Skip to content

fix: Avoid phantom resource changes in the plan #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 4, 2025
Merged

fix: Avoid phantom resource changes in the plan #141

merged 3 commits into from
Apr 4, 2025

Conversation

jwadolowski
Copy link
Contributor

@jwadolowski jwadolowski commented Apr 1, 2025
edited
Loading

what

  1. Zero all *_ttl params when custom cache policy is specified (TTLs included in the policy take precedence)
  2. Use TLSv1 minimum viewer policy for alias-less distribution

why

Certain parameter combinations may lead to phantom changes in the plan. This PR aligns some arguments with AWS's default values that aren't explicitly stated in the documentation.

#
# Slightly modified version of examples/complete/main.tf
#

provider "aws" {
  region = var.region
}

resource "aws_cloudfront_cache_policy" "default" {
  name        = "DefaultCachePolicy"
  default_ttl = 180
  max_ttl     = 3600
  min_ttl     = 1

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }

    headers_config {
      header_behavior = "none"
    }

    query_strings_config {
      query_string_behavior = "none"
    }
  }
}

module "cdn" {
  # source = "../../"
  source  = "cloudposse/cloudfront-cdn/aws"
  version = "1.2.0"

  aliases            = var.aliases
  origin_domain_name = var.origin_domain_name
  parent_zone_name   = var.parent_zone_name
  logging_enabled    = false

  cache_policy_id = aws_cloudfront_cache_policy.default.id

  context = module.this.context
}

No matter how many times you apply the above, the plan always produces the following (the min_ttl does not show up, as it's set to 0 by default):

Terraform will perform the following actions:

  # module.cdn.aws_cloudfront_distribution.default[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "default" {
        id                              = "E1NE1WD4E24L7"
        tags                            = {
            "Name"      = "eg-test-cdn"
            "Namespace" = "eg"
            "Stage"     = "test"
        }
        # (23 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ default_ttl                = 0 -> 60
          ~ max_ttl                    = 0 -> 31536000
            # (14 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }

      ~ viewer_certificate {
          ~ minimum_protocol_version       = "TLSv1" -> "TLSv1.2_2021"
            # (4 unchanged attributes hidden)
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

When a local module is referenced (source = "../../"), then the subsequent apply works as expected:

No changes. Your infrastructure matches the configuration.

references

@jwadolowski jwadolowski requested review from a team as code owners April 1, 2025 09:10
@mergify mergify bot added the triage Needs triage label Apr 1, 2025
@jwadolowski
fix: Zero all TTL params when cache policy ID is configured
bfa1128 
When cache policy ID is specified, all TTL arguments should be zeroed,
as the policy-scoped TTLs take precedence. If non-zero `min_ttl`,
`default_ttl` or `max_ttl` is set to non-0 value and at the same time
cache policy is specified it leads to phantom changes in the plan:

default_ttl                = 0 -> 60
@jwadolowski
fix: Force correct TLS policy for CloudFront distribution without cus…
ebc607e 
…tom aliases

By default `var.viewer_minimum_protocol_version` is set to
`TLSv1.2_2021`. This value makes sense only when custom aliases are
used. A distribution without custom domains resets this param to
`TLSv1`. Right now it leads to a dummy change included in every plan:

```
      ~ viewer_certificate {
          ~ minimum_protocol_version       = "TLSv1" -> "TLSv1.2_2021"
            # (4 unchanged attributes hidden)
        }
```
@jwadolowski jwadolowski force-pushed the fix/avoid-phantom-resource-changes branch from 7a5955b to ebc607e Compare April 1, 2025 18:52
@mihaiplesa
Copy link
Contributor

@hans-d @RoseSecurity can someone start the tests please? Thanks.

@milldr
Copy link
Member

milldr commented Apr 4, 2025

/terratest

@milldr milldr added minor New features that do not break anything no-release Do not create a new release (wait for additional code changes) and removed triage Needs triage minor New features that do not break anything labels Apr 4, 2025
@milldr
Copy link
Member

milldr commented Apr 4, 2025

adding no-release. Will release with another follow up PR: #140

@milldr milldr enabled auto-merge (squash) April 4, 2025 14:15
@milldr milldr merged commit 8b13bb7 into cloudposse:main Apr 4, 2025
52 of 64 checks passed
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 4, 2025

These changes were released in v1.3.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@milldr milldr milldr approved these changes

@hans-d hans-d Awaiting requested review from hans-d hans-d is a code owner automatically assigned from cloudposse/contributors

@RoseSecurity RoseSecurity Awaiting requested review from RoseSecurity RoseSecurity is a code owner automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
no-release Do not create a new release (wait for additional code changes)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jwadolowski @mihaiplesa @milldr