Cloudfront resource with s3 + custom origins produce error #20659

Open
edelwud opened this issue Aug 23, 2021 · 1 comment
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.

edelwud commented Aug 23, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

  • Terraform v1.0.5
  • AWS provider 3.55.0

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

locals {
  domain                 = var.environment == "dev" ? "${var.domain}-${var.environment}" : var.domain
  full_domain            = "${local.domain}.${var.domain_extension}"
  core_origin_id         = "core-alb-${local.domain}"
  static_origin_id       = "frontend-cloudfront-${local.domain}"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = data.aws_s3_bucket.frontend_bucket_storage.bucket_regional_domain_name
    origin_id   = local.static_origin_id
    origin_path = "/${local.prefix}"

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/${var.oai_id}"
    }
  }

  origin {
    domain_name = var.alb_dns
    origin_id   = local.core_origin_id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.1"]
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  aliases = [local.full_domain]

  default_cache_behavior {
    allowed_methods = [
      "GET",
      "HEAD",
    ]

    cached_methods = [
      "GET",
      "HEAD",
    ]

    target_origin_id = local.static_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
  }

  ordered_cache_behavior {
    path_pattern     = "/api/*"
    allowed_methods  = ["GET", "POST", "HEAD", "PUT", "DELETE", "PATCH", "OPTIONS"]
    cached_methods   = ["HEAD", "GET"]
    target_origin_id = local.core_origin_id

    forwarded_values {
      query_string = false
      headers      = ["Origin", "Host"]

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = var.price_class

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  dynamic "viewer_certificate" {
    for_each = ["acm"]
    content {
      acm_certificate_arn      = var.certificate_arn
      ssl_support_method       = "sni-only"
      minimum_protocol_version = "TLSv1.2_2021"
    }
  }

  custom_error_response {
    error_code            = 403
    response_code         = 200
    error_caching_min_ttl = 0
    response_page_path    = "/"
  }

  wait_for_deployment = true
}

Debug Output

Panic Output

Error: Provider produced inconsistent final plan

When expanding the plan for
module.deploy.aws_cloudfront_distribution.s3_distribution to include new
values learned so far during apply, provider
"registry.terraform.io/hashicorp/aws" produced an invalid new value for
.origin: planned set element
cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3),
"connection_timeout":cty.NumberIntVal(10),
"custom_header":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String,
"value":cty.String})),
"custom_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"http_port":cty.NumberIntVal(80),
"https_port":cty.NumberIntVal(443),
"origin_keepalive_timeout":cty.NumberIntVal(5),
"origin_protocol_policy":cty.StringVal("https-only"),
"origin_read_timeout":cty.NumberIntVal(30),
"origin_ssl_protocols":cty.SetVal([]cty.Value{cty.StringVal("TLSv1")})})}),
"domain_name":cty.StringVal("alb.***.io"),
"origin_id":cty.StringVal("core-alb-demotestclient2"),
"origin_path":cty.NullVal(cty.String),
"origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool,
"origin_shield_region":cty.String})),
"s3_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_access_identity":cty.String}))})
does not correlate with any element in actual.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

script returned exit code 1

Expected Behavior

Successful deployment.

Actual Behavior

The first deployment succeeds, but subsequent deployments fail. If you change one of the custom_origin_config properties, the deployment will succeed, but the next deployments will fail with the same error.

Steps to Reproduce

  1. terraform apply

Important Factoids

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. labels Aug 23, 2021
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Aug 23, 2021
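
The configuration in this report sets `origin_ssl_protocols = ["TLSv1.1"]` on the custom origin, while the planned element in the error shows `"TLSv1"`; both predate TLSv1.2. As an added example (not part of the issue or the provider's code), the Python check below reads a plan in `terraform show -json` form and reports custom origins that permit legacy protocols or whose protocol set differs between prior state and plan. The sample plan and its origin IDs are constructed.

```python
import json

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # origin_ssl_protocols values older than TLSv1.2

# Constructed sample in the shape of `terraform show -json <planfile>`; not from the issue.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "aws_cloudfront_distribution.s3_distribution",
  "type": "aws_cloudfront_distribution",
  "change": {
    "before": {"origin": [
      {"origin_id": "static-example", "custom_origin_config": []},
      {"origin_id": "core-alb-example", "custom_origin_config": [
        {"origin_protocol_policy": "https-only", "origin_ssl_protocols": ["TLSv1"]}]}]},
    "after": {"origin": [
      {"origin_id": "static-example", "custom_origin_config": []},
      {"origin_id": "core-alb-example", "custom_origin_config": [
        {"origin_protocol_policy": "https-only", "origin_ssl_protocols": ["TLSv1.1"]}]}]}
  }}]}
""")

def origin_tls(state):
    """Map origin_id -> sorted origin_ssl_protocols for the custom origins of one state."""
    out = {}
    for origin in (state or {}).get("origin") or []:
        for cfg in origin.get("custom_origin_config") or []:  # empty list for S3 origins
            out[origin["origin_id"]] = sorted(cfg.get("origin_ssl_protocols") or [])
    return out

def audit(plan):
    """Return (address, origin_id, kind, detail) findings for CloudFront distributions."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudfront_distribution":
            continue
        before = origin_tls(rc["change"].get("before"))
        after = origin_tls(rc["change"].get("after"))
        for oid, protos in after.items():
            legacy = sorted(LEGACY.intersection(protos))
            if legacy:  # origin connection may negotiate a pre-TLSv1.2 protocol
                findings.append((rc["address"], oid, "legacy", legacy))
            if oid in before and before[oid] != protos:  # state and plan disagree
                findings.append((rc["address"], oid, "changed", (before[oid], protos)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLAN):
        print(finding)
```
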
ajf-firstup commented Jan 13, 2023

All three of these look suspiciously similar: this bug, #24359, and #26743.
