CreateDistributionWithTags sends empty string for ResponsePagePath #4926

Open
BenGale opened this issue Dec 13, 2024 · 2 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/bug Some behavior is incorrect or out of spec

Comments


BenGale commented Dec 13, 2024

Describe what happened

When creating a CloudFront distribution I was trying to set CustomErrorResponse to redirect 403 to 404. I was getting consistent failure to deploy this from AWS with a less than helpful error:

"errorCode": "ServiceUnavailableException",
"errorMessage": "An unknown error occurred".

Speaking with AWS support, they indicated that you cannot set custom response codes without also setting the ResponsePagePath. When I look at the output from Pulumi I see that the library is setting this to an empty string, which is invalid.

Sample program

Example CloudFront Distribution:

const distribution = new aws.cloudfront.Distribution(
    `assets-distribution-${environment}`,
    {
      enabled: true,
      isIpv6Enabled: true,
      priceClass: 'PriceClass_100',
      aliases: [domain],
      origins: [
        {
          originId: originId,
          domainName: bucket.bucketRegionalDomainName,
          originAccessControlId: oac.id,
        },
      ],
      defaultCacheBehavior: {
        targetOriginId: originId,
        viewerProtocolPolicy: 'https-only',
        allowedMethods: ['GET', 'HEAD'],
        cachedMethods: ['GET', 'HEAD'],
        cachePolicyId: '4135ea2d-6df8-44a3-9df3-4b5a84be39ad', // CachingDisabled policy ID
        originRequestPolicyId: '216adef6-5c7f-47e4-b989-5492eafa07d3', // AllViewer policy ID
        compress: true,
      },
      restrictions: {
        geoRestriction: {
          restrictionType: 'none',
        },
      },
      viewerCertificate: {
        acmCertificateArn: certificateValidation.certificateArn,
        minimumProtocolVersion: 'TLSv1.2_2021',
        sslSupportMethod: 'sni-only',
      },
      // Return 404 for both missing files and invalid signatures to prevent file enumeration
      customErrorResponses: [
        {
          errorCode: 403,
          responseCode: 404,
          errorCachingMinTtl: 5,
        },
        {
          errorCode: 404,
          responseCode: 404,
          errorCachingMinTtl: 5,
        },
      ],
    }
)

Log output

Relevant snippet from CloudTrail Logs.

"customErrorResponses": {
    "quantity": 2,
    "items": [
        {
            "responsePagePath": "",
            "errorCode": 403,
            "errorCachingMinTTL": 5,
            "responseCode": "404"
        },
        {
            "responsePagePath": "",
            "errorCode": 404,
            "errorCachingMinTTL": 5,
            "responseCode": "404"
        }
    ]
},

Affected Resource(s)

aws.cloudfront.Distribution

Output of pulumi about

CLI
Version 3.142.0
Go Version go1.23.3
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.64.0
resource aws 6.56.1
resource aws 6.27.0
resource awsx 2.19.0
resource awsx 2.16.1
resource awsx 2.6.0
resource docker 4.5.1
resource docker 4.5.1
resource docker 3.6.1
resource docker 3.6.1
language nodejs unknown
resource random 4.16.7

Host
OS darwin
Version 15.2
Arch arm64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@BenGale BenGale added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Dec 13, 2024
@corymhall
Contributor

@BenGale thanks for reporting this issue! It looks like there is an enhancement request upstream tracking this. The idea would be to require you to configure both properties together or throw a validation error. Does that look like it would solve your problem?

hashicorp/terraform-provider-aws#32431

@corymhall corymhall added awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). and removed needs-triage Needs attention from the triage team labels Dec 13, 2024
@BenGale
Author

BenGale commented Dec 13, 2024

Yeah, that sounds spot on. Was very difficult to find out what was up with the useless AWS error, so it would be great if the type enforced setting both.
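A pre-deploy check for the pairing rule discussed in this thread, as an added example that is not code from the issue's participants or from the Pulumi or Terraform AWS providers. It flags any `customErrorResponses` entry where only one of `responseCode` and `responsePagePath` is set, and works on both the Pulumi arguments and the item shape shown in the CloudTrail snippet. The function names and the `/404.html` path are hypothetical.

```typescript
// Added example; not provider code. Field names follow the issue's sample
// program and its CloudTrail snippet.
interface CustomErrorResponse {
  errorCode: number;
  responseCode?: number | string; // CloudTrail logs this as a string ("404")
  responsePagePath?: string;
  errorCachingMinTtl?: number; // Pulumi spelling
  errorCachingMinTTL?: number; // CloudTrail spelling
}

// Treat undefined, null and "" alike: the request in the issue carried "".
function isSet(v: number | string | null | undefined): boolean {
  return v !== undefined && v !== null && String(v).trim() !== "";
}

// Returns one message per entry that sets only one of the two properties.
function findUnpairedErrorResponses(items: CustomErrorResponse[]): string[] {
  const problems: string[] = [];
  items.forEach((item, i) => {
    const hasCode = isSet(item.responseCode);
    const hasPath = isSet(item.responsePagePath);
    const where = `customErrorResponses[${i}] (errorCode ${item.errorCode})`;
    if (hasCode && !hasPath) {
      problems.push(`${where}: responseCode ${item.responseCode} set without responsePagePath`);
    } else if (!hasCode && hasPath) {
      problems.push(`${where}: responsePagePath ${item.responsePagePath} set without responseCode`);
    }
  });
  return problems;
}

// Throwing wrapper: fail locally instead of at the CloudFront API.
function assertPairedErrorResponses(items: CustomErrorResponse[]): CustomErrorResponse[] {
  const problems = findUnpairedErrorResponses(items);
  if (problems.length > 0) throw new Error(problems.join("\n"));
  return items;
}

// Constructed inputs mirroring the issue: the sample program's entries and
// the items as they appear in the CloudTrail snippet.
const fromSampleProgram: CustomErrorResponse[] = [
  { errorCode: 403, responseCode: 404, errorCachingMinTtl: 5 },
  { errorCode: 404, responseCode: 404, errorCachingMinTtl: 5 },
];
const fromCloudTrail: CustomErrorResponse[] = [
  { responsePagePath: "", errorCode: 403, errorCachingMinTTL: 5, responseCode: "404" },
  { responsePagePath: "", errorCode: 404, errorCachingMinTTL: 5, responseCode: "404" },
];
// Hypothetical corrected entry: "/404.html" is an assumed object in the origin.
const withErrorPage: CustomErrorResponse[] = [{ errorCode: 403, responseCode: 404, responsePagePath: "/404.html", errorCachingMinTtl: 5 }];
```

Wrapping the literal array as `customErrorResponses: assertPairedErrorResponses([...])` makes the program fail with a per-entry message before any request is sent; it only inspects plain values, not Pulumi `Output`s.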
