[Bug]: cloudfront: IllegalUpdate You cannot update Origin or CallerReference #33338

Closed
cgrenzel opened this issue Sep 7, 2023 · 6 comments · Fixed by #33578
Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. service/cloudfront Issues and PRs that pertain to the cloudfront service.

cgrenzel commented Sep 7, 2023

Terraform Core Version

1.5.6

AWS Provider Version

5.15.0

Affected Resource(s)

Resources:

  • aws_cloudfront_continuous_deployment_policy
  • aws_cloudfront_distribution

When deployed by terraform in 2 steps:

  1. Deploy one aws_cloudfront_distribution with staging set to false; one aws_cloudfront_distribution with staging true; one aws_cloudfront_continuous_deployment_policy referencing the staging distribution in the staging_distribution_dns_names.
  2. After the creation of those 3 resources, set the continuous_deployment_policy_id on the main distribution.

Trying to apply changes using terraform to the staging distribution will fail with the message "An error occurred (IllegalUpdate) when calling the UpdateDistribution operation: You cannot update Origin or CallerReference."
The same change works on the main distribution.
Also the same change works for the staging distribution if done outside terraform (CLI, Console).

The change mentioned is a different path_pattern of an ordered_cache_behaviour already deployed.

Expected Behavior

The update to be successful for both CloudFront Distributions.

Actual Behavior

The update fails for the Staging Distribution only.

Relevant Error/Panic Output Snippet

"An error occurred (IllegalUpdate) when calling the UpdateDistribution operation: You cannot update Origin or CallerReference."

Terraform Configuration Files

Steps to Reproduce

Resources:

  • aws_cloudfront_continuous_deployment_policy
  • aws_cloudfront_distribution

Deployed by terraform in 2 steps:

  1. Deploy one aws_cloudfront_distribution with staging set to false; one aws_cloudfront_distribution with staging true; one aws_cloudfront_continuous_deployment_policy referencing the staging distribution in the staging_distribution_dns_names.
  2. After the creation of those 3 resources, set the continuous_deployment_policy_id on the main distribution.

Do any changes on the staging Distribution.

Debug Output

No response

Panic Output

No response

Important Factoids

Through AWS CloudTrail investigation, it was noticed that the request from Terraform that fails is UpdateDistribution [1].
The request doesn't include the variable continuousDeploymentPolicyId.
This variable is not present on the Terraform State for the staging CloudFront Distribution resource.

After hardcoding the Policy ID on the staging distribution and applying, this variable is set on the Terraform State and updates work.

Referencing aws_cloudfront_continuous_deployment_policy in code throws a circular reference error, so hardcoding was the way to test it.

Also, the example from the documentation on the aws_cloudfront_continuous_deployment_policy resource doesn't set continuous_deployment_policy_id on the staging Distribution [2].

References

[1] https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html
[2] https://registry.terraform.io/providers/hashicorp/aws/5.15.0/docs/resources/cloudfront_continuous_deployment_policy

Would you like to implement a fix?

None
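
A check for the state condition described in this report, as an added example that is not part of the original issue or the provider's code: it walks `terraform show -json` output and lists staging distributions whose state carries no continuous_deployment_policy_id. The sample state, resource names, module name and IDs are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json` output; the resource
# names, module name and IDs are made up for illustration.
SAMPLE_STATE = json.loads("""
{
  "values": {"root_module": {
    "resources": [
      {"address": "aws_cloudfront_distribution.primary",
       "type": "aws_cloudfront_distribution",
       "values": {"id": "EPRIMARYEXAMPLE", "staging": false,
                  "continuous_deployment_policy_id": "example-policy-id"}},
      {"address": "aws_cloudfront_continuous_deployment_policy.this",
       "type": "aws_cloudfront_continuous_deployment_policy",
       "values": {"id": "example-policy-id"}}
    ],
    "child_modules": [{
      "address": "module.cdn",
      "resources": [
        {"address": "module.cdn.aws_cloudfront_distribution.staging",
         "type": "aws_cloudfront_distribution",
         "values": {"id": "ESTAGINGEXAMPLE", "staging": true,
                    "continuous_deployment_policy_id": ""}}
      ]}]
  }}
}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def staging_without_policy(state):
    """Return addresses of staging distributions whose state has no policy ID."""
    root = (state.get("values") or {}).get("root_module") or {}
    flagged = []
    for res in iter_resources(root):
        if res.get("type") != "aws_cloudfront_distribution":
            continue
        values = res.get("values") or {}
        # An unset ID may appear as "" or null in the state; treat both as missing.
        if values.get("staging") and not values.get("continuous_deployment_policy_id"):
            flagged.append(res["address"])
    return flagged
```

To run it against a real workspace, pass the parsed output of `terraform show -json` to `staging_without_policy` in place of `SAMPLE_STATE`.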

@cgrenzel cgrenzel added the bug Addresses a defect in current functionality. label Sep 7, 2023
@github-actions github-actions bot added the service/cloudfront Issues and PRs that pertain to the cloudfront service. label Sep 7, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 7, 2023
@justinretzolk
Member

Hey @cgrenzel 👋 Thank you for taking the time to raise this! Can you supply a sample Terraform configuration that can be used to reproduce this, and debug logs (redacted as needed)?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 7, 2023
@uduncanu

Hello! I'm having the same issue here, and I've attached a sample Terraform configuration:
cloudfront_test_github_33338.txt

Steps to use that:

  1. terraform apply
  2. Uncomment the line near the top of the file setting continuous_deployment_policy_id. This can't be set when creating the distribution, so we need it to already exist.
  3. apply again
  4. Change the origin (set in the origin_domain_name variable at the top of the file)
  5. apply again. This gives the error "IllegalUpdate: You cannot update Origin or CallerReference." Changing the variable also changes it for the primary distribution, which is successful.

Also attached is what I think is the relevant part of terraform's log: terraform-33338.log

Thanks!

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 20, 2023
@YakDriver YakDriver changed the title [Bug]: [Bug]: cloudfront: You cannot update Origin or CallerReference Sep 20, 2023
@YakDriver
Member

YakDriver commented Sep 20, 2023

> Hello! I'm having the same issue here, and I've attached a sample Terraform configuration

@uduncanu Super helpful! Thank you

@YakDriver YakDriver changed the title [Bug]: cloudfront: You cannot update Origin or CallerReference [Bug]: cloudfront: IllegalUpdate You cannot update Origin or CallerReference Sep 20, 2023
@github-actions github-actions bot added this to the v5.19.0 milestone Sep 27, 2023
@YakDriver YakDriver self-assigned this Sep 27, 2023
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Sep 27, 2023
@github-actions github-actions bot removed the bug Addresses a defect in current functionality. label Sep 29, 2023
@github-actions

This functionality has been released in v5.19.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2023
@justinretzolk justinretzolk added the bug Addresses a defect in current functionality. label Feb 10, 2024