hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Terraform Cloudfront Cache behaviour issue #17737

Closed rijomroy closed 3 years ago

rijomroy commented 3 years ago

I created a Terraform configuration for AWS CloudFront. All the functions are working except cache behaviour: I can't set the cache behaviour to Use Origin Cache Headers.

I have read some documentation, and it says that if we remove min_ttl, max_ttl and default_ttl from the configuration it will work. But it is not working.

Is there a way to use the Use Origin Cache Headers setting in Terraform?

gdavison commented 3 years ago

Hi @rijomroy. AWS has some good documentation for managing the caching of content with CloudFront which might help with the configuration you need.

If the problem is that Terraform is not setting the values you expect on your CloudFront distribution, can you please include the Terraform configuration for the resources as well as showing the values that are actually set?

If you're looking for help with configuring CloudFront in general, I'd suggest trying either the AWS support forums or the AWS Provider forums.

rijomroy commented 3 years ago

provider.cf.txt main.cf.txt variables.cf.txt

This is my configuration. I don't see any issue in the conf apart from this cache behaviour.

gdavison commented 3 years ago

Hi @rijomroy. If you use the AWS Console to view your CloudFront distribution, does it show values that you don't expect?

If the values in the console are the same as what you set in Terraform, then it isn't a bug in Terraform. I suggest that you check out the AWS documentation for CloudFront or AWS Support Forums. They will be able to help you figure out how to correctly configure your CloudFront distribution.

Having said that, I did notice that one of your forwarded header fields is orgins, and I believe the expected HTTP header is Origin. So that may be the problem. If that doesn't fix it, please check the AWS documentation or support forums.

I'm going to close this issue. If Terraform isn't setting the correct values in your AWS resources, please create a new issue and include either a screenshot of the Console or the output of the AWS CLI command aws cloudfront get-distribution-config. It would also be useful to run Terraform with debug logging, as documented at https://www.terraform.io/docs/internals/debugging.html. Create a GitHub Gist with the log and include the link in the issue.

RichardBradley commented 3 years ago

I think I am seeing the same problem. I am using Terraform 0.13.6 and AWS provider v3.31.0.

I have an aws_cloudfront_distribution with no min_ttl, max_ttl or default_ttl set.

As per #1994 and elsewhere, I was expecting the origin to be set with "Use Origin Cache Headers". However, when I view the distribution in the console, Object Caching is set to "customise" with min_ttl, max_ttl and default_ttl all set to zero.

> If Terraform isn't setting the correct values in your AWS resources, please create a new issue and include either a screenshot of the Console or the output of the AWS CLI command aws cloudfront get-distribution-config.

I'm going to do a bit more investigation before I raise a new issue. Here is the output of aws cloudfront get-distribution-config (problem marked "# HERE"):

$ aws cloudfront get-distribution-config --id xxx
{
    "ETag": "E2A0YGF56Q1NVH",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Items": [
                {
                    "FieldLevelEncryptionId": "",
                    "TrustedSigners": {
                        "Enabled": false,
                        "Quantity": 0
                    },
                    "LambdaFunctionAssociations": {
                        "Quantity": 0
                    },
                    "TargetOriginId": "performance",
                    "ViewerProtocolPolicy": "redirect-to-https",
                    "ForwardedValues": {
                        "Headers": {
                            "Items": [
                                "authorization"
                            ],
                            "Quantity": 1
                        },
                        "Cookies": {
                            "Forward": "none"
                        },
                        "QueryStringCacheKeys": {
                            "Quantity": 0
                        },
                        "QueryString": true
                    },
                    "MaxTTL": 0,    # HERE
                    "PathPattern": "/performance*",
                    "SmoothStreaming": false,
                    "DefaultTTL": 0,    
                    "AllowedMethods": {
                        "Items": [
                            "HEAD",
                            "DELETE",
                            "POST",
                            "GET",
                            "OPTIONS",
                            "PUT",
                            "PATCH"
                        ],
                        "CachedMethods": {
                            "Items": [
                                "HEAD",
                                "GET",
                                "OPTIONS"
                            ],
                            "Quantity": 3
                        },
                        "Quantity": 7
                    },
                    "MinTTL": 0,
                    "Compress": false
                }
            ],
            "Quantity": 1
        },
        "IsIPV6Enabled": true,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "arn:aws:wafv2:us-east-1:xxx:global/webacl/xxx",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "",
                    "CustomOriginConfig": {
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1.2"
                            ],
                            "Quantity": 1
                        },
                        "OriginProtocolPolicy": "https-only",
                        "OriginReadTimeout": 30,
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginKeepaliveTimeout": 5
                    },
                    "CustomHeaders": {
                        "Items": [
                            {
                                "HeaderName": "x-xxx-auth",
                                "HeaderValue": "xxx"
                            }
                        ],
                        "Quantity": 1
                    },
                    "Id": "performance",
                    "DomainName": "xxx"
                },
                {
                    "OriginPath": "/int",
                    "CustomOriginConfig": {
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1.2"
                            ],
                            "Quantity": 1
                        },
                        "OriginProtocolPolicy": "https-only",
                        "OriginReadTimeout": 30,
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginKeepaliveTimeout": 5
                    },
                    "CustomHeaders": {
                        "Items": [
                            {
                                "HeaderName": "x-xxx-auth",
                                "HeaderValue": "xxx"
                            }
                        ],
                        "Quantity": 1
                    },
                    "Id": "xxx",
                    "DomainName": "xxx"
                }
            ],
            "Quantity": 2
        },
        "DefaultRootObject": "",
        "PriceClass": "PriceClass_100",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "FieldLevelEncryptionId": "",
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "frontend_rtv",
            "ViewerProtocolPolicy": "redirect-to-https",
            "ForwardedValues": {
                "Headers": {
                    "Items": [
                        "*"
                    ],
                    "Quantity": 1
                },
                "Cookies": {
                    "Forward": "all"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": true
            },
            "MaxTTL": 0,  # Note that this one is OK, as the origin has forward all headers turned on
            "SmoothStreaming": false,
            "DefaultTTL": 0,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "DELETE",
                    "POST",
                    "GET",
                    "OPTIONS",
                    "PUT",
                    "PATCH"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 7
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "terraform-20210311165846037600000002",
        "ViewerCertificate": {
            "SSLSupportMethod": "sni-only",
            "ACMCertificateArn": "arn:aws:acm:us-east-1:xxx:certificate/05576148-3f34-4086-b4af-0d4a4ddbad49",
            "MinimumProtocolVersion": "TLSv1.2_2019",
            "Certificate": "arn:aws:acm:us-east-1:xxx:certificate/05576148-3f34-4086-b4af-0d4a4ddbad49",
            "CertificateSource": "acm"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "OriginGroups": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "xxx.uk",
                "xxx.uk"
            ],
            "Quantity": 2
        }
    }
}

Here is my terraform:

resource "aws_cloudfront_distribution" "xxx" {
  provider = aws.virginia
  aliases = [local.frontend_api_domain, local.frontend_api_domain_cy]

  enabled         = true
  is_ipv6_enabled = true
  web_acl_id      = aws_wafv2_web_acl.xxx.arn

  origin {
    domain_name = "${aws_api_gateway_rest_api.xxx.id}.execute-api.${var.region}.amazonaws.com"
    origin_path = "/${local.environment}"
    origin_id   = "frontend_xxx"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    custom_header {
      name  = "x-xxx-auth"
      value = random_id.xxx.b64
    }
  }

  origin {
    domain_name = local.perf_backend_domain
    origin_id   = "performance"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    custom_header {
      name  = "x-xxx-auth"
      value = random_id.xxx.b64
    }
  }

  # Default layer is the "frontend_xxx", no caching (from origin headers)
  # See https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CacheBehavior.html
  # "You must create at least as many cache behaviors as you have origins"
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "frontend_xxx"

    forwarded_values {
      query_string = true
      cookies {
        forward = "all"
      }
      headers = ["*"]
    }

    viewer_protocol_policy = "redirect-to-https"
  }

  ordered_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    path_pattern           = "/performance*"
    target_origin_id       = "performance"
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
      headers = ["authorization"]
    }

  }

  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.frontend.arn
    ssl_support_method = "sni-only"
    minimum_protocol_version = "TLSv1.2_2019"
  }
}

Have I missed something?

Thanks
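As an added example (not code from the issue, the reporter or the provider), this Python script performs the comparison gdavison asks for: it reads `aws cloudfront get-distribution-config` JSON and flags any cache behaviour whose three TTLs are pinned to zero without forwarding every header, which is the "customise 0/0/0" state RichardBradley saw instead of "Use Origin Cache Headers". The embedded input is a constructed, trimmed copy of the output posted above; the skip on `CachePolicyId` is an assumption that TTLs for such behaviours live in the cache policy and are audited elsewhere.

```python
"""Audit CloudFront cache behaviours from get-distribution-config output."""
import json

# Constructed sample, trimmed from the JSON posted in the issue.
SAMPLE = json.dumps({
    "DistributionConfig": {
        "DefaultCacheBehavior": {
            "TargetOriginId": "frontend_rtv",
            "ForwardedValues": {"Headers": {"Items": ["*"], "Quantity": 1}},
            "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,
        },
        "CacheBehaviors": {"Quantity": 1, "Items": [{
            "PathPattern": "/performance*",
            "TargetOriginId": "performance",
            "ForwardedValues": {"Headers": {"Items": ["authorization"], "Quantity": 1}},
            "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,
        }]},
    }
})


def iter_behaviors(config):
    """Yield (label, behaviour) for the default and every ordered behaviour."""
    yield "default", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def forwards_all_headers(behavior):
    """Forwarding '*' means CloudFront does not cache, so 0/0/0 is expected there."""
    headers = behavior.get("ForwardedValues", {}).get("Headers", {})
    return "*" in headers.get("Items", [])


def audit(raw_json):
    """Return (label, reason) for behaviours where nothing is cached unintentionally."""
    config = json.loads(raw_json)["DistributionConfig"]
    findings = []
    for label, b in iter_behaviors(config):
        if "CachePolicyId" in b:  # assumption: TTLs governed by the cache policy
            continue
        ttls = (b.get("MinTTL", 0), b.get("DefaultTTL", 0), b.get("MaxTTL", 0))
        if ttls == (0, 0, 0) and not forwards_all_headers(b):
            findings.append((label, "TTLs all 0: MaxTTL=0 caps origin Cache-Control, "
                                    "so origin cache headers are not honoured"))
    return findings


if __name__ == "__main__":
    for label, reason in audit(SAMPLE):
        print(f"{label}: {reason}")
```

Run it against `aws cloudfront get-distribution-config --id <id>` output to confirm whether the deployed behaviour matches what the Terraform configuration intended.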

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!