hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cloudfront_distribution origin is marked as changed each run #33464

Open IliaGe opened 12 months ago

IliaGe commented 12 months ago

Terraform Core Version

1.1.3

AWS Provider Version

v4.67.0

Affected Resource(s)

aws_cloudfront_distribution

Expected Behavior

Plan should finish empty

Actual Behavior

The Origin is being re-created with the same content

  ~ resource "aws_cloudfront_distribution" "s3_distribution" {
        id                             = "E2ZU6WXXXXXL"
        tags                           = {
            "Application"  = "xxx"
            "CreateBy"     = "terraform"
        }
        # (19 unchanged attributes hidden)

      + origin {
          + connection_attempts = 3
          + connection_timeout  = 10
          + domain_name         = "xxx-main.s3.us-east-2.amazonaws.com"
          + origin_id           = "xxx-main"

          + origin_shield {
              + enabled              = false
              + origin_shield_region = "us-east-1"
            }

          + s3_origin_config {
              + origin_access_identity = "origin-access-identity/cloudfront/xxx"
            }
        }
      - origin {
          - connection_attempts = 3 -> null
          - connection_timeout  = 10 -> null
          - domain_name         = "xxx-main.s3.us-east-2.amazonaws.com" -> null
          - origin_id           = "xxx-main" -> null

          - s3_origin_config {
              - origin_access_identity = "origin-access-identity/cloudfront/xxx" -> null
            }
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudfront_distribution" "s3_distribution" {
  count = var.create_extra_cdn ? 1 : 0

  origin {
    origin_shield {
      enabled              = var.origin_shield_enabled
      origin_shield_region = var.origin_shield_region
    }
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.admin_oai[0].cloudfront_access_identity_path
    }
    domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name
    origin_id   = aws_s3_bucket.bucket.id
    origin_path = var.origin_path
  }
  enabled = var.enabled
  comment = aws_s3_bucket.bucket.id

  aliases = var.acm_certificate_arn != "" ? var.aliases : []

  default_cache_behavior {
    allowed_methods  = var.default_cache_behavior_allowed_methods
    cached_methods   = var.default_cache_behavior_cached_methods
    target_origin_id = aws_s3_bucket.bucket.id

    forwarded_values {
      query_string = var.target_origin_id_forwarded_values_query_string

      cookies {
        forward = var.target_origin_id_forwarded_values_cookies_forward
      }
    }

    viewer_protocol_policy = var.default_cache_behavior_viewer_protocol_policy
    min_ttl                = var.default_cache_behavior_viewer_min_ttl
    default_ttl            = var.default_cache_behavior_viewer_default_ttl
    max_ttl                = var.default_cache_behavior_viewer_max_ttl
  }

  restrictions {
    geo_restriction {
      restriction_type = var.restrictions_geo_restriction_restriction_type
    }
  }

  tags = var.tags

  viewer_certificate {
    acm_certificate_arn            = var.acm_certificate_arn
    ssl_support_method             = var.acm_certificate_arn == "" ? null : "sni-only"
    minimum_protocol_version       = var.minimum_protocol_version
    cloudfront_default_certificate = var.acm_certificate_arn == "" ? true : false
  }
}

Steps to Reproduce

a

Debug Output

No response

Panic Output

No response

Important Factoids

It looks like it is related to "origin_shield", as I have 20 more environments with the same module (where origin_shield is enabled) and it works as expected there.

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 12 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 12 months ago

Hey @IliaGe 👋 Thank you for taking the time to raise this! For your other configurations that are using the same module, do any of the other ones have var.origin_shield_enabled set to false? I'm wondering if that might be the difference here, and if so, whether moving origin_shield to a dynamic block might help.

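One way to express the dynamic-block suggestion in the comment above, written here as an added example rather than the maintainer's or the provider's own code. It reuses the resource and variable names from the issue's configuration and assumes var.origin_shield_enabled is a bool and var.origin_shield_region a string, as they are used there; everything outside the origin block is left exactly as in the reported configuration.

```hcl
variable "origin_shield_enabled" {
  type    = bool
  default = false
}

variable "origin_shield_region" {
  type    = string
  default = "us-east-1"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  count = var.create_extra_cdn ? 1 : 0

  origin {
    domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name
    origin_id   = aws_s3_bucket.bucket.id
    origin_path = var.origin_path

    # Emit the origin_shield block only when shielding is actually wanted.
    # With enabled = false the block is omitted from the configuration
    # altogether, so there is nothing for the provider to compare against
    # a distribution that has no Origin Shield configured.
    dynamic "origin_shield" {
      for_each = var.origin_shield_enabled ? [1] : []
      content {
        enabled              = true
        origin_shield_region = var.origin_shield_region
      }
    }

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.admin_oai[0].cloudfront_access_identity_path
    }
  }

  # remaining arguments (enabled, comment, aliases, default_cache_behavior,
  # restrictions, tags, viewer_certificate) unchanged from the configuration
  # shown in the issue
}
```

After switching, `terraform plan -detailed-exitcode` returns 0 when the plan is empty and 2 when changes are pending, which makes it easy to confirm in CI that the origin is no longer rewritten on every run; a perpetual diff on a CDN origin is worth eliminating not only for noise but because it masks genuine drift in the same resource.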
IliaGe commented 12 months ago

Hey @justinretzolk, in all other places that use the same module it is set to true :0 Can you elaborate on what you suggest regarding moving to a dynamic block? Thanks!

vazkir commented 7 months ago

Any update on this issue?