terraform-provider-aws: Unable to remove forwarded_values on aws_cloudfront_distribution and instead use cache policy
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform AWS Provider Version
Terraform v0.13.2
+ provider registry.terraform.io/hashicorp/aws v3.28.0
I’ve also tested with TF v0.12.20
Affected Resource(s)
aws_cloudfront_distribution
Terraform Configuration Files
config 1:
```hcl
provider "aws" {
  region  = "eu-west-2"
  version = "~> 3.28"
}

resource "aws_s3_bucket" "website_bucket" {
  bucket = "billy-test-bucket"
  acl    = "public-read"
}

resource "aws_cloudfront_distribution" "web_distribution" {
  origin {
    domain_name = aws_s3_bucket.website_bucket.bucket_regional_domain_name
    origin_id   = "s3_origin"
  }

  enabled             = true
  default_root_object = "index.html"

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3_origin"

    # Legacy cache settings, replaced by a cache policy in config 2
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```
config 2:
```hcl
provider "aws" {
  region  = "eu-west-2"
  version = "~> 3.28"
}

resource "aws_s3_bucket" "website_bucket" {
  bucket = "billy-test-bucket"
  acl    = "public-read"
}

resource "aws_cloudfront_cache_policy" "default_cache_policy" {
  name    = "default-cache-policy"
  min_ttl = 0

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }

    headers_config {
      header_behavior = "none"
    }

    query_strings_config {
      query_string_behavior = "none"
    }

    enable_accept_encoding_brotli = true
    enable_accept_encoding_gzip   = true
  }
}

resource "aws_cloudfront_distribution" "web_distribution" {
  origin {
    domain_name = aws_s3_bucket.website_bucket.bucket_regional_domain_name
    origin_id   = "s3_origin"
  }

  enabled             = true
  default_root_object = "index.html"

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3_origin"

    # forwarded_values block removed; the cache policy is referenced instead
    cache_policy_id = aws_cloudfront_cache_policy.default_cache_policy.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```
Expected Behavior
If you apply the first config and then apply the second, it should remove the forwarded_values from the distribution’s default_cache_behavior and apply the new cache_policy_id successfully
Actual Behavior
I can see from the plan step that it does not try to remove the forwarded_values:
```
  ~ default_cache_behavior {
        allowed_methods        = [
            "GET",
            "HEAD",
        ]
      + cache_policy_id        = "b1b409d5-0104-4175-b4e3-c321e694c749"
        cached_methods         = [
            "GET",
            "HEAD",
        ]
        compress               = false
        default_ttl            = 0
        max_ttl                = 0
        min_ttl                = 0
        smooth_streaming       = false
        target_origin_id       = "s3_origin"
        trusted_signers        = []
        viewer_protocol_policy = "redirect-to-https"

        forwarded_values {
            headers                 = []
            query_string            = false
            query_string_cache_keys = []

            cookies {
                forward           = "none"
                whitelisted_names = []
            }
        }
    }
```
and so it errors with:
Error: error updating CloudFront Distribution (EL8S34HS6LFV0): InvalidArgument: The parameter ForwardedValues cannot be used when a cache policy is associated to the cache behavior.
status code: 400, request id: b2b4e098-b5fa-4185-85dd-c7bf442ee9bc
Steps to Reproduce
1. terraform apply with config 1 above
2. terraform apply with config 2 above
References
- CF cache policies were introduced last week: https://github.com/hashicorp/terraform-provider-aws/pull/17336
About this issue
- State: closed
- Created 3 years ago
- Reactions: 57
- Comments: 21 (3 by maintainers)
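A pre-apply check for the condition this issue describes, as an added example that is not part of the original issue or the provider's code: it scans `terraform show -json` plan output for a cache behavior whose planned state carries both cache_policy_id and forwarded_values, the combination CloudFront rejects with InvalidArgument. The embedded plan is a constructed, trimmed sample shaped like the plan output above, and find_conflicting_behaviors is a hypothetical helper name.

```python
import json

# Constructed sample: a trimmed `terraform show -json` plan for config 2,
# where cache_policy_id is added while forwarded_values is carried over
# from state (as in the plan output shown in the issue).
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {
      "address": "aws_cloudfront_distribution.web_distribution",
      "type": "aws_cloudfront_distribution",
      "change": {
        "actions": ["update"],
        "after": {
          "default_cache_behavior": [
            {
              "cache_policy_id": "b1b409d5-0104-4175-b4e3-c321e694c749",
              "target_origin_id": "s3_origin",
              "forwarded_values": [
                {"query_string": false, "cookies": [{"forward": "none"}]}
              ]
            }
          ],
          "ordered_cache_behavior": []
        }
      }
    }
  ]
}
""")


def find_conflicting_behaviors(plan):
    """Return (address, block, index) for each cache behavior whose planned
    state has both cache_policy_id and a non-empty forwarded_values block."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudfront_distribution":
            continue
        # "after" is null when the resource is being destroyed
        after = (rc.get("change") or {}).get("after") or {}
        for block in ("default_cache_behavior", "ordered_cache_behavior"):
            for i, behavior in enumerate(after.get(block) or []):
                if behavior.get("cache_policy_id") and behavior.get("forwarded_values"):
                    hits.append((rc["address"], block, i))
    return hits


if __name__ == "__main__":
    for address, block, i in find_conflicting_behaviors(SAMPLE_PLAN):
        print(f"{address}: {block}[{i}] sets cache_policy_id and forwarded_values")
```
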
I had this issue as well. Was able to work around it for now by making the change in the AWS console and then applying with terraform to match.
@billy-reilly I took a look, and the simplest solution seems to be to just make forwarded_values not Computed. I did some testing with that change and everything looks good, so I got a PR open to make the change.

This has been released in version 3.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
@billy-reilly The reason the forwarded_values are conflicting is because they are set as Computed. That makes it so that when forwarded_values is removed in the 2nd config, the existing values are still used. I don’t remember right off why Computed was needed in that case.

One way to work around this for now, should be to set forwarded_values to an empty block. That way it will be set in the config to be empty rather than being left out and filled in with the values from the state.

Same issue here, any news?
Is there any update on it yet?