CloudFront Distribution receives IllegalUpdate error when applying change to Origin #2461

@knottnt

Describe the bug
After applying a change to an origin of a CloudFront Distribution that has been successfully created, the ACK controller fails to apply the update to the AWS resource, reporting that an IllegalUpdate occurred.

Steps to reproduce
Create a CloudFront Distribution such as the one below.

apiVersion: cloudfront.services.k8s.aws/v1alpha1
kind: Distribution
metadata:
  name: my-distribution
spec:
  distributionConfig:
    comment: "test distribution"
    enabled: true
    defaultCacheBehavior:
      targetOriginID: <s3-buck-name>
      viewerProtocolPolicy: allow-all
      minTTL: 1000
      forwardedValues:
        queryString: false
        cookies:
          forward: "none"
    origins:
      items:
      - id: <s3-buck-name> 
        connectionTimeout: 9
        domainName: <s3-buck-domain-name>
        s3OriginConfig:
          originAccessIdentity: ''
  tags:
  - key: hello
    value: world

Once the Distribution has been deployed and the ACK controller reports that it has synced, apply an update to the Distribution.

apiVersion: cloudfront.services.k8s.aws/v1alpha1
kind: Distribution
metadata:
  name: my-distribution
spec:
  distributionConfig:
    comment: "test distribution"
    enabled: true
    defaultCacheBehavior:
      targetOriginID: <s3-buck-name>
      viewerProtocolPolicy: allow-all
      minTTL: 1000
      forwardedValues:
        queryString: false
        cookies:
          forward: "none"
    origins:
      items:
      - id: <s3-buck-name> 
        connectionTimeout: 8 # Updated value
        domainName: <s3-buck-domain-name>
        s3OriginConfig:
          originAccessIdentity: ''
  tags:
  - key: hello
    value: world

The ACK controller fails to apply the update, reporting the below error.

{
  "level": "error",
  "ts": "2025-05-08T10:17:48.237-0700",
  "msg": "Reconciler error",
  "controller": "distribution",
  "controllerGroup": "cloudfront.services.k8s.aws",
  "controllerKind": "Distribution",
  "Distribution": {
    "name": "my-distribution",
    "namespace": "default"
  },
  "namespace": "default",
  "name": "my-distribution",
  "reconcileID": "4aac5bf1-6bb3-4688-a0b4-cd9ec22e8127",
  "error": "operation error CloudFront: UpdateDistribution, https response error StatusCode: 400, RequestID: 4f6c5d93-d535-4398-adc2-14bcd2d463ce, IllegalUpdate: The 'OriginCustomHeaders' field is missing.",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"
}

Expected outcome
The ACK successfully applies the spec changes to the CloudFront Distribution.

Environment

  • Kubernetes version: 1.32.2
  • Using EKS (yes/no), if so version? No, KIND local cluster
  • AWS service targeted (S3, RDS, etc.) CloudFront

Labels: kind/bug, service/cloudfront