Trying to migrate off of aws cloudfront origin_access_identity but apply graphs incorrectly

I’m using aws_cloudfront_origin_access_identity with cloudfront and am working on changing my terraform to migrate to aws_cloudfront_origin_access_control as recommended. I’m at the step where I am removing the aws_cloudfront_origin_access_identity from cloudfront and destroying the aws_cloudfront_origin_access_control itself, but terraform always fails the apply because it tries to destroy the aws_cloudfront_origin_access_control before removing its reference from the aws_cloudfront_distribution resource.

module.test-static.aws_cloudfront_origin_access_identity.origin_access_identity[0]: Destroying... [id=E3O7TE8TTRI6UF]
│ Error: deleting Amazon CloudFront Origin Access Identity (E3O7TE8TTRI6UF): CloudFrontOriginAccessIdentityInUse: The CloudFront origin access identity is still being used.
│ 	status code: 409, request id: 461cbcdb-357f-4c57-8b5f-5043cb1fa327

The OAI is referenced as aws_cloudfront_origin_access_identity.origin_access_identity[0].cloudfront_access_identity_path in the aws_cloudfront_distribution resource, and the aws_cloudfront_origin_access_identity resource doesn’t reference anything.

Here’s a snippet:

resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
  count    = var.enable_origin_access_identity ? 1 : 0
  provider = aws.cloudfront
  comment  = "Access Identity for Cloudfront for ${local.product} ${local.service} ${local.environment}"
}

resource "aws_cloudfront_origin_access_control" "oac" {
  count                             = local.enable_origin_access_control ? 1 : 0
  provider                          = aws.cloudfront
  name                              = substr("${local.cloudfront_name}_${local.origin_id}", 0, 63)
  description                       = "Lockdown control to ${local.origin_id}"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "d" {
  count    = var.enable_cloudfront ? 1 : 0
  provider = aws.cloudfront

  origin {
    domain_name              = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id                = local.origin_id
    origin_access_control_id = local.enable_origin_access_control ? aws_cloudfront_origin_access_control.oac[0].id : null

    # The OAI is only wired in when the identity is enabled; this is the
    # reference that has to disappear before the OAI can be destroyed.
    dynamic "s3_origin_config" {
      for_each = var.enable_origin_access_identity ? [true] : []
      content {
        origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity[0].cloudfront_access_identity_path
      }
    }
  }

  # remaining distribution arguments omitted from the snippet
}

  lifecycle {
    create_before_destroy = true
  }
to the aws_cloudfront_distribution.

It is incredibly hard to understand the details of what this actually does - I think I’ve read through terraform/ at main · hashicorp/terraform · GitHub about 5 times now, and only understand about 80% of what is going on, especially as the user-facing docs only explain this option in terms of what happens when replacing the resource it is set on.

However, in addition to that meaning, it also influences the order of operations between updating the distribution, and destroying things the distribution depends on.

yeah that doesn’t help. The distribution isn’t getting recreated anyway.

that does give me an idea of just leaving the aws_cloudfront_origin_access_identity resource in the module without a count on it. Then once I get everyone off of that, I’ll remove it from the module.

Still vexing that it doesn’t remove it in the right order.
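The staged approach the poster settles on above, written out as an added example (not the poster's module): phase 1 switches the distribution to the OAC and rewrites the bucket policy while the aws_cloudfront_origin_access_identity block stays in the config untouched, so the apply only updates the distribution and has nothing to destroy; phase 2, a later apply, just deletes the OAI block. Resource and local names (`aws_s3_bucket.primary`, `aws.cloudfront`, `local.origin_id`, `local.cloudfront_name`) are taken from the snippet in the question; the bucket policy is my assumption and is not on the original page.

```hcl
# Phase 1 (added example, not the original module): move the distribution
# onto the OAC while the OAI resource stays in the config untouched, so this
# apply only updates the distribution and destroys nothing.

resource "aws_cloudfront_origin_access_control" "oac" {
  provider                          = aws.cloudfront
  name                              = substr("${local.cloudfront_name}_${local.origin_id}", 0, 63)
  description                       = "Lockdown control to ${local.origin_id}"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "d" {
  provider = aws.cloudfront

  origin {
    domain_name              = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id                = local.origin_id
    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
    # the s3_origin_config block that referenced the OAI is gone
  }
  # other distribution arguments unchanged from the existing module
}

# Bucket policy for the OAC model (assumed, not on the original page): the
# CloudFront service principal may read objects only when the request comes
# from this one distribution, which is what the AWS:SourceArn condition enforces.
data "aws_iam_policy_document" "oac_read" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.primary.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.d.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "primary" {
  bucket = aws_s3_bucket.primary.id
  policy = data.aws_iam_policy_document.oac_read.json
}
```

Because a distribution update propagates to the edge asynchronously, keep the existing OAI statement in the bucket policy alongside this one during phase 1 and drop it together with the OAI resource in phase 2, otherwise edge locations still on the old config lose read access in the interval.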