(aws-cloudfront-origins): VpcOrigin ID collision in separate region of same AWS account #34799

@athewsey

Description

Describe the bug

Calls to VpcOrigin.withApplicationLoadBalancer() with default settings are colliding and failing to create, in otherwise-identical CDK apps/stacks deployed to different regions in the same AWS account.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

I'd expect to be able to deploy copies of a stack which creates a CloudFront distribution, an ELB, and a VPC Origin to connect one to the other, to multiple regions in the same AWS account.

I believe VPC Origins are treated as 'global resources' in the AWS Console, but map to an origin (like an ELB) which is in a region. Shouldn't the default behaviour of this construct be to generate a VPC Origin ID that's unique to the stack environment/context being built?

As far as I'm aware, this isn't a problem for e.g. CloudFront Distributions?

Current Behavior

The second stack/region fails to deploy, with an error message like:

MyCoolStack | 166/188 | 7:20:26 AM | CREATE_FAILED        | AWS::CloudFront::VpcOrigin                  | Path/To/CloudFront/Origin1/VpcOrigin (MyCoolStackLoadBalancerCloudFrontOrigin1VpcOrigin3DA297F9) Resource handler returned message: "Resource of type 'AWS::CloudFront::VpcOrigin' with identifier 'Another vpc origin with the same name already exists within the aws account. (Service: CloudFront, Status Code: 409, Request ID: 1443d547-3f89-44b8-97db-59ed26088048) (SDK Attempt Count: 1)' already exists." (RequestToken: ec840dba-af37-7339-8db3-5a2ef4968b93, HandlerErrorCode: AlreadyExists)

Reproduction Steps

Our app creates an elbv2.ApplicationLoadBalancer and a CloudFront VPC Origin with default settings, like this:

import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as cloudfront_origins from 'aws-cdk-lib/aws-cloudfront-origins';

// Default settings: no vpcOriginName is passed, so the construct generates
// the VPC origin name itself. this.loadBalancer is an elbv2.ApplicationLoadBalancer
// created earlier in the same stack.
const cfOrigin = cloudfront_origins.VpcOrigin.withApplicationLoadBalancer(
  this.loadBalancer,
  {
    protocolPolicy: cloudfront.OriginProtocolPolicy.HTTP_ONLY,
  },
);

We're synthesizing the app with an explicitly configured AWS Account ID and Region for each region we try to deploy it to (the env setting), because we have another resource that requires those and throws an error if they're not set/resolved.

Deploying in the first region works fine, but the second region fails with the above-mentioned error.

Possible Solution

I haven't dug deep into it so far, but it seems like the physical/unique ID generation logic should be made specific to the AWS region and/or account, where present in the context?

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.184.1

AWS CDK CLI version

2.1004.0

Node.js Version

v22.15.1

OS

macOS 15.5

Language

TypeScript

Language Version

5.6.3

Other information

No response
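The collision described above, worked through as an added example. This is not code from the issue or from aws-cdk-lib: it is a small model of what the report implies, namely that VPC origins live in one account-wide namespace while the default name is derived from the construct path alone. As I understand the construct, VpcOrigin.withApplicationLoadBalancer() accepts a vpcOriginName property and otherwise generates the name from the construct path with a 64-character limit; both of those, the allowed character set, and the region-qualified naming function below are assumptions to verify against your CDK version, not documented behaviour. Path names, account and region values are constructed for illustration.

```typescript
import { createHash } from "crypto";

// Assumed name limit for AWS::CloudFront::VpcOrigin (matches the limit the
// construct is believed to apply); verify against the CloudFront reference.
const VPC_ORIGIN_NAME_MAX = 64;

interface StackEnv {
  account: string;
  region: string;
}

// Assumption: alphanumerics and hyphens are safe in a VPC origin name.
function sanitize(s: string): string {
  return s.replace(/[^A-Za-z0-9-]/g, "");
}

// Simplified model of the reported default: the name depends only on the
// construct path, so identical stacks in two regions produce the same name.
function defaultVpcOriginName(constructPath: string[]): string {
  const hash = createHash("sha256").update(constructPath.join("/")).digest("hex").slice(0, 8).toUpperCase();
  return (sanitize(constructPath.join("")) + hash).slice(-VPC_ORIGIN_NAME_MAX);
}

// Environment-qualified alternative: account and region feed the hash, the
// region is kept readable in the suffix, and truncation only ever shortens
// the human-readable prefix, never the hash, so uniqueness survives long paths.
function envQualifiedVpcOriginName(constructPath: string[], env: StackEnv): string {
  const hash = createHash("sha256")
    .update(`${env.account}/${env.region}/${constructPath.join("/")}`)
    .digest("hex")
    .slice(0, 8)
    .toUpperCase();
  const suffix = `-${sanitize(env.region)}-${hash}`;
  const prefix = sanitize(constructPath.join("")).slice(0, VPC_ORIGIN_NAME_MAX - suffix.length);
  return prefix + suffix;
}

type CreateResult = { ok: true } | { ok: false; error: string };

// Minimal model of the account-wide namespace CloudFront enforces: a second
// create with an existing name fails (the 409 / AlreadyExists in the issue),
// regardless of which region the stack that created it was deployed to.
class VpcOriginNamespace {
  private readonly names = new Map<string, StackEnv>();

  create(name: string, env: StackEnv): CreateResult {
    if (name.length > VPC_ORIGIN_NAME_MAX) {
      return { ok: false, error: `name exceeds ${VPC_ORIGIN_NAME_MAX} characters` };
    }
    const owner = this.names.get(name);
    if (owner) {
      return { ok: false, error: `Another vpc origin with the same name already exists within the aws account (created by ${owner.region})` };
    }
    this.names.set(name, env);
    return { ok: true };
  }
}

// Deploy the same stack (same construct path) to two regions of one account
// using the supplied naming strategy, and report both create results.
function deployTwoRegions(nameFor: (path: string[], env: StackEnv) => string): { first: CreateResult; second: CreateResult } {
  const ns = new VpcOriginNamespace();
  const path = ["MyCoolStack", "LoadBalancer", "CloudFrontOrigin1", "VpcOrigin"];
  const usEast = { account: "111111111111", region: "us-east-1" }; // constructed
  const euWest = { account: "111111111111", region: "eu-west-1" }; // constructed
  return {
    first: ns.create(nameFor(path, usEast), usEast),
    second: ns.create(nameFor(path, euWest), euWest),
  };
}

console.log("default naming:      ", deployTwoRegions((p) => defaultVpcOriginName(p)));
console.log("env-qualified naming:", deployTwoRegions(envQualifiedVpcOriginName));

// In a CDK stack the qualified name would be passed explicitly, e.g.
//   vpcOriginName: envQualifiedVpcOriginName(this.node.path.split("/"),
//     { account: Stack.of(this).account, region: Stack.of(this).region })
// which only works when env is set so account/region resolve at synth time.
```

The name must also be stable across synths of the same stack, otherwise a later deploy would try to replace the VPC origin; the function above is deterministic for a given path and environment, which is the property to preserve if you adapt it.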

Metadata

Assignees

No one assigned

Labels

@aws-cdk/aws-cloudfront-origins (Related to CloudFront Origins for the CDK CloudFront Library); bug (This issue is a bug); effort/medium (Medium work item – several days of effort); p2
