CloudFront get redeployed every time if forward custom headers

[JoeShi]

Terraform Version

Terraform v0.11.13

Terraform Configuration Files

resource "aws_s3_bucket" "aos_bucket_cf" {
  bucket = "${var.aos_bucket_cf_name}"
  region = "${var.region}"
}

locals {
  s3_origin_id = "aos_bucket_cf"
}

resource "aws_cloudfront_distribution" "aos_cf" {
  origin {
    domain_name = "${aws_s3_bucket.aos_bucket_cf.bucket_regional_domain_name}"
    origin_id = "${local.s3_origin_id}"
  }
  enabled = true
  is_ipv6_enabled = false
  comment = "AOS CloudFront"
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods = ["GET", "HEAD"]
    forwarded_values {
      cookies {
        forward = "none"
      }
      query_string = true
      headers      = ["Accept-Language", "Referer", "CloudFront-Viewer-Country", "User-Agent"]
    }
    target_origin_id = "${local.s3_origin_id}"
    viewer_protocol_policy = "allow-all"
    min_ttl = 0
    max_ttl = 0
    default_ttl = 0
    lambda_function_association {
      event_type = "origin-request"
      lambda_arn = "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:function:aos-${var.version}-index:${var.aos_lambda_edge_index_version}"
    }
  }

  price_class = "PriceClass_All"

  restrictions {
    "geo_restriction" {
      restriction_type = "none"
    }
  }

  "viewer_certificate" {
    cloudfront_default_certificate = true
  }
}

Debug Output

Additional Context

  ~ aws_cloudfront_distribution.aos_cf
      default_cache_behavior.0.forwarded_values.0.headers.1: "CloudFront-Viewer-Country" => "Referer"
      default_cache_behavior.0.forwarded_values.0.headers.2: "Referer" => "CloudFront-Viewer-Country"

Expected Behavior

CloudFront distribution should NOT refresh.

Actual Behavior

CloudFront distribution refreshed every time after a terraform apply

Steps to Reproduce

terraform init
terraform apply

• Add issue_template #6017

[JoeShi]

The workaround is change

headers      = ["Accept-Language", "Referer", "CloudFront-Viewer-Country", "User-Agent"]

to

headers      = ["Accept-Language", "CloudFront-Viewer-Country", "Referer",  "User-Agent"]

The headers should be alphabet order. Just want to let others aware of this.

Like to see Terraform can put it in aws_cloudfront_distribution docs or auto order them before invoke the AWS API.

[ghost]

This issue has been automatically migrated to hashicorp/terraform-provider-aws#8140 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#8140.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.