cloudfront Invalidation paths options

[ofirshtrull]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I am using the aws_cloudfront_distribution module and suddenly i need to use Invalidations and from i see The module doesn't support this function the option

New or Affected Resource(s)

• aws_cloudfront_distribution

References

• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html

• #0000

[jmgreg31]

Any updates on adding this feature?

[Nowaker]

Very weird not to have a way to create invalidations with Terraform.

[Nowaker]

@ofirshtrull Why close? Please reopen.

[Nowaker]

If you're not interested in notifications, you can unsubscribe from notifications somewhere on the right...

[ofirshtrull]

@Nowaker becuse i opened this ticket when i didn't have much knowledge about invalidaitions

invalidaitions are meant to clean ceach after deploy so that the edge servers will force to use the new files if they have the same files

And I hope you don't run terraform on each app deployment...

[Nowaker]

@ofirshtrull It's totally okay to use Terraform for such one-time things. There's AWS resources that are somewhat similar to that in concept, for example TLS certificate validations.

Please reopen as clearly there's other people interested in it (see the upvotes).

[vasylenko]

IMO, it's okay to have such a resource in Terraform. Because from the AWS point of view, the Invalidation is not just a record in the log. It is a kind of resource: it has some attributes (path) and can be copied.
And as @Nowaker mentioned, it is similar to the ACM validation: this resource cannot exist without its "parent", and defacto represents some operation that happened in the past, yet a critical operation.

I assume that as a resource, CloudFront Invalidation can play very well with the new lifecycle argument available in Terraform 1.2 — replace_triggered_by

[KyMidd]

I have a hacky solution here to use a null-resource to use the AWS CLI to invalidate the cloudfront cache based on an S3 object ID update. You could set a lot of different triggers that'd cause this null-resource/cache invalidation to trigger, it doesn't have to be an S3 object updating.

• Article
• article with paywall bypass

# Upload sample web site for testing to bucket
resource "aws_s3_object" "website" {
  bucket       = aws_s3_bucket.aws_s3_bucket.id
  key          = "index.html"
  acl          = "private"
  source       = "./website/index.html"
  etag         = filemd5("./website/index.html")
  content_type = "text/html"
}

# Invalidate the CF cache when S3 website home page is updated
resource "null_resource" "invalidate_cf_cache" {
  provisioner "local-exec" {
    command = "aws cloudfront create-invalidation --distribution-id ${var.cf_id} --paths '/*'"
  }
  triggers = {
    website_version_changed = aws_s3_object.website.version_id
  }
}

It's not a perfect solution, but is terraform native (except for needing AWS CLI to wrap) and pretty clear to read.

[jmgreg31]

invalidaitions are meant to clean ceach after deploy so that the edge servers will force to use the new files if they have the same files
And I hope you don't run terraform on each app deployment...

I think this is a bad generalization or missing context. Like the example above, if you are managing application content files in s3, you would absolutely run terraform on each app deploy.

Additionally, if nothing is changing, terraform should recognize no divergence in state and move on. I think this is maybe where the challenge has been with an invalidation resource. I agree it can be considered a resource, but being immutable makes it more challenging to know when it should and shouldn’t be invoked.

@vasylenko and @KyMidd bring up some awesome ideas of how to solve this natively. If you can create a lifecycle hook to provision on resources changes (thinking specifically of file hash changes in s3), that seems like a really viable solution. It would be great to see something similar to this.

For us, we abstract our terraform anyways, so ended up leveraging boto3 to do the invalidation when/if needed. I mention this to say we were also able to then use the boto3 waiter class to ensure the invalidation was complete before moving on, which is something I think could be baked into a native terraform invalidation resource 👍

[iwarapter]

I added #37561 to support this - please contact your account managers to help get this prioritised :)