(CloudFront): Initial Create Succeeds, Subsequent Updates Fail with Invalid request provided: AWS::CloudFront::PublicKey

[mcalello]

The following code will create a proper Cloudfront PublicKey and it is usable to restrict access to private resources.

But, any updates to the stack that update the CloudFront PublicKey will fail with:

Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey" (RequestToken: fd28451c-389a-cdd8-d3f7-2bb76874bfee, HandlerErrorCode: InvalidRequest)

Reproduction Steps

        cloudfront_public_key = cloudfront.PublicKey(
            self, "cloudfront-public-key",
            encoded_key=<generated_public_key>
        )
        cloudfront_keygroup = cloudfront.KeyGroup(
            self, "cloudfront-keygroup",
            items=[cloudfront_public_key]
        )

What did you expect to happen?

I would expect the PublicKey to update without error.

What actually happened?

Environment

• **CDK CLI Version : ** 1.108.0 (build b23f781)
• Framework Version: 1.108.0 (build b23f781)
• Node.js Version: v12.18.2
• OS : CodeBuild/CodePipeline
• Language (Version): Python 3.7.4

Other

---

This is 🐛 Bug Report

[njlynch]

It seems like this issue impacts a significant number of customers, and I've tagged it as P1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute a bug fix or new feature to the CDK. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster.

[mcalello]

Thank you @njlynch. I looked at the source and the CloudFormation docs and have questions about the CallerReference. The CF docs read:

A string included in the request to help make sure that the request can’t be replayed.

Can anyone shed more light on this required field? How's it work?

[mcalello]

@njlynch @robertd

Based on the boto3 documentation and a little hint on the Cloudfront UI:

I believe Cloudfront does not support changing the PublicKey's encoded_key value. Perhaps this could be handled by the L2 construct, or at least a better error message and some warning in the documentation.

[flavioleggio]

Any news on this? We really need to update certs in our production environment. This can be a security issue.

[Jrodseth]

+1

[comcalvi]

We're still investigating this issue. A potential workaround now would be to change the logical ID of the public key, which will force a new one to be created with the correct properties.

[JLucky]

+1