AWS::CloudFront::CachePolicy and AWS::CloudFront::OriginRequestPolicy

[joaopenteado]

1. Title

AWS::CloudFront::CachePolicy
AWS::CloudFront::OriginRequestPolicy

2. Scope of request

Last week, CloudFront introduced reusable cache policies and origin request policies and deprecated the previous way of specifying these behaviors through the distribution configuration. I imagine the CloudFormation team is already aware of this change since the corresponding documentation in in CloudFormation is already up to date.

3. Expected behavior

The required parameters should probably stick with what the CreateCachePolicy and CreateOriginRequestPolicy API calls require, I think there's not much room for discussion regarding this.

Both of these should somehow return their ID to use along with the AWS::CloudFront::Distribution resource, otherwise there would be no meaning in including these resources in the first place.

4. Suggest specific test cases

When creating a new distribution with AWS::CloudFront::Distribution you would probably want to specify its cache policy and origin request policy along with it, as most have done up until now with the legacy way of specifying these parameters.

It's not a very good practice to hard-code the IDs of the cache policy and origin request policy, especially since if you use the same stack for multi-account deployments you would want to avoid both hard-coded values and parameters altogether, and the only option you would be left with would be to create an AWS::AccountId-based mapping with each account's cache policy/origin request policy ID, which as I'm sure you're aware, can lead to problems if your AccountID starts with a zero and you have to package your template before deploying it (awscli team I'm looking at you).

5. Helpful Links to speed up research and evaluation

Feature announcement

Relevant CloudFront developer guide documentation

Relevant CloudFront API documentation for cache policies (CreateCachePolicy, UpdateCachePolicy and DeleteCachePolicy)

Relevant CloudFront API documentation for origin request policies (CreateOriginRequestPolicy, UpdateOriginRequestPolicy and DeleteOriginRequestPolicy)

CloudFormation documentation page for AWS::CloudFront::Distribution DefaultCacheBehavior, which is already up to date regarding these changes.

6. Category

Networking & Content Delivery

[PatMyron]

AWS::CloudFront
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html

[bootc]

I know this isn't a support channel (and I have a ticket open anyway) but I tried this today in eu-west-1 and us-east-1 and both times received an Invalid request provided message. Should this be working?

[timdawborn]

Ditto ap-southeast-2.

2020-09-14T03:20:42.598000+00:00 CloudFrontCachePolicy CREATE_FAILED

    Invalid request provided: AWS::CloudFront::CachePolicy
    {"CachePolicyConfig":<snip>}

[henning-krause]

I Just ran into the same issue (eu-central-1).

And while you're on it, please implement Brotli on the the AWS::CloudFront::CachePolicy ParametersInCacheKeyAndForwardedToOrigin type (EnableAcceptEncodingBrotli).

[thanakijwanavit]

Is there a workaround for this? cachepolicy is not working in ap-southeast-1

[yvele]

Yep would like also to have EnableAcceptEncodingBrotli working 🙏

[njlynch]

For those experiencing the Invalid request provided error, one thing to try is to check the Name of the CachePolicy; remove any spaces or special characters, and keep it alphanumeric. That unblocked me.

[Lanchez]

This seems to be fully supported and working now 👍

[erichaus]

I'm getting failure with the following policy on us-east-1:

  DefaultCachePolicy:
    Type: 'AWS::CloudFront::CachePolicy'
    Properties:
      CachePolicyConfig:
        DefaultTTL: 86400
        MaxTTL: 31536000
        MinTTL: 1
        Name: 'web-default-cache-policy'
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: 'none'
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: 'none'
          QueryStringsConfig:
            QueryStringBehavior: 'none'

  AppCloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          CachePolicyId: !Ref DefaultCachePolicy
          Compress: true

Does that look right? Is it a bug w/aws?
The error I get during change_set_execute is: Internal error reported from downstream service during operation

[spg]

I had the same error. Turned out that minTtl was larger than maxTtl, which caused the error. Also, defaultTtl must be larger than minTtl.