
Cloudfront Function Update - Not triggering redeployment #20788

Closed
turingbeing opened this issue Sep 3, 2021 · 7 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service.

Comments

@turingbeing


Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.57.0

Affected Resource(s)

  • aws_cloudfront_function
  • aws_cloudfront_distribution

Terraform Configuration Files


resource "aws_cloudfront_distribution" "ppd_uk_all_main_demo" {
  origin {
    domain_name = data.aws_lb.ppd_uk_all_main_alb.dns_name
    origin_id   = "ALB-${data.aws_lb.ppd_uk_all_main_alb.name}"

    custom_origin_config {
      http_port                = 80
      https_port               = 443
      origin_keepalive_timeout = 60
      origin_protocol_policy   = "https-only"
      origin_read_timeout      = 60
      origin_ssl_protocols     = ["TLSv1.1", "TLSv1.2"]
    }

    custom_header {
      name  = "demo-cluster"
      value = "uka-main-demo"
    }
  }

  comment     = "UKA demo"
  aliases     = formatlist("%s.%s", module.portal_urls.uk_all_demo_urls, "staging.domain.com")
  price_class = "PriceClass_100"

  enabled         = true
  is_ipv6_enabled = true

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    target_origin_id       = "ALB-${data.aws_lb.ppd_uk_all_main_alb.name}"

    forwarded_values {
      query_string = true

      cookies {
        forward = "all"
      }

      headers = [
        "Accept",
        "Accept-Charset",
        "Accept-Datetime",
        "Accept-Encoding",
        "Accept-Language",
        "Authorization",
        "Host",
        "Origin",
        "Referer",
      ]
    }

    function_association {
      event_type   = "viewer-response"
      function_arn = aws_cloudfront_function.cf_function_headers.arn
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = data.aws_acm_certificate.star_staging.arn
    minimum_protocol_version = "TLSv1.2_2019"
    ssl_support_method       = "sni-only"
  }
}

resource "aws_cloudfront_function" "cf_function_headers" {
  name    = "SecurityHeaders"
  runtime = "cloudfront-js-1.0"
  comment = "Function to Set HTTP Security Headers"
  publish = true
  code    = file("${path.module}/files/http_headers.js")
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

When the aws_cloudfront_function Code ETAG changes, this should trigger a Redeployment of the Cloudfront Distribution.

Actual Behavior

The function changes are applied, but the distribution does not redeploy. A subsequent plan (after doing a manual redeploy) shows the changes outside of Terraform:

  # aws_cloudfront_function.cf_function_headers has been changed
  ~ resource "aws_cloudfront_function" "cf_function_headers" {
        id      = "POPSecurityHeaders"
        name    = "POPSecurityHeaders"
      ~ status  = "IN_PROGRESS" -> "DEPLOYED"
        # (6 unchanged attributes hidden)
    }
  # aws_cloudfront_distribution.ppd_uk_all_main_demo has been changed
  ~ resource "aws_cloudfront_distribution" "ppd_uk_all_main_demo" {
      ~ etag                           = "E2Z0B16NQZJQ3H" -> "EUQPULOFQTLCB"
        id                             = "E27CD39DEUV20Z"
      ~ last_modified_time             = "2021-09-03 13:58:54.529 +0000 UTC" -> "2021-09-03 14:09:03.471 +0000 UTC"
        tags                           = {}
        # (17 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Steps to Reproduce

  1. terraform apply
  2. Await Cloudfront Redeployment
  3. Update the Cloudfront Function Code
  4. terraform apply

Cloudfront is not redeployed

Important Factoids

N/A

References

N/A
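The reporter's `files/http_headers.js` is not shown in the issue. As an added example (not the reporter's file or the provider's code), this is what a `viewer-response` CloudFront Function that sets security headers typically looks like for the `cloudfront-js-1.0` runtime; the header values and the constructed sample event are assumptions.

```javascript
// Added example for the cloudfront-js-1.0 runtime (ES5 syntax only: no
// const/let/arrow functions). CloudFront lowercases header names and
// represents each header as an object with a `value` property.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()'
};

// Origin fingerprinting headers are deleted rather than blanked.
var STRIP_HEADERS = ['server', 'x-powered-by'];

// Entry point CloudFront invokes for the viewer-response event.
function handler(event) {
  var response = event.response;
  var headers = response.headers;

  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    // Keep a CSP the origin set deliberately; only fill in the missing ones.
    if (name === 'content-security-policy' && headers[name]) { return; }
    headers[name] = { value: SECURITY_HEADERS[name] };
  });

  STRIP_HEADERS.forEach(function (name) { delete headers[name]; });

  return response;
}

// Constructed sample event with only the fields the function reads,
// shaped like the viewer-response event CloudFront passes in.
function sampleEvent() {
  return {
    response: {
      statusCode: 200,
      headers: {
        'content-type': { value: 'text/html' },
        'server': { value: 'origin-web-1' }
      }
    }
  };
}

// Local run (outside CloudFront) to inspect the resulting headers.
console.log(JSON.stringify(handler(sampleEvent()).headers, null, 2));
```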

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/cloudfront Issues and PRs that pertain to the cloudfront service. labels Sep 3, 2021
@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 3, 2021
@ewbankkit
Contributor

Relates: #19529.

@justinretzolk
Member

Hi @turingbeing 👋 Thank you for taking the time to file this issue. It looks like this was related to #19529, as mentioned above, which looks to have been resolved by #19697 (released with 3.65.0). Can you test again with this newer version and let us know if the behavior has improved?

@justinretzolk justinretzolk added the waiting-response Maintainers are waiting on response from community or contributor. label Nov 15, 2021
@fularac

fularac commented Nov 19, 2021

So you're expecting the distribution to be updated by terraform at the same time as modifying & publishing the CF function?

That is the behavior of Lambda@Edge functions but not CF functions. CF functions aren't versioned like Lambdas. When a CF function is updated, its ARN is not also updated. When you have publish = true for a function, every time you update the function, every distribution that has that function attached will begin using the updated function.

I mentioned a race condition that can occur because of this: #19529 (comment)

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Nov 19, 2021
@turingbeing
Author

So you're expecting the distribution to be updated by terraform at the same time as modifying & publishing the CF function?

That is the behavior of Lambda@Edge functions but not CF functions. CF functions aren't versioned like Lambdas. When a CF function is updated, its ARN is not also updated. When you have publish = true for a function, every time you update the function, every distribution that has that function attached will begin using the updated function.

I mentioned a race condition that can occur because of this: #19529 (comment)

I am expecting Terraform to behave in the same manner as the AWS CLI Console, in that when you update the function, the Cloudfront Distribution updates.

I've not delved into the weeds, merely observed a functional difference between the two; they should have functional equivalence.

@fularac

fularac commented Nov 29, 2021

How long did you wait before attempting to run plan again? Your plan is showing that the cloudfront function deployment was still IN_PROGRESS. I bet if you wait for the 5 - 20 minute distribution deploy time you'll see that the distribution is deployed.

@turingbeing
Author

I'm not sure tbh, but when I checked the distribution after running the apply, it certainly wasn't updating, and that would've been several minutes after running apply! I noticed it when inspecting the headers, and they weren't current.

I now use the new Policies feature rather than a function, but might revisit if I get time.

Thanks for the input

@github-actions

github-actions bot commented Oct 2, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 2, 2023