How do I resolve the "One or more of your origins or origin groups do not exist" error in AWS CloudFormation?

Last updated: 2020-06-19

When I try to create or update an AWS CloudFormation stack that contains an Amazon CloudFront distribution, I get the following error from AWS CloudFormation: "One or more of your origins or origin groups do not exist." How can I resolve this error?

Short description

You get this error from AWS CloudFormation when the TargetOriginId property of CacheBehavior or DefaultCacheBehavior doesn't match a CloudFront origin or origin group ID. This ID is a user-defined string that uniquely identifies an origin or origin group.

Before AWS CloudFormation supported origin groups, you could create an origin group manually and reference the origin group on TargetOriginId. Now, you must define an origin group in the template and manage all your resources through AWS CloudFormation.

Tip: It's a best practice to avoid making changes to stack resources outside of AWS CloudFormation. This can create a mismatch between your stack's template and the current state of your stack resources. If you update or delete the stack, the mismatch can cause errors.

Resolution

1. To confirm that the TargetOriginId matches the ID of one of the defined origins or origin groups, enter the correct origin ID as a parameter for DefaultCacheBehavior or CacheBehavior.

In the following example JSON and YAML template snippets, a CloudFront distribution with a single origin is defined and consumed by the DefaultCacheBehavior. Additionally, this origin uses an origin access identity (OAI) for authentication. In the examples, the origin ID is set to my-s3-origin.

JSON:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "cloudfrontdistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "DefaultCacheBehavior": {
                        "ViewerProtocolPolicy": "https-only",
                        "DefaultTTL": 3600,
                        "ForwardedValues": {
                            "Cookies": {
                                "Forward": "none"
                            },
                            "QueryString": true
                        },
                        "TargetOriginId": "my-s3-origin"
                    },
                    "Enabled": true,
                    "Origins": [{
                        "DomainName": "my-s3-bucket.s3.amazonaws.com",
                        "Id": "my-s3-origin",
                        "S3OriginConfig": {
                            "OriginAccessIdentity": { "Fn::Sub" : "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}" }
                        },
                        "OriginPath": "/my-content"
                    }]
                }
            }
        },
        "CloudFrontOriginAccessIdentity": {
            "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
            "Properties": {
                "CloudFrontOriginAccessIdentityConfig": {
                    "Comment": { "Ref": "AWS::StackName" }
                }
            }
        }
    }
}

Note: Replace my-s3-origin with your origin ID. Replace my-s3-bucket.s3.amazonaws.com with your domain name. Replace /my-content with your origin path.

YAML:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ViewerProtocolPolicy: https-only
          DefaultTTL: 3600
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: true
          TargetOriginId: my-s3-origin
        Enabled: true
        Origins:
          - DomainName: 'my-s3-bucket.s3.amazonaws.com'
            Id: my-s3-origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
            OriginPath: /my-content
          
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub ${AWS::StackName}

2. To verify that your AWS CloudFormation stack was created or updated, test your CloudFront distribution.
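
The match described in step 1 can also be checked against a JSON template before you create or update the stack. The following Python script is an added example, not part of the original article or of any AWS tool; the function name and the sample template are constructed for illustration. It compares only literal string IDs and skips values built with intrinsic functions such as Ref or Fn::Sub.

```python
import json

# Constructed sample: CacheBehaviors[0] targets "my-api-origin", which is not defined.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {"cloudfrontdistribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {"DistributionConfig": {
    "Enabled": true,
    "Origins": [{"Id": "my-s3-origin", "DomainName": "my-s3-bucket.s3.amazonaws.com"}],
    "DefaultCacheBehavior": {"TargetOriginId": "my-s3-origin"},
    "CacheBehaviors": [{"PathPattern": "/api/*", "TargetOriginId": "my-api-origin"}]
  }}
}}}
""")


def find_unmatched_target_origin_ids(template):
    """Return (resource, behavior, target_id) for every TargetOriginId with no matching ID."""
    problems = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        # IDs may come from Origins or from OriginGroups.Items.
        groups = config.get("OriginGroups", {}).get("Items", [])
        defined = {o["Id"] for o in config.get("Origins", []) + groups
                   if isinstance(o.get("Id"), str)}
        behaviors = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior", {}))]
        behaviors += [(f"CacheBehaviors[{i}]", b)
                      for i, b in enumerate(config.get("CacheBehaviors", []))]
        for label, behavior in behaviors:
            target = behavior.get("TargetOriginId")
            # Ref/Fn::Sub values are dicts and cannot be resolved offline; skip them.
            if isinstance(target, str) and target not in defined:
                problems.append((name, label, target))
    return problems


if __name__ == "__main__":
    for res, behavior, target in find_unmatched_target_origin_ids(SAMPLE_TEMPLATE):
        print(f"{res}.{behavior}: TargetOriginId {target!r} matches no origin or origin group")
```

An empty result means every literal TargetOriginId in the template refers to an origin or origin group defined in the same distribution.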