Issue with aws_cloudfront_distribution.ordered_cache_behavior.forwarded_values.headers #19675

Closed
cwitte4191 opened this issue Jun 4, 2021 · 4 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

cwitte4191 commented Jun 4, 2021

TLDR

When the headers are not specified (they are documented as optional), it looks like a possible prior value is being retained on update (via terraform apply). I was expecting a deterministic behavior (such as defaulting to an empty list).

Terraform CLI and Terraform AWS Provider Version

terraform -v
Terraform v0.15.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.44.0

Affected Resource(s)

aws_cloudfront_distribution

Terraform Configuration Files

Multiple config files. The error happens when applying changes to an existing resource.
Both config files attached in zip file below.

Steps to Reproduce

  • terraform apply original/cloudfront.tf
  • update the tf using target/cloudfront.tf
  • re-run terraform apply

I've attached a zip file that includes a reproduce.sh script that will create the resources and demonstrate the issue.

awsCloudfrontHeaderIssue.zip

Expected Behavior

  • Both terraform apply steps should succeed
  • Terraform should report the removal of the header field in its change report when the 2nd terraform apply is executed.

Actual Behavior

Terraform will perform the following actions:

  # aws_cloudfront_distribution.s3_distribution will be updated in-place
  ~ resource "aws_cloudfront_distribution" "s3_distribution" {
        id                             = "E3DBL8IXUNXELI"
        tags                           = {
            "Environment" = "defectReport"
        }
        # (19 unchanged attributes hidden)


      ~ ordered_cache_behavior {
          ~ target_origin_id       = "customOrigin" -> "myS3Origin"
            # (11 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }



        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cloudfront_distribution.s3_distribution: Modifying... [id=E3DBL8IXUNXELI]
╷
│ Error: error updating CloudFront Distribution (E3DBL8IXUNXELI): InvalidHeadersForS3Origin: Your request contains forwarded Header Name * that is not allowed by S3.
│ 	status code: 400, request id: 08909a8d-233d-4358-bcc3-550ddbac0274
│

Important Factoids

  • The header name that triggered the error is present in the original tf file, but removed in the target tf file. It looks like that removal was not correctly processed, which triggers the AWS message.

  • When run, terraform does not report the removal of the headers in the planned change. For my use case, that impacted the origin change from custom->S3.

  • The diff of the *.tf files in the shell script looks like this:

diff original/cloudfront.tf target/cloudfront.tf
79c79
<     target_origin_id = local.custom_origin_id
---
>     target_origin_id = local.s3_origin_id
83c83
<       headers      = ["*"]
---
>       //headers      = []  // works when run with empty headers (as opposed to missing/default headers)
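Review bot: in the 83c83 hunk, headers is commented out rather than set, so the target file leaves the attribute unset in the same change where 79c79 moves target_origin_id to the S3 origin. The hunk's own trailing comment says the apply works with an explicit empty list, so write headers = [] on that line to make the removal of ["*"] explicit.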
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 4, 2021
@anGie44 anGie44 added bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 7, 2021
@caleb-gosnell

Can also confirm that removing the headers attribute of an ordered_cache_behavior's forwarded_values has resulted in the previous headers value remaining after an apply.

with

$ terraform -v
Terraform v1.0.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.57.0

and

$ terraform -v
Terraform v1.0.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.42.0

@rjmsilveira

We can confirm this behavior as well. Adding a behavior and not specifying a header will make TF ignore whatever is configured on the behavior it is renaming.

The only way to fix this temporarily is adding headers = [], and that will make TF manage the field and remove all headers the previous behavior might have.
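
A check that follows from the workaround reported in this thread, as an added example that is not part of the original issue or the provider's code: a line-oriented Python scan that flags forwarded_values blocks with no explicit headers attribute, the case where the thread reports a previously applied value persisting. It is not a full HCL parser (it assumes one block opener or closing brace per line and only // and # comments), and the sample configuration is constructed.

```python
import re

# Constructed sample shaped like the issue's target/cloudfront.tf (not the attached file).
SAMPLE_TF = '''
resource "aws_cloudfront_distribution" "s3_distribution" {
  default_cache_behavior {
    target_origin_id = local.s3_origin_id
    forwarded_values {
      query_string = false
      headers      = []
    }
  }
  ordered_cache_behavior {
    target_origin_id = local.s3_origin_id
    forwarded_values {
      query_string = false
      //headers      = []
      cookies {
        forward = "none"
      }
    }
  }
}
'''

COMMENT = re.compile(r'(//|#).*$')                     # line comments only
OPEN = re.compile(r'^\s*([A-Za-z_][\w-]*)\b.*\{\s*$')  # block or map opener
HEADERS = re.compile(r'^\s*headers\s*=')

def unset_headers(tf_text):
    """Return (line_no, parent_block) per forwarded_values block lacking headers."""
    findings, stack = [], []  # stack items: [name, start_line, has_headers]
    for no, raw in enumerate(tf_text.splitlines(), 1):
        line = COMMENT.sub('', raw)
        m = OPEN.match(line)
        if m:
            stack.append([m.group(1), no, False])
        elif HEADERS.match(line) and stack and stack[-1][0] == 'forwarded_values':
            stack[-1][2] = True
        elif line.strip() == '}' and stack:
            name, start, has_headers = stack.pop()
            if name == 'forwarded_values' and not has_headers:
                parent = stack[-1][0] if stack else '(top level)'
                findings.append((start, parent))
    return findings

if __name__ == '__main__':
    for line_no, parent in unset_headers(SAMPLE_TF):
        print(f'line {line_no}: forwarded_values in {parent} has no explicit headers')
```
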

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 18, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 20, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023