aws_cloudfront_distribution takes 10 mins for updating tags instead of 10 seconds #12138

Closed
schammah opened this issue Feb 23, 2020 · 8 comments · Fixed by #32865

schammah commented Feb 23, 2020

Terraform Version

Affected Resource(s)

  • aws_cloudfront_distribution

Terraform Configuration Files

 Any cloudfront distribution creation, for which you update the TAGS

Debug Output

2020-02-23T10:42:21.752+0200 [DEBUG] plugin.terraform-provider-aws_v2.49.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2020-02-23T10:42:21.752+0200 [DEBUG] plugin.terraform-provider-aws_v2.49.0_x4: PUT /2019-03-26/distribution/E34W9FSLFIIZ7E/config HTTP/1.1

files generated before apply

 # module.fe-stack.module.cf_distribution.module.cloudfront_dist.aws_cloudfront_distribution.cloudfront_distribution[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "cloudfront_distribution" {
        active_trusted_signers         = {
            "enabled" = "false"
            "items.#" = "0"
        }
        aliases                        = [
            "acc-qa.autodesk.com",
        ]
        arn                            = "arn:aws:cloudfront::487986017923:distribution/E34W9FSLFIIZ7E"
        caller_reference               = "terraform-20200220094934939000000001"
        comment                        = "ACCWBPLT-C-UW2 CDN"
        domain_name                    = "d2up58t5iqm1zu.cloudfront.net"
        enabled                        = true
        etag                           = "E192WWI3HWHNWL"
        hosted_zone_id                 = "Z2FDTNDATAQYW2"
        http_version                   = "http2"
        id                             = "E34W9FSLFIIZ7E"
        in_progress_validation_batches = 0
        is_ipv6_enabled                = true
        last_modified_time             = "2020-02-23 08:22:39.079 +0000 UTC"
        price_class                    = "PriceClass_100"
        retain_on_delete               = false
        status                         = "Deployed"
      ~ tags                           = {
          - "Name"                = "ACCWBPLT-C-UW2 CDN"
          - "adsk:environment"    = "dev"
2020/02/23 10:40:00 [DEBUG] command: asking for input: "Do you want to perform these actions?"
          - "adsk:moniker"        = "ACCWBPLT-C-UW2"
          - "last_automation_run" = "2020-02-23T08:22:06Z"
          - "last_run_arn_id"     = "arn:aws:sts::487986017923:assumed-role/Application-Ops/vault-ldap-chammas-Application-Ops-1582446016-5474"
        } -> (known after apply)

Expected Behavior

Expected the provider to use TagResource if a change in tags occurs, so that the run would take 10 secs and not 10 minutes, the same as if you modify a tag from the console.

Actual Behavior

The AWS provider is using PUT /2019-03-26/distribution/E34W9FSLFIIZ7E/config HTTP/1.1,
the PUT config API for the whole distribution, which is taking 10 minutes to complete

  1. Create any cloudfront distribution
  2. Update the tags=**** parameter inside the resource
  3. Run terraform apply, wait 10 minutes

Important Factoids

This might be occurring for updates other than tags only; it's worth investigating and modifying the behavior of the provider on CloudFront distributions to be more efficient

@ewbankkit
Contributor

@schammah Thanks for reporting this.
Looking at the code

https://github.com/terraform-providers/terraform-provider-aws/blob/4875ae5fef0990f4a7e3768c81fcc732b90e0f13/aws/resource_aws_cloudfront_distribution.go#L842-L865

UpdateDistribution is called even when the update is just to the tags attribute.

@ewbankkit
Contributor

This is a great use case for the proposed schema.ResourceData.HasChangeExcept method: hashicorp/terraform-plugin-sdk#457.

@ptierno

ptierno commented Aug 11, 2022

👍 upvoting this. quite an annoying issue.

@jameshalsall

I've recently seen this when modifying a distribution's origin too, except it's taking way longer than 10 mins and has currently been running for 30 mins!

module.serverless.module.cloudfront.aws_cloudfront_distribution.api_distribution: Still modifying... [id=E3IIWP497XXANV, 30m0s elapsed]

@mfontanaar

Upvoting. Takes 8 minutes to replace a tag on cloudfront_distribution. It's completely annoying.

@ewbankkit
Contributor

    func resourceDistributionUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
        var diags diag.Diagnostics
        conn := meta.(*conns.AWSClient).CloudFrontConn(ctx)
        params := &cloudfront.UpdateDistributionInput{
            Id:                 aws.String(d.Id()),
            DistributionConfig: expandDistributionConfig(d),
            IfMatch:            aws.String(d.Get("etag").(string)),
        }
        // Handle eventual consistency issues
        err := retry.RetryContext(ctx, 1*time.Minute, func() *retry.RetryError {
            _, err := conn.UpdateDistributionWithContext(ctx, params)
            // ACM and IAM certificate eventual consistency
            // InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.
            if tfawserr.ErrCodeEquals(err, cloudfront.ErrCodeInvalidViewerCertificate) {
                return retry.RetryableError(err)
            }
            if err != nil {
                return retry.NonRetryableError(err)
            }
            return nil
        })

should add if d.HasChangesExcept("tags", "tags_all") guard.
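
The guard suggested in the comment above, modelled as a self-contained Go example (added here, not the provider's own code). `attrs`, `hasChangesExcept` and `planCalls` are hypothetical stand-ins for `schema.ResourceData` and the resource's update function, and the state values are constructed.

```go
package main

import (
	"fmt"
	"reflect"
)

// attrs is a constructed stand-in for a resource's top-level attributes.
type attrs map[string]interface{}

// hasChangesExcept models the guard: true only if some attribute outside
// the except list differs between old and new state.
func hasChangesExcept(oldA, newA attrs, except ...string) bool {
	skip := map[string]bool{}
	for _, k := range except {
		skip[k] = true
	}
	for _, side := range []attrs{oldA, newA} {
		for k := range side {
			if !skip[k] && !reflect.DeepEqual(oldA[k], newA[k]) {
				return true
			}
		}
	}
	return false
}

// planCalls lists the API calls an update needs (hypothetical helper).
func planCalls(oldA, newA attrs) []string {
	var calls []string
	if hasChangesExcept(oldA, newA, "tags", "tags_all") {
		calls = append(calls, "UpdateDistribution") // full config PUT, slow
	}
	if !reflect.DeepEqual(oldA["tags"], newA["tags"]) {
		calls = append(calls, "TagResource") // tag-only call, fast
	}
	return calls
}

func main() {
	// Constructed sample state, loosely following the plan in the report.
	oldA := attrs{"comment": "ACCWBPLT-C-UW2 CDN", "enabled": true,
		"tags": map[string]string{"adsk:environment": "dev"}}
	tagOnly := attrs{"comment": "ACCWBPLT-C-UW2 CDN", "enabled": true,
		"tags": map[string]string{"adsk:environment": "qa"}}
	fmt.Println(planCalls(oldA, tagOnly))
}
```

With the guard in place, a tag-only diff no longer reaches the full distribution update, while any other attribute change still does.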

@ewbankkit ewbankkit self-assigned this Aug 4, 2023
@github-actions github-actions bot added this to the v5.12.0 milestone Aug 4, 2023
@github-actions

This functionality has been released in v5.12.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2023