search

aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International
1.11k stars 57 forks source link

Issue creating AWS::CloudFront::ResponseHeadersPolicy #1156

Open LarsFronius opened 2 years ago

LarsFronius commented 2 years ago

Name of the resource

Other

Resource Name

AWS::CloudFront::ResponseHeadersPolicy

Issue Description

Hi, I am seeing Internal error reported from downstream service during operation 'AWS::CloudFront::ResponseHeadersPolicy'. or Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: f28bc45a-39b5-aabf-e46a-2c8e5e464249, HandlerErrorCode: InvalidRequest), depending on the provided configuration.

The issue sounds very familiar to the ones at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/571

Whether I provide a pretty complete response header policy or a completely empty one as can be seen here, either result in CREATE_FAILED errors.

 "ResponseHeaders84BC52D6": {
   "Type": "AWS::CloudFront::ResponseHeadersPolicy",
   "Properties": {
    "ResponseHeadersPolicyConfig": {
     "Name": "testHeaders"
    }
   },
   "Metadata": {
    "aws:cdk:path": "test/gateway-setup/ResponseHeaders/Resource"
   }
  },

I am in eu-central-1 and the IAM role used for deployment has AdministratorAccess (set up via CDK pipelines) in case that makes any difference. Any other resources deploy without errors (e.g. the Distribution itself).

Expected Behavior

I expect for a ResponseHeadersPolicy to be created when I provide a name for it.

Observed Behavior

It errors with an internal error that doesn't give a hint about what I did wrong.

Test Cases

Create a cloudformation stack in eu-central-1 like

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ResponseHeaders": {
            "Type": "AWS::CloudFront::ResponseHeadersPolicy",
            "Properties": {
                "ResponseHeadersPolicyConfig": {
                    "Name": "testHeaders"
                }
            }
        }
    }
}

Other Details

No response

jplock commented 2 years ago

Have you tried creating the policy in us-east-1?

LeandroSoares commented 2 years ago

I have the same issue creating in sa-east-1:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: 9788bcb9-0cc9-57a4-d152-442549949243, HandlerErrorCode: InvalidRequest)

LeandroSoares commented 2 years ago

I have the same issue creating in sa-east-1:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeadersPolicy" (RequestToken: 9788bcb9-0cc9-57a4-d152-442549949243, HandlerErrorCode: InvalidRequest)

I found the cause of my error:

"CustomHeadersConfig": { "Items": [ { "Header": "Cross-Origin Resource Policy", << was without '-' "Override": true, "Value": "same-origin" } ] }

blimmer commented 2 years ago

You might also be running into this CDK issue where the auto-generated name is too long: https://github.com/aws/aws-cdk/issues/21524, especially if you're using CDK pipelines. The CloudFormation error isn't very useful. In the UI, it tells you the name is too long.

scottiemc7 commented 2 years ago

I ran into this when the policy name contained invalid characters. This restriction is not mentioned in the documentation for the Name parameter, but if you try to create a policy in the console you can see:

The parameter [NAME] contains characters other than alphanumericals, dashes, and underscores. 🙄

rehanvdm commented 1 year ago

I solved it by looking at CloudTrail, it shows the actual API error message which is much more useful.

cchanche commented 1 year ago

For my part, I was specifying a wrong value for CorsConfig.AccessControlAllowMethods : 

AccessControlAllowMethods:
  Items:
    - *

should have been :

AccessControlAllowMethods:
  Items:
    - ALL

CloudTrail logs were not showing any further details, and I ended up A/B testing my desired config from a demo cloudformation template.

I guess the actual issue is simply there is no verbosity no matter the encountered errors.

yibb-y commented 1 year ago

For AWS CDK it is:

 corsBehavior: 
  {
    accessControlAllowMethods: ['ALL'],
  },

instead of

 corsBehavior: 
  {
    accessControlAllowMethods: ['*'],
  },
JonWallsten commented 1 year ago

Thank you, @yibb-y and @cchanche! Even the documentation is wrong:

A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header. You can specify ['*'] to allow all origins.

image

ShivamJoker commented 10 months ago

Cloudtrail shows you the error message which you need to fix this issue:

"errorMessage": "1 validation error detected: Value '[null]' at 
'responseHeadersPolicyConfig.corsConfig.accessControlAllowMethods.items' failed to satisfy constraint:
Member must satisfy constraint: [Member must satisfy enum value set: [HEAD, POST, ALL, PATCH, DELETE, PUT, GET, OPTIONS]]",

As suggested above use [ALL] pretty confusing but yeah.

AllanOricil commented 7 months ago

ALL can't be used for accessControlAllowOrigins, only for accessControlAllowHeaders and accessControlAllowMethods, as an additional information in case someone tries it

image