Add cross-account VPC origin support to CloudFront distribution

kharouny · kharouny · commit fa5938a6893d · 2025-11-11T09:04:15.000-05:00
Fixes #45011 AWS released cross-account VPC Origins for CloudFront on November 7, 2025. The CloudFront API requires the OwnerAccountId field when referencing a VPC origin from a different account. Without this parameter, Terraform returns 404 EntityNotFound even when the VPC origin is properly shared via RAM. Changes: - Add owner_account_id field to vpc_origin_config schema (Optional, Computed) - Update expandVPCOriginConfig to include OwnerAccountId when provided - Update flattenVPCOriginConfig to read OwnerAccountId from API response - Add acceptance test TestAccCloudFrontDistribution_vpcOriginConfigOwnerAccountID - Update documentation Backward compatible: When owner_account_id is omitted, CloudFront uses the distribution's account.
diff --git a/.changelog/45011.txt b/.changelog/45011.txt
@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/aws_cloudfront_distribution: Add `owner_account_id` argument to `vpc_origin_config` for cross-account VPC origin support
+```
+
diff --git a/internal/service/cloudfront/distribution.go b/internal/service/cloudfront/distribution.go
@@ -739,6 +739,11 @@ func resourceDistribution() *schema.Resource {
 										Default:      30,
 										ValidateFunc: validation.IntAtLeast(1),
 									},
+									names.AttrOwnerAccountID: {
+										Type:     schema.TypeString,
+										Optional: true,
+										Computed: true,
+									},
 									"vpc_origin_id": {
 										Type:     schema.TypeString,
 										Required: true,
@@ -2530,11 +2535,17 @@ func expandVPCOriginConfig(tfMap map[string]any) *awstypes.VpcOriginConfig {
 		return nil
 	}
 
-	return &awstypes.VpcOriginConfig{
+	apiObject := &awstypes.VpcOriginConfig{
 		OriginKeepaliveTimeout: aws.Int32(int32(tfMap["origin_keepalive_timeout"].(int))),
 		OriginReadTimeout:      aws.Int32(int32(tfMap["origin_read_timeout"].(int))),
 		VpcOriginId:            aws.String(tfMap["vpc_origin_id"].(string)),
 	}
+
+	if v, ok := tfMap[names.AttrOwnerAccountID].(string); ok && v != "" {
+		apiObject.OwnerAccountId = aws.String(v)
+	}
+
+	return apiObject
 }
 
 func flattenOriginShield(apiObject *awstypes.OriginShield) map[string]any {
@@ -2563,11 +2574,17 @@ func flattenVPCOriginConfig(apiObject *awstypes.VpcOriginConfig) map[string]any
 		return nil
 	}
 
-	return map[string]any{
+	tfMap := map[string]any{
 		"origin_keepalive_timeout": aws.ToInt32(apiObject.OriginKeepaliveTimeout),
 		"origin_read_timeout":      aws.ToInt32(apiObject.OriginReadTimeout),
 		"vpc_origin_id":            aws.ToString(apiObject.VpcOriginId),
 	}
+
+	if apiObject.OwnerAccountId != nil {
+		tfMap[names.AttrOwnerAccountID] = aws.ToString(apiObject.OwnerAccountId)
+	}
+
+	return tfMap
 }
 
 func expandCustomErrorResponses(tfList []any) *awstypes.CustomErrorResponses {
diff --git a/internal/service/cloudfront/distribution_test.go b/internal/service/cloudfront/distribution_test.go
@@ -1591,6 +1591,50 @@ func TestAccCloudFrontDistribution_vpcOriginConfig(t *testing.T) {
 	})
 }
 
+func TestAccCloudFrontDistribution_vpcOriginConfigOwnerAccountID(t *testing.T) {
+	ctx := acctest.Context(t)
+	var distribution awstypes.Distribution
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cloudfront_distribution.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckPartitionHasService(t, names.CloudFrontEndpointID) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.CloudFrontServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDistributionDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDistributionConfig_vpcOriginConfigOwnerAccountID(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDistributionExists(ctx, resourceName, &distribution),
+					resource.TestCheckResourceAttr(resourceName, "origin.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "origin.*", map[string]string{
+						"custom_header.#":        "0",
+						"custom_origin_config.#": "0",
+						names.AttrDomainName:     "www.example.com",
+						"origin_id":              "test",
+						"origin_shield.#":        "0",
+						"s3_origin_config.#":     "0",
+						"vpc_origin_config.#":    "1",
+						"vpc_origin_config.0.origin_keepalive_timeout": "5",
+						"vpc_origin_config.0.origin_read_timeout":      "30",
+					}),
+					resource.TestCheckResourceAttrSet(resourceName, fmt.Sprintf("vpc_origin_config.0.%s", names.AttrOwnerAccountID)),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"retain_on_delete",
+					"wait_for_deployment",
+				},
+			},
+		},
+	})
+}
+
 func TestAccCloudFrontDistribution_responseCompletionTimeout(t *testing.T) {
 	ctx := acctest.Context(t)
 	var distribution awstypes.Distribution
@@ -4883,6 +4927,52 @@ resource "aws_cloudfront_distribution" "test" {
 `)
 }
 
+func testAccDistributionConfig_vpcOriginConfigOwnerAccountID(rName string) string {
+	return acctest.ConfigCompose(testAccVPCOriginConfig_basic(rName), `
+data "aws_caller_identity" "current" {}
+
+resource "aws_cloudfront_distribution" "test" {
+  enabled          = false
+  retain_on_delete = false
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+    target_origin_id       = "test"
+    viewer_protocol_policy = "allow-all"
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "all"
+      }
+    }
+  }
+
+  origin {
+    domain_name = "www.example.com"
+    origin_id   = "test"
+
+    vpc_origin_config {
+      vpc_origin_id    = aws_cloudfront_vpc_origin.test.id
+      owner_account_id = data.aws_caller_identity.current.account_id
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+}
+`)
+}
+
 func testAccDistributionConfig_responseCompletionTimeout(enabled, retainOnDelete bool, responseCompletionTimeout int) string {
 	return fmt.Sprintf(`
 resource "aws_cloudfront_distribution" "test" {
diff --git a/website/docs/r/cloudfront_distribution.html.markdown b/website/docs/r/cloudfront_distribution.html.markdown
@@ -568,6 +568,7 @@ argument should not be specified.
 
 * `origin_keepalive_timeout` - (Optional) Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds. Defaults to `5`.
 * `origin_read_timeout` - (Optional) Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the _origin response timeout_. The minimum timeout is 1 second, the maximum is 60 seconds. Defaults to `30`.
+* `owner_account_id` - (Optional) The AWS account ID that owns the VPC origin. Required when referencing a VPC origin from a different AWS account for cross-account VPC origin access.
 * `vpc_origin_id` (Required) - The VPC origin ID.
 
 #### Origin Group Arguments

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +```release-note:enhancement
 +resource/aws_cloudfront_distribution: Add `owner_account_id` argument to `vpc_origin_config` for cross-account VPC origin support
 +```
++