Terraform Error: Solving NoSuchOrigin in CloudFront Distribution

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

When setting up a content delivery network (CDN) using AWS CloudFront with an Amazon S3 bucket as the origin, you might encounter the "NoSuchOrigin" error. This error message, displayed in the AWS console or through infrastructure-as-code tools like Terraform, indicates that CloudFront cannot locate or access the specified S3 bucket. This issue can arise due to various configuration errors or permission issues between CloudFront and S3.

When using Terraform to create an AWS CloudFront distribution with an S3 bucket origin, you might encounter the "NoSuchOrigin" error. This error occurs when CloudFront cannot find the S3 bucket you've specified as the origin. Here's a breakdown of the issue and how to resolve it:

Understanding the Error

The "NoSuchOrigin" error message indicates that the origin (your S3 bucket) specified in your CloudFront distribution configuration doesn't exist or isn't accessible by CloudFront.

Common Causes and Solutions

1. Typographical Errors: Double-check for any typos in the S3 bucket name or ARN within your Terraform code.

   origin {
     domain_name = "your-s3-bucket-name.s3.amazonaws.com" 
   }

2. Bucket Region Mismatch: Ensure that your S3 bucket and CloudFront distribution are in the same AWS region. CloudFront distributions are global, but they need to be associated with origins in the same region.

3. Incorrect Origin Domain Name: When using an S3 bucket as the origin, use the bucket's website endpoint as the domain_name in your origin configuration.

   origin {
     domain_name = aws_s3_bucket.example.website_endpoint
   }

4. Missing Permissions: CloudFront needs permission to access your S3 bucket. You can grant this permission by either:

   • Bucket Policy: Add a bucket policy to your S3 bucket that allows CloudFront to read its contents.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AllowCloudFrontAccess",
           "Effect": "Allow",
           "Principal": {
             "Service": "cloudfront.amazonaws.com"
           },
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::your-s3-bucket-name/*"
         }
       ]
     }

   • Origin Access Identity (OAI): Create an OAI in CloudFront and modify your S3 bucket policy to grant access to that OAI. This is the recommended approach for enhanced security.

     resource "aws_cloudfront_origin_access_identity" "example" {
       comment = "Some comment"
     }
     
     origin {
       domain_name = aws_s3_bucket.example.website_endpoint
       origin_id   = "example"
     
       s3_origin_config {
         origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
       }
     }

5. Resource Dependency: Make sure your Terraform code establishes the correct resource dependencies. The CloudFront distribution should be created after the S3 bucket and any necessary policies or OAIs.

   depends_on = [aws_s3_bucket.example]

Troubleshooting Tips

• Terraform State: Examine your Terraform state file to ensure that the S3 bucket and CloudFront distribution resources are correctly defined and associated.
• AWS Console: Verify the existence and configuration of your S3 bucket and CloudFront distribution in the AWS Management Console.
• CloudFront Logs: Enable CloudFront logging to get detailed insights into the error and identify any potential configuration issues.

By carefully reviewing your Terraform code, S3 bucket settings, and CloudFront configuration, and following these steps, you can resolve the "NoSuchOrigin" error and successfully deploy your CloudFront distribution.

This Terraform code sets up a CloudFront distribution to serve content from an S3 bucket. It creates an S3 bucket configured for website hosting, an Origin Access Identity (OAI) for CloudFront access, and a bucket policy granting the OAI read permissions. The CloudFront distribution is configured with the S3 bucket as the origin, using the OAI for secure access. It also defines caching behavior, geographic restrictions, and viewer certificate settings. The code ensures that the CloudFront distribution is created only after the S3 bucket and its policy are successfully provisioned to prevent the "NoSuchOrigin" error.

# Configure the AWS Provider
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-west-2" # Replace with your desired region
}

# Create an S3 bucket
resource "aws_s3_bucket" "example" {
  bucket = "your-s3-bucket-name" # Replace with your desired bucket name

  # Enable website hosting for the bucket
  website {
    index_document = "index.html"
    error_document = "error.html"
  }
}

# Create a CloudFront Origin Access Identity (OAI)
resource "aws_cloudfront_origin_access_identity" "example" {
  comment = "OAI for CloudFront distribution"
}

# Grant CloudFront access to the S3 bucket using the OAI
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_cloudfront_origin_access_identity.example.iam_arn}"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.example.id}/*"
    }
  ]
}
POLICY
}

# Create a CloudFront distribution
resource "aws_cloudfront_distribution" "example" {
  depends_on = [
    aws_s3_bucket.example,
    aws_s3_bucket_policy.example
  ]

  origin {
    domain_name = aws_s3_bucket.example.website_endpoint
    origin_id   = "exampleS3Origin"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
    }
  }

  enabled             = true
  is_ipv6_enabled    = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]
    target_origin_id = "exampleS3Origin"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl           = 3600
    max_ttl                = 86400
  }

  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Explanation:

1. S3 Bucket Creation: The code creates an S3 bucket with website hosting enabled.
2. Origin Access Identity (OAI): An OAI is created to allow CloudFront to access the S3 bucket securely.
3. Bucket Policy: A policy is attached to the S3 bucket, granting read access (s3:GetObject) to the CloudFront OAI.
4. CloudFront Distribution: The code defines a CloudFront distribution with the following key configurations:
   • Origin: The S3 bucket's website endpoint is set as the origin, and the OAI is associated with it.
   • Default Cache Behavior: Basic settings for caching and allowed HTTP methods are configured.
   • Other Settings: General settings like enabling IPv6, price class, and viewer certificate are defined.

