AWS::CloudFront::CachePolicy and AWS::CloudFront::OriginRequestPolicy #571
Comments
PatMyron
changed the title
|
I know this isn't a support channel (and I have a ticket open anyway) but I tried this today in |
|
Ditto |
|
I Just ran into the same issue (eu-central-1). And while you're on it, please implement Brotli on the the AWS::CloudFront::CachePolicy ParametersInCacheKeyAndForwardedToOrigin type (EnableAcceptEncodingBrotli). |
|
Is there a workaround for this? cachepolicy is not working in ap-southeast-1 |
|
Yep would like also to have |
Support for the new Cache Policy concept in CloudFront, which replaces the existing `ForwardedValues` properties and specifies what parts of a request make up the cache key, and what TTLs to use. _Implementation notes:_ * To achieve the API I wanted for the managed policies, I opted to *not* have `ICachePolicy` extend `IResource`. I admit to not understanding all of the implications of this, so welcome feedback. * I also opted to exclude the `cachePolicyLastUpdatedTimestamp` attribute from both `ICachePolicy` and `CachePolicy`, as the use case for them isn't clear, and handling the property for managed/imported cache policies was awkward. * Lastly, I opted to remove completely (rather than deprecate) the `forwardedValues` property, forcing users to create (or use managed) Cache Policies to achieve the same behavior. * Related to the above, `ForwardedValues` is marked as deprecated and optional in the CloudFormation docs, but if no `CachePolicyId` or `ForwardedValues` are specified, the deployment will fail claiming `ForwardedValues` is missing. That's why I opted to default the `CachePolicyId` to "CachingOptimized". *--NOTE: This functionality is currently broken:--* The CloudFormation support for creating new Cache Policies was released, but subsequent issues have been found and it appears users have been unable to create Cache Policies. See aws-cloudformation/cloudformation-coverage-roadmap#571 Marking this as draft until the above issue is resolved. fixes #9644 BREAKING CHANGES: Distribution `forwardedValues` have been removed in favor of `cachePolicy` and the new CachePolicy construct. * **cloudfront:** Distributions now default to the "CachingOptimized" managed cache policy
|
For those experiencing the |
|
This seems to be fully supported and working now 👍 |
|
I'm getting failure with the following policy on us-east-1: Does that look right? Is it a bug w/aws?
|
|
I had the same error. Turned out that |
|
I was getting |
|
@burritoIand Make sure you dont already have a policy with that name, take a look in CloudFront. I had encountered a similar error and I figure out I already had a policy with same name. |
|
@BogdanDarius thanks for the suggestion, I just checked and it only has the default policies. I also tried adding the stackname to the
|
|
@burritoIand can you share your yaml file maybe? |
|
hey @BogdanDarius, will paste again: DefaultCachePolicy:
Type: 'AWS::CloudFront::CachePolicy'
Properties:
CachePolicyConfig:
DefaultTTL: 86400
MaxTTL: 31536000
MinTTL: 1
Name: !Sub 'CachePolicy-${AWS::StackName}'
ParametersInCacheKeyAndForwardedToOrigin:
CookiesConfig:
CookieBehavior: 'none'
EnableAcceptEncodingBrotli: true
EnableAcceptEncodingGzip: true
HeadersConfig:
HeaderBehavior: 'none'
QueryStringsConfig:
QueryStringBehavior: 'none'When my build is running it successfully creates the changeset, but then fails during "CHANGE_SET_EXECUTE" with above error. I've been sort of background tinkering with this but I suppose I could try to create the policy using the cli and see if I get any more information on the error? Not sure how to get more info than "error reported downstream" |
|
It'd be great if |
|
Would love to find out if it there is indeed a bug preventing creating the cache policy with cloudformation... |
|
Hit another issue with OriginRequestPolicy. HeaderBehavior set to |
|
I also hit the Turns our I did not have the necessary |
|
@elgordino that was it! thank you |
|
In my case that's not the problem, CloudFormation has AdministratorAccess but fails to create the Template: |
|
If you try to whitelist This was the reason my CloudFormation template failed with I can confirm the problem mentioned by @stephankaag in OriginRequestPolicy. The problem also exists for |
|
I can white-list the Authorization header via the UI but not via CloudFormation. That always gives me this error: |
I am having the same problem just now.. not sure why.. would be great if someone could be of help! Thanks! update: |
|
Keeping this open in case you have not resolved your issues and want me to report back. It is shipped though. |
|
I'm unable to create a cache policy with min, default and max ttl all 0s. "invalid request provided" ... the error messages for CachePolicy could use some work. |
|
Error messages from CloudTrail are very usefull here. For example this is one.
