hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cloudfront_origin_access_control creation China Region #36608

Open stephenrjohnson opened 6 months ago

stephenrjohnson commented 6 months ago

Terraform Core Version

1.7.3

AWS Provider Version

5.42.0

Affected Resource(s)

aws_cloudfront_origin_access_control

Expected Behavior

Create a new origin access control in cloudformation

Actual Behavior

The API returns a throttling error, but this happens when they don't support something in China. It's been happening over multiple days, accounts and users.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  region = "cn-northwest-1"
  alias = "cf-region"
}

resource "aws_cloudfront_origin_access_control" "this" {
  name                              = "testtest"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
  provider                          = aws.cf-region
}

Steps to Reproduce

Use the above code and try to create an aws_cloudfront_origin_access_control in the China region.

Debug Output

2024-03-27T10:27:32.774Z [DEBUG] provider.terraform-provider-aws_v5.42.0_x5: HTTP Request Sent: tf_mux_provider="*schema.GRPCProviderServer" http.url=https://cloudfront.cn-northwest-1.amazonaws.com.cn/2020-05-31/origin-access-control tf_aws.sdk=aws-sdk-go http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************STJ5/20240327/cn-northwest-1/cloudfront/aws4_request, SignedHeaders=content-length;host;x-amz-date, Signature=*****" rpc.system=aws-api tf_resource_type=aws_cloudfront_origin_access_control tf_rpc=ApplyResourceChange aws.region=cn-northwest-1
  http.request.body=
  | <OriginAccessControlConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"><Name>testtest</Name><OriginAccessControlOriginType>s3</OriginAccessControlOriginType><SigningBehavior>always</SigningBehavior><SigningProtocol>sigv4</SigningProtocol><Description>Managed by Terraform</Description></OriginAccessControlConfig>
   http.flavor=1.1 http.request.header.x_amz_date=20240327T102732Z rpc.method=CreateOriginAccessControl2020_05_31 rpc.service=CloudFront @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.51/logger.go:109 @module=aws net.peer.name=cloudfront.cn-northwest-1.amazonaws.com.cn tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=02437e76-6b86-d5e9-cd54-3341493e2685 http.method=POST http.request_content_length=335 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.3 (+https://www.terraform.io) terraform-provider-aws/5.42.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.51.4 (go1.21.8; darwin; arm64)" timestamp=2024-03-27T10:27:32.774Z
2024-03-27T10:27:33.653Z [DEBUG] provider.terraform-provider-aws_v5.42.0_x5: HTTP Response Received: http.response.header.x_amzn_requestid=6728994c-5381-4047-96bb-5f1a2297aef2 rpc.service=CloudFront tf_resource_type=aws_cloudfront_origin_access_control
  http.response.body=
  | <?xml version="1.0"?>
  | <ErrorResponse xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"><Error><Type>Sender</Type><Code>Throttling</Code><Message>Rate exceeded</Message></Error><RequestId>6728994c-5381-4047-96bb-5f1a2297aef2</RequestId></ErrorResponse>

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None


green3g commented 6 months ago

Can confirm this issue is happening to us as well. ~Is the solution to manually create the resource then import into TF state?~

Edit:

Looks like CloudFront does not support origin access control policies in AWS China. https://docs.amazonaws.cn/en_us/aws/latest/userguide/cloudfront.html - instead they suggest using origin access identity.
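
An added example, not code from this thread or from the provider project: one way to follow the suggestion above is to select origin access identity (OAI) when the provider targets the China partition and keep origin access control (OAC) elsewhere, while still restricting bucket reads to CloudFront. The bucket name and resource labels are hypothetical, and the sketch assumes the default provider is the one pointed at the target region.

```hcl
# Added example; bucket name and resource labels are hypothetical.
data "aws_partition" "current" {}

locals {
  # Per the comment above, OAC is not offered in the China partition ("aws-cn").
  use_oai = data.aws_partition.current.partition == "aws-cn"
}

# Origin access identity, created only in aws-cn.
resource "aws_cloudfront_origin_access_identity" "this" {
  count   = local.use_oai ? 1 : 0
  comment = "OAI fallback where OAC is unavailable"
}

# Origin access control, created in every other partition.
resource "aws_cloudfront_origin_access_control" "this" {
  count                             = local.use_oai ? 0 : 1
  name                              = "testtest"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_s3_bucket" "origin" {
  bucket = "example-origin-bucket" # hypothetical name
}

# In aws-cn, allow object reads only from the OAI principal so the
# bucket stays private to everything except the distribution.
data "aws_iam_policy_document" "oai_read" {
  count = local.use_oai ? 1 : 0

  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.origin.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.this[0].iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "oai_read" {
  count  = local.use_oai ? 1 : 0
  bucket = aws_s3_bucket.origin.id
  policy = data.aws_iam_policy_document.oai_read[0].json
}
```

In the distribution's origin block, set `s3_origin_config.origin_access_identity` to the OAI's `cloudfront_access_identity_path` in aws-cn and `origin_access_control_id` elsewhere. Outside aws-cn the bucket policy would instead need to grant the CloudFront service principal, which this sketch leaves out.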