aws_cloudfront_distribution: Support `origin.s3_origin_config.origin_read_timeout` argument (but blocked by an unexpected behavior in Terraform Plugin SDK)

[tabito-hara]

Description

Response timeout in CloudFront for S3 origins (OriginReadTime) was introduced in the following AWS SDK for Go v2 update:

aws/aws-sdk-go-v2@b21029e#diff-3196ecfdd68168a2a0be95f08f93c0b98ef7da856211cfa22aa391274d354e69

To implement the OriginReadTime configuration in the AWS Provider as origin.s3_origin_config.origin_read_timeout, a DiffSuppressFunc (specifically, SuppressMissingOptionalConfigurationBlock) is required for the s3_origin_config block. This is because, even if s3_origin_config is not specified in the configuration, the AWS API still returns the default s3_origin_config.origin_read_timeout within the block.

This situation exactly matches the intended use case of SuppressMissingOptionalConfigurationBlock:

terraform-provider-aws/internal/verify/diff.go

Lines 12 to 18 in d74e0fd

	// SuppressMissingOptionalConfigurationBlock handles configuration block attributes in the following scenario:
	// - The resource schema includes an optional configuration block with defaults
	// - The API response includes those defaults to refresh into the Terraform state
	// - The operator's configuration omits the optional configuration block
	func SuppressMissingOptionalConfigurationBlock(k, old, new string, d *schema.ResourceData) bool {
	return old == "1" && new == "0"
	}

However, when DiffSuppressFunc is applied to an element inside a TypeSet block, the Terraform Plugin SDK creates an unexpected additional element in the TypeSet. In this case, an extra origin is added to the plan:

      + origin {
          + connection_attempts         = 3
          + connection_timeout          = 10
          + domain_name                 = "tf-test.origin-bucket.s3.ap-northeast-1.amazonaws.com"
          + origin_id                   = "myS3Origin"
            # (2 unchanged attributes hidden)
        }
      + origin {
        }

This unexpected behavior has been reported in the terraform-plugin-sdk GitHub repository:

• Set ends up with additional empty elements terraform-plugin-sdk#652
• Apply results in an incorrect Update for TypeSet with an unexpected empty element terraform-plugin-sdk#895

A PR to resolve this issue was submitted more than three years ago, but remains open:
hashicorp/terraform-plugin-sdk#1042

Therefore, in order to implement origin.s3_origin_config.origin_read_timeout, I believe this Plugin SDK issue must either be resolved or worked around.

Important Facts and References

Relations

Relates #44116
Relates #44163

Would you like to implement a relevant change?

After the issue in the Plugin SDK is resolved, I will resume implementation for origin.s3_origin_config.origin_read_timeout.

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.