
Conversation

@kharouny

@kharouny kharouny commented Nov 10, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

No changes to security controls. This adds an optional parameter that enables cross-account resource access already configured via AWS Resource Access Manager (RAM). The parameter only exposes existing AWS CloudFront API functionality.

Description

Adds support for cross-account VPC origins in CloudFront distributions by implementing the owner_account_id parameter in vpc_origin_config.

AWS CloudFront requires the OwnerAccountId field when referencing a VPC origin from a different account. Without this parameter, Terraform fails with a 404 EntityNotFound error even when the VPC origin is properly shared via AWS RAM.

Changes:

  • Add owner_account_id field to vpc_origin_config schema (Optional, Computed)
  • Update expand/flatten functions to handle the parameter
  • Add acceptance test TestAccCloudFrontDistribution_vpcOriginConfigOwnerAccountID
  • Update documentation

Backward compatible: When omitted, CloudFront assumes same-account origin (existing behavior).

Relations

Closes #45011

References

Output from Acceptance Testing (Did not run)

% make testacc TESTS=TestAccXXX PKG=ec2
...
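To illustrate the expand/flatten behaviour the description above relies on (OwnerAccountId sent only when owner_account_id is set, and read back so a Computed value can reach state), here is an added, self-contained Go example. It is not the provider's code and does not import the AWS SDK: VpcOriginConfig is a stand-in struct assumed to mirror the SDK's pointer-string fields, "vo-EXAMPLE" and the account IDs are constructed sample values, and the 12-digit account ID format check is an extra local validation added here, not one of the changes the PR lists.

```go
package main

import (
	"fmt"
	"regexp"
)

// VpcOriginConfig is a stand-in for the AWS SDK's CloudFront VpcOriginConfig
// type (assumption: the real SDK type exposes these as pointer fields; the SDK
// is not imported so that this example runs offline).
type VpcOriginConfig struct {
	VpcOriginId    *string
	OwnerAccountId *string
}

// accountIDPattern matches the 12-digit form of an AWS account ID.
var accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)

// validateAccountID is an added check (not part of the PR's described changes)
// that rejects values which cannot be an AWS account ID before they reach the API.
func validateAccountID(v string) error {
	if !accountIDPattern.MatchString(v) {
		return fmt.Errorf("owner_account_id %q is not a 12-digit AWS account ID", v)
	}
	return nil
}

// expandVPCOriginConfig builds the API object from the Terraform block map.
// OwnerAccountId is set only when owner_account_id is present and non-empty,
// so a configuration that omits it keeps the same-account behaviour.
func expandVPCOriginConfig(tfMap map[string]interface{}) (*VpcOriginConfig, error) {
	if tfMap == nil {
		return nil, nil
	}
	apiObject := &VpcOriginConfig{}
	if v, ok := tfMap["vpc_origin_id"].(string); ok && v != "" {
		apiObject.VpcOriginId = &v
	}
	if v, ok := tfMap["owner_account_id"].(string); ok && v != "" {
		if err := validateAccountID(v); err != nil {
			return nil, err
		}
		apiObject.OwnerAccountId = &v
	}
	return apiObject, nil
}

// flattenVPCOriginConfig converts the API response back into the block map.
// Reading OwnerAccountId here is what lets the Computed value land in state
// when CloudFront reports the owning account.
func flattenVPCOriginConfig(apiObject *VpcOriginConfig) map[string]interface{} {
	if apiObject == nil {
		return nil
	}
	tfMap := map[string]interface{}{}
	if v := apiObject.VpcOriginId; v != nil {
		tfMap["vpc_origin_id"] = *v
	}
	if v := apiObject.OwnerAccountId; v != nil {
		tfMap["owner_account_id"] = *v
	}
	return tfMap
}

func main() {
	// Constructed sample input: a VPC origin shared from another account.
	crossAccount := map[string]interface{}{
		"vpc_origin_id":    "vo-EXAMPLE",
		"owner_account_id": "123456789012",
	}
	apiObject, err := expandVPCOriginConfig(crossAccount)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %v\n", flattenVPCOriginConfig(apiObject))

	// Same input without owner_account_id: the field stays nil (same-account).
	delete(crossAccount, "owner_account_id")
	apiObject, _ = expandVPCOriginConfig(crossAccount)
	fmt.Println("omitted -> OwnerAccountId nil:", apiObject.OwnerAccountId == nil)

	// A malformed account ID is rejected locally instead of surfacing later
	// as an opaque API error.
	_, err = expandVPCOriginConfig(map[string]interface{}{
		"vpc_origin_id": "vo-EXAMPLE", "owner_account_id": "12345",
	})
	fmt.Println("malformed rejected:", err != nil)
}
```

The nil-when-omitted rule in expandVPCOriginConfig is the backward-compatibility guarantee the description states: an existing same-account configuration produces exactly the request it produced before the field existed.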

@kharouny kharouny requested a review from a team as a code owner November 10, 2025 18:39
@github-actions
Contributor

Welcome @kharouny 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider repository. Thank you very much for taking the time to do so, and welcome to the community! 🎉


Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/cloudfront Issues and PRs that pertain to the cloudfront service. size/M Managed by automation to categorize the size of a PR. labels Nov 10, 2025
@kharouny kharouny changed the title F cloudfront cross account vpc origin fix/cloudfront cross account vpc origin Nov 10, 2025
@kharouny kharouny changed the title fix/cloudfront cross account vpc origin feat/cloudfront cross account vpc origin Nov 10, 2025
@kharouny kharouny changed the title feat/cloudfront cross account vpc origin feat/cloudfront-cross-account-vpc-origin Nov 10, 2025
@ewbankkit ewbankkit added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 10, 2025
@kharouny kharouny force-pushed the f-cloudfront-cross-account-vpc-origin branch from 3e90409 to ffe5013 November 10, 2025 20:14

Fixes hashicorp#45011

AWS released cross-account VPC Origins for CloudFront on November 7, 2025.
The CloudFront API requires the OwnerAccountId field when referencing a
VPC origin from a different account. Without this parameter, Terraform
returns 404 EntityNotFound even when the VPC origin is properly shared via RAM.

Changes:
- Add owner_account_id field to vpc_origin_config schema (Optional, Computed)
- Update expandVPCOriginConfig to include OwnerAccountId when provided
- Update flattenVPCOriginConfig to read OwnerAccountId from API response
- Add acceptance test TestAccCloudFrontDistribution_vpcOriginConfigOwnerAccountID
- Update documentation

Backward compatible: When owner_account_id is omitted, CloudFront uses
the distribution's account.

@kharouny kharouny force-pushed the f-cloudfront-cross-account-vpc-origin branch from ffe5013 to fa5938a November 11, 2025 14:04
@kharouny
Author

Looks like this needs another pipeline trigger from one of the owners to get the checks running.



Development

Successfully merging this pull request may close these issues.

Support for CloudFront cross-account VPC Origins

3 participants