aws-samples/amazon-cloudfront-secure-static-site

Invalid request provided: AWS::CloudFront::OriginAccessControl

Closed this issue · 7 comments

I merged PR #65 into my private repo but when I run the CloudFormation stack, I get the following error:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::OriginAccessControl" (RequestToken: <REDACTED>, HandlerErrorCode: InvalidRequest)

The error doesn't give much information but a quick web search seems to indicate that InvalidRequest errors are usually caused by syntax errors in the CF template. So I ran cfn-lint and cfn_nag on my template but I get no complaint from either tool.

I've also tried adding a description to the OriginAccessControl in case it's not optional despite what the doc says. That didn't help either. Any suggestion would be greatly appreciated.

This is my YAML in case I missed something during the merge:

  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub 'oac-${AWS::StackName}-${AWS::Region}'
        Description: !Sub 'CloudFront OAC for ${SubDomain}.${DomainName}'
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

Thanks for opening an issue. I've recreated it.

I will investigate to find the cause.

Can you try using a shorter stack name @thomasleplus?

My hypothesis is that this error occurs when the Name property is longer than allowed. I've been able to recreate the error when using a long stack name, and able to deploy the template successfully when using a short stack name (five characters).

I think we encounter this issue because the Name property is set to be !Sub 'oac-${AWS::StackName}-${AWS::Region}'. OriginAccessControlConfig resources must have a unique name across all regions. To ensure this, the Name is derived from both the StackName and Region.

The default stack name (amazon-cloudfront-secure-static-site-templates-main) when using the quick deploy link is too long, triggering this issue.

There isn't an ideal fix. Some options are:

  • Don't use the stack name to derive the OriginAccessControlConfig.Name property. A long stack name would not break deployments. Users would receive an error if they deployed the template with the same stack name in two different regions. The error message is more clear at least.
  • Add a CloudFormation Rule to reject stack names longer than a certain length, with a helpful error message. I'm not sure if this is possible, as we would need to derive the length of a string (AWS::StackName). This isn't possible.
  • Leave as is and update the documentation.
  • Reduce the length of the default stack name. Users would still hit a cryptic error if they choose a stack name longer than a certain length.

Hi @ConnorKirk,

Shortening the OAC config name did the trick!

I went with using the subdomain and domain name instead of the stack name because it's short enough and unique enough for my use case:

OriginAccessControlConfig:
  Name: !Sub
    - 'oac-${Subdomain}-${DashedDomainName}'
    - DashedDomainName: !Join ['-', !Split ['.', !Ref DomainName]]

Thanks!

As far as I am concerned this issue is resolved. If others have the same issue, I am happy to make a PR with my changes but I am not sure if my solution above would work for everyone (for example what if someone doesn't use a subdomain).

Thanks @thomasleplus

Glad to hear you have resolved your issue. I'm still considering the best resolution for users of the sample. I'm working on a PR to fix the issue. Once that is merged I will close this. I'll keep it open in the meantime in case another user encounters the same problem.

Fixed in #69

In the end I used the Stack ID, as this is constant length, but different in each stack. Thank you for your help in identifying and resolving the issue.

Here's the relevant snippet in case it is helpful.

  Name: !Sub
    - amzn-secure-static-site-${guid}
    - guid: !Select [2, !Split ['/', !Ref 'AWS::StackId']]
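To make the length problem discussed above concrete, here is an added Python example (not part of the sample project or this thread) that emulates the three naming strategies from the thread (the original stack-name !Sub, the subdomain/domain !Join, and the Stack ID !Select from #69) and checks the resulting name before a deploy. The 64-character limit is an assumption taken from the CloudFront API documentation, not something the issue states; the stack ARN and GUID below are constructed sample values.

```python
# Assumed limit for OriginAccessControlConfig.Name: the issue never states it,
# but the CloudFront API documents a 64-character maximum for the OAC name.
OAC_NAME_MAX_LEN = 64

# Constructed sample values (not from the issue): the default quick-deploy
# stack name quoted in the thread, a region, and a made-up stack ARN/GUID.
DEFAULT_STACK_NAME = "amazon-cloudfront-secure-static-site-templates-main"
SAMPLE_REGION = "us-east-1"
SAMPLE_STACK_ID = (
    "arn:aws:cloudformation:us-east-1:123456789012:stack/"
    + DEFAULT_STACK_NAME + "/12345678-1234-1234-1234-123456789012"
)


def oac_name_from_stack(stack_name, region):
    """Original template: !Sub 'oac-${AWS::StackName}-${AWS::Region}'."""
    return f"oac-{stack_name}-{region}"


def oac_name_from_domain(subdomain, domain_name):
    """Workaround posted in the thread:
    !Sub with DashedDomainName: !Join ['-', !Split ['.', !Ref DomainName]]."""
    dashed_domain = "-".join(domain_name.split("."))
    return f"oac-{subdomain}-{dashed_domain}"


def oac_name_from_stack_id(stack_id):
    """Fix from #69: !Select [2, !Split ['/', !Ref 'AWS::StackId']].
    A stack ARN is arn:...:stack/<stack-name>/<guid>, so index 2 is the GUID,
    which has a constant length and is unique per stack."""
    guid = stack_id.split("/")[2]
    return f"amzn-secure-static-site-{guid}"


def check_oac_name(name):
    """Return (ok, reason) so a deploy script can fail with a clear message
    instead of CloudFormation's opaque 'Invalid request provided'."""
    if len(name) > OAC_NAME_MAX_LEN:
        return False, f"{len(name)} chars exceeds the {OAC_NAME_MAX_LEN}-char limit"
    return True, "ok"


if __name__ == "__main__":
    for label, name in [
        ("stack name", oac_name_from_stack(DEFAULT_STACK_NAME, SAMPLE_REGION)),
        ("domain", oac_name_from_domain("www", "example.com")),
        ("stack id", oac_name_from_stack_id(SAMPLE_STACK_ID)),
    ]:
        ok, reason = check_oac_name(name)
        print(f"{label:10} {len(name):3} chars {'OK ' if ok else 'BAD'} {reason}: {name}")
```

With the default stack name and us-east-1 the first strategy yields 65 characters, one over the assumed limit, which matches the observation that only shorter stack names deployed.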