@tabito-hara tabito-hara commented Oct 28, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

"logging": {
    "includeCookies": true,
    "prefix": "",
    "enabled": false,
    "bucket": ""
},
  • Even when using V2 logging, the logging.include_cookies setting is still evaluated by the AWS API.

  • However, in the current AWS Provider implementation, the logging_config.enabled argument does not exist. Instead, V1 logging is implicitly enabled when the logging_config block is present.
    Therefore, it is currently not possible to set include_cookies while keeping V1 logging disabled.

  • This PR allows logging_config.include_cookies to be set to true when V1 logging is disabled (and V2 logging is enabled).

    • logging_config.bucket is changed from Required to Optional, and now determines whether V1 logging is enabled: if logging_config.bucket is specified, V1 logging is enabled; if omitted, V1 logging is disabled.
    • With this change, logging_config.include_cookies can be enabled independently of V1 logging.
  • A new attribute, logging_v1_enabled, is added to allow users to easily monitor the status of V1 logging.

Relations

Closes #44827

References

func expandLoggingConfig(tfMap map[string]any) *awstypes.LoggingConfig {
    apiObject := &awstypes.LoggingConfig{}
    if tfMap != nil {
        apiObject.Bucket = aws.String(tfMap[names.AttrBucket].(string))
        apiObject.Enabled = aws.Bool(true)
        apiObject.IncludeCookies = aws.Bool(tfMap["include_cookies"].(bool))
        apiObject.Prefix = aws.String(tfMap[names.AttrPrefix].(string))
    } else {
        apiObject.Bucket = aws.String("")
        apiObject.Enabled = aws.Bool(false)
        apiObject.IncludeCookies = aws.Bool(false)
        apiObject.Prefix = aws.String("")
    }
    return apiObject
}

Output from Acceptance Testing

One test failed, which is the same error reported in #44691 and #44753.

$ AWS_PROFILE=admin make testacc TESTS='TestAccCloudFrontDistribution_' PKG=cloudfront 
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 b-aws_cloudfront_distribution-logging_config_include_cookies 🌿...
TF_ACC=1 go1.24.8 test ./internal/service/cloudfront/... -v -count 1 -parallel 20 -run='TestAccCloudFrontDistribution_'  -timeout 360m -vet=off
2025/10/28 23:18:06 Creating Terraform AWS Provider (SDKv2-style)...
2025/10/28 23:18:06 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccCloudFrontDistribution_basic
=== PAUSE TestAccCloudFrontDistribution_basic
=== RUN   TestAccCloudFrontDistribution_disappears
=== PAUSE TestAccCloudFrontDistribution_disappears
=== RUN   TestAccCloudFrontDistribution_tags
=== PAUSE TestAccCloudFrontDistribution_tags
=== RUN   TestAccCloudFrontDistribution_s3Origin
=== PAUSE TestAccCloudFrontDistribution_s3Origin
=== RUN   TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
=== PAUSE TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
=== RUN   TestAccCloudFrontDistribution_customOrigin
=== PAUSE TestAccCloudFrontDistribution_customOrigin
=== RUN   TestAccCloudFrontDistribution_customOriginIPAddressType
=== PAUSE TestAccCloudFrontDistribution_customOriginIPAddressType
=== RUN   TestAccCloudFrontDistribution_originPolicyDefault
=== PAUSE TestAccCloudFrontDistribution_originPolicyDefault
=== RUN   TestAccCloudFrontDistribution_originPolicyOrdered
=== PAUSE TestAccCloudFrontDistribution_originPolicyOrdered
=== RUN   TestAccCloudFrontDistribution_multiOrigin
=== PAUSE TestAccCloudFrontDistribution_multiOrigin
=== RUN   TestAccCloudFrontDistribution_orderedCacheBehavior
=== PAUSE TestAccCloudFrontDistribution_orderedCacheBehavior
=== RUN   TestAccCloudFrontDistribution_orderedCacheBehaviorCachePolicy
=== PAUSE TestAccCloudFrontDistribution_orderedCacheBehaviorCachePolicy
=== RUN   TestAccCloudFrontDistribution_orderedCacheBehaviorResponseHeadersPolicy
=== PAUSE TestAccCloudFrontDistribution_orderedCacheBehaviorResponseHeadersPolicy
=== RUN   TestAccCloudFrontDistribution_forwardedValuesToCachePolicy
=== PAUSE TestAccCloudFrontDistribution_forwardedValuesToCachePolicy
=== RUN   TestAccCloudFrontDistribution_Origin_emptyDomainName
=== PAUSE TestAccCloudFrontDistribution_Origin_emptyDomainName
=== RUN   TestAccCloudFrontDistribution_Origin_emptyOriginID
=== PAUSE TestAccCloudFrontDistribution_Origin_emptyOriginID
=== RUN   TestAccCloudFrontDistribution_Origin_connectionAttempts
=== PAUSE TestAccCloudFrontDistribution_Origin_connectionAttempts
=== RUN   TestAccCloudFrontDistribution_Origin_connectionTimeout
=== PAUSE TestAccCloudFrontDistribution_Origin_connectionTimeout
=== RUN   TestAccCloudFrontDistribution_Origin_originShield
=== PAUSE TestAccCloudFrontDistribution_Origin_originShield
=== RUN   TestAccCloudFrontDistribution_Origin_originAccessControl
=== PAUSE TestAccCloudFrontDistribution_Origin_originAccessControl
=== RUN   TestAccCloudFrontDistribution_noOptionalItems
=== PAUSE TestAccCloudFrontDistribution_noOptionalItems
=== RUN   TestAccCloudFrontDistribution_http11
=== PAUSE TestAccCloudFrontDistribution_http11
=== RUN   TestAccCloudFrontDistribution_isIPV6Enabled
=== PAUSE TestAccCloudFrontDistribution_isIPV6Enabled
=== RUN   TestAccCloudFrontDistribution_noCustomErrorResponse
=== PAUSE TestAccCloudFrontDistribution_noCustomErrorResponse
=== RUN   TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValuesCookies_whitelistedNames
=== PAUSE TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValuesCookies_whitelistedNames
=== RUN   TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValues_headers
=== PAUSE TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValues_headers
=== RUN   TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedKeyGroups
=== PAUSE TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedKeyGroups
=== RUN   TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedSigners
=== PAUSE TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedSigners
=== RUN   TestAccCloudFrontDistribution_DefaultCacheBehavior_realtimeLogARN
=== PAUSE TestAccCloudFrontDistribution_DefaultCacheBehavior_realtimeLogARN
=== RUN   TestAccCloudFrontDistribution_OrderedCacheBehavior_realtimeLogARN
=== PAUSE TestAccCloudFrontDistribution_OrderedCacheBehavior_realtimeLogARN
=== RUN   TestAccCloudFrontDistribution_enabled
=== PAUSE TestAccCloudFrontDistribution_enabled
=== RUN   TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValuesCookies_whitelistedNames
=== PAUSE TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValuesCookies_whitelistedNames
=== RUN   TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValues_headers
=== PAUSE TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValues_headers
=== RUN   TestAccCloudFrontDistribution_ViewerCertificate_acmCertificateARN
=== PAUSE TestAccCloudFrontDistribution_ViewerCertificate_acmCertificateARN
=== RUN   TestAccCloudFrontDistribution_ViewerCertificateACMCertificateARN_conflictsWithCloudFrontDefaultCertificate
=== PAUSE TestAccCloudFrontDistribution_ViewerCertificateACMCertificateARN_conflictsWithCloudFrontDefaultCertificate
=== RUN   TestAccCloudFrontDistribution_waitForDeployment
=== PAUSE TestAccCloudFrontDistribution_waitForDeployment
=== RUN   TestAccCloudFrontDistribution_preconditionFailed
=== PAUSE TestAccCloudFrontDistribution_preconditionFailed
=== RUN   TestAccCloudFrontDistribution_originGroups
=== PAUSE TestAccCloudFrontDistribution_originGroups
=== RUN   TestAccCloudFrontDistribution_vpcOriginConfig
=== PAUSE TestAccCloudFrontDistribution_vpcOriginConfig
=== RUN   TestAccCloudFrontDistribution_responseCompletionTimeout
=== PAUSE TestAccCloudFrontDistribution_responseCompletionTimeout
=== RUN   TestAccCloudFrontDistribution_grpcConfig
=== PAUSE TestAccCloudFrontDistribution_grpcConfig
=== CONT  TestAccCloudFrontDistribution_basic
=== CONT  TestAccCloudFrontDistribution_isIPV6Enabled
=== CONT  TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValues_headers
=== CONT  TestAccCloudFrontDistribution_grpcConfig
=== CONT  TestAccCloudFrontDistribution_responseCompletionTimeout
=== CONT  TestAccCloudFrontDistribution_vpcOriginConfig
=== CONT  TestAccCloudFrontDistribution_originGroups
=== CONT  TestAccCloudFrontDistribution_preconditionFailed
=== CONT  TestAccCloudFrontDistribution_waitForDeployment
=== CONT  TestAccCloudFrontDistribution_ViewerCertificateACMCertificateARN_conflictsWithCloudFrontDefaultCertificate
=== CONT  TestAccCloudFrontDistribution_ViewerCertificate_acmCertificateARN
=== CONT  TestAccCloudFrontDistribution_enabled
=== CONT  TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValuesCookies_whitelistedNames
=== CONT  TestAccCloudFrontDistribution_orderedCacheBehaviorCachePolicy
=== CONT  TestAccCloudFrontDistribution_http11
=== CONT  TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedSigners
=== CONT  TestAccCloudFrontDistribution_noOptionalItems
=== CONT  TestAccCloudFrontDistribution_Origin_originAccessControl
=== CONT  TestAccCloudFrontDistribution_Origin_originShield
=== CONT  TestAccCloudFrontDistribution_OrderedCacheBehavior_realtimeLogARN
2025-10-28T23:21:35.383+0900 [ERROR] aws.autoflex: Source does not implement attr.Value: tf_resource_type=aws_cloudfront_vpc_origin autoflex.target.path="" autoflex.source.type=github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront.originSSLProtocolsModel autoflex.target.type=github.com/aws/aws-sdk-go-v2/service/cloudfront/types.SslProtocol tf_mux_provider="*proto5server.Server" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange tf_req_id=eb0ffb34-e66b-61ca-d2fe-4ba48ea8bef9 autoflex.source.path=""
=== NAME  TestAccCloudFrontDistribution_vpcOriginConfig
    distribution_test.go:1557: Step 1/2 error: Error running apply: exit status 1
        
        Error: Incompatible Types
        
          with aws_cloudfront_vpc_origin.test,
          on terraform_plugin_test.tf line 88, in resource "aws_cloudfront_vpc_origin" "test":
          88: resource "aws_cloudfront_vpc_origin" "test" {
        
        An unexpected error occurred while expanding configuration. This is always an
        error in the provider. Please report the following to the provider developer:
        
        Source type
        "github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront.originSSLProtocolsModel"
        does not implement attr.Value
        
        Error: creating CloudFront VPC Origin
        
          with aws_cloudfront_vpc_origin.test,
          on terraform_plugin_test.tf line 88, in resource "aws_cloudfront_vpc_origin" "test":
          88: resource "aws_cloudfront_vpc_origin" "test" {
        
        operation error CloudFront: CreateVpcOrigin, 1 validation error(s) found.
        - missing required field, CreateVpcOriginInput.VpcOriginEndpointConfig.
        
--- FAIL: TestAccCloudFrontDistribution_vpcOriginConfig (224.25s)
=== CONT  TestAccCloudFrontDistribution_DefaultCacheBehavior_realtimeLogARN
--- PASS: TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValuesCookies_whitelistedNames (237.86s)
=== CONT  TestAccCloudFrontDistribution_Origin_emptyDomainName
--- PASS: TestAccCloudFrontDistribution_Origin_emptyDomainName (0.91s)
=== CONT  TestAccCloudFrontDistribution_Origin_connectionAttempts
--- PASS: TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedSigners (245.29s)
=== CONT  TestAccCloudFrontDistribution_Origin_emptyOriginID
--- PASS: TestAccCloudFrontDistribution_OrderedCacheBehaviorForwardedValues_headers (245.51s)
=== CONT  TestAccCloudFrontDistribution_customOriginIPAddressType
--- PASS: TestAccCloudFrontDistribution_Origin_emptyOriginID (0.85s)
=== CONT  TestAccCloudFrontDistribution_orderedCacheBehavior
--- PASS: TestAccCloudFrontDistribution_grpcConfig (258.09s)
=== CONT  TestAccCloudFrontDistribution_forwardedValuesToCachePolicy
--- PASS: TestAccCloudFrontDistribution_basic (262.43s)
=== CONT  TestAccCloudFrontDistribution_Origin_connectionTimeout
--- PASS: TestAccCloudFrontDistribution_OrderedCacheBehavior_realtimeLogARN (279.43s)
=== CONT  TestAccCloudFrontDistribution_orderedCacheBehaviorResponseHeadersPolicy
--- PASS: TestAccCloudFrontDistribution_ViewerCertificateACMCertificateARN_conflictsWithCloudFrontDefaultCertificate (286.28s)
=== CONT  TestAccCloudFrontDistribution_customOrigin
--- PASS: TestAccCloudFrontDistribution_ViewerCertificate_acmCertificateARN (286.29s)
=== CONT  TestAccCloudFrontDistribution_originPolicyOrdered
--- PASS: TestAccCloudFrontDistribution_noOptionalItems (444.22s)
=== CONT  TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
--- PASS: TestAccCloudFrontDistribution_http11 (561.01s)
=== CONT  TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValuesCookies_whitelistedNames
=== CONT  TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValues_headers
--- PASS: TestAccCloudFrontDistribution_isIPV6Enabled (561.03s)
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehaviorCachePolicy (561.25s)
=== CONT  TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedKeyGroups
--- PASS: TestAccCloudFrontDistribution_originGroups (567.98s)
=== CONT  TestAccCloudFrontDistribution_noCustomErrorResponse
--- PASS: TestAccCloudFrontDistribution_Origin_originShield (568.69s)
=== CONT  TestAccCloudFrontDistribution_tags
--- PASS: TestAccCloudFrontDistribution_DefaultCacheBehavior_realtimeLogARN (349.14s)
=== CONT  TestAccCloudFrontDistribution_originPolicyDefault
--- PASS: TestAccCloudFrontDistribution_waitForDeployment (573.85s)
=== CONT  TestAccCloudFrontDistribution_disappears
--- PASS: TestAccCloudFrontDistribution_enabled (895.25s)
=== CONT  TestAccCloudFrontDistribution_s3Origin
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehavior (649.33s)
=== CONT  TestAccCloudFrontDistribution_multiOrigin
--- PASS: TestAccCloudFrontDistribution_DefaultCacheBehavior_trustedKeyGroups (335.20s)
--- PASS: TestAccCloudFrontDistribution_customOrigin (610.99s)
--- PASS: TestAccCloudFrontDistribution_Origin_connectionTimeout (636.77s)
--- PASS: TestAccCloudFrontDistribution_Origin_connectionAttempts (661.59s)
--- PASS: TestAccCloudFrontDistribution_Origin_originAccessControl (901.46s)
--- PASS: TestAccCloudFrontDistribution_preconditionFailed (901.52s)
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehaviorResponseHeadersPolicy (623.04s)
--- PASS: TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValues_headers (341.80s)
--- PASS: TestAccCloudFrontDistribution_originPolicyOrdered (618.23s)
--- PASS: TestAccCloudFrontDistribution_responseCompletionTimeout (909.19s)
--- PASS: TestAccCloudFrontDistribution_DefaultCacheBehaviorForwardedValuesCookies_whitelistedNames (350.58s)
--- PASS: TestAccCloudFrontDistribution_disappears (339.83s)
--- PASS: TestAccCloudFrontDistribution_tags (369.66s)
--- PASS: TestAccCloudFrontDistribution_noCustomErrorResponse (550.11s)
--- PASS: TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled (675.20s)
--- PASS: TestAccCloudFrontDistribution_forwardedValuesToCachePolicy (861.78s)
--- PASS: TestAccCloudFrontDistribution_originPolicyDefault (549.69s)
--- PASS: TestAccCloudFrontDistribution_customOriginIPAddressType (885.37s)
--- PASS: TestAccCloudFrontDistribution_multiOrigin (471.44s)
--- PASS: TestAccCloudFrontDistribution_s3Origin (471.87s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront 1372.694s
FAIL
make: *** [testacc] Error 1
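
A sketch of the expansion behaviour the PR description above lists (bucket decides whether V1 logging is on, include_cookies is honoured either way), added here as an example; it is not the merged provider code. `LoggingConfig`, `expandLoggingConfigSketch` and `loggingV1Enabled` are hypothetical stand-ins, and the bucket name is constructed.

```go
package main

import "fmt"

// LoggingConfig is a local stand-in for the SDK's awstypes.LoggingConfig
// (plain values instead of pointers) so the example builds without the AWS SDK.
type LoggingConfig struct {
	Bucket         string
	Enabled        bool // V1 (legacy) standard logging
	IncludeCookies bool
	Prefix         string
}

// expandLoggingConfigSketch is a hypothetical helper modelling the behaviour
// listed in the PR description:
//   - no logging_config block: everything off
//   - bucket set: V1 logging enabled
//   - bucket omitted or empty: V1 logging disabled, include_cookies still honoured
func expandLoggingConfigSketch(tfMap map[string]any) *LoggingConfig {
	apiObject := &LoggingConfig{}
	if tfMap == nil {
		return apiObject
	}
	// Comma-ok assertions: a missing or mistyped key leaves the zero value
	// instead of panicking, which matters once bucket is optional.
	if v, ok := tfMap["bucket"].(string); ok && v != "" {
		apiObject.Bucket = v
		apiObject.Enabled = true
	}
	if v, ok := tfMap["include_cookies"].(bool); ok {
		apiObject.IncludeCookies = v
	}
	if v, ok := tfMap["prefix"].(string); ok {
		apiObject.Prefix = v
	}
	return apiObject
}

// loggingV1Enabled derives the value described for the logging_v1_enabled attribute.
func loggingV1Enabled(c *LoggingConfig) bool {
	return c != nil && c.Enabled
}

func main() {
	// Constructed sample inputs, not taken from the provider's tests.
	cases := []struct {
		name string
		cfg  map[string]any
	}{
		{"no logging_config block", nil},
		{"cookies only (V2 logging in use)", map[string]any{"include_cookies": true}},
		{"V1 bucket with cookies", map[string]any{
			"bucket": "example-logs.s3.amazonaws.com", "include_cookies": true, "prefix": "cf/"}},
	}
	for _, c := range cases {
		out := expandLoggingConfigSketch(c.cfg)
		fmt.Printf("%-34s v1_enabled=%-5t %+v\n", c.name, loggingV1Enabled(out), *out)
	}
}
```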

@github-actions github-actions bot added the labels needs-triage (Waiting for first response or review from a maintainer.), documentation (Introduces or discusses updates to documentation.), tests (PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.), service/cloudfront (Issues and PRs that pertain to the cloudfront service.) and size/M (Managed by automation to categorize the size of a PR.) Oct 28, 2025
@tabito-hara tabito-hara force-pushed the b-aws_cloudfront_distribution-logging_config_include_cookies branch from 4a6154a to 410b286 Compare October 28, 2025 14:52
@tabito-hara tabito-hara changed the title from "[bugfix] aws_cloudfront_distribution: Fix disability to set logging_config.include_cookies argument even when V1 logging is turned off" to "[bugfix] aws_cloudfront_distribution: Allow setting logging_config.include_cookies without enabling V1 logging" Oct 28, 2025
@tabito-hara tabito-hara marked this pull request as ready for review October 28, 2025 15:23
@tabito-hara tabito-hara requested a review from a team as a code owner October 28, 2025 15:23
@justinretzolk justinretzolk added the label bug (Addresses a defect in current functionality.) and removed the label needs-triage (Waiting for first response or review from a maintainer.) Oct 28, 2025
@ewbankkit ewbankkit self-assigned this Nov 4, 2025
@github-actions github-actions bot added the label prioritized (Part of the maintainer teams immediate focus. To be addressed within the current quarter.) Nov 4, 2025
@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccCloudFrontDistribution_basic\|TestAccCloudFrontDistribution_s3Origin\|TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled' PKG=cloudfront      
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 HEAD 🌿...
TF_ACC=1 go1.24.8 test ./internal/service/cloudfront/... -v -count 1 -parallel 20  -run=TestAccCloudFrontDistribution_basic\|TestAccCloudFrontDistribution_s3Origin\|TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled -timeout 360m -vet=off
2025/11/04 12:18:46 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/04 12:18:46 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccCloudFrontDistribution_basic
=== PAUSE TestAccCloudFrontDistribution_basic
=== RUN   TestAccCloudFrontDistribution_s3Origin
=== PAUSE TestAccCloudFrontDistribution_s3Origin
=== RUN   TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
=== PAUSE TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
=== CONT  TestAccCloudFrontDistribution_basic
=== CONT  TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled
=== CONT  TestAccCloudFrontDistribution_s3Origin
--- PASS: TestAccCloudFrontDistribution_basic (233.02s)
--- PASS: TestAccCloudFrontDistribution_s3Origin (454.96s)
--- PASS: TestAccCloudFrontDistribution_includeCookieWhenV1loggingDisabled (455.02s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront	460.702s

@ewbankkit

@tabito-hara Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit c16afa7 into hashicorp:main Nov 4, 2025
50 checks passed
@github-actions github-actions bot added this to the v6.20.0 milestone Nov 4, 2025

Development

Successfully merging this pull request may close these issues.

Missing argument to enable Cookie Logging for CloudFront Standard Logging (V2)