Cloudfront multi-tenant distribution: `response_completion_timeout` for origins cannot be cleared once set

[dsp0x4]

Terraform and AWS Provider Version

Terraform v1.15.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v6.43.0

Affected Resource(s) or Data Source(s)

• aws_cloudfront_multitenant_distribution

Expected Behavior

If a user removes (or sets to null) the response_completion_timeout for a origin from HCL, after a previous apply set it to a non-null value, the next plan should show the attribute being cleared and the next apply should disable it.

Actual Behavior

Once response_completion_timeout has been written to state, removing it from HCL does nothing. The only way to disable the timeout is to manually do it via the API, outside terraform.

Computed: true causes Terraform to use the value from the AWS API when the config is null, which hides the user's intent to disable the timeout. The CloudFront API does not return ResponseCompletionTimeout in GetDistributionConfig when the field is not in effect, so there is no AWS-side default to "compute".

Relevant Error/Panic Output

n/a

Sample Terraform Configuration

Click to expand configuration

provider "aws" {
  region = "us-east-1"
}

data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_multitenant_distribution" "example" {
  comment = "example multi-tenant distribution"
  enabled = false

  origin {
    domain_name = "example.com"
    id          = "example-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }

    response_completion_timeout = 30   # remove this line on the second plan
  }

  default_cache_behavior {
    target_origin_id       = "example-origin"
    viewer_protocol_policy = "redirect-to-https"
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id

    allowed_methods {
      items          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
      cached_methods = ["GET", "HEAD"]
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  tenant_config {}

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  tags = {
    Name = "example"
  }
}

Steps to Reproduce

1. Apply the configuration with response_completion_timeout = 30
2. Remove the response_completion_timeout line (or set the value to null)
3. Run terraform plan
4. Observe "No changes" instead of the expected diff that would clear the timeout

Debug Logging

n/a

GenAI / LLM Assisted Development

n/a

Important Facts and References

API Reference: https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_Origin.html#cloudfront-Type-Origin-ResponseCompletionTimeout

Would you like to implement a fix?

Yes

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.