Terraform-provider-aws: Missing validation that CloudFront SSL method is required

Created on 13 Nov 2019  ·  2 Comments  ·  Source: hashicorp/terraform-provider-aws

When creating an aws_cloudfront_distribution resource with a viewer_certificate, the ssl_support_method is required. If it is missing, however, the terraform plan succeeds and the terraform apply fails with an error from AWS.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.13
+ provider.aws v2.35.0

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

resource "aws_cloudfront_distribution" "dist" {
  default_root_object = "index.html"
  enabled             = true
  is_ipv6_enabled     = true
  aliases             = [var.domain_name]
  price_class         = var.price_class
  tags                = var.tags

  origin {
    domain_name = aws_s3_bucket.store.bucket_domain_name
    origin_id   = aws_s3_bucket.store.id
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = aws_s3_bucket.store.id
    viewer_protocol_policy = "allow-all"

    forwarded_values {
      query_string = false
      cookies {
        forward = "all"
      }
    }
  }

  viewer_certificate {
    acm_certificate_arn = var.acm_certificate_arn
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

Debug Output

(skipping because this is purely a validation issue, and with the ssl_support_method in place my infrastructure is already stood up; if it turns out to be necessary, I can attempt to create another one to get debug output)

Expected Behavior

terraform plan should fail with a message like so:

Error: "viewer_certificate.0.ssl_support_method": required field is not set

Actual Behavior

terraform plan succeeds, and terraform apply fails with the following message:

Error: error creating CloudFront Distribution: MalformedXML: 1 validation error detected: Value '' at 'distributionConfigWithTags.distributionConfig.viewerCertificate.sSLSupportMethod' failed to satisfy constraint: Member must satisfy enum value set: [sni-only, vip]

Steps to Reproduce

  1. terraform plan -out=tfplan
  2. terraform apply tfplan
Labels: needs-triage, service/cloudfront

All 2 comments

Not sure what it means, but I received a notification from GitHub about a failed action after creating this issue:

Run failed for master (2070567)

Repository: terraform-providers/terraform-provider-aws
Workflow: Issue triage
Duration: 1 minute
Finished: 2019-11-13 17:09:04 UTC


The error log is quite clear

If you are using the acm_certificate_arn you also need to add the following attribute
ssl_support_method = "sni-only" or "vip"

It is clearly written in the docs:
_ssl_support_method: Specifies how you want CloudFront to serve HTTPS requests. One of vip or sni-only. Required if you specify acm_certificate_arn or iam_certificate_id. NOTE: vip causes CloudFront to use a dedicated IP address and may incur extra charges._

Also, it requires the following attribute (the value varies):
minimum_protocol_version = "TLSv1"

Check details here: https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#viewer-certificate-arguments
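The validation the issue asks the provider to perform, and the rule the comment above quotes from the docs (ssl_support_method required whenever acm_certificate_arn or iam_certificate_id is set, value one of sni-only or vip), written as a pre-apply check over `terraform show -json tfplan` output so the problem surfaces before the AWS MalformedXML error. This is an added example, not terraform-provider-aws code; the sample plan fragment, the placeholder ARN and the function names are constructed.

```python
# Pre-apply check for the validation gap in this issue: reads `terraform show -json tfplan`
# output and flags any aws_cloudfront_distribution that names an ACM/IAM certificate but
# omits ssl_support_method or sets a value AWS rejects. Constructed example, not provider code.
import json

ALLOWED_SSL_METHODS = {"sni-only", "vip"}  # enum set quoted in the AWS error
CERT_KEYS = ("acm_certificate_arn", "iam_certificate_id")

def check_viewer_certificate(after, after_unknown=None):
    """Findings for one resource. `after` holds values known at plan time; `after_unknown`
    marks (as True) values resolved only at apply, e.g. an ARN from a new aws_acm_certificate."""
    findings = []
    certs = after.get("viewer_certificate") or []  # nested blocks are lists of objects
    unknown_certs = (after_unknown or {}).get("viewer_certificate") or []
    for idx, block in enumerate(certs):
        unknown = unknown_certs[idx] if idx < len(unknown_certs) else {}
        if not any(block.get(k) or unknown.get(k) for k in CERT_KEYS):
            continue  # default CloudFront certificate: method not required
        method = block.get("ssl_support_method")
        path = f"viewer_certificate.{idx}.ssl_support_method"
        if not method:
            findings.append(f'"{path}": required field is not set')
        elif method not in ALLOWED_SSL_METHODS:
            findings.append(f'"{path}": {method!r} not in {sorted(ALLOWED_SSL_METHODS)}')
    return findings

def check_plan(plan_json):
    """Map resource address -> findings for every distribution being created or updated."""
    plan = json.loads(plan_json) if isinstance(plan_json, str) else plan_json
    results = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_cloudfront_distribution" or change.get("actions") == ["delete"]:
            continue  # a pure delete never reaches CreateDistribution, so nothing to validate
        findings = check_viewer_certificate(change.get("after") or {}, change.get("after_unknown"))
        if findings:
            results[rc["address"]] = findings
    return results

# Constructed plan fragment mirroring the issue's configuration: an ACM certificate
# is supplied (placeholder ARN) but ssl_support_method is left unset.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "aws_cloudfront_distribution.dist", "type": "aws_cloudfront_distribution",
    "change": {"actions": ["create"], "after_unknown": {"id": True, "viewer_certificate": [{}]},
               "after": {"enabled": True, "viewer_certificate": [{"ssl_support_method": None,
                   "acm_certificate_arn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}]}}}]}

if __name__ == "__main__":
    for address, problems in check_plan(SAMPLE_PLAN).items():
        print(address, *problems, sep="\n  ")
```

Running it on a real plan: `terraform show -json tfplan > plan.json`, then pass the file contents to `check_plan`; a certificate ARN that is only known at apply time shows up under `after_unknown` and is still treated as set.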
