Invalid S3 bucket when creating CloudFront distribution

Andrew Langhorn

Oct 11, 2016, 7:34:26 AM
to terrafo...@googlegroups.com
Hi,

I'm creating a CloudFront distribution with an S3 origin; the S3 bucket has static website hosting enabled, and I've therefore got my origin domain name.

Inside an aws_cloudfront_distribution resource, I have the following:

origin {
  origin_id = "foo.io"
}

Yet, this errors when running apply with "InvalidArgument: The parameter Origin DomainName does not refer to a valid S3 bucket.".

Any ideas what might be up here?

Thanks in advance

Hector Castro

Oct 11, 2016, 7:44:36 AM
to terrafo...@googlegroups.com
Hi Andrew,

If you're using a custom origin with CloudFront, then the `origin` block requires a `custom_origin_config`. I believe that an `s3_origin_config` is the default.

See: https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments

--
Hector
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/terraform/issues
> IRC: #terraform-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Terraform" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAEpa1DJGhewa5khmaLAvVogj4b8D8ck7HYraRvktbn%3DWhvr2GQ%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

Andrew Langhorn

Oct 11, 2016, 7:56:56 AM
to terrafo...@googlegroups.com
Hi Hector,

Thanks. Given I'm using an S3 bucket as the origin, I omitted a custom origin configuration and an S3 origin configuration on the basis that the latter had only one optional argument I don't care a lot about.

That left me with the snippet I posted above, which doesn't work.

Andrew







Hector Castro

Oct 11, 2016, 8:46:34 AM
to terrafo...@googlegroups.com
Despite being an S3 bucket under the covers, when you reference the website endpoint from a CloudFront distribution, CloudFront sees it as a custom origin (the same as it would any other web endpoint).

Something like this in the `origin` block should get you further:

custom_origin_config {
  origin_protocol_policy = "http-only"
  http_port              = 80
  https_port             = 443
  origin_ssl_protocols   = ["TLSv1.2", "TLSv1.1", "TLSv1"]
}

--
Hector

Andrew Langhorn

Oct 11, 2016, 4:31:43 PM
to terrafo...@googlegroups.com
Thanks Hector; that's working now.
If CloudFront sees any S3 bucket as a custom origin, what's the point in the S3 origin config block?

Hector Castro

Oct 11, 2016, 5:58:58 PM
to terrafo...@googlegroups.com
CloudFront only sees it as a custom origin when you specify the S3 bucket website endpoint as the distribution origin. If you didn't use the S3 bucket website endpoint, then you'd need an `s3_origin_config`.

As an example, you might want to use an S3 origin to take advantage of the CloudFront origin access identity functionality for restricting access to your S3 content.

--
Hector

> On Oct 11, 2016, at 16:31, Andrew Langhorn <lang...@thoughtworks.com> wrote:
>
> Thanks Hector; that's working now.
> If CloudFront sees any S3 bucket as a custom origin, what's the point in the S3 origin config block?

Craig Blaszczyk

Sep 28, 2017, 5:30:55 AM
to Terraform
Thanks Hector, your answer saved me too. I already knew about the CustomOrigin config stuff, but I had failed to specify the allowed SSL protocols, which was causing requests for things in the bucket to time out.
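
The thread shows the website-endpoint case (`custom_origin_config`) but not the S3-origin case Hector mentions for origin access identities. The following is an added example, not code from any poster in this thread, written in current Terraform syntax: the origin points at the bucket's REST endpoint, so `s3_origin_config` applies, and the bucket policy lets only the CloudFront identity read objects. The bucket name and resource labels are placeholders.

```hcl
# Constructed example: bucket name and resource labels are placeholders.
resource "aws_s3_bucket" "site" {
  bucket = "example-site-bucket"
}
resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "CloudFront read access to example-site-bucket"
}
# Bucket policy: only the origin access identity may read objects.
data "aws_iam_policy_document" "site" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  origin {
    origin_id = "s3-rest"
    # REST endpoint, not the website endpoint, so s3_origin_config applies.
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }
  default_cache_behavior {
    target_origin_id       = "s3-rest"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

With this layout the bucket needs neither static website hosting nor a public-read policy; website-only features such as redirects and per-directory index documents are not served by the REST endpoint.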