[hashicorp/terraform-provider-aws] CloudFront invalid argument DomainName when origin is S3 Website endpoint - Go

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11 + provider.aws v2.0.0

Affected Resource(s)

  • awscloudfrontdistribution
  • awss3bucket

Terraform Configuration Files

provider "aws" {
  region  = "eu-west-1"
  profile = "develop"

resource "aws_s3_bucket" "bucket-web" {
  bucket = "foo"
  region = "eu-west-1"

  website {
    index_document = "index.html"

resource "aws_cloudfront_distribution" "distribution" {
  origin {
    domain_name = "${aws_s3_bucket.bucket-web.website_endpoint}"
    origin_id   = "wiiimeeeeehhhh"

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "wiiimeeeeehhhh"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"

  restrictions {
    geo_restriction {
      restriction_type = "none"

  viewer_certificate {
    acm_certificate_arn      = "arn:my_certificate_arn"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"

  enabled     = true
  price_class = "PriceClass_100"

Debug Output

Relevant log below:

  origin.3576990599.domain_name:                                 "" => "foo.s3-website-eu-west-1.amazonaws.com"
  origin.3576990599.origin_id:                                   "" => "wiiimeeeeehhhh"

* aws_cloudfront_distribution.distribution: error creating CloudFront Distribution: InvalidArgument: The parameter Origin DomainName does not refer to a valid S3 bucket.

Expected Behavior

Two resources should be created: - A S3 bucket for static web hosting. - A CloudFront distribution with an origin pointing to the bucket's website endpoint (foo.s3-website-eu-west-1.amazonaws.com).

Actual Behavior

The bucket is created without any issues, however the distribution fails because it considers the domain_name is not valid.

Notice that for using CloudFront to serve a S3 static website, we can't use the bucket's name, we must use the website endpoint. More info on https://aws.amazon.com/premiumsupport/knowledge-center/s3-website-cloudfront-error-403/

Steps to Reproduce

  1. Copy the configuration file above 2.terraform apply
Asked Apr 21 '22 21:04
avatar ay0o

2 Answer:

Just found the solution. Maybe the documentation could be improved regarding this case.

When we want to create a CloudFront origin for a S3 static website, we must define a custom_origin_config, otherwise it won't work.

    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
Answered Mar 07 '19 at 11:36
avatar  of ay0o


Answered Apr 21 '22 at 09:04
avatar  of Renato Alencar
Renato Alencar