Important Notes:

• Replace Placeholders: Ensure you replace the placeholders for the bucket name and region with your desired values.
• Resource Dependencies: The depends_on meta-argument in the aws_cloudfront_distribution resource ensures that the distribution is created only after the S3 bucket and its policy are successfully provisioned.
• Error Handling: While this code addresses the "NoSuchOrigin" error, other issues might arise during deployment. It's recommended to implement robust error handling and logging mechanisms in your Terraform code.

This comprehensive example demonstrates how to create a CloudFront distribution with an S3 bucket origin using Terraform, addressing the "NoSuchOrigin" error by ensuring correct configuration and resource dependencies. Remember to adapt the code to your specific requirements and environment.

Here are some additional points to consider when troubleshooting and preventing the "NoSuchOrigin" error:

General Best Practices:

• Modularization: For larger infrastructures, consider using Terraform modules to define reusable components for your S3 buckets and CloudFront distributions. This improves code organization and reduces the likelihood of errors.
• Testing: Implement automated testing for your Terraform code to catch configuration errors early on. Tools like Terratest can help you write tests that validate your infrastructure deployments.
• Versioning: Use Terraform state and code versioning (e.g., with Git) to track changes and revert to previous configurations if needed.
• Security: Follow AWS best practices for securing your S3 buckets and CloudFront distributions. This includes using HTTPS, enabling appropriate logging, and implementing least privilege access control.

Specific to "NoSuchOrigin" Error:

• CloudFront Distribution Propagation: Remember that CloudFront distribution changes take time to propagate globally. After fixing the error, allow sufficient time for the changes to take effect before testing.
• Alternative Origin Types: While the notes focus on S3 buckets, the "NoSuchOrigin" error can occur with other origin types (e.g., custom origins). The troubleshooting principles remain similar: ensure the origin exists, is accessible, and has the correct permissions.
• CloudFront Functions: If you're using CloudFront Functions, ensure they don't interfere with origin resolution. A misconfigured function could potentially modify requests in a way that leads to the "NoSuchOrigin" error.

Beyond Terraform:

• AWS CLI/SDK: The same configuration issues can arise when using the AWS CLI or SDKs. Refer to the AWS documentation for troubleshooting steps specific to your chosen toolset.
• AWS Support: If you've exhausted all troubleshooting options, don't hesitate to contact AWS Support for assistance. They have access to more detailed logs and can help diagnose complex issues.

By understanding the common causes of the "NoSuchOrigin" error, following best practices, and utilizing available resources, you can streamline your CloudFront deployments and ensure the smooth delivery of your content.

This table summarizes common causes and solutions for the "NoSuchOrigin" error when using Terraform to create an AWS CloudFront distribution with an S3 bucket origin:

Troubleshooting Tips:

• Examine your Terraform state file for resource definition and association.
• Verify S3 bucket and CloudFront distribution configuration in the AWS Management Console.
• Enable CloudFront logging for detailed error insights.

By addressing these common causes and implementing the solutions provided, you can effectively troubleshoot and resolve the "NoSuchOrigin" error in your Terraform CloudFront deployments. Remember to double-check your configurations, ensure resource dependencies are correctly defined, and leverage AWS tools and support when needed. With a clear understanding of these concepts and a systematic approach to troubleshooting, you can establish a robust and reliable content delivery network using AWS CloudFront and Amazon S3.

• Error on the Terraform AWS Cloud front multiple s3 buckets : r ... | Posted by u/sherani1987 - 1 vote and 2 comments
• amazon ec2 - Configure Resource "aws_cloud_distribution" with ... | Apr 9, 2021 ... Terraform can't create a CloudFront's origin with a static S3 website endpoint · 25 · Error creating CloudFront Distribution: NoSuchOrigin: · 2.
• Resolve origin or origin groups do not exist error in CloudFormation ... | When I try to use AWS CloudFormation to update an AWS::CloudFront::Distribution resource, I receive the following error: "One or more of your origins or origin groups do not exist."
• aws_cloudfront_distribution.s3_distribution: error creating ... | May 16, 2019 ... Any hint to fix this will ... Error creating CloudFront Distribution: NoSuchOrigin: · 11 · Error creating cloudfront distribution with terraform.
• AWS CloudFront Origin OriginName Bug - AWS - HashiCorp Discuss | Error There is an error when creating AWS CloudFront distribution linked to AWS S3 bucket which is configured to redirect all requests. The error origin is marked on line 98 in frontend/cloudfront.tf. A Github Repo to re-create the issue is here: https://github.com/subaquatic-pierre/s3-webapp-infrastructure Note: You will need AWS Hosted zone for testing Expected Use aws_s3_bucket_website_configuration.redirect.website_endpoint as cloudfront Origin DomainName instead of aws_s3_bucket....
• UpdateDistribution - Amazon CloudFront | ... create a distribution, CloudFront returns a DistributionAlreadyExists error. ... NoSuchOrigin. No origin exists with the specified Origin Id . HTTP Status ...
• Amazon CloudFront introduces Origin Access Control (OAC ... | Amazon CloudFront is a global content delivery network that securely delivers applications, websites, videos, and APIs to viewers across the globe in milliseconds. Using CloudFront, customers can access different types of origin services to suit their use cases. One of the performant architectures customers adopt is to use Amazon S3 as the origin to host […]
• Distribution settings reference - Amazon CloudFront | The values that you specify when creating or updating a CloudFront distribution, such as origin and cache behavior settings.