How to Import an AWS CloudFront Origin Request Policy into Terraform
terraback aws import --method bulk. Terraback writes the matching aws_cloudfront_origin_request_policy resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the origin request policy ID (for example, ccca32ef-dce3-4df3-80df-1bd3000bc4d3), not the policy name.Import AWS CloudFront Origin Request Policy with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the Amazon CloudFront resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS CloudFront Origin Request Policy to managed Terraform.
Scan your AWS account
terraback scan all aws --region us-east-1Generate import blocks and import into state
terraback aws import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = aws_cloudfront_origin_request_policy.example
id = "ccca32ef-dce3-4df3-80df-1bd3000bc4d3"
}Example aws_cloudfront_origin_request_policy configuration
Here is a realistic AWS CloudFront Origin Request Policy block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "aws_cloudfront_origin_request_policy" "example" {
name = "example-origin-request-policy"
comment = "Forward all viewer headers to the origin"
headers_config {
header_behavior = "allViewer"
}
cookies_config {
cookie_behavior = "none"
}
query_strings_config {
query_string_behavior = "all"
}
}Gotchas when importing a AWS CloudFront Origin Request Policy
- Import uses the policy ID, not the name; retrieve it with `aws cloudfront list-origin-request-policies` and use the Id value.
- AWS-managed policies like Managed-AllViewer are read-only and cannot be imported; only custom policies you created are importable.
- An origin request policy controls what CloudFront forwards to the origin and is distinct from a cache policy, which controls the cache key; the two are separate resources even though a behavior references both.
- All three nested blocks (headers_config, cookies_config, query_strings_config) are required and CloudFront returns explicit behavior values, so omit none of them or expect a perpetual diff.
Doing it manually with terraform import
The native approach is to write the aws_cloudfront_origin_request_policy block by hand, then run terraform import aws_cloudfront_origin_request_policy.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other AWS resources
Import your whole AWS account in minutes
Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.