
awscc_cloudfront_distribution - Origin access control / Origin access identity configuration are not getting applied #983

Open
pkrishjobs opened this issue Jun 9, 2023 · 3 comments
Labels
bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.

Comments

@pkrishjobs
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

awscc v0.52.0

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

S3 Bucket

resource "aws_s3_bucket" "s3_origin" {
  bucket = "sampleawsccbucket345"
}

Block public access to S3 bucket

resource "aws_s3_bucket_public_access_block" "s3_block_public_access" {
  bucket                  = aws_s3_bucket.s3_origin.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Attach bucket policy with object access to cloudfront origin

resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
  bucket = aws_s3_bucket.s3_origin.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

Cloudfront origin access identity

resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" {
  cloudfront_origin_access_identity_config = {
    comment = "SampleCloudFrontOAI"
  }
}

IAM policy document to allow S3 bucket read access to cloudfront origin access identity

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    principals {
      type        = "CanonicalUser"
      identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id]
    }
    effect = "Allow"
    actions = [
      "s3:GetObject",
    ]
    resources = [
      "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*"
    ]
  }
}

Cloudfront distribution with S3 origin config using OAI

resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {
  distribution_config = {
    enabled             = true
    compress            = true
    default_root_object = "index.html"
    comment             = "Sample Cloudfront Distribution using AWSCC provider"
    default_cache_behavior = {
      target_origin_id       = aws_s3_bucket.s3_origin.id
      viewer_protocol_policy = "redirect-to-https"
      allowed_methods        = ["GET", "HEAD", "OPTIONS"]
      cached_methods         = ["GET", "HEAD", "OPTIONS"]
      min_ttl                = 0
      default_ttl            = 5 * 60
      max_ttl                = 60 * 60
    }
    restrictions = {
      geo_restriction = {
        restriction_type = "none"
      }
    }
    viewer_certificate = {
      cloudfront_default_certificate = true
      minimum_protocol_version       = "TLSv1.2_2018"
    }
    s3_origin = {
      dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
    }
    origins = [{
      domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
      id          = "SampleCloudfrontOrigin"
      s3_origin_config = {
        origin_access_identity = awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id
      }
    }]

  }
  tags = [{
    key   = "Name"
    value = "Cloudfront Distribution with S3 Origin"
  }]
}

Debug Output

Terraform resources get created without errors.

Panic Output

Expected Behavior

Origin access settings on the CloudFront distribution should have used the Origin Access Identity (OAI) option, selected with the OAI resource that was created as part of the Terraform resource configuration.

Actual Behavior

Origin access settings on the CloudFront distribution use the default setting [i.e., expect S3 public access] and do not use the OAI option with the OAI resource that was created.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

#977 (comment)

@pkrishjobs pkrishjobs changed the title awscc_cloudfront_distribution - Origin access control / Origin access identity configuration are not being set for S3 origin config even when supplied. Only default public setting is set after resource provisioning. awscc_cloudfront_distribution - Origin access control / Origin access identity configuration are not getting applied Jun 9, 2023
@pkrishjobs
Contributor Author

After the 1st terraform apply, resources are created successfully but the terraform state has a missing resource. When performing terraform plan/apply again a 2nd time, it shows changes in the plan, and applying those changes gives the error below.

Error: AWS SDK Go Service Operation Incomplete

│ with awscc_cloudfront_distribution.cloudfront_s3_origin,
│ on cloudfront-with-s3-origin-oac.tf line 55, in resource "awscc_cloudfront_distribution" "cloudfront_s3_origin":
│ 55: resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {

│ Waiting for Cloud Control API service UpdateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid request provided: IamCertificateId or AcmCertificateArn can be specified only if
│ SslSupportMethod must also be specified and vice-versa.. ErrorCode: InvalidRequest

pkrishjobs added a commit to pkrishjobs/terraform-provider-awscc that referenced this issue Jun 15, 2023
@wellsiau-aws
Collaborator

When I use CCAPI to describe the resource, I get different values returned, for example the DefaultCacheBehavior:

note: formatted for readability

"DefaultCacheBehavior": {
  . . .
  "TargetOriginId": "Default",
  "ViewerProtocolPolicy": "allow-all",
  . . .
  "DefaultTTL": 86400,
   . . .
  "AllowedMethods": [
    "HEAD",
    "GET"
  ],
  "CachedMethods": [
    "HEAD",
    "GET"
  ],
  . . .
  "MinTTL": 0,
  "MaxTTL": 31536000
},

as opposed to the HCL configuration:

    default_cache_behavior = {
      target_origin_id       = aws_s3_bucket.s3_origin.id
      viewer_protocol_policy = "redirect-to-https"
      allowed_methods        = ["GET", "HEAD", "OPTIONS"]
      cached_methods         = ["GET", "HEAD", "OPTIONS"]
      min_ttl                = 0
      default_ttl            = 5 * 60
      max_ttl                = 60 * 60
    }

and Terraform state

"default_cache_behavior": {
  "allowed_methods": [
    "GET",
    "HEAD",
    "OPTIONS"
  ],
  "cache_policy_id": null,
  "cached_methods": [
    "GET",
    "HEAD",
    "OPTIONS"
  ],
  . . .
  "default_ttl": 300,
  . . .
  "max_ttl": 3600,
  "min_ttl": 0,
  . . . 
  "target_origin_id": "terraform-20230720041249283400000001",
  . . .
  "viewer_protocol_policy": "redirect-to-https"
},

@wellsiau-aws wellsiau-aws added bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency. and removed needs-triage labels Sep 7, 2023
@kadrach
Contributor

kadrach commented Sep 15, 2023

Even forgoing CC this looks strange.

resource "awscc_cloudfront_distribution" "this" {
  distribution_config = {
    enabled = false

    default_cache_behavior = {
      target_origin_id       = "example.com"
      viewer_protocol_policy = "redirect-to-https"

      forwarded_values = {
        query_string = false
      }
    }
    viewer_certificate = {
      cloudfront_default_certificate = true
      minimum_protocol_version       = "TLSv1.2_2018"
    }

    origins = [{
      domain_name = "example.com"
      id          = "example.com"
      custom_origin_config = {
        origin_protocol_policy = "https-only"
      }
    }]
  }
}

corresponds to a CreateDistribution call with the intended minimumProtocolVersion

{
  "distributionConfigWithTags": {
    "tags": {
      "items": []
    },
    "distributionConfig": {
      "defaultRootObject": "",
      "aliases": {
        "quantity": 0,
        "items": []
      },
      "cacheBehaviors": {
        "quantity": 0,
        "items": []
      },
      "httpVersion": "http1.1",
      "originGroups": {
        "quantity": 0,
        "items": []
      },
      "viewerCertificate": {
        "minimumProtocolVersion": "TLSv1.2_2018",
        "cloudFrontDefaultCertificate": true
      },
      "webACLId": "",
      "customErrorResponses": {
        "quantity": 0,
        "items": []
      },
      "logging": {
        "includeCookies": false,
        "prefix": "",
        "enabled": false,
        "bucket": ""
      },
      "priceClass": "PriceClass_All",
      "restrictions": {
        "geoRestriction": {
          "restrictionType": "none",
          "quantity": 0,
          "items": []
        }
      },
      "callerReference": "4bf32458-5628-475b-af4f-64ce48358cf1",
      "enabled": false,
      "defaultCacheBehavior": {
        "targetOriginId": "example.com",
        "minTTL": 0,
        "compress": false,
        "maxTTL": 31536000,
        "functionAssociations": {
          "quantity": 0,
          "items": []
        },
        "trustedKeyGroups": {
          "quantity": 0,
          "items": [],
          "enabled": false
        },
        "smoothStreaming": false,
        "fieldLevelEncryptionId": "",
        "defaultTTL": 86400,
        "lambdaFunctionAssociations": {
          "quantity": 0,
          "items": []
        },
        "viewerProtocolPolicy": "redirect-to-https",
        "forwardedValues": {
          "cookies": {
            "forward": "none",
            "whitelistedNames": {
              "items": [],
              "quantity": 0
            }
          },
          "queryStringCacheKeys": {
            "quantity": 0,
            "items": []
          },
          "queryString": false,
          "headers": {
            "quantity": 0,
            "items": []
          }
        },
        "trustedSigners": {
          "items": [],
          "enabled": false,
          "quantity": 0
        },
        "allowedMethods": {
          "quantity": 2,
          "items": [
            "GET",
            "HEAD"
          ],
          "cachedMethods": {
            "quantity": 2,
            "items": [
              "GET",
              "HEAD"
            ]
          }
        }
      },
      "origins": {
        "quantity": 1,
        "items": [
          {
            "originPath": "",
            "customOriginConfig": {
              "originReadTimeout": 30,
              "hTTPSPort": 443,
              "originProtocolPolicy": "https-only",
              "originKeepaliveTimeout": 5,
              "hTTPPort": 80,
              "originSslProtocols": {
                "quantity": 2,
                "items": [
                  "TLSv1",
                  "SSLv3"
                ]
              }
            },
            "id": "example.com",
            "domainName": "example.com",
            "customHeaders": {
              "quantity": 0,
              "items": []
            }
          }
        ]
      },
      "comment": "HIDDEN_DUE_TO_SECURITY_REASONS"
    }
  }
}

yet describing the resulting distribution shows it uses TLSv1/sslv3.

aws cloudfront get-distribution-config --id ... --region us-east-1 --query "DistributionConfig.ViewerCertificate"                                        ~/src/terraform-provider-awscc/test main+ (v)
{
    "CloudFrontDefaultCertificate": true,
    "SSLSupportMethod": "vip",
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront"
}
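Because the settings in this thread are lost without any apply-time error (the OAI dropped from the S3 origin in the original report, and the viewer MinimumProtocolVersion and origin SSL protocols falling back to TLSv1/SSLv3 in the comment above), the practical defence is a post-apply check against what CloudFront actually stored. The following is an added example, not code from the issue or the awscc provider: it validates the document returned by `aws cloudfront get-distribution-config` on a constructed sample; the protocol-version ordering, the sample values and the `EXAMPLEETAG` placeholder are assumptions.

```python
import json

# Ordering of CloudFront MinimumProtocolVersion values, oldest first
# (assumption: these are the documented ViewerCertificate value names).
PROTOCOL_RANK = {v: i for i, v in enumerate([
    "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
    "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"])}
REQUIRED_VIEWER_VERSION = "TLSv1.2_2018"   # what the HCL in this thread asks for
WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1"}


def check_distribution_config(doc: dict) -> list:
    """Return drift findings for a get-distribution-config document (empty = OK)."""
    cfg = doc.get("DistributionConfig", doc)   # accept the CLI wrapper or bare config
    findings = []
    version = cfg.get("ViewerCertificate", {}).get("MinimumProtocolVersion", "SSLv3")
    if PROTOCOL_RANK.get(version, -1) < PROTOCOL_RANK[REQUIRED_VIEWER_VERSION]:
        findings.append("viewer MinimumProtocolVersion is %s, expected %s"
                        % (version, REQUIRED_VIEWER_VERSION))
    for origin in cfg.get("Origins", {}).get("Items", []):
        oid = origin.get("Id")
        s3 = origin.get("S3OriginConfig")
        # CloudFront returns "" for an unset OAI / OAC, so a truthiness test suffices.
        if (s3 is not None and not s3.get("OriginAccessIdentity")
                and not origin.get("OriginAccessControlId")):
            findings.append("S3 origin %s has no OAI/OAC: bucket must be public" % oid)
        custom = origin.get("CustomOriginConfig")
        if custom is not None:
            weak = WEAK_ORIGIN_PROTOCOLS & set(
                custom.get("OriginSslProtocols", {}).get("Items", []))
            if weak:
                findings.append("custom origin %s allows %s" % (oid, sorted(weak)))
    return findings


# Constructed sample mirroring what this thread reports: viewer cert fell back to
# TLSv1, the S3 origin lost its OAI, and the custom origin accepted TLSv1/SSLv3.
SAMPLE = json.loads("""{
  "ETag": "EXAMPLEETAG", "DistributionConfig": {
    "ViewerCertificate": {"CloudFrontDefaultCertificate": true,
      "SSLSupportMethod": "vip", "MinimumProtocolVersion": "TLSv1"},
    "Origins": {"Quantity": 2, "Items": [
      {"Id": "SampleCloudfrontOrigin", "OriginAccessControlId": "",
       "S3OriginConfig": {"OriginAccessIdentity": ""}},
      {"Id": "example.com", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
       "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "SSLv3"]}}}]}}}""")

if __name__ == "__main__":
    for finding in check_distribution_config(SAMPLE):
        print("DRIFT:", finding)
```

Run it against real output by piping `aws cloudfront get-distribution-config --id <ID>` into `json.load` instead of `SAMPLE`; a non-empty result means the applied configuration does not match the HCL intent.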
