Terraform-provider-aws: Cloudfront Distribution changes ForwardedValues Headers for Behaviours
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v0.11.11
Affected Resource(s)
- aws_cloudfront_distribution
AWS Provider version: 2.1.0
Terraform Configuration Files
resource "aws_cloudfront_distribution" "self" {
enabled = true
is_ipv6_enabled = true
comment = "public assets"
price_class = "PriceClass_100"
aliases = ["${aws_acm_certificate.cdn_cert.domain_name}"]
# ...
ordered_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "${local.s3_origin_id}"
viewer_protocol_policy = "allow-all"
compress = true
default_ttl = 86400
min_ttl = 3600
max_ttl = 2592000
path_pattern = "/foo/*"
forwarded_values {
query_string = false
headers = [
"Origin",
"Access-Control-Request-Headers",
"Access-Control-Request-Method",
]
cookies {
forward = "none"
}
}
}
# ...
}
Expected Behavior
A clean diff, since the code wasn't changed.
Actual Behavior
There's always a diff for the forwarwarded values headers:
Steps to Reproduce
terraform planterraform applyterraform plan
skorfmann
All 10 comments
Tried a downgrade of the AWS provider to 2.0.0
apply output (apparently no actual change to the distribution, way to quick for that)
ordered_cache_behavior.0.forwarded_values.0.headers.0: "Access-Control-Request-Headers" => "Origin"
ordered_cache_behavior.0.forwarded_values.0.headers.1: "Access-Control-Request-Method" => "Access-Control-Request-Headers"
ordered_cache_behavior.0.forwarded_values.0.headers.2: "Origin" => "Access-Control-Request-Method"
state afterwards
"ordered_cache_behavior.0.forwarded_values.0.headers.0": "Access-Control-Request-Headers",
"ordered_cache_behavior.0.forwarded_values.0.headers.1": "Access-Control-Request-Method",
"ordered_cache_behavior.0.forwarded_values.0.headers.2": "Origin",
Hence, there's also a diff for each plan, but at least the apply doesn't do a full cloudfront distribution deployment now.
skorfmann
on 8 Mar 2019
Some information that might be helpful.
This appears to be an issue with ordering of the item lists not matching up with what was specified, and we're seeing it with both the cookie list and header forward values.
If we have four values applied to cookie name whitelist, e.g. whitelisted_names = ["wp-*", "wordpress*", "MSISAuth*", "PHPSESSID"] then every time it runs, it tries to set them to whitelisted_names = ["MSISAuth*", "PHPSESSID", "wordpress*", "wp-*"]. If we adjust the source to match what it tries to set each time, it has no trouble with them because now they'll match what the provider is trying to do.
Terraform.tfstate prior to the change shows:
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.#": "4",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.0": "wp-*",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.1": "wordpress*",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.2": "MSISAuth*",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.3": "PHPSESSID",
After re-ordering them in our .tf file and applying, shows:
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.#": "4",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.0": "MSISAuth*",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.1": "PHPSESSID",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.2": "wordpress*",
"default_cache_behavior.0.forwarded_values.0.cookies.0.whitelisted_names.3": "wp-*",
and from that point on it will run without trying to make any changes. But if we adjust our order in our .tf file, it will continue to try to put them back to the order with MSISAuth first.
jrmuir
on 15 Mar 2019
I this an AWS provider issue or a terraform issue?
yardensachs
on 1 Apr 2019
@yardensachs this is an issue in the Terraform AWS Provider where the resource is expecting explicit ordering while the API does not. We are planning on addressing this once #8116 is merged.
bflad
on 1 Apr 2019
Pull request submitted: #8150
bflad
on 2 Apr 2019
The fix to ignore ordering for headers and cookies whitelisted_names has been merged and will release with version 2.5.0 of the Terraform AWS Provider, likely later today.
bflad
on 4 Apr 2019
Thanks for your work on this @bflad!
nathanielks
on 4 Apr 2019
Thanks @bflad!
yardensachs
on 5 Apr 2019
This has been released in version 2.5.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
bflad
on 5 Apr 2019
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 30 Mar 2020
Related issues
hashibot
·
3Comments
hashibot
·
3Comments
hashibot
·
3Comments
hashibot
·
3Comments
carmas
·
3Comments
Most helpful comment
Pull request submitted: #8150