aws_cloudfront_distribution shows changes to origin block on every plan

[fields]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.10

• provider.archive v1.3.0
• provider.aws v2.32.0

Affected Resource(s)

• aws_cloudfront_distribution

Terraform Configuration Files

resource "aws_cloudfront_distribution" "assets_distribution" {
  origin {
    domain_name = "${var.bucket_domain_name}"
    origin_path = "${var.bucket_path}"
    origin_id = "${var.domain_names[0]}-origin"
    s3_origin_config {
      origin_access_identity = "${var.origin_access_identity}"
    }
  }
...

Expected Behavior

After apply, there should not be a change on subsequent plans.

Actual Behavior

On every subsequent run, the plan shows:

      + origin {
          + domain_name = "XXXXX.s3.amazonaws.com"
          + origin_id   = "YYYYY-origin"

          + s3_origin_config {}
        }
      - origin {
          - domain_name = "XXXXX.s3.amazonaws.com" -> null
          - origin_id   = "YYYYY-origin" -> null
        }

It appears that the s3 origin access identity is still set correctly, even though it is not listed in the plan.

Steps to Reproduce

1. terraform plan
2. terraform apply

[nicwise]

I'm getting this too. It's actually making the change, too, it's not just a NO-OP

We recently went from 0.11 to 0.12, and thats when it started happening. Highly frustrating.

[nicwise]

Confirmed this happens with 0.12.13 and 2.33.0. Tried ordering the origins the same as they are in the console - nope.

[borfig]

I have managed to reproduce it consistently with an empty origin_access_identity for an S3 origin:

resource "aws_cloudfront_distribution" "this" {
  comment         = "terraform-provider-aws-issue-10526"
  is_ipv6_enabled = true
  default_cache_behavior {
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD", "OPTIONS"]
    forwarded_values {
      cookies {
        forward = "none"
      }
      headers = [
        "Access-Control-Request-Headers",
        "Access-Control-Request-Method",
        "Origin"
      ]
      query_string = true
    }
    target_origin_id = "origin"
    // require presigned URLS
    trusted_signers        = ["self"]
    viewer_protocol_policy = "redirect-to-https"
  }
  default_root_object = "index.html"
  enabled             = true
  origin {
    domain_name = "mylovelybucket.s3.amazonaws.com"
    origin_id   = "origin"
    s3_origin_config {
      origin_access_identity = ""
    }
  }
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
  viewer_certificate {
    cloudfront_default_certificate = true
    minimum_protocol_version       = "TLSv1"
    ssl_support_method             = "sni-only"
  }
}

In our project, we have multiple distributions and only one of them has an S3 origin without an access identity. Only this distribution shows up in plan even if we don't touch it.

[justinretzolk]

Hey y'all 👋 Thank you for taking the time to file this issue! Given that there's been a number of AWS provider releases since you initially filed it, can anyone confirm whether you're still experiencing this behavior?

[chadmyers]

Hi I'm on provider 4.0.0 and it's still happening to me. I just ran into this problem today (14-Feb-2022) and looked it up and found this github issue.

I copied the - and + blocks from the plan output and diff'd them and they're identical.

For some context in my situation, I have an existing manually-created CF distribution from years ago and I've imported it into Terraform and I'm trying to get a clean plan to make sure my terraform files match current reality in my AWS account.

UPDATE: I went ahead and applied the changes terraform thought needed applying and it was successful. I did another plan and it shows that "Objects have changed outside of terraform" (which isn't true, I ran plan immediately after the apply was finished), but at the bottom it says that no changes are required and "Your infrastructure matches the configuration".

[justinretzolk]

Hi all 👋 Thank you for the additional context here. I've marked this as a bug so that we can look into it as soon as possible.

[tmccombs]

It is still happening for me on 4.47.0.

My guess is there is probably some non-determinism in the OriginHash function. Or maybe there is an attribute that has a default value stored in the state, but not in the configuration?

[pineros]

Currently having this issue. Began when I updated terraform scripts from v0.12.23 to Terraform v1.6.2 on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.22.0
• provider registry.terraform.io/hashicorp/github v5.40.0

Edit: Importing didn't help either

Edit edit: Fixed. Was an issue with origin shield. In the previous terraform version, I had to add origin shield through the AWS console since it wasn't a feature in the cloudfront distribution resource. I added the feature to the resource and that fixed the issue.

[evheniyt]

have the same issue when trying to import existing cloudfront configuration. After the import and running terraform plan it is trying to recreate all origins, despite not showing any real changes between the current state and terraform

Terraform v1.6.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.31.0

[dtiziani]

I'm getting the same here, after importing a resource created from cloudformation, the distribution is being imported, but it's trying to replace the origin, here's the output (the 2 values are exact the same, I just censored but they are a exact match):

using:

• hashicorp/aws - v5.29.0
• terraform - v1.6.2

[chadmyers]

I'm trying to add two new origins to an existing distribution and Terraform wants to remove all the existing origins and re-add them all in the same order.

I don't seem to be able to get it to just add the new origins. Has anyone found any tricks?

If this helps: Both the existing origins and the new origins are pointed at an ALB, nothing to do with S3.

[schtibe]

I'm experiencing the same behavior here. Currently on Terraform v.1.85 and AWS v5.54.1.

[rafhofbi]

Have same issue, Terraform 1.5.7 , AWS 5.18.1

[yanamazing]

Same issue, Terraform v1.9.5 - AWS v5.65.0