cloudposse · npwolf · Dec 20, 2025
@@ -463,6 +463,7 @@ module "cdn" {
 | <a name="input_cloudfront_access_log_include_cookies"></a> [cloudfront\_access\_log\_include\_cookies](#input\_cloudfront\_access\_log\_include\_cookies) | Set true to include cookies in Cloudfront Access Logs | `bool` | `false` | no |
 | <a name="input_cloudfront_access_log_prefix"></a> [cloudfront\_access\_log\_prefix](#input\_cloudfront\_access\_log\_prefix) | Prefix to use for Cloudfront Access Log object keys. Defaults to no prefix. | `string` | `""` | no |
 | <a name="input_cloudfront_access_logging_enabled"></a> [cloudfront\_access\_logging\_enabled](#input\_cloudfront\_access\_logging\_enabled) | Set true to enable delivery of Cloudfront Access Logs to an S3 bucket | `bool` | `true` | no |
+| <a name="input_cloudfront_ignore_etag_changes"></a> [cloudfront\_ignore\_etag\_changes](#input\_cloudfront\_ignore\_etag\_changes) | Set to `true` to ignore changes to the CloudFront distribution etag. This is useful when an external process updates the CloudFront distribution and you want to prevent Terraform from showing the etag change in plans and state. | `bool` | `false` | no |
 | <a name="input_cloudfront_origin_access_control_id"></a> [cloudfront\_origin\_access\_control\_id](#input\_cloudfront\_origin\_access\_control\_id) | CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: origin access control (OAC) and origin access identity (OAI). OAC helps you secure your origins, such as for Amazon S3. | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_iam_arn"></a> [cloudfront\_origin\_access\_identity\_iam\_arn](#input\_cloudfront\_origin\_access\_identity\_iam\_arn) | Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_path"></a> [cloudfront\_origin\_access\_identity\_path](#input\_cloudfront\_origin\_access\_identity\_path) | Existing cloudfront origin access identity path used in the cloudfront distribution's s3\_origin\_config content | `string` | `""` | no |

@@ -476,6 +476,10 @@ resource "aws_cloudfront_distribution" "default" {
     module.logs
   ]
 
+  lifecycle {
+    ignore_changes = var.cloudfront_ignore_etag_changes ? [etag] : []
+  }
+
   dynamic "logging_config" {
     for_each = local.cloudfront_access_logging_enabled ? ["true"] : []
 

@@ -748,3 +748,9 @@ variable "bucket_versioning" {
     error_message = "Please choose one of 'Enabled', 'Disabled', or 'Suspended'"
   }
 }
+
+variable "cloudfront_ignore_etag_changes" {
+  type        = bool
+  default     = false
+  description = "Set to `true` to ignore changes to the CloudFront distribution etag. This is useful when an external process updates the CloudFront distribution and you want to prevent Terraform from showing the etag change in plans and state."
+}