Cloudfront public key is associated when it's recreated. It errors as AWS asks for dissasociation before removal.

[joanayma]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.15.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.37.0

Affected Resource(s)

• aws_cloudfront_key_group
• aws_cloudfront_public_key

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_cloudfront_key_group" "foo" {
  name  = "foo"
  items = [
    aws_cloudfront_public_key.foo.id,
  ]
}

resource "aws_cloudfront_public_key" "foo" {
  name        = "foo"
  encoded_key = file("public_key.pem")
}

Debug Output

I will need to do a full separated test in another account to get a clean debug log.

Panic Output

Expected Behavior

During apply it should:

1. remove the public key from key group
2. delete the key
3. create the key
4. add the key to the key group

Steps to Reproduce

1. terraform apply shows that will change the key group item and the public key encoded_key.
2. When changes are accepted it goes to recreate the public key but it can't as it's still associated to key group.

First, a public_key.pem file is required in same working directory.
You need to create the two resources first with a usual terraform apply. It will succeed.
Then modify the public_key.pem file to make terraform need to recreate the aws_cloudfront_public_key resource.
The next terraform apply is the one in the failure description.

I think there's nothing that could effect this two resources.

I think using file("*.pem") and for_each can do the trick without changing the tf code. But I also think this isn't much terraforming as I will have to do two applies and not really sure it will change anything as the order of the apply will be still start with the aws_cloudfront_key_group. Using depends_on gets to a cycle error (ofc).

aws_cloudfront_key_group was created some days ago:

• Support the use of CloudFront Trusted Key Group as a signer #15912

[joanayma]

I filled this as bug but now I realize it's more a feature than a bug 😉 sorry

[gdavison]

No worries about bug vs feature 🙂

Unfortunately, because of how Terraform currently models dependencies between resources, there isn't a good way to fix this problem. There is an open issue on Terraform core to address this.

There is a potential workaround described at hashicorp/terraform#16065 (comment), which may work for you.

Since this issue requires changes to the core Terraform dependency model, I'm going to close this issue. Once the support is available, we will address this and other issues caused by dependencies across resources. You may be able to find other workarounds or solutions in our forums for the AWS Provider or Terraform.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.