But this error does not align with the documentation then. Here is another failed attempt. |
|
CloudTrail was a great way to see more errors. For me this was the error I found that caused this problem:
|
|
I'm also getting Checked CloudTrail, says: |
|
@petrgazarov you should avoid adding the Authorization header (or any Auth related / user- identifying header) to the Origin Policy According to the documentation adding a header to the Cache policy, should automatically forward it to the Origin (so that's where it should be added) Last week there was an issue with doing that though, I'm not sure if that has been solved yet: https://twitter.com/donkersgood/status/1358547329381498880 |
|
@benbridts You cannot forward header if you set default, min and max ttl to zero for api distribution. I have made issue for that |
|
Unfortunately, nothing that CloudFormation (or CDK) can do about that. It's a limitation of the CloudFront API (I recommend opening a support case / feature request if you can). I still stand by the assertion that putting anything that is used to provide authorization or authentication in the OriginRequestPolicy is a bad idea. That means that currently the options are:
There is a slight difference in behaviour for some headers between all three:
|
|
@benbridts My question is about security related. Lambda authorizer supports identity source. |
|
@benbridts Just for your information. You cannot forward all headers to the API gateway from cloudfront. Also from my testing the min ttl default value is 1 second. And if I set the same 1 second for default ttl and max ttl then it forwards the header. Not tried the older way. |
You can set everything except maximum to 0 too:
Apologies, I didn't re-read the context. The reason for that is the host header. If you don't forward the host header from CloudFront, API-GW will see the Origin DomainName ( There is a trick that works with Regional API Gateways. If you define a domain-mapping as-if there wouldn't be a cloudfront in front of it, api-gw will find the right stage. It's not ideal (if you know the api-gw IP addresses, you could bypass CloudFront, but since you're not using CloudFront for caching that's probably not a big concern). Here is a proof-of-concept template (you need to create acm certificates beforehand, and configure dns after deploying): Transform: AWS::Serverless-2016-10-31
Parameters:
DomainName:
Type: String
Description: DomainName to use
RegionalCertificateArn:
Type: String
Description: ARN of a regional ACM certificate that contains the DomainName
AllowedPattern: arn:aws:acm:[a-z0-9-]+:[0-9]{12}:certificate/[a-z0-9-]+
GlobalCertificateArn:
Type: String
Description: ARN of a ACM certificate in us-east-1 that contains the DomainName
AllowedPattern: arn:aws:acm:us-east-1:[0-9]{12}:certificate/[a-z0-9-]+
Mappings:
Constants:
ManagedPolicyIds:
CachingDisabled: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
AllViewer: 216adef6-5c7f-47e4-b989-5492eafa07d3
Resources:
Distribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Comment: !Ref AWS::StackName
Aliases: [!Ref DomainName]
ViewerCertificate:
AcmCertificateArn: !Ref GlobalCertificateArn
SslSupportMethod: sni-only
Origins:
- Id: apigw
# ApiEndpoint starts with https://
DomainName: !Select [1, !Split ['https://', !GetAtt ServerlessHttpApi.ApiEndpoint]]
CustomOriginConfig: {OriginProtocolPolicy: https-only}
DefaultCacheBehavior:
TargetOriginId: apigw
ViewerProtocolPolicy: redirect-to-https
AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
CachedMethods: [GET, HEAD, OPTIONS]
Compress: True
CachePolicyId: !FindInMap [Constants, ManagedPolicyIds, CachingDisabled]
OriginRequestPolicyId: !FindInMap [Constants, ManagedPolicyIds, AllViewer]
Enabled: true
HttpVersion: http2
IPV6Enabled: true
ApiGatewayDomainName:
Type: AWS::ApiGatewayV2::DomainName
Properties:
DomainName: !Ref DomainName
DomainNameConfigurations:
- CertificateArn: !Ref RegionalCertificateArn
EndpointType: "REGIONAL"
ApiGatewayMapping:
Type: AWS::ApiGatewayV2::ApiMapping
Properties:
ApiId: !Ref ServerlessHttpApi
DomainName: !Ref DomainName
Stage: !Ref ServerlessHttpApiApiGatewayDefaultStage
EchoFunction:
# Implicitly creates ServerlessHttpApi and ServerlessHttpApiApiGatewayDefaultStage
Type: AWS::Serverless::Function
Properties:
Description: !Sub "${AWS::StackName} Echo Function"
Events:
HttpApiEvent:
Type: HttpApi
Handler: index.handler
InlineCode: |
import json
def handler(event, _):
return {
"statusCode": 200,
"headers": {"Content-Type": "application/json"},
"body": json.dumps(event, indent=4),
}
Runtime: python3.8
Outputs:
CloudFrontDomainName:
Value: !GetAtt Distribution.DomainName
Description: Configure this in DNS
ApiEndpoint:
Value: !GetAtt ServerlessHttpApi.ApiEndpoint
Description: The API Gateway Endpoint |
|
@benbridts About the big solution what is the domain name you are using? The main reason for using cloudfront is so that I don't have to open It is not clear what domain name you are trying to use. |
|
I'm using the same domain name on the api-gateway as on CloudFront. Note that you don't actually point DNS to the API-Gateway. In your example, it would be |
|
Thanks but this solution really difficult to understand. |
The important parts are the
That's great, personally, I prefer using the Cache Policy too, I would even raise the MaxTTL and take advantage of the Caching feature (if responses contains cache headers, so I'd leave the default at 0).
