Recent aws_cloudfront_distribution change breaks a usage pattern #7773
Comments
bflad
added
the
service/cloudfront
|
Hi @lievertz 👋 Thanks for writing in. Yesterday we released version 2.0.0 of the Terraform AWS Provider, which includes this resource schema change. Originally the code intended to include this The inclusion of the fix was actually stemming from the upcoming Terraform 0.12 ability to also support # variables.tf
variable "acm_certificate_arn" {
description = "Existing ACM Certificate ARN"
default = null
type = string
}
# main.tf
resource "aws_cloudfront_distribution" "default" {
# ... other configuration ...
viewer_certificate {
acm_certificate_arn = var.acm_certificate_arn
ssl_support_method = "sni-only"
minimum_protocol_version = var.viewer_minimum_protocol_version
cloudfront_default_certificate = var.acm_certificate_arn ? null : true
}However, given the Terraform 0.12 release timing and longer tail for general Terraform 0.12 adoption, I believe we would be amenable to temporarily remove the "fixed" I'll mark this issue for our current release milestone (releasing next week) and ensure it is triaged. If you need to pin to the last 1.X Terraform AWS Provider release, a configuration like this can do that in the meantime: provider "aws" {
# ... other configuration ...
version = "~> 1.60"
} |
|
Hi @bflad Thanks for the response! Yeah... we appear to have stumbled kind of wholesale into 2.0 unawares, so thank you for for the context... sorry I missed that searching for a more specific issue -- I kind of missed the larger boat there! Thank you for looking at that hold-off for implementing that validation as it will be nice to approach the later fix with a direct replacement. Much appreciated! |
…figuration block argument `ConflictsWith` usage and fix various related issues with deployment timing References: * #7773 * #3077 * #1074 * #260 Here we remove the problematic `viewer_certificate` argument `ConflictsWith` schema configuration as it interferes with Terraform Module usage until Terraform 0.12 is more prevalent. More details: #7773 (comment) When writing acceptance testing to cover setting both the `viewer_certificate` configuration block `acm_certificate_arn` and `cloudfront_default_certificate` arguments being defined, the below error was consistently happening when the test configuration included `enabled = false`: ``` --- FAIL: TestAccAWSCloudFrontDistribution_ViewerCertificate_AcmCertificateArn (1935.57s) testing.go:599: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: Error applying: 1 error occurred: * aws_cloudfront_distribution.test (destroy): 1 error occurred: * aws_cloudfront_distribution.test: CloudFront Distribution E3GDAPNU6UPO0O cannot be deleted: PreconditionFailed: The request failed because it didn't meet the preconditions in one or more request-header fields. status code: 412, request id: 4e73a086-3c33-11e9-832f-7732257f45e8 ``` While debugging this the following further issues were encountered: * The resource did not wait for deployment to complete on creation and updates so in the acceptance testing the deletion function was always handling `InProgress` operations. * Disabled distributions would always update the distribution on deletion to disable them without checking if it was necessary, causing unnecessary delays. * The `PreconditionFailed` error seemed to be related to some eventual consistency issue within CloudFront right after disabling the distribution, which was always done. Retrying was a sufficient workaround for the error. * The deletion process did not ignore `NoSuchDistribution` errors such as the below: ``` --- FAIL: TestAccAWSCloudFrontDistribution_ViewerCertificate_AcmCertificateArn (1835.97s) testing.go:599: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: Error applying: 1 error occurred: * aws_cloudfront_distribution.test (destroy): 1 error occurred: * aws_cloudfront_distribution.test: CloudFront Distribution E2HQM77NFHV9T cannot be deleted: NoSuchDistribution: The specified distribution does not exist. ``` This changeset bundles all these fixes together as they are related. Previous output for `ConflictsWith` acceptance testing: ``` --- FAIL: TestAccAWSCloudFrontDistribution_ViewerCertificate_AcmCertificateArn_ConflictsWithCloudFrontDefaultCertificate (1.64s) testing.go:538: Step 0 error: config is invalid: 2 problems: - aws_cloudfront_distribution.test: "viewer_certificate.0.acm_certificate_arn": conflicts with viewer_certificate.0.cloudfront_default_certificate - aws_cloudfront_distribution.test: "viewer_certificate.0.cloudfront_default_certificate": conflicts with viewer_certificate.0.acm_certificate_arn ``` Output from acceptance testing: ``` --- PASS: TestAccAWSCloudFrontDistribution_Origin_EmptyDomainName (2.15s) --- PASS: TestAccAWSCloudFrontDistribution_Origin_EmptyOriginID (2.19s) --- PASS: TestAccAWSCloudFrontDistribution_ViewerCertificate_AcmCertificateArn_ConflictsWithCloudFrontDefaultCertificate (1915.48s) --- PASS: TestAccAWSCloudFrontDistribution_ViewerCertificate_AcmCertificateArn (1958.08s) --- PASS: TestAccAWSCloudFrontDistribution_noCustomErrorResponseConfig (2121.58s) --- PASS: TestAccAWSCloudFrontDistribution_HTTP11Config (2123.60s) --- PASS: TestAccAWSCloudFrontDistribution_orderedCacheBehavior (2126.73s) --- PASS: TestAccAWSCloudFrontDistribution_noOptionalItemsConfig (2126.82s) --- PASS: TestAccAWSCloudFrontDistribution_IsIPV6EnabledConfig (2176.09s) --- PASS: TestAccAWSCloudFrontDistribution_customOrigin (2178.92s) --- PASS: TestAccAWSCloudFrontDistribution_S3Origin (2178.98s) --- PASS: TestAccAWSCloudFrontDistribution_multiOrigin (2179.08s) --- PASS: TestAccAWSCloudFrontDistribution_S3OriginWithTags (3251.14s) ```
|
The fix for this has been merged and will release with version 2.1.0 of the Terraform AWS Provider, likely middle of this week. 👍 |
|
Does anyone have a workaround for this until 2.1.0 is available? I am kinda blocked by this |
|
This has been released in version 2.1.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
awesome. Problem solved! Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Community Note
Terraform Version
TERRAFORM_VERSION=0.11.11
Affected Resource(s)
Terraform Configuration Files
Relevant bit:
Also see similar example: https://github.com/cloudposse/terraform-aws-cloudfront-cdn/blob/master/main.tf
Debug Output
This is a pretty straightforward situation, so omitting this step.
Panic Output
N/A
Expected Behavior
Provider users were previously specifying the acm_certificate_arn and the cloudfront_default_certificate where the default option would use a ternary to only show true if acm_certificate_arn was blank.
Actual Behavior
Now you guys are explicitly enforcing only using one of those options.
Steps to Reproduce
Use both acm_certificate_arn as well as cloudfront_default_certificate in viewer_certificate. Use normally.
Important Factoids
References
Mostly I just wanted to file this to make sure you guys were aware that this was going to break some, perhaps a non-trivial number, of users... technically it matches the documentation (i.e., https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#viewer-certificate-arguments), so feel free to close as FAD... but... thought you might want a heads up... and I think the nature of this commit could potentially have introduced other issues as well... so again, just a heads up in case any of this is surprising or undesirable.
The text was updated successfully, but these errors were encountered: