Terraform: Applying a change to trusted_signers in default_cache_behavior in aws_cloudfront_distribution plans OK but produces error on apply

Created on 19 Jan 2017 · 4 Comments · Source: hashicorp/terraform

Terraform Version

Terraform 0.8.4

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

Here's what they look like in the state which causes the error:

resource "aws_cloudfront_origin_access_identity" "ORIGIN_BUKKIT-identity" {
  comment = "ORIGIN BUKKIT identity"
}

resource "aws_cloudfront_distribution"  "ORIGIN_BUKKIT_DISTRIBUTION" {
  enabled = true
  is_ipv6_enabled = true
  http_version = "http2"
  price_class = "PriceClass_All"
  comment = "MAH BUKKIT"

  origin {
    domain_name = "${aws_s3_bucket.ORIGIN_BUKKIT.bucket}.s3.amazonaws.com"
    origin_id = "S3-${aws_s3_bucket.ORIGIN_BUKKIT.bucket}"
    origin_path = "/assets"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.ORIGIN_BUKKIT-identity.cloudfront_access_identity_path}"
    }
  }

  default_cache_behavior {
    allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods = ["GET", "HEAD" ]
    target_origin_id = "S3-${aws_s3_bucket.ORIGIN_BUKKIT.bucket}"
    trusted_signers = ["<account number>"]
    viewer_protocol_policy = "redirect-to-https"
    compress = false
    min_ttl = 0
    default_ttl = 3600
    max_ttl = 86400
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  tags {
    Environment = "production"
  }

  logging_config {
    include_cookies = false
    bucket = "${aws_s3_bucket.LOG_BUKKIT.bucket}.s3.amazonaws.com"
    prefix = "cloudfront/ORIGIN_BUKKIT"
  }
}

Note: prior to this, when we created the distribution, I had the following resource also there:

data "aws_caller_identity" "current_aws_account" {}

...and the trusted_signers field looked like:

trusted_signers = ["${data.aws_caller_identity.current_aws_account.account_id}"]

...that worked to create the distribution, BUT whenever we ran a refresh, we'd get a diff in the state that looked like:

diff --git a/terraform/terraform.tfstate b/terraform/terraform.tfstate
index 98c6108..a160cee 100644
--- a/terraform/terraform.tfstate
+++ b/terraform/terraform.tfstate
@@ -1,7 +1,7 @@
 {
     "version": 3,
     "terraform_version": "0.8.4",
-    "serial": 389,
+    "serial": 390,
     "lineage": "c3158160-c23e-4283-88bf-f65e4107caca",
     "modules": [
         {
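Review bot: the only change in this hunk is the serial bump, which confirms that a plain refresh rewrote the state even though no managed resource changed. The header path (terraform/terraform.tfstate) also shows the state file is tracked in git; state records every resource attribute in plaintext, so it is safer in a remote backend with access control than in repository history, where every refresh would otherwise land as a commit.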
@@ -25114,10 +25114,10 @@
                     "type": "aws_caller_identity",
                     "depends_on": [],
                     "primary": {
-                        "id": "2017-01-19 19:46:22.518710886 +0000 UTC",
+                        "id": "2017-01-19 19:53:03.227587972 +0000 UTC",
                         "attributes": {
                             "account_id": "<account number>",
-                            "id": "2017-01-19 19:46:22.518710886 +0000 UTC"
+                            "id": "2017-01-19 19:53:03.227587972 +0000 UTC"
                         },
                         "meta": {},
                         "tainted": false

...so this change was being made to see if we could stop that happening. I reasoned that using a hardcoded account ID and getting rid of that aws_caller_identity resource should stop it updating its timestamp in every run.

Debug Output

We had to back out to get back to clean state, I can't run it with debug on :-( :-(

Panic Output

No panic.

Expected Behavior

This distribution was created with the AWS account in trusted_signers being provided by a data aws_caller_identity resource. However, that caused its own problems, because that resource's timestamp changed in every run, causing diffs in our state for every run. So I removed that data resource and hardcoded the AWS Account ID as a string containing the numerical account ID in the trusted_signers list.

Running terraform plan produced an expected change output, with it destroying the default_cache_behavior subresource and building a new one with the correct account number.

I expected executing that plan would update the distribution as it stated would happen.

Here is the plan output:

Path: ./plan

~ aws_cloudfront_distribution.percolate-asset-usw1
    default_cache_behavior.371026481.allowed_methods.#:                                                  "0" => "7"
    default_cache_behavior.371026481.allowed_methods.0:                                                  "" => "DELETE"
    default_cache_behavior.371026481.allowed_methods.1:                                                  "" => "GET"
    default_cache_behavior.371026481.allowed_methods.2:                                                  "" => "HEAD"
    default_cache_behavior.371026481.allowed_methods.3:                                                  "" => "OPTIONS"
    default_cache_behavior.371026481.allowed_methods.4:                                                  "" => "PATCH"
    default_cache_behavior.371026481.allowed_methods.5:                                                  "" => "POST"
    default_cache_behavior.371026481.allowed_methods.6:                                                  "" => "PUT"
    default_cache_behavior.371026481.cached_methods.#:                                                   "0" => "2"
    default_cache_behavior.371026481.cached_methods.0:                                                   "" => "GET"
    default_cache_behavior.371026481.cached_methods.1:                                                   "" => "HEAD"
    default_cache_behavior.371026481.compress:                                                           "" => "false"
    default_cache_behavior.371026481.default_ttl:                                                        "" => "3600"
    default_cache_behavior.371026481.forwarded_values.#:                                                 "0" => "1"
    default_cache_behavior.371026481.forwarded_values.2555876073.cookies.#:                              "0" => "1"
    default_cache_behavior.371026481.forwarded_values.2555876073.cookies.2625240281.forward:             "" => "none"
    default_cache_behavior.371026481.forwarded_values.2555876073.cookies.2625240281.whitelisted_names.#: "0" => "0"
    default_cache_behavior.371026481.forwarded_values.2555876073.headers.#:                              "0" => "0"
    default_cache_behavior.371026481.forwarded_values.2555876073.query_string:                           "" => "true"
    default_cache_behavior.371026481.forwarded_values.2555876073.query_string_cache_keys.#:              "0" => "0"
    default_cache_behavior.371026481.max_ttl:                                                            "" => "86400"
    default_cache_behavior.371026481.min_ttl:                                                            "" => "0"
    default_cache_behavior.371026481.smooth_streaming:                                                   "" => ""
    default_cache_behavior.371026481.target_origin_id:                                                   "" => "S3-ORIGIN_BUKKIT"
    default_cache_behavior.371026481.trusted_signers.#:                                                  "0" => "1"
    default_cache_behavior.371026481.trusted_signers.0:                                                  "" => "<account number>"
    default_cache_behavior.371026481.viewer_protocol_policy:                                             "" => "redirect-to-https"
    default_cache_behavior.503536106.allowed_methods.#:                                                  "7" => "0"
    default_cache_behavior.503536106.allowed_methods.0:                                                  "HEAD" => ""
    default_cache_behavior.503536106.allowed_methods.1:                                                  "DELETE" => ""
    default_cache_behavior.503536106.allowed_methods.2:                                                  "POST" => ""
    default_cache_behavior.503536106.allowed_methods.3:                                                  "GET" => ""
    default_cache_behavior.503536106.allowed_methods.4:                                                  "OPTIONS" => ""
    default_cache_behavior.503536106.allowed_methods.5:                                                  "PUT" => ""
    default_cache_behavior.503536106.allowed_methods.6:                                                  "PATCH" => ""
    default_cache_behavior.503536106.cached_methods.#:                                                   "2" => "0"
    default_cache_behavior.503536106.cached_methods.0:                                                   "HEAD" => ""
    default_cache_behavior.503536106.cached_methods.1:                                                   "GET" => ""
    default_cache_behavior.503536106.compress:                                                           "false" => "false"
    default_cache_behavior.503536106.default_ttl:                                                        "3600" => "0"
    default_cache_behavior.503536106.forwarded_values.#:                                                 "1" => "0"
    default_cache_behavior.503536106.forwarded_values.2555876073.cookies.#:                              "1" => "0"
    default_cache_behavior.503536106.forwarded_values.2555876073.cookies.2625240281.forward:             "none" => ""
    default_cache_behavior.503536106.forwarded_values.2555876073.cookies.2625240281.whitelisted_names.#: "0" => "0"
    default_cache_behavior.503536106.forwarded_values.2555876073.headers.#:                              "0" => "0"
    default_cache_behavior.503536106.forwarded_values.2555876073.query_string:                           "true" => "false"
    default_cache_behavior.503536106.forwarded_values.2555876073.query_string_cache_keys.#:              "0" => "0"
    default_cache_behavior.503536106.max_ttl:                                                            "86400" => "0"
    default_cache_behavior.503536106.min_ttl:                                                            "0" => "0"
    default_cache_behavior.503536106.smooth_streaming:                                                   "false" => "false"
    default_cache_behavior.503536106.target_origin_id:                                                   "S3-ORIGIN_BUKKIT" => ""
    default_cache_behavior.503536106.trusted_signers.#:                                                  "1" => "0"
    default_cache_behavior.503536106.trusted_signers.0:                                                  "self" => ""
    default_cache_behavior.503536106.viewer_protocol_policy:                                             "redirect-to-https" => ""

Plan: 0 to add, 1 to change, 0 to destroy.
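As an added example (not from the issue or from Terraform itself), the script below parses this style of 0.8-era plan output, pairs the removed set hash (503536106) with the added one (371026481) and reports only attributes whose value really changes, ignoring list reordering and the empty-versus-set noise of a block replacement. The embedded plan text is a constructed, trimmed excerpt of the output above; on it the one net change is trusted_signers going from "self" to the account number, which is exactly the line a reviewer should care about because it decides who may sign CloudFront URLs and cookies.

```python
import re
from collections import defaultdict
# Constructed, trimmed excerpt of the plan output quoted in the issue (set hashes as on the page).
PLAN = """\
    default_cache_behavior.371026481.allowed_methods.#:      "0" => "2"
    default_cache_behavior.371026481.allowed_methods.0:      "" => "GET"
    default_cache_behavior.371026481.allowed_methods.1:      "" => "HEAD"
    default_cache_behavior.371026481.trusted_signers.0:      "" => "<account number>"
    default_cache_behavior.371026481.viewer_protocol_policy: "" => "redirect-to-https"
    default_cache_behavior.503536106.allowed_methods.#:      "2" => "0"
    default_cache_behavior.503536106.allowed_methods.0:      "HEAD" => ""
    default_cache_behavior.503536106.allowed_methods.1:      "GET" => ""
    default_cache_behavior.503536106.trusted_signers.0:      "self" => ""
    default_cache_behavior.503536106.viewer_protocol_policy: "redirect-to-https" => ""
"""
LINE = re.compile(r'^\s*(\S+):\s+"([^"]*)" => "([^"]*)"\s*$')
SENSITIVE = ("trusted_signers", "viewer_protocol_policy", "allowed_methods")

def parse_blocks(plan_text):
    """(block, set-hash) -> {attr: (old values, new values)}; list elements attr.N fold
    into attr, and the '#' element counts are dropped."""
    blocks = defaultdict(lambda: defaultdict(lambda: ([], [])))
    for m in filter(None, map(LINE.match, plan_text.splitlines())):
        key, old, new = m.groups()
        block, hsh, attr = key.split(".", 2)
        base, _, last = attr.rpartition(".")
        if last == "#":
            continue
        olds, news = blocks[(block, hsh)][base if last.isdigit() else attr]
        if old: olds.append(old)
        if new: news.append(new)
    return blocks

def net_changes(plan_text, only=()):
    """Pair the removed hash with the added hash of each block and keep attributes whose
    value really differs (order-insensitive for lists); `only` restricts to attr prefixes."""
    sides = defaultdict(dict)
    for (block, hsh), attrs in parse_blocks(plan_text).items():
        added = all(not olds for olds, _ in attrs.values())  # added hash has no old-side values
        sides[block]["added" if added else "removed"] = attrs
    changes = {}
    for block, s in sides.items():
        removed, added = s.get("removed", {}), s.get("added", {})
        for attr in set(removed) | set(added):
            before = tuple(sorted(removed.get(attr, ([], []))[0]))
            after = tuple(sorted(added.get(attr, ([], []))[1]))
            if before != after and attr.startswith(only or ""):
                changes[(block, attr)] = (before, after)
    return changes
```

Run over the full plan on this page the same pairing also shows that the apparent default_ttl, query_string and allowed_methods changes cancel out; only smooth_streaming ("false" versus unset) and trusted_signers survive.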

Actual Behavior

Got an error which makes no sense:

Error applying plan:

1 error(s) occurred:

* aws_cloudfront_distribution.ORIGIN_BUKKIT_DISTRIBUTION: InvalidArgument: The parameter Lambda function associations is required.
    status code: 400, request id: f0bc07f8-de85-11e6-b1f8-138f26fea4d2

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

ADDITIONAL INFO/HYPOTHESIS: is this blowing up because I'm not using 'self' as the trusted_signer account, but using my own account number? i.e. is that verboten on AWS, to specify your own account via number in the cloudfront distro? I note that 'self' is the value in the original distribution.

Steps to Reproduce

  1. Create a cloudfront distribution using an aws_caller_identity data resource as the single element in the trusted_signer array parameter in the default_cache_behavior
  2. Modify the source tf files to remove that aws_caller_identity data resource and replace the reference to it in the default_cache_behavior trusted_signers field with a 1-member array holding a straight string containing a numeric AWS account number (the correct one for your account)
  3. Run terraform plan -out=./plan, note that output seems sane with no errors
  4. Run terraform apply ./plan - boom

Important Factoids

We are running in EC2 classic. We have a VPC as well. This is our first TF-managed cloudfront distribution.

References

None

Labels: bug, provider/aws

All 4 comments

Should be fixed with https://github.com/hashicorp/terraform/pull/11291 where we introduce the Lambda Function Associations

Can you please confirm this is fixed? #11291 fixed the issue that was producing the error you were seeing

Confirm fixed! Sorry, was waiting for 0.8.5 release to test.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
