In a lot of cases, you don't want CloudFront to overwrite the Cache-Control headers sent by the origin.

In my case, my origin is an AWS S3 bucket where each object has its own Cache-Control metadata, which is then translated into a header. By the way, this is the only way to implement these headers on S3, because CloudFront can't add them if they're not already sent by the origin. You can only overwrite or forward them.

In a CloudFront distribution's behavior settings, there is an option to Use Origin Cache Headers, but by default it uses the customised TTLs.

Note that you may have different TTL values; it doesn't matter.

In the Terraform documentation for the aws_cloudfront_distribution resource, there are indeed options to customise the TTLs, as follows:

min_ttl                = 0
default_ttl            = 3600
max_ttl                = 86400

But there is nothing about Use Origin Cache Headers.

After some searching, I found the solution in a GitHub issue of terraform-provider-aws.

The solution is to remove these 3 values from your Terraform config. When doing this, I thought it would leave them as they are or put their default values back, but no, it enables Use Origin Cache Headers.
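To show where these arguments sit, here is an added example (not from the original post or the provider documentation) of an S3 origin whose objects carry their own Cache-Control metadata, with a cache behavior that omits the three TTL arguments. The bucket name, object keys, local file paths and origin ID are hypothetical, and CloudFront's read access to the bucket is assumed to be configured elsewhere.

```hcl
# Added example; all names and paths below are placeholders.
resource "aws_s3_bucket" "site" {
  bucket = "example-site-assets"
}

# Cache-Control is stored as object metadata; S3 returns it as a response header.
resource "aws_s3_object" "app_js" {
  bucket        = aws_s3_bucket.site.id
  key           = "assets/app.js"
  source        = "dist/assets/app.js"
  content_type  = "application/javascript"
  cache_control = "public, max-age=31536000, immutable"
}

resource "aws_s3_object" "index" {
  bucket        = aws_s3_bucket.site.id
  key           = "index.html"
  source        = "dist/index.html"
  content_type  = "text/html"
  cache_control = "no-cache"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
  }
  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
    # min_ttl, default_ttl and max_ttl are deliberately absent here.
    # As described in the post, leaving them out is what selects
    # "Use Origin Cache Headers" for this behavior.
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

The same applies to any ordered_cache_behavior blocks, which accept the same three TTL arguments.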

There you have it! This can quickly become a headache since it's not documented at all, but I hope this post will help someone out there. 😊