hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Unable to remove Trusted Key Group from CloudFront distribution #35528

Open thaim opened 7 months ago

thaim commented 7 months ago

Terraform Core Version

1.7.0, 1.5.7

AWS Provider Version

5.33.0

Affected Resource(s)

Expected Behavior

When trusted_key_groups are removed from cloudfront distribution configuration in Terraform, the restricted viewer access mode should be disabled in the CloudFront distribution settings.

Actual Behavior

After removing trusted_key_groups from the Terraform configuration and running terraform apply, Terraform detects no changes. The CloudFront distribution still has the viewer access mode enabled with the previously configured trusted key groups.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = data.aws_s3_bucket.this.bucket_regional_domain_name
    origin_id   = data.aws_s3_bucket.this.id
  }
  enabled             = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = data.aws_s3_bucket.this.id
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400

    trusted_key_groups = [aws_cloudfront_key_group.this.id]
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

data "aws_s3_bucket" "this" {
  bucket = "sample-bucket-thaim"
}

resource "aws_cloudfront_key_group" "this" {
  name  = "sample-key-group"
  items = [aws_cloudfront_public_key.example.id]
}

resource "aws_cloudfront_public_key" "example" {
  name        = "sample-key"
  encoded_key = tls_private_key.example.public_key_pem
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

Steps to Reproduce

  1. Run terraform init
  2. Run terraform apply
  3. Remove trusted_key_groups attribute from the aws_cloudfront_distribution resource in the Terraform configuration.
  4. Run terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 7 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

ciffelia commented 2 months ago

I have the same issue on AWS Provider version 5.53.0.

Additional information: when trusted_key_groups is removed from ordered_cache_behavior, everything works fine. When it is removed from default_cache_behavior, Terraform detects no changes.
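Because Terraform reports no diff in the situation described in this issue, the only way to know whether a distribution still enforces signed URLs or cookies is to compare its live configuration with what the Terraform code intends. The following is an added example written for this page, not code from the provider or from either commenter. It assumes a dict in the shape of the DistributionConfig returned by CloudFront's GetDistributionConfig API (TrustedKeyGroups with Enabled, Quantity and Items under DefaultCacheBehavior and under each CacheBehaviors item); the sample config, the "/private/*" path pattern and the key group id are constructed placeholders. It checks both the default cache behavior (where the issue occurs) and ordered cache behaviors (which the second comment reports as working), so a single run covers both cases.

```python
"""Detect trusted-key-group drift between a CloudFront distribution's live
configuration and the key groups the Terraform configuration intends.

The dict shape mirrors the DistributionConfig returned by CloudFront's
GetDistributionConfig API; SAMPLE_CONFIG below is constructed for this
example and does not come from a real distribution.
"""
from typing import Dict, List, Optional


def trusted_key_groups(behavior: dict) -> List[str]:
    """Return the key group ids a cache behavior actually enforces.

    TrustedKeyGroups.Enabled == False means viewer access is unrestricted
    regardless of what Items contains, so that case yields no key groups.
    """
    tkg = behavior.get("TrustedKeyGroups") or {}
    if not tkg.get("Enabled", False):
        return []
    return sorted(tkg.get("Items") or [])


def find_drift(distribution_config: dict,
               intended: Dict[Optional[str], List[str]]) -> List[str]:
    """Compare live trusted key groups with the intended ones per behavior.

    `intended` maps an ordered_cache_behavior path pattern to the key group
    ids Terraform declares for it; the key None stands for
    default_cache_behavior. A behavior missing from `intended` is expected
    to enforce no key groups, which is exactly the state the issue shows
    Terraform failing to apply. Returns one finding per drifted behavior;
    an empty list means live state matches intent.
    """
    findings: List[str] = []

    default = distribution_config["DefaultCacheBehavior"]
    live = trusted_key_groups(default)
    want = sorted(intended.get(None, []))
    if live != want:
        findings.append(f"default_cache_behavior: live={live} intended={want}")

    ordered = (distribution_config.get("CacheBehaviors") or {}).get("Items") or []
    for behavior in ordered:
        pattern = behavior["PathPattern"]
        live = trusted_key_groups(behavior)
        want = sorted(intended.get(pattern, []))
        if live != want:
            findings.append(
                f"ordered_cache_behavior[{pattern}]: live={live} intended={want}"
            )
    return findings


# Constructed sample: the state the issue describes after trusted_key_groups
# was removed from default_cache_behavior but CloudFront kept enforcing it.
# "KEYGROUP-ID-PLACEHOLDER" and "/private/*" are placeholders, not real values.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "sample-bucket-thaim",
        "TrustedKeyGroups": {
            "Enabled": True,
            "Quantity": 1,
            "Items": ["KEYGROUP-ID-PLACEHOLDER"],
        },
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [
            {
                "PathPattern": "/private/*",
                "TargetOriginId": "sample-bucket-thaim",
                "TrustedKeyGroups": {"Enabled": False, "Quantity": 0},
            }
        ],
    },
}

if __name__ == "__main__":
    # The Terraform configuration no longer declares trusted_key_groups
    # anywhere, so the intended mapping is empty.
    for finding in find_drift(SAMPLE_CONFIG, {}):
        print("DRIFT", finding)
```

To run this against a real distribution, replace SAMPLE_CONFIG with `boto3.client("cloudfront").get_distribution_config(Id=distribution_id)["DistributionConfig"]` and build the `intended` mapping from the Terraform configuration (for the configuration in this issue after step 3, that mapping is empty). Any finding means the live distribution enforces a different signed-access policy than the code declares, which is the condition Terraform fails to surface here.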