
aws_cloudfront_multitenant_distribution: Provider produced inconsistent result after apply #47773

@pkqk

Description


Terraform and AWS Provider Version

Terraform v1.14.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.41.0
+ provider registry.terraform.io/hashicorp/dns v3.5.0

Affected Resource(s) or Data Source(s)

  • aws_cloudfront_multitenant_distribution

Expected Behavior

Create a multi-tenant cloudfront distribution

Actual Behavior

Creating the multi-tenant distribution exits with an error after successfully creating the resource but importing it with a tainted state

Relevant Error/Panic Output


│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to aws_cloudfront_multitenant_distribution.content, provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value: .origin: planned set
│ element cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3), "connection_timeout":cty.NumberIntVal(10),
│ "custom_header":cty.ListValEmpty(cty.Object(map[string]cty.Type{"header_name":cty.String, "header_value":cty.String})),
│ "custom_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"http_port":cty.Number, "https_port":cty.Number, "ip_address_type":cty.String, "origin_keepalive_timeout":cty.Number,
│ "origin_protocol_policy":cty.String, "origin_read_timeout":cty.Number, "origin_ssl_protocols":cty.Set(cty.String)})),
│ "domain_name":cty.StringVal("bucketname-{{region}}.s3.{{s3_region}}.amazonaws.com"), "id":cty.StringVal("shared"), "origin_access_control_id":cty.NullVal(cty.String),
│ "origin_path":cty.StringVal(""), "origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool, "origin_shield_region":cty.String})),
│ "response_completion_timeout":cty.NullVal(cty.Number), "vpc_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_keepalive_timeout":cty.Number, "origin_read_timeout":cty.Number,
│ "vpc_origin_id":cty.String}))}) does not correlate with any element in actual.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Sample Terraform Configuration

resource "aws_cloudfront_multitenant_distribution" "content" {
  comment = "Content"
  enabled = true

  tags = {
    Name = "Content"
  }

  # To handle /shared/* requests, which will result in requesting /shared/key
  origin {
    id          = "shared"
    domain_name = "bucketname-{{region}}.s3.{{s3_region}}.amazonaws.com"
    origin_path = ""
  }
  # To handle /global/* requests, which will result in requesting /global/shared/key
  origin {
    id          = "global"
    domain_name = "bucketname-{{region}}.s3.{{s3_region}}.amazonaws.com"
    origin_path = "/global"
  }
  origin {
    id          = "content"
    domain_name = "bucketname-{{region}}.s3.{{s3_region}}.amazonaws.com"
    origin_path = "/{{tenant}}"
  }

  default_root_object = "/index.html"

  tenant_config {
    parameter_definition {
      name = "tenant"
      definition {
        string_schema {
          required = true
        }
      }
    }
    parameter_definition {
      name = "region"
      definition {
        string_schema {
          required = true
        }
      }
    }
    parameter_definition {
      name = "s3_region"
      definition {
        string_schema {
          required = true
        }
      }
    }
  }

  cache_behavior {
    path_pattern           = "/shared/*"
    target_origin_id       = "shared"
    viewer_protocol_policy = "https-only"
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching-optimized.id
    allowed_methods {
      items          = ["GET", "HEAD"]
      cached_methods = ["GET", "HEAD"]
    }
  }
  cache_behavior {
    path_pattern           = "/global/*"
    target_origin_id       = "global"
    viewer_protocol_policy = "https-only"
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching-optimized.id
    allowed_methods {
      items          = ["GET", "HEAD"]
      cached_methods = ["GET", "HEAD"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "content"
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching-optimized.id
    viewer_protocol_policy = "https-only"
    allowed_methods {
      items          = ["GET", "HEAD"]
      cached_methods = ["GET", "HEAD"]
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # This certificate is not used, but createwithtags requires a default certificate
    # even though AWS does not
    acm_certificate_arn      = aws_acm_certificate.wildcard-cert.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  lifecycle {
    ignore_changes = [
      tags,
    ]
  }
}

Steps to Reproduce

  1. Apply terraform
  2. Create fails with Provider produced inconsistent result after apply error

Debug Logging


GenAI / LLM Assisted Development

n/a

Important Facts and References

There are multiple origins pointing to the same s3 bucket with different origin_paths due to how our current setup works.

Would you like to implement a fix?

No
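The error quoted above is Terraform core's post-apply consistency check on the origin set: every origin element the provider planned has to be equal to some element the provider read back after the create, and the planned "shared" origin (empty origin_path, sharing its domain_name with the other two origins described under "Important Facts") found no such element. The Go program below is an added illustration, not code from the provider or from this report. It replays that correlation rule over the three planned origins transcribed from the configuration and a constructed "actual" set, and reports, for each unmatched planned element, the nearest actual element and the attributes that differ. The Origin struct and the Correlate function are assumptions of the example and model only the attributes that appear in the error message; the drift used in main (the empty origin_path echoed back as "/") is hypothetical test data chosen to exercise the check, not the diagnosed cause of this issue.

```go
package main

import (
	"fmt"
	"sort"
)

// Origin models one "origin" set element with only the attributes the error message shows.
// The struct is an assumption of this example, not the provider's schema.
type Origin struct {
	ID                        string
	DomainName                string
	OriginPath                string
	OriginAccessControlID     *string // nil stands for cty null
	ConnectionAttempts        int
	ResponseCompletionTimeout *int // nil stands for cty null
}

// plannedOrigins transcribes the three origin blocks from the reported configuration:
// one bucket, three ids, three different origin_path values.
func plannedOrigins() []Origin {
	const bucket = "bucketname-{{region}}.s3.{{s3_region}}.amazonaws.com"
	return []Origin{
		{ID: "shared", DomainName: bucket, OriginPath: "", ConnectionAttempts: 3},
		{ID: "global", DomainName: bucket, OriginPath: "/global", ConnectionAttempts: 3},
		{ID: "content", DomainName: bucket, OriginPath: "/{{tenant}}", ConnectionAttempts: 3},
	}
}

// nullable renders a nullable attribute so that null and "" (or 0) stay distinguishable.
func nullable[T any](p *T) string {
	if p == nil {
		return "<null>"
	}
	return fmt.Sprintf("%#v", *p)
}

// attrs renders every attribute of an origin as a string keyed by its HCL attribute name.
func attrs(o Origin) map[string]string {
	return map[string]string{
		"id":                          fmt.Sprintf("%q", o.ID),
		"domain_name":                 fmt.Sprintf("%q", o.DomainName),
		"origin_path":                 fmt.Sprintf("%q", o.OriginPath),
		"origin_access_control_id":    nullable(o.OriginAccessControlID),
		"connection_attempts":         fmt.Sprint(o.ConnectionAttempts),
		"response_completion_timeout": nullable(o.ResponseCompletionTimeout),
	}
}

// diffAttrs lists the attributes whose planned and actual renderings differ, sorted by name.
func diffAttrs(planned, actual Origin) []string {
	pa, aa := attrs(planned), attrs(actual)
	var out []string
	for k, pv := range pa {
		if av := aa[k]; av != pv {
			out = append(out, fmt.Sprintf("%s: planned=%s actual=%s", k, pv, av))
		}
	}
	sort.Strings(out)
	return out
}

// Mismatch is one planned set element that no actual element equals exactly.
type Mismatch struct {
	PlannedID string
	ClosestID string   // actual element with the fewest differing attributes ("" if actual is empty)
	Diffs     []string // attribute-level differences against that closest element
}

// Correlate applies Terraform core's rule for sets after apply: every planned element must
// equal some actual element, in any order. Unmatched planned elements are returned with
// their nearest actual element so the offending attribute can be read off directly.
func Correlate(planned, actual []Origin) []Mismatch {
	var out []Mismatch
next:
	for _, p := range planned {
		closest := Mismatch{PlannedID: p.ID}
		for _, a := range actual {
			d := diffAttrs(p, a)
			if len(d) == 0 {
				continue next // exact match: this planned element correlates
			}
			if closest.Diffs == nil || len(d) < len(closest.Diffs) {
				closest.ClosestID, closest.Diffs = a.ID, d
			}
		}
		out = append(out, closest)
	}
	return out
}

func main() {
	// Constructed "actual" set: the API is pretended to have echoed the empty origin_path of
	// "shared" as "/". Hypothetical data to exercise the check, not the diagnosed cause.
	actual := plannedOrigins()
	actual[0].OriginPath = "/"
	for _, m := range Correlate(plannedOrigins(), actual) {
		fmt.Printf("planned origin %q has no equal actual element; closest %q differs in %v\n", m.PlannedID, m.ClosestID, m.Diffs)
	}
}
```

Run it with `go run`. The attributes are compared as rendered strings so that a cty null and an empty string never collapse into the same value; that distinction matters here because the planned element carries cty.NullVal for origin_access_control_id and response_completion_timeout while origin_path is the empty string, and any of those is enough to make a set element fail to correlate even when id and domain_name match. Element order is ignored, as it is for Terraform sets.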

Metadata

Assignees

No one assigned

    Labels

      • bug: Addresses a defect in current functionality.
      • needs-triage: Waiting for first response or review from a maintainer.
      • service/cloudfront: Issues and PRs that pertain to the cloudfront service.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
