Adding a New CloudFront Origin Causes All Other Origins to be Redeployed #12065

Closed
StevenMilne-Sonocent opened this issue Feb 17, 2020 · 13 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.

Comments

@StevenMilne-Sonocent
Terraform Version 0.12.16

AWS Provider Version 2.49

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

resource "aws_cloudfront_distribution" "test_cdn" {
  enabled         = true
  is_ipv6_enabled = true
  comment         = "Testing CDN"
  price_class     = "PriceClass_All"

  aliases = [
    "test.sonocent.com"
  ]

  origin {
    domain_name = "proxy.sonocent.com"
    origin_id   = "proxy"

    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      origin_protocol_policy = "http-only"
      # Only used when CloudFront talks TLS to the origin; with "http-only"
      # above it has no effect, but TLSv1 is a weak choice should the policy
      # ever change to "https-only" or "match-viewer".
      origin_ssl_protocols   = ["TLSv1"]
    }
  }

  default_cache_behavior {
    # Must match the origin_id of one of the origin blocks above
    # (the plan output below shows both as "ReverseProxy").
    target_origin_id       = var.origin_id
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.ssl_certificate_arn
    minimum_protocol_version = "TLSv1.1_2016"
    ssl_support_method       = "sni-only"
  }
}

Debug Output

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.cdn.aws_cloudfront_distribution.test_cdn will be updated in-place
  ~ resource "aws_cloudfront_distribution" "test_cdn" {
        active_trusted_signers         = {
            "enabled" = "false"
            "items.#" = "0"
        }
        aliases                        = [
            "test.sonocent.com",
        ]
        arn                            = "arn:aws:cloudfront::772790879611:distribution/E1523S6S47Y9NO"
        caller_reference               = "terraform-20200217103008732300000001"
        comment                        = "Testing CDN"
        domain_name                    = "d1m3880wlv3lzh.cloudfront.net"
        enabled                        = true
        etag                           = "E3V3LJCCW2EYRI"
        hosted_zone_id                 = "Z2FDTNDATAQYW2"
        http_version                   = "http2"
        id                             = "E1523S6S47Y9NO"
        in_progress_validation_batches = 0
        is_ipv6_enabled                = true
        last_modified_time             = "2020-02-17 10:30:09.219 +0000 UTC"
        price_class                    = "PriceClass_All"
        retain_on_delete               = false
        status                         = "Deployed"
        tags                           = {}
        wait_for_deployment            = true

        default_cache_behavior {
            allowed_methods        = [
                "DELETE",
                "GET",
                "HEAD",
                "OPTIONS",
                "PATCH",
                "POST",
                "PUT",
            ]
            cached_methods         = [
                "GET",
                "HEAD",
            ]
            compress               = true
            default_ttl            = 86400
            max_ttl                = 31536000
            min_ttl                = 0
            smooth_streaming       = false
            target_origin_id       = "ReverseProxy"
            trusted_signers        = []
            viewer_protocol_policy = "redirect-to-https"

            forwarded_values {
                headers                 = []
                query_string            = false
                query_string_cache_keys = []

                cookies {
                    forward           = "none"
                    whitelisted_names = []
                }
            }
        }

      - origin {
          - domain_name = "proxy.sonocent.com" -> null
          - origin_id   = "ReverseProxy" -> null

          - custom_origin_config {
              - http_port                = 80 -> null
              - https_port               = 443 -> null
              - origin_keepalive_timeout = 5 -> null
              - origin_protocol_policy   = "http-only" -> null
              - origin_read_timeout      = 30 -> null
              - origin_ssl_protocols     = [
                  - "TLSv1",
                ] -> null
            }
        }
      + origin {
          + domain_name = "proxy.sonocent.com"
          + origin_id   = "ReverseProxy"

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "http-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1",
                ]
            }
        }
      + origin {
          + domain_name = "audiomotetaker.sonocent.com.s3.amazonaws.com"
          + origin_id   = "S3-audionotetaker.sonocent.com"
        }

        restrictions {
            geo_restriction {
                locations        = []
                restriction_type = "none"
            }
        }

        viewer_certificate {
            acm_certificate_arn            = "arn:aws:acm:us-east-1:772790879611:certificate/f5439525-a282-4e11-b46c-2bed74a0059f"
            cloudfront_default_certificate = false
            minimum_protocol_version       = "TLSv1.1_2016"
            ssl_support_method             = "sni-only"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Resource targeting is in effect

You are creating a plan with the -target option, which means that the result
of this plan may not represent all of the changes requested by the current
configuration.

The -target option is not for routine use, and is provided only for
exceptional situations such as recovering from errors or mistakes, or when
Terraform specifically suggests to use it as part of an error message.

Panic Output

N/A

Expected Behavior

The CloudFront distribution should update in place and not cause changes to other resources which have not changed. A single origin should be added and no other origins should be modified.

Actual Behavior

All existing origins on the CloudFront distribution are flagged to be destroyed and re-built with the exact same values. Terraform says that the origins will be recreated, but in reality no downtime is observed. This persists even if you apply the changes manually and then run terraform state rm and terraform import: Terraform still wants to apply changes to the origins.

Steps to Reproduce

The issue is caused by adding an origin to a pre-existing CloudFront distribution. Through the AWS console this does not affect any other origins (the distribution as a whole needs to redeploy, though). However, through Terraform all of the existing origins need to be destroyed. Follow these steps, using the configuration above, to replicate:

  1. terraform apply with the above configuration
  2. Add the new origin with the configuration listed below
  3. terraform apply the new configuration

This is the extra origin to be added to the initial configuration above to trigger the issue:

origin {
  domain_name = "audiomotetaker.sonocent.com.s3.amazonaws.com"
  origin_id   = "S3-audionotetaker.sonocent.com"
}

Important Factoids

N/A

References

  • #0000
@ghost ghost added the service/cloudfront Issues and PRs that pertain to the cloudfront service. label Feb 17, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 17, 2020
@wamonite

Diffing the output of my plan showed that for each existing origin, "origin_path": "" != "origin_path": null. Adding origin_path = "" to each existing origin meant they would no longer be modified.
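
The diagnosis above came from diffing plan output by hand. The script below, an added example that is not from this thread or the AWS provider, automates that check against the JSON form of a plan (terraform show -json plan.out, whose shape resource_changes[].change.before/after is assumed here). It walks each in-place update, matches nested origin blocks by origin_id, and splits leaf differences into provider default normalization (both sides empty-like: "", [], {} or null, the "" vs null case from this issue) and real changes, printing the workaround from this thread for the former. The embedded plan is a constructed sample that mirrors the issue: the existing origin differs only in origin_path, and a second S3 origin is genuinely added. The reason to separate the two in CI is that a distribution whose plan destroys and recreates every origin on every apply teaches operators to approve CloudFront plans without reading them, which is exactly how a real origin change (a swapped domain_name, for example) gets rubber-stamped.

```python
"""Split a Terraform JSON plan's diffs into normalization noise and real changes.

Added example (not from the issue thread or the provider). Assumes the
`terraform show -json` layout: resource_changes[].change.{actions,before,after}.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Constructed sample, trimmed to the fields this script reads. It mirrors the
# issue: "ReverseProxy" differs only in origin_path ("" in state, null in
# config) while "S3-audionotetaker.sonocent.com" is a genuine addition.
SAMPLE_PLAN_JSON = """
{"resource_changes": [{
  "address": "module.cdn.aws_cloudfront_distribution.test_cdn",
  "type": "aws_cloudfront_distribution",
  "change": {
    "actions": ["update"],
    "before": {"origin": [
      {"origin_id": "ReverseProxy", "domain_name": "proxy.sonocent.com",
       "origin_path": "", "custom_header": [],
       "custom_origin_config": [{"http_port": 80, "https_port": 443,
         "origin_protocol_policy": "http-only", "origin_ssl_protocols": ["TLSv1"]}]}
    ]},
    "after": {"origin": [
      {"origin_id": "ReverseProxy", "domain_name": "proxy.sonocent.com",
       "origin_path": null, "custom_header": [],
       "custom_origin_config": [{"http_port": 80, "https_port": 443,
         "origin_protocol_policy": "http-only", "origin_ssl_protocols": ["TLSv1"]}]},
      {"origin_id": "S3-audionotetaker.sonocent.com",
       "domain_name": "audiomotetaker.sonocent.com.s3.amazonaws.com",
       "origin_path": null, "custom_header": [], "custom_origin_config": []}
    ]}
  }
}]}
"""

# Spellings of "unset" that provider schemas tend to flip between.
EMPTY_LIKE: tuple[Any, ...] = ("", [], {}, None)


def is_spurious(before: Any, after: Any) -> bool:
    """True when the two sides differ only in how 'unset' is spelled."""
    return before != after and before in EMPTY_LIKE and after in EMPTY_LIKE


def _keyed(items: list) -> dict[str, Any]:
    """Index nested blocks by origin_id when every block has one, else by position."""
    if items and all(isinstance(x, dict) and "origin_id" in x for x in items):
        return {x["origin_id"]: x for x in items}
    return {str(i): x for i, x in enumerate(items)}


def walk_diff(before: Any, after: Any, path: str = "") -> Iterator[tuple[str, Any, Any]]:
    """Yield (path, before, after) for every leaf value that differs."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            yield from walk_diff(before.get(key), after.get(key), f"{path}.{key}" if path else key)
    elif (isinstance(before, list) and isinstance(after, list)
          and all(isinstance(x, dict) for x in before + after)):
        b, a = _keyed(before), _keyed(after)
        for key in sorted(set(b) | set(a)):
            yield from walk_diff(b.get(key), a.get(key), f"{path}[{key}]")
    elif before != after:
        yield path, before, after


def classify_plan(plan: dict) -> dict[str, dict[str, list[tuple[str, Any, Any]]]]:
    """Return {resource address: {"spurious": [...], "real": [...]}} for in-place updates."""
    report: dict[str, dict[str, list[tuple[str, Any, Any]]]] = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "update" not in change["actions"]:
            continue  # creates and deletes are never normalization noise
        buckets: dict[str, list[tuple[str, Any, Any]]] = {"spurious": [], "real": []}
        for diff in walk_diff(change["before"], change["after"]):
            buckets["spurious" if is_spurious(diff[1], diff[2]) else "real"].append(diff)
        report[rc["address"]] = buckets
    return report


def analyze(raw_json: str) -> dict[str, dict[str, list[tuple[str, Any, Any]]]]:
    return classify_plan(json.loads(raw_json))


def suggest_fix(path: str, before: Any, after: Any) -> str:
    """The workaround from this thread: pin the attribute to what state already holds."""
    attr = path.rsplit(".", 1)[-1]
    return f"set {attr} = {json.dumps(before)} explicitly at {path} so config matches state"


def main(argv: list[str]) -> int:
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN_JSON
    report = analyze(raw)
    for address, buckets in report.items():
        print(address)
        for path, b, a in buckets["real"]:
            print(f"  REAL     {path}: {b!r} -> {a!r}")
        for path, b, a in buckets["spurious"]:
            print(f"  SPURIOUS {path}: {b!r} -> {a!r}  ({suggest_fix(path, b, a)})")
    # Non-zero while noise is present, so CI keeps flagging it until config pins the attrs.
    return 1 if any(bk["spurious"] for bk in report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform show -json plan.out > plan.json && python plan_noise.py plan.json`; with no argument it runs on the embedded sample. Keying origin blocks by origin_id is specific to aws_cloudfront_distribution; other nested sets fall back to positional matching, which is good enough to spot "" vs null flips but can misreport reorderings as changes.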

@StevenMilne-Sonocent
Author

> Diffing the output of my plan showed that for each existing origin, "origin_path": "" != "origin_path": null. Adding origin_path = "" to each existing origin meant they would no longer be modified.

That worked perfectly! Thank you! 😁 It's a shame it doesn't show that field being changed in the diff but perhaps I should have specified that field instead of leaving it to be defaulted.

@james-gonzalez

james-gonzalez commented Feb 27, 2020

We are still seeing this issue with Terraform 0.12.20 (I know that's obvious as this issue is still open) just wanted to point it out :) AWS provider: 0.2.48

@jwwerpy

jwwerpy commented May 20, 2020

We are seeing this issue with Terraform v0.12.21 provider.aws v2.54.0. And we're seeing it show changes for origins no matter what, redeploying on every apply.

We have done a Plan, Apply, Plan and the following plan still shows resources for the origins changing even though the Apply successfully applied the origin changes.

@zopz

zopz commented Jul 29, 2020

I'm seeing this with Terraform v0.12.9, provider.aws v2.70.0 - we imported cloudfront formations and recreated the resources exactly, but trying to plan them with the exact same configurations results in destroying and recreating the formations. We've done the same with multiple other formations, but only the one with two origins forces delete and recreate.

@zopz

zopz commented Jul 29, 2020

^disregard, one of the origins had a header typo. Bless up @wamonite 🙏

@bmiro

bmiro commented Dec 29, 2020

We are in the same situation as @jwwerpy. The changes are made every time, not only when the new origin is added.

Every apply recreates the origins.

Tested with terraform 0.11, 0.12, 0.13 and 0.14 with providers 2.16, 2.70 and 3.22.

@rom1gal

rom1gal commented Apr 23, 2021

> Diffing the output of my plan showed that for each existing origin, "origin_path": "" != "origin_path": null. Adding origin_path = "" to each existing origin meant they would no longer be modified.

You rock 🚀

@imaginarynik

Hey @wamonite, thank you so much for this interesting observation! I opened a PR for the terraform cloudfront module based on your suggestion (cited you there) to have the default value as "", and it was approved :)

@wamonite

wamonite commented May 5, 2021

@imaginarynik nice one!

@sbkpilot1

@wamonite Thank you! That fixed the problem :)

@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 27, 2021
@justinretzolk
Member

👋 It looks like this was fixed in AWS Provider version 4.8.0 via #20709. Given that's the case, we'll close this issue. If you experience this issue in provider versions after 4.8.0, please open a new issue so that we can investigate the regression.

@github-actions

github-actions bot commented Jul 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 9, 2022