Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_cloudfront_distribution diffs didn't match during apply #8271

Closed
lussier opened this issue Aug 17, 2016 · 5 comments · Fixed by #9171
Closed

aws_cloudfront_distribution diffs didn't match during apply #8271

lussier opened this issue Aug 17, 2016 · 5 comments · Fixed by #9171
Labels
bug provider/aws

Comments

@lussier
Copy link

lussier commented Aug 17, 2016
edited
Loading

Hi,

I've got an issue creating an S3 bucket, with an associated CloudFront distribution and Origin Access Identity:

aws_cloudfront_distribution.super-magic-bucket-for-terraform-bug-report: diffs didn't match during apply.

When I create these components independently I don't experience the issue.

Also, if I remove origin_access_identity from s3_origin_config in the CloudFront distribution it works fine.

Terraform Version

0.7.0

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

variable aws_profile { default = "AAAAAA" }
variable aws_region { default = "us-east-1" }

provider "aws" {
  profile = "${var.aws_profile}"
  region = "${var.aws_region}"
}

resource "aws_s3_bucket" "super-magic-bucket-for-terraform-bug-report" {
  bucket = "super-magic-bucket-for-terraform-bug-report"
  acl = "private"
  policy = <<EOF
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${aws_cloudfront_origin_access_identity.super-magic-bucket-for-terraform-bug-report.iam_arn}"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::super-magic-bucket-for-terraform-bug-report/*"
        }
    ]
}
EOF
  tags {
    Name = "super-magic-bucket-for-terraform-bug-report"
  }
}

resource "aws_cloudfront_origin_access_identity" "super-magic-bucket-for-terraform-bug-report" {
  comment = "super-magic-bucket-for-terraform-bug-report"
}

resource "aws_cloudfront_distribution" "super-magic-bucket-for-terraform-bug-report" {
  origin {
    domain_name = "super-magic-bucket-for-terraform-bug-report.s3.amazonaws.com"
    origin_id   = "super-magic-bucket-for-terraform-bug-report"
    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.super-magic-bucket-for-terraform-bug-report.cloudfront_access_identity_path}"
    }
  }

  enabled = true
  default_root_object = "index.html"
  price_class = "PriceClass_100"

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "super-magic-bucket-for-terraform-bug-report"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }


  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations = ["US", "CA"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Debug Output

https://gist.github.com/lussier/1474a898edff60159cc49f490120b82a

Panic Output

None

Expected Behavior

It should have:

  1. Created a CloudFront Origin Access Identity.
  2. Create an S3 bucket and use the abovementioned Origin Access Identity ARN inside of the S3 bucket inline policy.
  3. Create a CloudFront distribution that has the S3 bucket as origin.

Steps to Reproduce

terraform apply on the provided configuration

Important Factoids

No, nothing special
@lussier
Copy link
Author

lussier commented Aug 17, 2016

I believe it may be a duplicate of: #6527. The symptom is similar, and I can also fix it by hardcoding the origin_access_identity.

This was referenced Oct 1, 2016
Closed
Merged
@caquino
Copy link

caquino commented Nov 9, 2016

This still an issue on 0.7.8, is there any workaround for it?

@bvdwiel
Copy link

bvdwiel commented Nov 15, 2016

Seems to still be b0rked in 0.7.10. Worked around it by manuall configuring CloudFront for now.

@mcheshier1
Copy link

Still failing in 0.7.11.

gusmat pushed a commit to gusmat/terraform that referenced this issue Dec 6, 2016
@vancluever
core: Ensure hasComputedSubKeys iterates over Sets and Lists properly
1361c54 
This fixes some edge-ish cases where a set in a config has a set or list
in it that contains computed values, but non-set or list values in the
parent do not.

This can cause "diffs didn't match during apply" errors in a scenario
such as when a set's hash is calculated off of child items (including
any sub-lists or sets, as it should be), and the hash changes between
the plan and apply diffs due to the computed values present in the
sub-list or set items. These will be marked as computed, but due to the
fact that the function was not iterating over the list or set items
properly (ie: not adding the item number to the address, so
set.0.set.foo was being yielded instead of set.0.set.0.foo), these
computed values were not being properly propagated to the parent set to
be marked as computed.

Fixes hashicorp#6527.
Fixes hashicorp#8271.

This possibly fixes other non-CloudFront related issues too.
@engmsaleh engmsaleh mentioned this issue Dec 15, 2016
Closed
fatmcgav pushed a commit to fatmcgav/terraform that referenced this issue Feb 27, 2017
@vancluever @fatmcgav
core: Ensure hasComputedSubKeys iterates over Sets and Lists properly
ace791d 
This fixes some edge-ish cases where a set in a config has a set or list
in it that contains computed values, but non-set or list values in the
parent do not.

This can cause "diffs didn't match during apply" errors in a scenario
such as when a set's hash is calculated off of child items (including
any sub-lists or sets, as it should be), and the hash changes between
the plan and apply diffs due to the computed values present in the
sub-list or set items. These will be marked as computed, but due to the
fact that the function was not iterating over the list or set items
properly (ie: not adding the item number to the address, so
set.0.set.foo was being yielded instead of set.0.set.0.foo), these
computed values were not being properly propagated to the parent set to
be marked as computed.

Fixes hashicorp#6527.
Fixes hashicorp#8271.

This possibly fixes other non-CloudFront related issues too.
@ghost
Copy link

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug provider/aws
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

core: Ensure hasComputedSubKeys iterates over Sets and Lists properly
5 participants
@caquino @stack72 @lussier @bvdwiel @mcheshier1