudfront_origin_access_identity" "main" {
  comment = "Make sure user only access content from the bucket through CloudFront URLs"
}

resource "aws_cloudfront_distribution" "static_website_cdn" {
  enabled      = true
  price_class  = "PriceClass_All"
  http_version = "http2"

  origin {
    origin_id   = "origin-bucket-${aws_s3_bucket.static_website.id}"
    domain_name = "${aws_s3_bucket.static_website.bucket_domain_name}"

    s3_origin_config = {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path}"
    }
  }

  default_root_object = "index.html"

  custom_error_response {
    error_code            = "404"
    error_caching_min_ttl = "360"
    response_code         = "404"
    response_page_path    = "/404.html"
  }

  default_cache_behavior {
    # blocking update and delete; not needed for static website
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD"]

    min_ttl          = "${var.min_ttl}"
    default_ttl      = "${var.default_ttl}"
    max_ttl          = "${var.max_ttl}"
    target_origin_id = "origin-bucket-${aws_s3_bucket.static_website.id}"

    // This redirects any HTTP request to HTTPS. Security first!
    viewer_protocol_policy = "redirect-to-https"
    compress               = true

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    "geo_restriction" {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
    acm_certificate_arn            = "${var.acm_certificate_arn}"
    ssl_support_method             = "sni-only"
    minimum_protocol_version       = "TLSv1.1_2016"
  }
}

#---------------------------------------------------------
# Route 53 Records
#---------------------------------------------------------
resource "aws_route53_record" "cdn_alias" {
  zone_id = "${var.zone_id}"
  name    = "${var.website_subdomain}"
  type    = "A"

  alias {
    name                   = "${aws_cloudfront_distribution.static_website_cdn.domain_name}"
    zone_id                = "${aws_cloudfront_distribution.static_website_cdn.hosted_zone_id}"
    evaluate_target_health = false
  }
}

Apply Output

~ module.website.aws_cloudfront_distribution.static_website_cdn
      viewer_certificate.123456.acm_certificate_arn:            "arn:aws:acm:us-east-1:certificatenum" => ""
      viewer_certificate.123456.cloudfront_default_certificate: "false" => "false"
      viewer_certificate.123456.iam_certificate_id:             "" => ""
      viewer_certificate.123456.minimum_protocol_version:       "TLSv1.1_2016" => ""
      viewer_certificate.123456.ssl_support_method:             "sni-only" => ""
      viewer_certificate.654321.acm_certificate_arn:            "" => "arn:aws:acm:us-east-1certificatenum"
      viewer_certificate.654321.cloudfront_default_certificate: "" => "true"
      viewer_certificate.654321.iam_certificate_id:             "" => ""
      viewer_certificate.654321.minimum_protocol_version:       "" => "TLSv1.1_2016"
      viewer_certificate.654321.ssl_support_method:             "" => "sni-only"

Expected Behaviour

A clean plan. There should be no changes at all.

Actual Behaviour

There are changes to the plan.

Steps To Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform plan

Let me know if you require anything else.

I removed cloudfront_default_certificate = true from the viewer_certificate block and it is now running as expected. I think I know what the problem was. I had to specify either cloudfront_default_certificate, acm_certificate_arn, or iam_certificate_id. But I was putting in two of these which was causing some issues in the dependency tree?

My situation appears different from @codeinaire's

Config and plan:

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "files_bucket" {
  bucket = "xxx-${var.environment}-app"
  acl    = "private"
  region = "${data.aws_region.current.name}"

  policy = "${data.aws_iam_policy_document.files_policy.json}"

  versioning {
    enabled = true
  }

  tags {
    Environment = "${var.environment}"
  }

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "GET"]
    allowed_origins = ["*"]
  }

  lifecycle_rule {
    enabled = true

    noncurrent_version_expiration {
      days = "${var.version_expiration}"
    }

    expiration {
      expired_object_delete_marker = true
    }
  }

  lifecycle_rule {
    enabled = true

    abort_incomplete_multipart_upload_days = "${var.multipart_upload_expiration}"
  }
}

resource "aws_cloudfront_origin_access_identity" "cloudfront_identity" {
  comment = "xxx cloudfront identity"
}

data "aws_iam_policy_document" "files_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::xxx-${var.environment}-app/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.cloudfront_identity.iam_arn}"]
    }
  }
}

resource "aws_cloudfront_distribution" "files_distribution" {
  enabled         = true
  is_ipv6_enabled = true
  comment         = "xxx files distribution"
  price_class     = "PriceClass_100"

  origin {
    domain_name = "${aws_s3_bucket.files_bucket.bucket_domain_name}"
    origin_id   = "s3_files_bucket"

    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.cloudfront_identity.cloudfront_access_identity_path}"
    }
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "s3_files_bucket"
    compress         = true
    trusted_signers  = ["${data.aws_caller_identity.current.account_id}"]

    viewer_protocol_policy = "https-only"
    min_ttl                = 0
    default_ttl            = 30
    max_ttl                = 86400

    forwarded_values {
      query_string = true

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  tags {
    Environment = "${var.environment}"
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Terraform will perform the following actions:

  ~ module.xxx_files.aws_cloudfront_distribution.files_distribution
      default_cache_behavior.2621983866.allowed_methods.#:                                                  "0" => "3"
      default_cache_behavior.2621983866.allowed_methods.0:                                                  "" => "GET"
      default_cache_behavior.2621983866.allowed_methods.1:                                                  "" => "HEAD"
      default_cache_behavior.2621983866.allowed_methods.2:                                                  "" => "OPTIONS"
      default_cache_behavior.2621983866.cached_methods.#:                                                   "0" => "2"
      default_cache_behavior.2621983866.cached_methods.0:                                                   "" => "GET"
      default_cache_behavior.2621983866.cached_methods.1:                                                   "" => "HEAD"
      default_cache_behavior.2621983866.compress:                                                           "" => "true"
      default_cache_behavior.2621983866.default_ttl:                                                        "" => "30"
      default_cache_behavior.2621983866.forwarded_values.#:                                                 "0" => "1"
      default_cache_behavior.2621983866.forwarded_values.2555876073.cookies.#:                              "0" => "1"
      default_cache_behavior.2621983866.forwarded_values.2555876073.cookies.2625240281.forward:             "" => "none"
      default_cache_behavior.2621983866.forwarded_values.2555876073.cookies.2625240281.whitelisted_names.#: "0" => "0"
      default_cache_behavior.2621983866.forwarded_values.2555876073.headers.#:                              "0" => "0"
      default_cache_behavior.2621983866.forwarded_values.2555876073.query_string:                           "" => "true"
      default_cache_behavior.2621983866.forwarded_values.2555876073.query_string_cache_keys.#:              "0" => "0"
      default_cache_behavior.2621983866.lambda_function_association.#:                                      "0" => "0"
      default_cache_behavior.2621983866.max_ttl:                                                            "" => "86400"
      default_cache_behavior.2621983866.min_ttl:                                                            "" => "0"
      default_cache_behavior.2621983866.smooth_streaming:                                                   "" => ""
      default_cache_behavior.2621983866.target_origin_id:                                                   "" => "s3_files_bucket"
      default_cache_behavior.2621983866.trusted_signers.#:                                                  "0" => "1"
      default_cache_behavior.2621983866.trusted_signers.0:                                                  "" => "731459125315"
      default_cache_behavior.2621983866.viewer_protocol_policy:                                             "" => "https-only"
      default_cache_behavior.4147833275.allowed_methods.#:                                                  "3" => "0"
      default_cache_behavior.4147833275.allowed_methods.0:                                                  "HEAD" => ""
      default_cache_behavior.4147833275.allowed_methods.1:                                                  "GET" => ""
      default_cache_behavior.4147833275.allowed_methods.2:                                                  "OPTIONS" => ""
      default_cache_behavior.4147833275.cached_methods.#:                                                   "2" => "0"
      default_cache_behavior.4147833275.cached_methods.0:                                                   "HEAD" => ""
      default_cache_behavior.4147833275.cached_methods.1:                                                   "GET" => ""
      default_cache_behavior.4147833275.compress:                                                           "true" => "false"
      default_cache_behavior.4147833275.default_ttl:                                                        "30" => "0"
      default_cache_behavior.4147833275.forwarded_values.#:                                                 "1" => "0"
      default_cache_behavior.4147833275.forwarded_values.2555876073.cookies.#:                              "1" => "0"
      default_cache_behavior.4147833275.forwarded_values.2555876073.cookies.2625240281.forward:             "none" => ""
      default_cache_behavior.4147833275.forwarded_values.2555876073.cookies.2625240281.whitelisted_names.#: "0" => "0"
      default_cache_behavior.4147833275.forwarded_values.2555876073.headers.#:                              "0" => "0"
      default_cache_behavior.4147833275.forwarded_values.2555876073.query_string:                           "true" => "false"
      default_cache_behavior.4147833275.forwarded_values.2555876073.query_string_cache_keys.#:              "0" => "0"
      default_cache_behavior.4147833275.lambda_function_association.#:                                      "0" => "0"
      default_cache_behavior.4147833275.max_ttl:                                                            "86400" => "0"
      default_cache_behavior.4147833275.min_ttl:                                                            "0" => "0"
      default_cache_behavior.4147833275.smooth_streaming:                                                   "false" => "false"
      default_cache_behavior.4147833275.target_origin_id:                                                   "s3_files_bucket" => ""
      default_cache_behavior.4147833275.trusted_signers.#:                                                  "1" => "0"
      default_cache_behavior.4147833275.trusted_signers.0:                                                  "self" => ""
      default_cache_behavior.4147833275.viewer_protocol_policy:                                             "https-only" => ""

Thanks for the verbose report, @soulrebel! Looks like the source of your difference is (the middle number being just a hash value of everything under it):

default_cache_behavior.2621983866.trusted_signers.0:                                                  "" => "731459125315"
...
default_cache_behavior.4147833275.trusted_signers.0:                                                  "self" => ""

It looks like Amazon might be changing the account number into self behind the scenes. Does it go away if you use trusted_signers = ["self"]?
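
Added example (not part of the original thread, and not code from Terraform or the AWS provider): a small script that does the comparison from the comment above mechanically. It pairs the "removed" and "added" copies of a hashed set block in Terraform 0.11 plan output, ignores the hash segments and list order, and reports only the attributes whose values really differ. The sample plan, its hashes and the account ID are constructed, and treating `""`, `"0"` and `"false"` as "unset" is an assumption of this sketch.

```python
import re
from collections import defaultdict

# One attribute line of a Terraform 0.11 plan:  path: "old" => "new"
LINE_RE = re.compile(r'^\s*([\w.#~\-]+):\s+"(.*?)"\s+=>\s+"(.*)"\s*$')
ZERO = {"", "0", "false"}  # assumption: how an unset attribute is rendered


def parse_plan(text):
    """Return [(path, old, new)] for every attribute line in the plan text."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def normalize(path):
    """Split off block name and top-level hash; mask nested hashes with '*'."""
    parts = path.split(".")
    if len(parts) < 3 or not parts[1].lstrip("~").isdigit():
        return None  # not an attribute of a hashed set block
    block, top_hash, rest = parts[0], parts[1], parts[2:]
    masked = [
        "*" if seg.lstrip("~").isdigit() and i < len(rest) - 1 else seg
        for i, seg in enumerate(rest)
    ]
    return block, top_hash, ".".join(masked)


def collapse(attrs):
    """Fold list items (key.N) into one sorted tuple so order is ignored."""
    out, lists = {}, defaultdict(list)
    for key, value in attrs.items():
        parent, _, last = key.rpartition(".")
        if last.isdigit():
            lists[parent].append(value)
        elif last != "#":  # element counts are implied by the lists themselves
            out[key] = value
    out.update({k: tuple(sorted(v)) for k, v in lists.items()})
    return out


def _unset(value):
    return value in ZERO or value == ()


def real_differences(plan_text, block="default_cache_behavior"):
    """Return [(attribute, value_in_state, value_in_config)] that truly differ."""
    groups = defaultdict(list)
    for path, old, new in parse_plan(plan_text):
        norm = normalize(path)
        if norm and norm[0] == block:
            groups[norm[1]].append((norm[2], old, new))

    state, config = {}, {}
    for top_hash, lines in groups.items():
        removed = sum(1 for _, o, n in lines if o not in ZERO and n in ZERO)
        added = sum(1 for _, o, n in lines if o in ZERO and n not in ZERO)
        # The copy being added is the configuration; "~" marks a computed hash.
        if top_hash.startswith("~") or added > removed:
            config.update({key: n for key, _, n in lines})
        else:
            state.update({key: o for key, o, _ in lines})

    state, config = collapse(state), collapse(config)
    diffs = []
    for key in sorted(set(state) | set(config)):
        s, c = state.get(key, ""), config.get(key, "")
        if s != c and not (_unset(s) and _unset(c)):
            diffs.append((key, s, c))
    return diffs


# Constructed sample modelled on the plan output in this thread.
SAMPLE_PLAN = '''
  ~ aws_cloudfront_distribution.files_distribution
      default_cache_behavior.1111111111.allowed_methods.#:  "0" => "2"
      default_cache_behavior.1111111111.allowed_methods.0:  "" => "GET"
      default_cache_behavior.1111111111.allowed_methods.1:  "" => "HEAD"
      default_cache_behavior.1111111111.compress:           "" => "true"
      default_cache_behavior.1111111111.forwarded_values.2222222222.query_string: "" => "true"
      default_cache_behavior.1111111111.smooth_streaming:   "" => ""
      default_cache_behavior.1111111111.trusted_signers.#:  "0" => "1"
      default_cache_behavior.1111111111.trusted_signers.0:  "" => "111122223333"
      default_cache_behavior.3333333333.allowed_methods.#:  "2" => "0"
      default_cache_behavior.3333333333.allowed_methods.0:  "HEAD" => ""
      default_cache_behavior.3333333333.allowed_methods.1:  "GET" => ""
      default_cache_behavior.3333333333.compress:           "true" => "false"
      default_cache_behavior.3333333333.forwarded_values.2222222222.query_string: "true" => "false"
      default_cache_behavior.3333333333.smooth_streaming:   "false" => "false"
      default_cache_behavior.3333333333.trusted_signers.#:  "1" => "0"
      default_cache_behavior.3333333333.trusted_signers.0:  "self" => ""
'''

if __name__ == "__main__":
    for attr, in_state, in_config in real_differences(SAMPLE_PLAN):
        print(f"{attr}: state={in_state!r} config={in_config!r}")
```

Passing `block="viewer_certificate"` applies the same comparison to the certificate diff posted earlier in the thread.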

@bflad it does indeed go away thanks.
(I haven't tried creating from scratch with this configuration, yet)

I think I have an additional case.

The config statement in default_cache_behavior.forwarded_values.headers is causing the execution planner to respond with four elements rather than three as configured. This is reproducing the aws_cloudfront_distribution replay error as described previously. The 'Origin' header is being listed twice.

headers = ["Access-Control-Request-Headers", "Access-Control-Request-Method", "Origin"]

```
default_cache_behavior.3168003594.forwarded_values.3697477913.headers.0: "" => "Origin"
default_cache_behavior.3168003594.forwarded_values.3697477913.headers.1: "" => "Access-Control-Request-Headers"
default_cache_behavior.3168003594.forwarded_values.3697477913.headers.2: "" => "Access-Control-Request-Method"
default_cache_behavior.3168003594.forwarded_values.3697477913.headers.3: "" => "Origin"
```

Is this causing the issues in #3842 and/or #4338? Having similar errors myself. Thanks.

I have a similar issue that appears to be caused by lambda association.

default_cache_behavior.1616697633.lambda_function_association.125172901.event_type:                   "origin-response" => ""
default_cache_behavior.1616697633.lambda_function_association.125172901.lambda_arn:                   "arn:aws:lambda:us-east-1:115767377948:function:ui-security-headers:2" => ""
....
default_cache_behavior.~65099260.lambda_function_association.~4218736594.event_type:                  "" => "origin-response"
default_cache_behavior.~65099260.lambda_function_association.~4218736594.lambda_arn:                  "" => "${aws_lambda_function.source.arn}:${aws_lambda_function.source.version}"

This seems to occur when I have a data archive feed into the lambda that "depends_on" a null resource. Removing the "depends_on" and using a trigger in the null resource seems to get me around this, however, I'm not sure if it will pick up changes.

We also have an issue in combination with Lambda@Edge (lambda_function_association) and CloudFront that only occurs after some time (information marked *HIDDEN* was manually redacted):

Terraform Version: 0.11.7
    Resource ID: aws_cloudfront_distribution.web
    Mismatch reason: attribute mismatch: default_cache_behavior.682996828.allowed_methods.#
NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
    Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff(nil), Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Our static stack (CloudFront, S3 and Route53 entry) is used as a module and we pass the lambda arn/version (lambda@edge) + event type for the lambda_function_association as a variable to it. The lambda itself depends on an archive_file data which also depends on another null_resource.

A workaround for us is to change the lambda function content. Then the archive hash changes definitely and terraform applies the updated default_cache_behavior correctly.

@gcallaghan sounds really similar to your description.

In the original issue, the problem was that empty values for:
s3_origin_config { origin_access_identity = "" }

were causing constant changes to be reported, because origin.<number>.s3_origin_config.# was zero on every subsequent run, and then an empty one would be added, and then on the next run, it'd be zero again.

This is because of the semantics of this value from AWS:

If you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.

To delete the origin access identity from an existing distribution, update the distribution configuration and include an empty OriginAccessIdentity element. 

https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_S3OriginConfig.html

We're asking Terraform to delete it, by providing an empty string for the value. Then the various CloudFront API calls report nothing is present, again.

I'm still seeing this in the newest version, provider.aws v1.41.0.

Hi folks 👋 Sorry for the trouble with the aws_cloudfront_distribution resource. Since its original implementation, there were many configuration blocks that did not benefit from certain difference simplifications and arguments that were incorrectly using ordered lists instead of sets. Usually these types of implementation details surface in unexpected ways during Terraform runs as "diffs didn't match during apply" errors in Terraform 0.11 and prior. (Aside: in Terraform 0.12 and later, these types of errors will include much better diagnostic information rather than dumping the raw differences.)

The configuration block simplifications and fixes were applied to the resource logic in version 2.0.0 of the Terraform AWS Provider, which will be releasing very shortly. Existing configurations should mostly work as they did previously, but aws_cloudfront_distribution resource updates and recreations should perform more reliably now without these errors. Since there were a large number of varying "diffs didn't match during apply" reports, we are opting to close all these issues which appear to fall under this category.

We encourage everyone to file a new GitHub issue once upgraded to version 2.0.0 of the Terraform AWS Provider, should there be any further problems, so we can appropriately triage them. Thanks for your understanding and hope the upgrade is helpful. 😄

@bflad Thank you so much for this PR 🎉 We still have an issue with lambda_function_association (https://github.com/terraform-providers/terraform-provider-aws/issues/7780) but it is much better right now.

Looking again at the original issue description and debug logs, it appears the original issue should be resolved with version 2.0.0 of the Terraform AWS Provider since it should properly allow allowed_methods and cached_methods to be defined in any order in the Terraform configuration.

Since this issue has become a bit of a catch-all for various potential issues with default_cache_behavior handling, I'm going to close and lock it to encourage new reports. Please do create additional GitHub issues should anything else require further triage on the newer version. 👍

FYI we also have some additional fixes occurring in version 2.1.0 of the Terraform AWS Provider with the aws_cloudfront_distribution resource.
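The two causes discussed in this thread (method lists compared by position, and an empty origin_access_identity block that reads back as absent) can be reproduced in a small model. This is an added example, not code from the thread or from the provider: the `Behavior` type, the `refresh` read-back model, and the HEAD-before-GET ordering (taken from the state side of the debug dump) are assumptions.

```go
package main

import (
	"reflect"
	"sort"
)

// Behavior is a constructed stand-in for the attributes discussed in the thread.
type Behavior struct {
	AllowedMethods       []string
	S3OriginConfigBlocks int // models origin.<number>.s3_origin_config.#
	OriginAccessIdentity string
}

// normalize gives methods set semantics and treats an empty-identity block as absent.
func normalize(b Behavior) Behavior {
	b.AllowedMethods = append([]string(nil), b.AllowedMethods...)
	sort.Strings(b.AllowedMethods)
	if b.OriginAccessIdentity == "" {
		b.S3OriginConfigBlocks = 0
	}
	return b
}

// refresh models the read-back (assumed): empty identity yields no block, HEAD precedes GET.
func refresh(applied Behavior) Behavior {
	out := normalize(applied) // reused only for the copy and the dropped empty block
	sort.Sort(sort.Reverse(sort.StringSlice(out.AllowedMethods)))
	return out
}

// listDiff compares position by position; setDiff compares after normalize.
func listDiff(cfg, state Behavior) bool { return !reflect.DeepEqual(cfg, state) }
func setDiff(cfg, state Behavior) bool  { return !reflect.DeepEqual(normalize(cfg), normalize(state)) }

// DirtyPlans counts how many of runs apply-then-plan cycles still report a change.
func DirtyPlans(cfg Behavior, diff func(a, b Behavior) bool, runs int) (dirty int) {
	for i := 0; i < runs; i++ {
		if diff(cfg, refresh(cfg)) {
			dirty++
		}
	}
	return dirty
}

func main() {
	cfg := Behavior{AllowedMethods: []string{"GET", "HEAD"}, S3OriginConfigBlocks: 1}
	println("ordered list:", DirtyPlans(cfg, listDiff, 3), "normalized:", DirtyPlans(cfg, setDiff, 3))
}
```

With positional comparison every cycle reports a change even though nothing differs semantically; with normalization the plan is clean, while a genuinely different method set is still reported.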