If you use a regional api-gateway the ACM certificate that you use needs to exist in the same region as the API-GW For CloudFront and Edge-Optimized API-GW it needs to be in us-east-1 (source). If you're deploying in us-east-1, you can use the same ARN for both.
The same method should also work in the CDK, at least with L1 constructs. I don't know if there are L2 constructs that make this easier. Explaining CloudFormation will take a bit more time :) |
I had this problem, min, default, and max were all set to 0. My configuration mirrored the managed policy Name: CachingDisabled The fact that CFN only returns |
|
So a little bit of followup, we're using CDK to deploy the same Stack containing a CF CachePolicy and OriginRequestPolicy across different stages (i.e production vs development). We were previously relying on CDK/CFN to auto-generate names for CachePolicy and OriginRequestPolicy. This worked fine for the first stack, but we ran into what looked like a name collision when deploying another stack. The error is highly opaque: Manually specifying a name for CachePolicy ( These constructs are really finicky, I generally expect CFN to successfully generate non-colliding names for resources, and give me something to work on as an error besides "Internal Error." |
|
Can confirm this bug is still alive and well in 2022. If, in a cache policy, you set Thanks for everyone's comments here, saved a lot of trial and error to reverse engineer the opaque "Invalid request" error 👏👏 |
|
Can confirm it's still here in Aug 2022, ap-southeast-2. As njlynch said, check the name used for the cache policy. I found the same with origin request policies, in my case because I had punctuation in the policy names which triggered the issue. Changing to lowercase alphanumeric fixed it. Can I suggest a temporary workaround to sort this issue would be for CloudFormation to return a meaningful error message ie "cache policy creation failed. Policy name must be lowercase alphanumeric"? Then you can ignore the issue for another 2 years..... |
|
The error "Invalid request provided" can also be caused by having |
|
I solved it by looking at CloudTrail, it shows the actual API error message which is much more useful. |
and others
1. Title
AWS::CloudFront::CachePolicy
AWS::CloudFront::OriginRequestPolicy
2. Scope of request
Last week, CloudFront introduced reusable cache policies and origin request policies and deprecated the previous way of specifying these behaviors through the distribution configuration. I imagine the CloudFormation team is already aware of this change since the corresponding documentation in in CloudFormation is already up to date.
3. Expected behavior
The required parameters should probably stick with what the
CreateCachePolicyandCreateOriginRequestPolicyAPI calls require, I think there's not much room for discussion regarding this.Both of these should somehow return their ID to use along with the
AWS::CloudFront::Distributionresource, otherwise there would be no meaning in including these resources in the first place.4. Suggest specific test cases
When creating a new distribution with
AWS::CloudFront::Distributionyou would probably want to specify its cache policy and origin request policy along with it, as most have done up until now with the legacy way of specifying these parameters.It's not a very good practice to hard-code the IDs of the cache policy and origin request policy, especially since if you use the same stack for multi-account deployments you would want to avoid both hard-coded values and parameters altogether, and the only option you would be left with would be to create an
AWS::AccountId-based mapping with each account's cache policy/origin request policy ID, which as I'm sure you're aware, can lead to problems if your AccountID starts with a zero and you have to package your template before deploying it (awscli team I'm looking at you).5. Helpful Links to speed up research and evaluation
Feature announcement
Relevant CloudFront developer guide documentation
Relevant CloudFront API documentation for cache policies (CreateCachePolicy, UpdateCachePolicy and DeleteCachePolicy)
Relevant CloudFront API documentation for origin request policies (CreateOriginRequestPolicy, UpdateOriginRequestPolicy and DeleteOriginRequestPolicy)
CloudFormation documentation page for AWS::CloudFront::Distribution DefaultCacheBehavior, which is already up to date regarding these changes.
6. Category
Networking & Content Delivery
The text was updated successfully, but these errors were encountered: