From d7cee0e4467c5b88825d18ff3e44087953ced5e0 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Wed, 27 Jan 2021 23:24:54 -0800
Subject: [PATCH 01/10] Add cloudfront_origin_request_policy resource

---
 ...udfront_origin_request_policy_structure.go | 182 +++++++++++++++++
 aws/provider.go                               |   1 +
 ...ce_aws_cloudfront_origin_request_policy.go | 191 ++++++++++++++++++
 ...s_cloudfront_origin_request_policy_test.go | 179 ++++++++++++++++
 4 files changed, 553 insertions(+)
 create mode 100644 aws/cloudfront_origin_request_policy_structure.go
 create mode 100644 aws/resource_aws_cloudfront_origin_request_policy.go
 create mode 100644 aws/resource_aws_cloudfront_origin_request_policy_test.go

diff --git a/aws/cloudfront_origin_request_policy_structure.go b/aws/cloudfront_origin_request_policy_structure.go
new file mode 100644
index 00000000000..0c647dcada3
--- /dev/null
+++ b/aws/cloudfront_origin_request_policy_structure.go
@@ -0,0 +1,182 @@
+package aws
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func expandCloudFrontOriginRequestPolicyCookieNames(cookieNamesFlat map[string]interface{}) *cloudfront.CookieNames {
+	cookieNames := &cloudfront.CookieNames{}
+
+	var newCookieItems []*string
+	for _, cookie := range cookieNamesFlat["items"].(*schema.Set).List() {
+		newCookieItems = append(newCookieItems, aws.String(cookie.(string)))
+	}
+	cookieNames.Items = newCookieItems
+	cookieNames.Quantity = aws.Int64(int64(len(newCookieItems)))
+
+	return cookieNames
+}
+
+func expandCloudFrontOriginRequestPolicyCookiesConfig(cookiesConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyCookiesConfig {
+	cookies := &cloudfront.CookieNames{
+		Quantity: aws.Int64(int64(0)),
+	}
+
+	if cookiesFlat, ok := cookiesConfigFlat["cookies"].([]interface{}); ok && len(cookiesFlat) == 1 {
+		cookies = expandCloudFrontOriginRequestPolicyCookieNames(cookiesFlat[0].(map[string]interface{}))
+	} else {
+		cookies = nil
+	}
+
+	cookiesConfig := &cloudfront.OriginRequestPolicyCookiesConfig{
+		CookieBehavior: aws.String(cookiesConfigFlat["cookie_behavior"].(string)),
+		Cookies:        cookies,
+	}
+
+	return cookiesConfig
+}
+
+func expandCloudFrontOriginRequestPolicyHeaders(headerNamesFlat map[string]interface{}) *cloudfront.Headers {
+	headers := &cloudfront.Headers{}
+
+	var newHeaderItems []*string
+	for _, header := range headerNamesFlat["items"].(*schema.Set).List() {
+		newHeaderItems = append(newHeaderItems, aws.String(header.(string)))
+	}
+	headers.Items = newHeaderItems
+	headers.Quantity = aws.Int64(int64(len(newHeaderItems)))
+
+	return headers
+}
+
+func expandCloudFrontOriginRequestPolicyHeadersConfig(headersConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyHeadersConfig {
+	headers := &cloudfront.Headers{}
+
+	if headersFlat, ok := headersConfigFlat["headers"].([]interface{}); ok && len(headersFlat) == 1 && headersConfigFlat["header_behavior"] != "none" {
+		headers = expandCloudFrontOriginRequestPolicyHeaders(headersFlat[0].(map[string]interface{}))
+	} else {
+		headers = nil
+	}
+
+	headersConfig := &cloudfront.OriginRequestPolicyHeadersConfig{
+		HeaderBehavior: aws.String(headersConfigFlat["header_behavior"].(string)),
+		Headers:        headers,
+	}
+
+	return headersConfig
+}
+
+func expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringNamesFlat map[string]interface{}) *cloudfront.QueryStringNames {
+	queryStringNames := &cloudfront.QueryStringNames{}
+
+	var newQueryStringItems []*string
+	for _, queryString := range queryStringNamesFlat["items"].(*schema.Set).List() {
+		newQueryStringItems = append(newQueryStringItems, aws.String(queryString.(string)))
+	}
+	queryStringNames.Items = newQueryStringItems
+	queryStringNames.Quantity = aws.Int64(int64(len(newQueryStringItems)))
+
+	return queryStringNames
+}
+
+func expandCloudFrontOriginRequestPolicyQueryStringsConfig(queryStringConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyQueryStringsConfig {
+	queryStrings := &cloudfront.QueryStringNames{
+		Quantity: aws.Int64(int64(0)),
+	}
+
+	if queryStringFlat, ok := queryStringConfigFlat["query_strings"].([]interface{}); ok && len(queryStringFlat) == 1 {
+		queryStrings = expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringFlat[0].(map[string]interface{}))
+	} else {
+		queryStrings = nil
+	}
+
+	queryStringConfig := &cloudfront.OriginRequestPolicyQueryStringsConfig{
+		QueryStringBehavior: aws.String(queryStringConfigFlat["query_string_behavior"].(string)),
+		QueryStrings:        queryStrings,
+	}
+
+	return queryStringConfig
+}
+
+func expandCloudFrontOriginRequestPolicyConfig(d *schema.ResourceData) *cloudfront.OriginRequestPolicyConfig {
+
+	originRequestPolicy := &cloudfront.OriginRequestPolicyConfig{
+		Comment:            aws.String(d.Get("comment").(string)),
+		Name:               aws.String(d.Get("name").(string)),
+		CookiesConfig:      expandCloudFrontOriginRequestPolicyCookiesConfig(d.Get("cookies_config").([]interface{})[0].(map[string]interface{})),
+		HeadersConfig:      expandCloudFrontOriginRequestPolicyHeadersConfig(d.Get("headers_config").([]interface{})[0].(map[string]interface{})),
+		QueryStringsConfig: expandCloudFrontOriginRequestPolicyQueryStringsConfig(d.Get("query_strings_config").([]interface{})[0].(map[string]interface{})),
+	}
+
+	return originRequestPolicy
+}
+
+func flattenCloudFrontOriginRequestPolicyCookiesConfig(cookiesConfig *cloudfront.OriginRequestPolicyCookiesConfig) []map[string]interface{} {
+	cookiesConfigFlat := map[string]interface{}{}
+
+	cookies := []map[string]interface{}{}
+	if cookiesConfig.Cookies != nil {
+		cookies = []map[string]interface{}{
+			{
+				"items": cookiesConfig.Cookies.Items,
+			},
+		}
+	}
+
+	cookiesConfigFlat["cookie_behavior"] = aws.StringValue(cookiesConfig.CookieBehavior)
+	cookiesConfigFlat["cookies"] = cookies
+
+	return []map[string]interface{}{
+		cookiesConfigFlat,
+	}
+}
+
+func flattenCloudFrontOriginRequestPolicyHeadersConfig(headersConfig *cloudfront.OriginRequestPolicyHeadersConfig) []map[string]interface{} {
+	headersConfigFlat := map[string]interface{}{}
+
+	headers := []map[string]interface{}{}
+	if headersConfig.Headers != nil {
+		headers = []map[string]interface{}{
+			{
+				"items": headersConfig.Headers.Items,
+			},
+		}
+	}
+
+	headersConfigFlat["header_behavior"] = aws.StringValue(headersConfig.HeaderBehavior)
+	headersConfigFlat["headers"] = headers
+
+	return []map[string]interface{}{
+		headersConfigFlat,
+	}
+}
+
+func flattenCloudFrontOriginRequestPolicyQueryStringsConfig(queryStringsConfig *cloudfront.OriginRequestPolicyQueryStringsConfig) []map[string]interface{} {
+	queryStringsConfigFlat := map[string]interface{}{}
+
+	queryStrings := []map[string]interface{}{}
+	if queryStringsConfig.QueryStrings != nil {
+		queryStrings = []map[string]interface{}{
+			{
+				"items": queryStringsConfig.QueryStrings.Items,
+			},
+		}
+	}
+
+	queryStringsConfigFlat["query_string_behavior"] = aws.StringValue(queryStringsConfig.QueryStringBehavior)
+	queryStringsConfigFlat["query_strings"] = queryStrings
+
+	return []map[string]interface{}{
+		queryStringsConfigFlat,
+	}
+}
+
+func flattenCloudFrontOriginRequestPolicy(d *schema.ResourceData, originRequestPolicy *cloudfront.OriginRequestPolicyConfig) {
+	d.Set("comment", aws.StringValue(originRequestPolicy.Comment))
+	d.Set("name", aws.StringValue(originRequestPolicy.Name))
+	d.Set("cookies_config", flattenCloudFrontOriginRequestPolicyCookiesConfig(originRequestPolicy.CookiesConfig))
+	d.Set("headers_config", flattenCloudFrontOriginRequestPolicyHeadersConfig(originRequestPolicy.HeadersConfig))
+	d.Set("query_strings_config", flattenCloudFrontOriginRequestPolicyQueryStringsConfig(originRequestPolicy.QueryStringsConfig))
+}
diff --git a/aws/provider.go b/aws/provider.go
index 53a745319ca..9aec8ccd060 100644
--- a/aws/provider.go
+++ b/aws/provider.go
@@ -486,6 +486,7 @@ func Provider() *schema.Provider {
 			"aws_cloudformation_stack_set_instance":                   resourceAwsCloudFormationStackSetInstance(),
 			"aws_cloudfront_distribution":                             resourceAwsCloudFrontDistribution(),
 			"aws_cloudfront_origin_access_identity":                   resourceAwsCloudFrontOriginAccessIdentity(),
+			"aws_cloudfront_origin_request_policy":                    resourceAwsCloudFrontOriginRequestPolicy(),
 			"aws_cloudfront_public_key":                               resourceAwsCloudFrontPublicKey(),
 			"aws_cloudtrail":                                          resourceAwsCloudTrail(),
 			"aws_cloudwatch_event_bus":                                resourceAwsCloudWatchEventBus(),
diff --git a/aws/resource_aws_cloudfront_origin_request_policy.go b/aws/resource_aws_cloudfront_origin_request_policy.go
new file mode 100644
index 00000000000..b97ffd8cf63
--- /dev/null
+++ b/aws/resource_aws_cloudfront_origin_request_policy.go
@@ -0,0 +1,191 @@
+package aws
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func resourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsCloudFrontOriginRequestPolicyCreate,
+		Read:   resourceAwsCloudFrontOriginRequestPolicyRead,
+		Update: resourceAwsCloudFrontOriginRequestPolicyUpdate,
+		Delete: resourceAwsCloudFrontOriginRequestPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"comment": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"etag": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"cookies_config": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Required: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cookie_behavior": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"none", "whitelist", "all"}, false),
+						},
+						"cookies": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"headers_config": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Required: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"header_behavior": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validation.StringInSlice([]string{"none", "whitelist", "allViewer", "allViewerAndWhitelistCloudFront"}, false),
+						},
+						"headers": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"query_strings_config": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Required: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"query_string_behavior": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"none", "whitelist", "allExcept", "all"}, false),
+						},
+						"query_strings": {
+							Type:     schema.TypeList,
+							MaxItems: 1,
+							Optional: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsCloudFrontOriginRequestPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+
+	request := &cloudfront.CreateOriginRequestPolicyInput{
+		OriginRequestPolicyConfig: expandCloudFrontOriginRequestPolicyConfig(d),
+	}
+
+	resp, err := conn.CreateOriginRequestPolicy(request)
+
+	if err != nil {
+		return err
+	}
+
+	d.SetId(aws.StringValue(resp.OriginRequestPolicy.Id))
+
+	return resourceAwsCloudFrontOriginRequestPolicyRead(d, meta)
+}
+
+func resourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	request := &cloudfront.GetOriginRequestPolicyInput{
+		Id: aws.String(d.Id()),
+	}
+
+	resp, err := conn.GetOriginRequestPolicy(request)
+	if err != nil {
+		return err
+	}
+	d.Set("etag", aws.StringValue(resp.ETag))
+
+	flattenCloudFrontOriginRequestPolicy(d, resp.OriginRequestPolicy.OriginRequestPolicyConfig)
+
+	return nil
+}
+
+func resourceAwsCloudFrontOriginRequestPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+
+	request := &cloudfront.UpdateOriginRequestPolicyInput{
+		OriginRequestPolicyConfig: expandCloudFrontOriginRequestPolicyConfig(d),
+		Id:                        aws.String(d.Id()),
+		IfMatch:                   aws.String(d.Get("etag").(string)),
+	}
+
+	_, err := conn.UpdateOriginRequestPolicy(request)
+	if err != nil {
+		return err
+	}
+
+	return resourceAwsCloudFrontOriginRequestPolicyRead(d, meta)
+}
+
+func resourceAwsCloudFrontOriginRequestPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+
+	request := &cloudfront.DeleteOriginRequestPolicyInput{
+		Id:      aws.String(d.Id()),
+		IfMatch: aws.String(d.Get("etag").(string)),
+	}
+
+	_, err := conn.DeleteOriginRequestPolicy(request)
+	if err != nil {
+		if isAWSErr(err, cloudfront.ErrCodeNoSuchOriginRequestPolicy, "") {
+			return nil
+		}
+		return err
+	}
+
+	return nil
+}
diff --git a/aws/resource_aws_cloudfront_origin_request_policy_test.go b/aws/resource_aws_cloudfront_origin_request_policy_test.go
new file mode 100644
index 00000000000..1822f324413
--- /dev/null
+++ b/aws/resource_aws_cloudfront_origin_request_policy_test.go
@@ -0,0 +1,179 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccAWSCloudFrontOriginRequestPolicy_basic(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontPublicKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCloudFrontOriginRequestPolicyConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+				),
+			},
+			{
+				ResourceName:            "aws_cloudfront_origin_request_policy.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{},
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontOriginRequestPolicy_update(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontPublicKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCloudFrontOriginRequestPolicyConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+				),
+			},
+			{
+				Config: testAccAWSCloudFrontOriginRequestPolicyConfigUpdate(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment updated"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test2"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "none"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.#", "0"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test2"),
+				),
+			},
+			{
+				ResourceName:            "aws_cloudfront_origin_request_policy.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{},
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontOriginRequestPolicy_noneBehavior(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontPublicKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCloudFrontOriginRequestPolicyConfigNoneBehavior(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "none"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.#", "0"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "none"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.#", "0"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "none"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.#", "0"),
+				),
+			},
+			{
+				ResourceName:            "aws_cloudfront_origin_request_policy.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{},
+			},
+		},
+	})
+}
+
+func testAccAWSCloudFrontOriginRequestPolicyConfig(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_cloudfront_origin_request_policy" "example" {
+  name    = "test-policy%[1]d"
+  comment = "test comment"
+  cookies_config {
+    cookie_behavior = "whitelist"
+    cookies {
+      items = ["test"]
+    }
+  }
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = ["test"]
+    }
+  }
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = ["test"]
+    }
+  }
+}
+`, rInt)
+}
+
+func testAccAWSCloudFrontOriginRequestPolicyConfigUpdate(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_cloudfront_origin_request_policy" "example" {
+  name    = "test-policy-updated%[1]d"
+  comment = "test comment updated"
+  cookies_config {
+    cookie_behavior = "whitelist"
+    cookies {
+      items = ["test2"]
+    }
+  }
+  headers_config {
+    header_behavior = "none"
+  }
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = ["test2"]
+    }
+  }
+}
+`, rInt)
+}
+
+func testAccAWSCloudFrontOriginRequestPolicyConfigNoneBehavior(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_cloudfront_origin_request_policy" "example" {
+  name    = "test-policy-updated%[1]d"
+  comment = "test comment"
+  cookies_config {
+    cookie_behavior = "none"
+  }
+  headers_config {
+    header_behavior = "none"
+  }
+  query_strings_config {
+    query_string_behavior = "none"
+  }
+}
+`, rInt)
+}

From 22c43f9f9d09d1158b6fe5a5c94f9972b916cd16 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 28 Jan 2021 00:03:06 -0800
Subject: [PATCH 02/10] wip

---
 ...nt_distribution_configuration_structure.go |  3 +
 aws/resource_aws_cloudfront_distribution.go   |  8 ++
 ...source_aws_cloudfront_distribution_test.go | 97 +++++++++++++++++++
 3 files changed, 108 insertions(+)

diff --git a/aws/cloudfront_distribution_configuration_structure.go b/aws/cloudfront_distribution_configuration_structure.go
index 71ca5c39316..40643c3bdaa 100644
--- a/aws/cloudfront_distribution_configuration_structure.go
+++ b/aws/cloudfront_distribution_configuration_structure.go
@@ -230,6 +230,7 @@ func expandCacheBehavior(m map[string]interface{}) *cloudfront.CacheBehavior {
 		ForwardedValues:        expandForwardedValues(m["forwarded_values"].([]interface{})[0].(map[string]interface{})),
 		MaxTTL:                 aws.Int64(int64(m["max_ttl"].(int))),
 		MinTTL:                 aws.Int64(int64(m["min_ttl"].(int))),
+		OriginRequestPolicyId:  aws.String(m["origin_request_policy_id"].(string)),
 		TargetOriginId:         aws.String(m["target_origin_id"].(string)),
 		ViewerProtocolPolicy:   aws.String(m["viewer_protocol_policy"].(string)),
 	}
@@ -266,6 +267,7 @@ func flattenCloudFrontDefaultCacheBehavior(dcb *cloudfront.DefaultCacheBehavior)
 		"viewer_protocol_policy":    aws.StringValue(dcb.ViewerProtocolPolicy),
 		"target_origin_id":          aws.StringValue(dcb.TargetOriginId),
 		"min_ttl":                   aws.Int64Value(dcb.MinTTL),
+		"origin_request_policy_id":  aws.StringValue(dcb.OriginRequestPolicyId),
 	}
 
 	if dcb.ForwardedValues != nil {
@@ -304,6 +306,7 @@ func flattenCacheBehavior(cb *cloudfront.CacheBehavior) map[string]interface{} {
 	m["viewer_protocol_policy"] = aws.StringValue(cb.ViewerProtocolPolicy)
 	m["target_origin_id"] = aws.StringValue(cb.TargetOriginId)
 	m["min_ttl"] = int(aws.Int64Value(cb.MinTTL))
+	m["origin_request_policy_id"] = aws.StringValue(cb.OriginRequestPolicyId)
 
 	if cb.ForwardedValues != nil {
 		m["forwarded_values"] = []interface{}{flattenForwardedValues(cb.ForwardedValues)}
diff --git a/aws/resource_aws_cloudfront_distribution.go b/aws/resource_aws_cloudfront_distribution.go
index 68e900ef6d3..f63cfd2745e 100644
--- a/aws/resource_aws_cloudfront_distribution.go
+++ b/aws/resource_aws_cloudfront_distribution.go
@@ -151,6 +151,10 @@ func resourceAwsCloudFrontDistribution() *schema.Resource {
 							Optional: true,
 							Default:  0,
 						},
+						"origin_request_policy_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 						"path_pattern": {
 							Type:     schema.TypeString,
 							Required: true,
@@ -313,6 +317,10 @@ func resourceAwsCloudFrontDistribution() *schema.Resource {
 							Optional: true,
 							Default:  0,
 						},
+						"origin_request_policy_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 						"smooth_streaming": {
 							Type:     schema.TypeBool,
 							Optional: true,
diff --git a/aws/resource_aws_cloudfront_distribution_test.go b/aws/resource_aws_cloudfront_distribution_test.go
index 0f1fa7964eb..e4c703d63f3 100644
--- a/aws/resource_aws_cloudfront_distribution_test.go
+++ b/aws/resource_aws_cloudfront_distribution_test.go
@@ -212,6 +212,31 @@ func TestAccAWSCloudFrontDistribution_customOrigin(t *testing.T) {
 	})
 }
 
+func TestAccAWSCloudFrontDistribution_originPolicy(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontDistributionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCloudFrontDistributionOriginRequestPolicyConfig,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr("aws_cloudfront_distribution.custom_distribution", "default_cache_behavior.0.origin_request_policy_id", regexp.MustCompile("[A-z0-9]+")),
+				),
+			},
+			{
+				ResourceName:      "aws_cloudfront_distribution.custom_distribution",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"retain_on_delete",
+					"wait_for_deployment",
+				},
+			},
+		},
+	})
+}
+
 // TestAccAWSCloudFrontDistribution_multiOrigin runs an
 // aws_cloudfront_distribution acceptance test with multiple origins.
 //
@@ -1363,6 +1388,78 @@ resource "aws_cloudfront_distribution" "custom_distribution" {
 }
 `, acctest.RandInt(), logBucket, testAccAWSCloudFrontDistributionRetainConfig())
 
+var testAccAWSCloudFrontDistributionOriginRequestPolicyConfig = fmt.Sprintf(`
+variable rand_id {
+  default = %[1]d
+}
+
+resource "aws_cloudfront_origin_request_policy" "test_policy" {
+  name    = "test-policy%[1]d"
+  comment = "test comment"
+  cookies_config {
+    cookie_behavior = "whitelist"
+    cookies {
+      items = ["test"]
+    }
+  }
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = ["test"]
+    }
+  }
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = ["test"]
+    }
+  }
+}
+
+resource "aws_cloudfront_distribution" "custom_distribution" {
+  enabled             = true
+  comment             = "Some comment"
+  default_root_object = "index.html"
+
+  default_cache_behavior {
+    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "myCustomOrigin"
+    smooth_streaming = false
+
+		origin_request_policy_id = aws_cloudfront_origin_request_policy.test_policy.id
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "all"
+      }
+    }
+
+    viewer_protocol_policy = "allow-all"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+  }
+
+  price_class = "PriceClass_200"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = ["US", "CA", "GB", "DE"]
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  %[2]s
+}
+`, acctest.RandInt(), testAccAWSCloudFrontDistributionRetainConfig())
+
 var testAccAWSCloudFrontDistributionMultiOriginConfig = fmt.Sprintf(`
 variable rand_id {
   default = %d

From dab088d0ba3180abe6c519c7a3033227100b9661 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 28 Jan 2021 11:12:53 -0800
Subject: [PATCH 03/10] Add cloudfront_origin_request_policy data source

---
 ...ce_aws_cloudfront_origin_request_policy.go | 154 ++++++++++++++++++
 ...s_cloudfront_origin_request_policy_test.go |  64 ++++++++
 aws/provider.go                               |   1 +
 ...dfront_origin_request_policy.html.markdown |  54 ++++++
 ...dfront_origin_request_policy.html.markdown |  75 +++++++++
 5 files changed, 348 insertions(+)
 create mode 100644 aws/data_source_aws_cloudfront_origin_request_policy.go
 create mode 100644 aws/data_source_aws_cloudfront_origin_request_policy_test.go
 create mode 100644 website/docs/d/cloudfront_origin_request_policy.html.markdown
 create mode 100644 website/docs/r/cloudfront_origin_request_policy.html.markdown

diff --git a/aws/data_source_aws_cloudfront_origin_request_policy.go b/aws/data_source_aws_cloudfront_origin_request_policy.go
new file mode 100644
index 00000000000..0e2a4366076
--- /dev/null
+++ b/aws/data_source_aws_cloudfront_origin_request_policy.go
@@ -0,0 +1,154 @@
+package aws
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwsCloudFrontOriginRequestPolicyRead,
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"comment": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"etag": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"cookies_config": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cookie_behavior": {
+							Computed: true,
+							Type:     schema.TypeString,
+						},
+						"cookies": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"headers_config": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"header_behavior": {
+							Computed: true,
+							Type:     schema.TypeString,
+						},
+						"headers": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"query_strings_config": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"query_string_behavior": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"query_strings": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"items": {
+										Type:     schema.TypeSet,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d *schema.ResourceData, conn *cloudfront.CloudFront) error {
+	var originRequestPolicy *cloudfront.OriginRequestPolicy
+	request := &cloudfront.ListOriginRequestPoliciesInput{}
+	resp, err := conn.ListOriginRequestPolicies(request)
+	if err != nil {
+		return err
+	}
+
+	for _, policySummary := range resp.OriginRequestPolicyList.Items {
+		if *policySummary.OriginRequestPolicy.OriginRequestPolicyConfig.Name == d.Get("name").(string) {
+			originRequestPolicy = policySummary.OriginRequestPolicy
+			break
+		}
+	}
+
+	if originRequestPolicy != nil {
+		d.SetId(aws.StringValue(originRequestPolicy.Id))
+	}
+	return nil
+}
+
+func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+
+	if d.Id() == "" {
+		if err := dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d, conn); err != nil {
+			return err
+		}
+	}
+
+	if d.Id() != "" {
+		request := &cloudfront.GetOriginRequestPolicyInput{
+			Id: aws.String(d.Id()),
+		}
+
+		resp, err := conn.GetOriginRequestPolicy(request)
+		if err != nil {
+			return err
+		}
+		d.Set("etag", aws.StringValue(resp.ETag))
+
+		flattenCloudFrontOriginRequestPolicy(d, resp.OriginRequestPolicy.OriginRequestPolicyConfig)
+	}
+
+	return nil
+}
diff --git a/aws/data_source_aws_cloudfront_origin_request_policy_test.go b/aws/data_source_aws_cloudfront_origin_request_policy_test.go
new file mode 100644
index 00000000000..1ca5a7cc9cc
--- /dev/null
+++ b/aws/data_source_aws_cloudfront_origin_request_policy_test.go
@@ -0,0 +1,64 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccAWSCloudFrontDataSourceOriginRequestPolicy_basic(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontPublicKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCloudFrontDataSourceOriginRequestPolicyConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+				),
+			},
+		},
+	})
+}
+func testAccAWSCloudFrontDataSourceOriginRequestPolicyConfig(rInt int) string {
+	return fmt.Sprintf(`
+data "aws_cloudfront_origin_request_policy" "example" {
+  name = aws_cloudfront_origin_request_policy.example.name
+}
+
+resource "aws_cloudfront_origin_request_policy" "example" {
+  name    = "test-policy%[1]d"
+  comment = "test comment"
+  cookies_config {
+    cookie_behavior = "whitelist"
+    cookies {
+      items = ["test"]
+    }
+  }
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = ["test"]
+    }
+  }
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = ["test"]
+    }
+  }
+}
+`, rInt)
+}
diff --git a/aws/provider.go b/aws/provider.go
index 9aec8ccd060..b03e3f783a5 100644
--- a/aws/provider.go
+++ b/aws/provider.go
@@ -190,6 +190,7 @@ func Provider() *schema.Provider {
 			"aws_cloudformation_export":                      dataSourceAwsCloudFormationExport(),
 			"aws_cloudformation_stack":                       dataSourceAwsCloudFormationStack(),
 			"aws_cloudfront_distribution":                    dataSourceAwsCloudFrontDistribution(),
+			"aws_cloudfront_origin_request_policy":           dataSourceAwsCloudFrontOriginRequestPolicy(),
 			"aws_cloudhsm_v2_cluster":                        dataSourceCloudHsmV2Cluster(),
 			"aws_cloudtrail_service_account":                 dataSourceAwsCloudTrailServiceAccount(),
 			"aws_cloudwatch_log_group":                       dataSourceAwsCloudwatchLogGroup(),
diff --git a/website/docs/d/cloudfront_origin_request_policy.html.markdown b/website/docs/d/cloudfront_origin_request_policy.html.markdown
new file mode 100644
index 00000000000..0a152a1ca9f
--- /dev/null
+++ b/website/docs/d/cloudfront_origin_request_policy.html.markdown
@@ -0,0 +1,54 @@
+---
+subcategory: "CloudFront"
+layout: "aws"
+page_title: "AWS: aws_cloudfront_origin_request_policy"
+description: |-
+  Determines the values that CloudFront includes in requests that it sends to the origin.
+---
+
+# Data Source: aws_cloudfront_origin_request_policy
+
+## Example Usage
+
+The following example below creates a CloudFront origin request policy.
+
+```hcl
+data "aws_cloudfront_origin_request_policy" "example" {
+  name = "example-policy"
+}
+
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - A unique name to identify the origin request policy.
+* `id` - The identifier for the origin request policy. 
+
+## Attributes Reference
+
+* `comment` - A comment to describe the origin request policy.
+* `cookies_config` - An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
+* `etag` - The current version of the origin request policy.
+* `headers_config` - An object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
+* `query_strings_config` - An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
+
+### Cookies Config
+
+`cookie_behavior` - Determines whether any cookies in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist` `all`.
+`cookies` - An object that contains a list of cookie names. See [Items](#items) for more information.
+
+### Headers Config
+
+`header_behavior` - Determines whether any HTTP headers are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `allViewer`, `allViewerAndWhitelistCloudFront`.
+`headers` - An object that contains a list of header names. See [Items](#items) for more information.
+
+### Query String Config
+
+`query_string_behavior` - Determines whether any URL query strings in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `all`.
+`query_strings` - An object that contains a list of query string names. See [Items](#items) for more information.
+
+### Items
+
+`items` - A list of item names (cookies, headers, or query strings).
diff --git a/website/docs/r/cloudfront_origin_request_policy.html.markdown b/website/docs/r/cloudfront_origin_request_policy.html.markdown
new file mode 100644
index 00000000000..bd7069cacbe
--- /dev/null
+++ b/website/docs/r/cloudfront_origin_request_policy.html.markdown
@@ -0,0 +1,75 @@
+---
+subcategory: "CloudFront"
+layout: "aws"
+page_title: "AWS: aws_cloudfront_origin_request_policy"
+description: |-
+  Determines the values that CloudFront includes in requests that it sends to the origin.
+---
+
+# Resource: aws_cloudfront_origin_request_policy
+
+## Example Usage
+
+The following example below creates a CloudFront origin request policy.
+
+```hcl
+resource "aws_cloudfront_origin_request_policy" "example" {
+  name    = "example-policy"
+  comment = "example comment"
+  cookies_config {
+    cookie_behavior = "whitelist"
+    cookies {
+      items = ["example"]
+    }
+  }
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = ["example"]
+    }
+  }
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = ["example"]
+    }
+  }
+}
+
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) A unique name to identify the origin request policy.
+* `comment` - (Optional) A comment to describe the origin request policy.
+* `cookies_config` - (Required) An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
+* `headers_config` - (Required) An object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
+* `query_strings_config` - (Required) An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
+
+### Cookies Config
+
+`cookie_behavior` - (Required) Determines whether any cookies in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist` `all`.
+`cookies` - (Optional) An object that contains a list of cookie names. See [Items](#items) for more information.
+
+### Headers Config
+
+`header_behavior` - (Required) Determines whether any HTTP headers are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `allViewer`, `allViewerAndWhitelistCloudFront`.
+`headers` - (Optional) An object that contains a list of header names. See [Items](#items) for more information.
+
+### Query String Config
+
+`query_string_behavior` - (Required) Determines whether any URL query strings in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `all`.
+`query_strings` - (Optional) An object that contains a list of query string names. See [Items](#items) for more information.
+
+### Items
+
+`items` - (Required) A list of item names (cookies, headers, or query strings).
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `etag` - The current version of the origin request policy.
+* `id` - The identifier for the origin request policy. 

From 0e8e5c338d457507ef80e05fabfb4409d137ae56 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 28 Jan 2021 12:06:59 -0800
Subject: [PATCH 04/10] Fix cloudfront_distribution request policy tests

---
 ...nt_distribution_configuration_structure.go |  1 +
 ...source_aws_cloudfront_distribution_test.go | 59 +++++++++++++++++--
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/aws/cloudfront_distribution_configuration_structure.go b/aws/cloudfront_distribution_configuration_structure.go
index 40643c3bdaa..6473b5ccef7 100644
--- a/aws/cloudfront_distribution_configuration_structure.go
+++ b/aws/cloudfront_distribution_configuration_structure.go
@@ -195,6 +195,7 @@ func expandCloudFrontDefaultCacheBehavior(m map[string]interface{}) *cloudfront.
 		ForwardedValues:        expandForwardedValues(m["forwarded_values"].([]interface{})[0].(map[string]interface{})),
 		MaxTTL:                 aws.Int64(int64(m["max_ttl"].(int))),
 		MinTTL:                 aws.Int64(int64(m["min_ttl"].(int))),
+		OriginRequestPolicyId:  aws.String(m["origin_request_policy_id"].(string)),
 		TargetOriginId:         aws.String(m["target_origin_id"].(string)),
 		ViewerProtocolPolicy:   aws.String(m["viewer_protocol_policy"].(string)),
 	}
diff --git a/aws/resource_aws_cloudfront_distribution_test.go b/aws/resource_aws_cloudfront_distribution_test.go
index e4c703d63f3..a90692322cb 100644
--- a/aws/resource_aws_cloudfront_distribution_test.go
+++ b/aws/resource_aws_cloudfront_distribution_test.go
@@ -1393,6 +1393,37 @@ variable rand_id {
   default = %[1]d
 }
 
+# log bucket
+%[2]s
+
+resource "aws_cloudfront_cache_policy" "example" {
+  name        = "test-policy%[1]d"
+  comment     = "test comment"
+  default_ttl = 50
+  max_ttl     = 100
+  min_ttl     = 1
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "whitelist"
+      cookies {
+        items = ["test"]
+      }
+    }
+    headers_config {
+      header_behavior = "whitelist"
+      headers {
+        items = ["test"]
+      }
+    }
+    query_strings_config {
+      query_string_behavior = "whitelist"
+      query_strings {
+        items = ["test"]
+      }
+    }
+  }
+}
+
 resource "aws_cloudfront_origin_request_policy" "test_policy" {
   name    = "test-policy%[1]d"
   comment = "test comment"
@@ -1417,10 +1448,30 @@ resource "aws_cloudfront_origin_request_policy" "test_policy" {
 }
 
 resource "aws_cloudfront_distribution" "custom_distribution" {
+  origin {
+    domain_name = "www.example.com"
+    origin_id   = "myCustomOrigin"
+
+    custom_origin_config {
+      http_port                = 80
+      https_port               = 443
+      origin_protocol_policy   = "http-only"
+      origin_ssl_protocols     = ["SSLv3", "TLSv1"]
+      origin_read_timeout      = 30
+      origin_keepalive_timeout = 5
+    }
+  }
+
   enabled             = true
   comment             = "Some comment"
   default_root_object = "index.html"
 
+  logging_config {
+    include_cookies = false
+    bucket          = "${aws_s3_bucket.s3_bucket_logs.id}.s3.amazonaws.com"
+    prefix          = "myprefix"
+  }
+
   default_cache_behavior {
     allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods   = ["GET", "HEAD"]
@@ -1428,6 +1479,7 @@ resource "aws_cloudfront_distribution" "custom_distribution" {
     smooth_streaming = false
 
 		origin_request_policy_id = aws_cloudfront_origin_request_policy.test_policy.id
+		cache_policy_id          = aws_cloudfront_cache_policy.example.id
 
     forwarded_values {
       query_string = false
@@ -1438,9 +1490,6 @@ resource "aws_cloudfront_distribution" "custom_distribution" {
     }
 
     viewer_protocol_policy = "allow-all"
-    min_ttl                = 0
-    default_ttl            = 3600
-    max_ttl                = 86400
   }
 
   price_class = "PriceClass_200"
@@ -1455,10 +1504,8 @@ resource "aws_cloudfront_distribution" "custom_distribution" {
   viewer_certificate {
     cloudfront_default_certificate = true
   }
-
-  %[2]s
 }
-`, acctest.RandInt(), testAccAWSCloudFrontDistributionRetainConfig())
+`, acctest.RandInt(), logBucket, testAccAWSCloudFrontDistributionRetainConfig())
 
 var testAccAWSCloudFrontDistributionMultiOriginConfig = fmt.Sprintf(`
 variable rand_id {

From 2201670d8ef4e94622313009bcfbf8f9a667c3a9 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 28 Jan 2021 12:35:35 -0800
Subject: [PATCH 05/10] Fix formatting

---
 ...dfront_distribution_configuration_structure_test.go |  1 +
 aws/cloudfront_origin_request_policy_structure.go      | 10 +++-------
 aws/resource_aws_cloudfront_distribution_test.go       |  4 ++--
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/aws/cloudfront_distribution_configuration_structure_test.go b/aws/cloudfront_distribution_configuration_structure_test.go
index c3e38114616..61659ef7577 100644
--- a/aws/cloudfront_distribution_configuration_structure_test.go
+++ b/aws/cloudfront_distribution_configuration_structure_test.go
@@ -21,6 +21,7 @@ func defaultCacheBehaviorConf() map[string]interface{} {
 		"smooth_streaming":            false,
 		"default_ttl":                 86400,
 		"allowed_methods":             allowedMethodsConf(),
+		"origin_request_policy_id":    "ABCD1234",
 		"cached_methods":              cachedMethodsConf(),
 		"compress":                    true,
 		"field_level_encryption_id":   "",
diff --git a/aws/cloudfront_origin_request_policy_structure.go b/aws/cloudfront_origin_request_policy_structure.go
index 0c647dcada3..082656903b4 100644
--- a/aws/cloudfront_origin_request_policy_structure.go
+++ b/aws/cloudfront_origin_request_policy_structure.go
@@ -20,9 +20,7 @@ func expandCloudFrontOriginRequestPolicyCookieNames(cookieNamesFlat map[string]i
 }
 
 func expandCloudFrontOriginRequestPolicyCookiesConfig(cookiesConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyCookiesConfig {
-	cookies := &cloudfront.CookieNames{
-		Quantity: aws.Int64(int64(0)),
-	}
+	var cookies *cloudfront.CookieNames
 
 	if cookiesFlat, ok := cookiesConfigFlat["cookies"].([]interface{}); ok && len(cookiesFlat) == 1 {
 		cookies = expandCloudFrontOriginRequestPolicyCookieNames(cookiesFlat[0].(map[string]interface{}))
@@ -52,7 +50,7 @@ func expandCloudFrontOriginRequestPolicyHeaders(headerNamesFlat map[string]inter
 }
 
 func expandCloudFrontOriginRequestPolicyHeadersConfig(headersConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyHeadersConfig {
-	headers := &cloudfront.Headers{}
+	var headers *cloudfront.Headers
 
 	if headersFlat, ok := headersConfigFlat["headers"].([]interface{}); ok && len(headersFlat) == 1 && headersConfigFlat["header_behavior"] != "none" {
 		headers = expandCloudFrontOriginRequestPolicyHeaders(headersFlat[0].(map[string]interface{}))
@@ -82,9 +80,7 @@ func expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringNamesFlat ma
 }
 
 func expandCloudFrontOriginRequestPolicyQueryStringsConfig(queryStringConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyQueryStringsConfig {
-	queryStrings := &cloudfront.QueryStringNames{
-		Quantity: aws.Int64(int64(0)),
-	}
+	var queryStrings *cloudfront.QueryStringNames
 
 	if queryStringFlat, ok := queryStringConfigFlat["query_strings"].([]interface{}); ok && len(queryStringFlat) == 1 {
 		queryStrings = expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringFlat[0].(map[string]interface{}))
diff --git a/aws/resource_aws_cloudfront_distribution_test.go b/aws/resource_aws_cloudfront_distribution_test.go
index a90692322cb..29badfe2ce8 100644
--- a/aws/resource_aws_cloudfront_distribution_test.go
+++ b/aws/resource_aws_cloudfront_distribution_test.go
@@ -1478,8 +1478,8 @@ resource "aws_cloudfront_distribution" "custom_distribution" {
     target_origin_id = "myCustomOrigin"
     smooth_streaming = false
 
-		origin_request_policy_id = aws_cloudfront_origin_request_policy.test_policy.id
-		cache_policy_id          = aws_cloudfront_cache_policy.example.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.test_policy.id
+    cache_policy_id          = aws_cloudfront_cache_policy.example.id
 
     forwarded_values {
       query_string = false

From 0b986b4301fd862d94393252c3d09221e347d3d6 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 28 Jan 2021 12:40:56 -0800
Subject: [PATCH 06/10] Remove trailing whitespace

---
 website/docs/d/cloudfront_origin_request_policy.html.markdown | 2 +-
 website/docs/r/cloudfront_origin_request_policy.html.markdown | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/website/docs/d/cloudfront_origin_request_policy.html.markdown b/website/docs/d/cloudfront_origin_request_policy.html.markdown
index 0a152a1ca9f..5b6cfe1fece 100644
--- a/website/docs/d/cloudfront_origin_request_policy.html.markdown
+++ b/website/docs/d/cloudfront_origin_request_policy.html.markdown
@@ -24,7 +24,7 @@ data "aws_cloudfront_origin_request_policy" "example" {
 The following arguments are supported:
 
 * `name` - A unique name to identify the origin request policy.
-* `id` - The identifier for the origin request policy. 
+* `id` - The identifier for the origin request policy.
 
 ## Attributes Reference
 
diff --git a/website/docs/r/cloudfront_origin_request_policy.html.markdown b/website/docs/r/cloudfront_origin_request_policy.html.markdown
index bd7069cacbe..4e19f1ecbba 100644
--- a/website/docs/r/cloudfront_origin_request_policy.html.markdown
+++ b/website/docs/r/cloudfront_origin_request_policy.html.markdown
@@ -72,4 +72,4 @@ The following arguments are supported:
 In addition to all arguments above, the following attributes are exported:
 
 * `etag` - The current version of the origin request policy.
-* `id` - The identifier for the origin request policy. 
+* `id` - The identifier for the origin request policy.

From 767e5ef764b19efce4591fb56e2e8ecca732fe22 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Wed, 3 Feb 2021 15:32:12 -0800
Subject: [PATCH 07/10] Address issues from origin_policy code review

---
 ...udfront_origin_request_policy_structure.go | 135 ++++++++++--------
 ...ce_aws_cloudfront_origin_request_policy.go |  73 +++++-----
 ...ce_aws_cloudfront_origin_request_policy.go |  25 ++--
 ...dfront_origin_request_policy.html.markdown |  18 +--
 ...dfront_origin_request_policy.html.markdown |  18 +--
 5 files changed, 145 insertions(+), 124 deletions(-)

diff --git a/aws/cloudfront_origin_request_policy_structure.go b/aws/cloudfront_origin_request_policy_structure.go
index 082656903b4..7d6342aa704 100644
--- a/aws/cloudfront_origin_request_policy_structure.go
+++ b/aws/cloudfront_origin_request_policy_structure.go
@@ -6,99 +6,118 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-func expandCloudFrontOriginRequestPolicyCookieNames(cookieNamesFlat map[string]interface{}) *cloudfront.CookieNames {
-	cookieNames := &cloudfront.CookieNames{}
+func expandCloudFrontOriginRequestPolicyCookieNames(tfMap map[string]interface{}) *cloudfront.CookieNames {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &cloudfront.CookieNames{}
 
-	var newCookieItems []*string
-	for _, cookie := range cookieNamesFlat["items"].(*schema.Set).List() {
-		newCookieItems = append(newCookieItems, aws.String(cookie.(string)))
+	var items []*string
+	for _, item := range tfMap["items"].(*schema.Set).List() {
+		items = append(items, aws.String(item.(string)))
 	}
-	cookieNames.Items = newCookieItems
-	cookieNames.Quantity = aws.Int64(int64(len(newCookieItems)))
+	apiObject.Items = items
+	apiObject.Quantity = aws.Int64(int64(len(items)))
 
-	return cookieNames
+	return apiObject
 }
 
-func expandCloudFrontOriginRequestPolicyCookiesConfig(cookiesConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyCookiesConfig {
-	var cookies *cloudfront.CookieNames
+func expandCloudFrontOriginRequestPolicyCookiesConfig(tfMap map[string]interface{}) *cloudfront.OriginRequestPolicyCookiesConfig {
+	if tfMap == nil {
+		return nil
+	}
+
+	var itemsAPIObject *cloudfront.CookieNames
 
-	if cookiesFlat, ok := cookiesConfigFlat["cookies"].([]interface{}); ok && len(cookiesFlat) == 1 {
-		cookies = expandCloudFrontOriginRequestPolicyCookieNames(cookiesFlat[0].(map[string]interface{}))
+	if itemsFlat, ok := tfMap["cookies"].([]interface{}); ok && len(itemsFlat) == 1 {
+		itemsAPIObject = expandCloudFrontOriginRequestPolicyCookieNames(itemsFlat[0].(map[string]interface{}))
 	} else {
-		cookies = nil
+		itemsAPIObject = nil
 	}
 
-	cookiesConfig := &cloudfront.OriginRequestPolicyCookiesConfig{
-		CookieBehavior: aws.String(cookiesConfigFlat["cookie_behavior"].(string)),
-		Cookies:        cookies,
+	apiObject := &cloudfront.OriginRequestPolicyCookiesConfig{
+		CookieBehavior: aws.String(tfMap["cookie_behavior"].(string)),
+		Cookies:        itemsAPIObject,
 	}
 
-	return cookiesConfig
+	return apiObject
 }
 
-func expandCloudFrontOriginRequestPolicyHeaders(headerNamesFlat map[string]interface{}) *cloudfront.Headers {
-	headers := &cloudfront.Headers{}
+func expandCloudFrontOriginRequestPolicyHeaders(tfMap map[string]interface{}) *cloudfront.Headers {
+	if tfMap == nil {
+		return nil
+	}
+	apiObject := &cloudfront.Headers{}
 
-	var newHeaderItems []*string
-	for _, header := range headerNamesFlat["items"].(*schema.Set).List() {
-		newHeaderItems = append(newHeaderItems, aws.String(header.(string)))
+	var items []*string
+	for _, item := range tfMap["items"].(*schema.Set).List() {
+		items = append(items, aws.String(item.(string)))
 	}
-	headers.Items = newHeaderItems
-	headers.Quantity = aws.Int64(int64(len(newHeaderItems)))
+	apiObject.Items = items
+	apiObject.Quantity = aws.Int64(int64(len(items)))
 
-	return headers
+	return apiObject
 }
 
-func expandCloudFrontOriginRequestPolicyHeadersConfig(headersConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyHeadersConfig {
-	var headers *cloudfront.Headers
+func expandCloudFrontOriginRequestPolicyHeadersConfig(tfMap map[string]interface{}) *cloudfront.OriginRequestPolicyHeadersConfig {
+	if tfMap == nil {
+		return nil
+	}
+	var itemsAPIObject *cloudfront.Headers
 
-	if headersFlat, ok := headersConfigFlat["headers"].([]interface{}); ok && len(headersFlat) == 1 && headersConfigFlat["header_behavior"] != "none" {
-		headers = expandCloudFrontOriginRequestPolicyHeaders(headersFlat[0].(map[string]interface{}))
+	if itemsFlat, ok := tfMap["headers"].([]interface{}); ok && len(itemsFlat) == 1 && tfMap["header_behavior"] != "none" {
+		itemsAPIObject = expandCloudFrontOriginRequestPolicyHeaders(itemsFlat[0].(map[string]interface{}))
 	} else {
-		headers = nil
+		itemsAPIObject = nil
 	}
 
-	headersConfig := &cloudfront.OriginRequestPolicyHeadersConfig{
-		HeaderBehavior: aws.String(headersConfigFlat["header_behavior"].(string)),
-		Headers:        headers,
+	apiObject := &cloudfront.OriginRequestPolicyHeadersConfig{
+		HeaderBehavior: aws.String(tfMap["header_behavior"].(string)),
+		Headers:        itemsAPIObject,
 	}
 
-	return headersConfig
+	return apiObject
 }
 
-func expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringNamesFlat map[string]interface{}) *cloudfront.QueryStringNames {
-	queryStringNames := &cloudfront.QueryStringNames{}
+func expandCloudFrontOriginRequestPolicyQueryStringNames(tfMap map[string]interface{}) *cloudfront.QueryStringNames {
+	if tfMap == nil {
+		return nil
+	}
+	apiObject := &cloudfront.QueryStringNames{}
 
-	var newQueryStringItems []*string
-	for _, queryString := range queryStringNamesFlat["items"].(*schema.Set).List() {
-		newQueryStringItems = append(newQueryStringItems, aws.String(queryString.(string)))
+	var items []*string
+	for _, item := range tfMap["items"].(*schema.Set).List() {
+		items = append(items, aws.String(item.(string)))
 	}
-	queryStringNames.Items = newQueryStringItems
-	queryStringNames.Quantity = aws.Int64(int64(len(newQueryStringItems)))
+	apiObject.Items = items
+	apiObject.Quantity = aws.Int64(int64(len(items)))
 
-	return queryStringNames
+	return apiObject
 }
 
-func expandCloudFrontOriginRequestPolicyQueryStringsConfig(queryStringConfigFlat map[string]interface{}) *cloudfront.OriginRequestPolicyQueryStringsConfig {
-	var queryStrings *cloudfront.QueryStringNames
+func expandCloudFrontOriginRequestPolicyQueryStringsConfig(tfMap map[string]interface{}) *cloudfront.OriginRequestPolicyQueryStringsConfig {
+	if tfMap == nil {
+		return nil
+	}
+	var itemsAPIObject *cloudfront.QueryStringNames
 
-	if queryStringFlat, ok := queryStringConfigFlat["query_strings"].([]interface{}); ok && len(queryStringFlat) == 1 {
-		queryStrings = expandCloudFrontOriginRequestPolicyQueryStringNames(queryStringFlat[0].(map[string]interface{}))
+	if itemsFlat, ok := tfMap["query_strings"].([]interface{}); ok && len(itemsFlat) == 1 {
+		itemsAPIObject = expandCloudFrontOriginRequestPolicyQueryStringNames(itemsFlat[0].(map[string]interface{}))
 	} else {
-		queryStrings = nil
+		itemsAPIObject = nil
 	}
 
-	queryStringConfig := &cloudfront.OriginRequestPolicyQueryStringsConfig{
-		QueryStringBehavior: aws.String(queryStringConfigFlat["query_string_behavior"].(string)),
-		QueryStrings:        queryStrings,
+	apiObject := &cloudfront.OriginRequestPolicyQueryStringsConfig{
+		QueryStringBehavior: aws.String(tfMap["query_string_behavior"].(string)),
+		QueryStrings:        itemsAPIObject,
 	}
 
-	return queryStringConfig
+	return apiObject
 }
 
 func expandCloudFrontOriginRequestPolicyConfig(d *schema.ResourceData) *cloudfront.OriginRequestPolicyConfig {
-
-	originRequestPolicy := &cloudfront.OriginRequestPolicyConfig{
+	apiObject := &cloudfront.OriginRequestPolicyConfig{
 		Comment:            aws.String(d.Get("comment").(string)),
 		Name:               aws.String(d.Get("name").(string)),
 		CookiesConfig:      expandCloudFrontOriginRequestPolicyCookiesConfig(d.Get("cookies_config").([]interface{})[0].(map[string]interface{})),
@@ -106,7 +125,7 @@ func expandCloudFrontOriginRequestPolicyConfig(d *schema.ResourceData) *cloudfro
 		QueryStringsConfig: expandCloudFrontOriginRequestPolicyQueryStringsConfig(d.Get("query_strings_config").([]interface{})[0].(map[string]interface{})),
 	}
 
-	return originRequestPolicy
+	return apiObject
 }
 
 func flattenCloudFrontOriginRequestPolicyCookiesConfig(cookiesConfig *cloudfront.OriginRequestPolicyCookiesConfig) []map[string]interface{} {
@@ -168,11 +187,3 @@ func flattenCloudFrontOriginRequestPolicyQueryStringsConfig(queryStringsConfig *
 		queryStringsConfigFlat,
 	}
 }
-
-func flattenCloudFrontOriginRequestPolicy(d *schema.ResourceData, originRequestPolicy *cloudfront.OriginRequestPolicyConfig) {
-	d.Set("comment", aws.StringValue(originRequestPolicy.Comment))
-	d.Set("name", aws.StringValue(originRequestPolicy.Name))
-	d.Set("cookies_config", flattenCloudFrontOriginRequestPolicyCookiesConfig(originRequestPolicy.CookiesConfig))
-	d.Set("headers_config", flattenCloudFrontOriginRequestPolicyHeadersConfig(originRequestPolicy.HeadersConfig))
-	d.Set("query_strings_config", flattenCloudFrontOriginRequestPolicyQueryStringsConfig(originRequestPolicy.QueryStringsConfig))
-}
diff --git a/aws/data_source_aws_cloudfront_origin_request_policy.go b/aws/data_source_aws_cloudfront_origin_request_policy.go
index 0e2a4366076..ce05f2a6183 100644
--- a/aws/data_source_aws_cloudfront_origin_request_policy.go
+++ b/aws/data_source_aws_cloudfront_origin_request_policy.go
@@ -11,22 +11,10 @@ func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 		Read: dataSourceAwsCloudFrontOriginRequestPolicyRead,
 
 		Schema: map[string]*schema.Schema{
-			"name": {
-				Type:     schema.TypeString,
-				Optional: true,
-			},
-			"id": {
-				Type:     schema.TypeString,
-				Optional: true,
-			},
 			"comment": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"etag": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
 			"cookies_config": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -52,6 +40,10 @@ func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 					},
 				},
 			},
+			"etag": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"headers_config": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -77,6 +69,14 @@ func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 					},
 				},
 			},
+			"id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"query_strings_config": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -106,27 +106,6 @@ func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 	}
 }
 
-func dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d *schema.ResourceData, conn *cloudfront.CloudFront) error {
-	var originRequestPolicy *cloudfront.OriginRequestPolicy
-	request := &cloudfront.ListOriginRequestPoliciesInput{}
-	resp, err := conn.ListOriginRequestPolicies(request)
-	if err != nil {
-		return err
-	}
-
-	for _, policySummary := range resp.OriginRequestPolicyList.Items {
-		if *policySummary.OriginRequestPolicy.OriginRequestPolicyConfig.Name == d.Get("name").(string) {
-			originRequestPolicy = policySummary.OriginRequestPolicy
-			break
-		}
-	}
-
-	if originRequestPolicy != nil {
-		d.SetId(aws.StringValue(originRequestPolicy.Id))
-	}
-	return nil
-}
-
 func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).cloudfrontconn
 
@@ -147,8 +126,34 @@ func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta
 		}
 		d.Set("etag", aws.StringValue(resp.ETag))
 
-		flattenCloudFrontOriginRequestPolicy(d, resp.OriginRequestPolicy.OriginRequestPolicyConfig)
+		originRequestPolicy := *resp.OriginRequestPolicy.OriginRequestPolicyConfig
+		d.Set("comment", aws.StringValue(originRequestPolicy.Comment))
+		d.Set("name", aws.StringValue(originRequestPolicy.Name))
+		d.Set("cookies_config", flattenCloudFrontOriginRequestPolicyCookiesConfig(originRequestPolicy.CookiesConfig))
+		d.Set("headers_config", flattenCloudFrontOriginRequestPolicyHeadersConfig(originRequestPolicy.HeadersConfig))
+		d.Set("query_strings_config", flattenCloudFrontOriginRequestPolicyQueryStringsConfig(originRequestPolicy.QueryStringsConfig))
 	}
 
 	return nil
 }
+
+func dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d *schema.ResourceData, conn *cloudfront.CloudFront) error {
+	var originRequestPolicy *cloudfront.OriginRequestPolicy
+	request := &cloudfront.ListOriginRequestPoliciesInput{}
+	resp, err := conn.ListOriginRequestPolicies(request)
+	if err != nil {
+		return err
+	}
+
+	for _, policySummary := range resp.OriginRequestPolicyList.Items {
+		if *policySummary.OriginRequestPolicy.OriginRequestPolicyConfig.Name == d.Get("name").(string) {
+			originRequestPolicy = policySummary.OriginRequestPolicy
+			break
+		}
+	}
+
+	if originRequestPolicy != nil {
+		d.SetId(aws.StringValue(originRequestPolicy.Id))
+	}
+	return nil
+}
diff --git a/aws/resource_aws_cloudfront_origin_request_policy.go b/aws/resource_aws_cloudfront_origin_request_policy.go
index b97ffd8cf63..a9563b25eb9 100644
--- a/aws/resource_aws_cloudfront_origin_request_policy.go
+++ b/aws/resource_aws_cloudfront_origin_request_policy.go
@@ -22,15 +22,6 @@ func resourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
-			"name": {
-				Type:     schema.TypeString,
-				Required: true,
-			},
-			"etag": {
-				Type:     schema.TypeString,
-				Optional: true,
-				Computed: true,
-			},
 			"cookies_config": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -59,6 +50,11 @@ func resourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 					},
 				},
 			},
+			"etag": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
 			"headers_config": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -87,6 +83,10 @@ func resourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 					},
 				},
 			},
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
 			"query_strings_config": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -149,7 +149,12 @@ func resourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta i
 	}
 	d.Set("etag", aws.StringValue(resp.ETag))
 
-	flattenCloudFrontOriginRequestPolicy(d, resp.OriginRequestPolicy.OriginRequestPolicyConfig)
+	originRequestPolicy := *resp.OriginRequestPolicy.OriginRequestPolicyConfig
+	d.Set("comment", aws.StringValue(originRequestPolicy.Comment))
+	d.Set("name", aws.StringValue(originRequestPolicy.Name))
+	d.Set("cookies_config", flattenCloudFrontOriginRequestPolicyCookiesConfig(originRequestPolicy.CookiesConfig))
+	d.Set("headers_config", flattenCloudFrontOriginRequestPolicyHeadersConfig(originRequestPolicy.HeadersConfig))
+	d.Set("query_strings_config", flattenCloudFrontOriginRequestPolicyQueryStringsConfig(originRequestPolicy.QueryStringsConfig))
 
 	return nil
 }
diff --git a/website/docs/d/cloudfront_origin_request_policy.html.markdown b/website/docs/d/cloudfront_origin_request_policy.html.markdown
index 5b6cfe1fece..4e25a4ea5a1 100644
--- a/website/docs/d/cloudfront_origin_request_policy.html.markdown
+++ b/website/docs/d/cloudfront_origin_request_policy.html.markdown
@@ -23,32 +23,32 @@ data "aws_cloudfront_origin_request_policy" "example" {
 
 The following arguments are supported:
 
-* `name` - A unique name to identify the origin request policy.
+* `name` - Unique name to identify the origin request policy.
 * `id` - The identifier for the origin request policy.
 
 ## Attributes Reference
 
-* `comment` - A comment to describe the origin request policy.
-* `cookies_config` - An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
+* `comment` - Comment to describe the origin request policy.
+* `cookies_config` - Object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
 * `etag` - The current version of the origin request policy.
-* `headers_config` - An object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
-* `query_strings_config` - An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
+* `headers_config` - Object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
+* `query_strings_config` - Object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
 
 ### Cookies Config
 
 `cookie_behavior` - Determines whether any cookies in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist` `all`.
-`cookies` - An object that contains a list of cookie names. See [Items](#items) for more information.
+`cookies` - Object that contains a list of cookie names. See [Items](#items) for more information.
 
 ### Headers Config
 
 `header_behavior` - Determines whether any HTTP headers are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `allViewer`, `allViewerAndWhitelistCloudFront`.
-`headers` - An object that contains a list of header names. See [Items](#items) for more information.
+`headers` - Object that contains a list of header names. See [Items](#items) for more information.
 
 ### Query String Config
 
 `query_string_behavior` - Determines whether any URL query strings in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `all`.
-`query_strings` - An object that contains a list of query string names. See [Items](#items) for more information.
+`query_strings` - Object that contains a list of query string names. See [Items](#items) for more information.
 
 ### Items
 
-`items` - A list of item names (cookies, headers, or query strings).
+`items` - List of item names (cookies, headers, or query strings).
diff --git a/website/docs/r/cloudfront_origin_request_policy.html.markdown b/website/docs/r/cloudfront_origin_request_policy.html.markdown
index 4e19f1ecbba..e92e370dcd2 100644
--- a/website/docs/r/cloudfront_origin_request_policy.html.markdown
+++ b/website/docs/r/cloudfront_origin_request_policy.html.markdown
@@ -42,30 +42,30 @@ resource "aws_cloudfront_origin_request_policy" "example" {
 
 The following arguments are supported:
 
-* `name` - (Required) A unique name to identify the origin request policy.
-* `comment` - (Optional) A comment to describe the origin request policy.
-* `cookies_config` - (Required) An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
-* `headers_config` - (Required) An object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
-* `query_strings_config` - (Required) An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
+* `name` - (Required) Unique name to identify the origin request policy.
+* `comment` - (Optional) Comment to describe the origin request policy.
+* `cookies_config` - (Required) Object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Cookies Config](#cookies-config) for more information.
+* `headers_config` - (Required) Object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Headers Config](#headers-config) for more information.
+* `query_strings_config` - (Required) Object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See [Query Strings Config](#query-strings-config) for more information.
 
 ### Cookies Config
 
 `cookie_behavior` - (Required) Determines whether any cookies in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist` `all`.
-`cookies` - (Optional) An object that contains a list of cookie names. See [Items](#items) for more information.
+`cookies` - (Optional) Object that contains a list of cookie names. See [Items](#items) for more information.
 
 ### Headers Config
 
 `header_behavior` - (Required) Determines whether any HTTP headers are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `allViewer`, `allViewerAndWhitelistCloudFront`.
-`headers` - (Optional) An object that contains a list of header names. See [Items](#items) for more information.
+`headers` - (Optional) Object that contains a list of header names. See [Items](#items) for more information.
 
 ### Query String Config
 
 `query_string_behavior` - (Required) Determines whether any URL query strings in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. Valid values are `none`, `whitelist`, `all`.
-`query_strings` - (Optional) An object that contains a list of query string names. See [Items](#items) for more information.
+`query_strings` - (Optional) Object that contains a list of query string names. See [Items](#items) for more information.
 
 ### Items
 
-`items` - (Required) A list of item names (cookies, headers, or query strings).
+`items` - (Required) List of item names (cookies, headers, or query strings).
 
 ## Attributes Reference
 

From e11003e7058fe4fbb4dad74f4f3d602d67e3b3bc Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Wed, 3 Feb 2021 16:33:15 -0800
Subject: [PATCH 08/10] Address feedback from cache policy review

---
 ...udfront_origin_request_policy_structure.go | 53 ++++++++----------
 ...ce_aws_cloudfront_origin_request_policy.go |  6 +-
 ...s_cloudfront_origin_request_policy_test.go | 15 ++---
 ...s_cloudfront_origin_request_policy_test.go | 55 ++++++++++---------
 4 files changed, 63 insertions(+), 66 deletions(-)

diff --git a/aws/cloudfront_origin_request_policy_structure.go b/aws/cloudfront_origin_request_policy_structure.go
index 7d6342aa704..f6faf8176a3 100644
--- a/aws/cloudfront_origin_request_policy_structure.go
+++ b/aws/cloudfront_origin_request_policy_structure.go
@@ -28,17 +28,12 @@ func expandCloudFrontOriginRequestPolicyCookiesConfig(tfMap map[string]interface
 		return nil
 	}
 
-	var itemsAPIObject *cloudfront.CookieNames
-
-	if itemsFlat, ok := tfMap["cookies"].([]interface{}); ok && len(itemsFlat) == 1 {
-		itemsAPIObject = expandCloudFrontOriginRequestPolicyCookieNames(itemsFlat[0].(map[string]interface{}))
-	} else {
-		itemsAPIObject = nil
-	}
-
 	apiObject := &cloudfront.OriginRequestPolicyCookiesConfig{
 		CookieBehavior: aws.String(tfMap["cookie_behavior"].(string)),
-		Cookies:        itemsAPIObject,
+	}
+
+	if items, ok := tfMap["cookies"].([]interface{}); ok && len(items) == 1 {
+		apiObject.Cookies = expandCloudFrontOriginRequestPolicyCookieNames(items[0].(map[string]interface{}))
 	}
 
 	return apiObject
@@ -48,14 +43,16 @@ func expandCloudFrontOriginRequestPolicyHeaders(tfMap map[string]interface{}) *c
 	if tfMap == nil {
 		return nil
 	}
-	apiObject := &cloudfront.Headers{}
 
 	var items []*string
 	for _, item := range tfMap["items"].(*schema.Set).List() {
 		items = append(items, aws.String(item.(string)))
 	}
-	apiObject.Items = items
-	apiObject.Quantity = aws.Int64(int64(len(items)))
+
+	apiObject := &cloudfront.Headers{
+		Items:    items,
+		Quantity: aws.Int64(int64(len(items))),
+	}
 
 	return apiObject
 }
@@ -64,17 +61,13 @@ func expandCloudFrontOriginRequestPolicyHeadersConfig(tfMap map[string]interface
 	if tfMap == nil {
 		return nil
 	}
-	var itemsAPIObject *cloudfront.Headers
-
-	if itemsFlat, ok := tfMap["headers"].([]interface{}); ok && len(itemsFlat) == 1 && tfMap["header_behavior"] != "none" {
-		itemsAPIObject = expandCloudFrontOriginRequestPolicyHeaders(itemsFlat[0].(map[string]interface{}))
-	} else {
-		itemsAPIObject = nil
-	}
 
 	apiObject := &cloudfront.OriginRequestPolicyHeadersConfig{
 		HeaderBehavior: aws.String(tfMap["header_behavior"].(string)),
-		Headers:        itemsAPIObject,
+	}
+
+	if items, ok := tfMap["headers"].([]interface{}); ok && len(items) == 1 && tfMap["header_behavior"] != "none" {
+		apiObject.Headers = expandCloudFrontOriginRequestPolicyHeaders(items[0].(map[string]interface{}))
 	}
 
 	return apiObject
@@ -84,14 +77,16 @@ func expandCloudFrontOriginRequestPolicyQueryStringNames(tfMap map[string]interf
 	if tfMap == nil {
 		return nil
 	}
-	apiObject := &cloudfront.QueryStringNames{}
 
 	var items []*string
 	for _, item := range tfMap["items"].(*schema.Set).List() {
 		items = append(items, aws.String(item.(string)))
 	}
-	apiObject.Items = items
-	apiObject.Quantity = aws.Int64(int64(len(items)))
+
+	apiObject := &cloudfront.QueryStringNames{
+		Items:    items,
+		Quantity: aws.Int64(int64(len(items))),
+	}
 
 	return apiObject
 }
@@ -100,17 +95,13 @@ func expandCloudFrontOriginRequestPolicyQueryStringsConfig(tfMap map[string]inte
 	if tfMap == nil {
 		return nil
 	}
-	var itemsAPIObject *cloudfront.QueryStringNames
-
-	if itemsFlat, ok := tfMap["query_strings"].([]interface{}); ok && len(itemsFlat) == 1 {
-		itemsAPIObject = expandCloudFrontOriginRequestPolicyQueryStringNames(itemsFlat[0].(map[string]interface{}))
-	} else {
-		itemsAPIObject = nil
-	}
 
 	apiObject := &cloudfront.OriginRequestPolicyQueryStringsConfig{
 		QueryStringBehavior: aws.String(tfMap["query_string_behavior"].(string)),
-		QueryStrings:        itemsAPIObject,
+	}
+
+	if items, ok := tfMap["query_strings"].([]interface{}); ok && len(items) == 1 {
+		apiObject.QueryStrings = expandCloudFrontOriginRequestPolicyQueryStringNames(items[0].(map[string]interface{}))
 	}
 
 	return apiObject
diff --git a/aws/data_source_aws_cloudfront_origin_request_policy.go b/aws/data_source_aws_cloudfront_origin_request_policy.go
index ce05f2a6183..042bfa37755 100644
--- a/aws/data_source_aws_cloudfront_origin_request_policy.go
+++ b/aws/data_source_aws_cloudfront_origin_request_policy.go
@@ -1,6 +1,8 @@
 package aws
 
 import (
+	"fmt"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cloudfront"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -111,7 +113,7 @@ func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta
 
 	if d.Id() == "" {
 		if err := dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d, conn); err != nil {
-			return err
+			return fmt.Errorf("Unable to find origin request policy by name: %s", err.Error())
 		}
 	}
 
@@ -122,7 +124,7 @@ func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta
 
 		resp, err := conn.GetOriginRequestPolicy(request)
 		if err != nil {
-			return err
+			return fmt.Errorf("Unable to retrieve origin request policy with ID %s: %s", d.Id(), err.Error())
 		}
 		d.Set("etag", aws.StringValue(resp.ETag))
 
diff --git a/aws/data_source_aws_cloudfront_origin_request_policy_test.go b/aws/data_source_aws_cloudfront_origin_request_policy_test.go
index 1ca5a7cc9cc..10b55921ba3 100644
--- a/aws/data_source_aws_cloudfront_origin_request_policy_test.go
+++ b/aws/data_source_aws_cloudfront_origin_request_policy_test.go
@@ -11,6 +11,7 @@ import (
 
 func TestAccAWSCloudFrontDataSourceOriginRequestPolicy_basic(t *testing.T) {
 	rInt := acctest.RandInt()
+	dataSourceName := "data.aws_cloudfront_origin_request_policy.example"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
@@ -20,13 +21,13 @@ func TestAccAWSCloudFrontDataSourceOriginRequestPolicy_basic(t *testing.T) {
 			{
 				Config: testAccAWSCloudFrontDataSourceOriginRequestPolicyConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("data.aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+					resource.TestCheckResourceAttr(dataSourceName, "comment", "test comment"),
+					resource.TestCheckResourceAttr(dataSourceName, "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(dataSourceName, "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr(dataSourceName, "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(dataSourceName, "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr(dataSourceName, "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(dataSourceName, "query_strings_config.0.query_strings.0.items.0", "test"),
 				),
 			},
 		},
diff --git a/aws/resource_aws_cloudfront_origin_request_policy_test.go b/aws/resource_aws_cloudfront_origin_request_policy_test.go
index 1822f324413..e9bf7d1619f 100644
--- a/aws/resource_aws_cloudfront_origin_request_policy_test.go
+++ b/aws/resource_aws_cloudfront_origin_request_policy_test.go
@@ -11,6 +11,7 @@ import (
 
 func TestAccAWSCloudFrontOriginRequestPolicy_basic(t *testing.T) {
 	rInt := acctest.RandInt()
+	resourceName := "aws_cloudfront_origin_request_policy.example"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
@@ -20,13 +21,13 @@ func TestAccAWSCloudFrontOriginRequestPolicy_basic(t *testing.T) {
 			{
 				Config: testAccAWSCloudFrontOriginRequestPolicyConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "comment", "test comment"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_strings.0.items.0", "test"),
 				),
 			},
 			{
@@ -41,6 +42,7 @@ func TestAccAWSCloudFrontOriginRequestPolicy_basic(t *testing.T) {
 
 func TestAccAWSCloudFrontOriginRequestPolicy_update(t *testing.T) {
 	rInt := acctest.RandInt()
+	resourceName := "aws_cloudfront_origin_request_policy.example"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
@@ -50,23 +52,23 @@ func TestAccAWSCloudFrontOriginRequestPolicy_update(t *testing.T) {
 			{
 				Config: testAccAWSCloudFrontOriginRequestPolicyConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.0.items.0", "test"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "whitelist"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "comment", "test comment"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookie_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookies.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.header_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.headers.0.items.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_string_behavior", "whitelist"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_strings.0.items.0", "test"),
 				),
 			},
 			{
 				Config: testAccAWSCloudFrontOriginRequestPolicyConfigUpdate(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment updated"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.0.items.0", "test2"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "none"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.#", "0"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.0.items.0", "test2"),
+					resource.TestCheckResourceAttr(resourceName, "comment", "test comment updated"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookies.0.items.0", "test2"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.header_behavior", "none"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.headers.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_strings.0.items.0", "test2"),
 				),
 			},
 			{
@@ -81,6 +83,7 @@ func TestAccAWSCloudFrontOriginRequestPolicy_update(t *testing.T) {
 
 func TestAccAWSCloudFrontOriginRequestPolicy_noneBehavior(t *testing.T) {
 	rInt := acctest.RandInt()
+	resourceName := "aws_cloudfront_origin_request_policy.example"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(cloudfront.EndpointsID, t) },
@@ -90,13 +93,13 @@ func TestAccAWSCloudFrontOriginRequestPolicy_noneBehavior(t *testing.T) {
 			{
 				Config: testAccAWSCloudFrontOriginRequestPolicyConfigNoneBehavior(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "comment", "test comment"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookie_behavior", "none"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "cookies_config.0.cookies.#", "0"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.header_behavior", "none"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "headers_config.0.headers.#", "0"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_string_behavior", "none"),
-					resource.TestCheckResourceAttr("aws_cloudfront_origin_request_policy.example", "query_strings_config.0.query_strings.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "comment", "test comment"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookie_behavior", "none"),
+					resource.TestCheckResourceAttr(resourceName, "cookies_config.0.cookies.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.header_behavior", "none"),
+					resource.TestCheckResourceAttr(resourceName, "headers_config.0.headers.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_string_behavior", "none"),
+					resource.TestCheckResourceAttr(resourceName, "query_strings_config.0.query_strings.#", "0"),
 				),
 			},
 			{

From c387d87ae71b4abd6d557851a1485b451137be98 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Wed, 3 Feb 2021 17:17:31 -0800
Subject: [PATCH 09/10] Fix data source name lookup behavior

---
 aws/data_source_aws_cloudfront_origin_request_policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws/data_source_aws_cloudfront_origin_request_policy.go b/aws/data_source_aws_cloudfront_origin_request_policy.go
index 042bfa37755..2656c832b0d 100644
--- a/aws/data_source_aws_cloudfront_origin_request_policy.go
+++ b/aws/data_source_aws_cloudfront_origin_request_policy.go
@@ -111,7 +111,7 @@ func dataSourceAwsCloudFrontOriginRequestPolicy() *schema.Resource {
 func dataSourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).cloudfrontconn
 
-	if d.Id() == "" {
+	if d.Get("id").(string) == "" {
 		if err := dataSourceAwsCloudFrontOriginRequestPolicyFindByName(d, conn); err != nil {
 			return fmt.Errorf("Unable to find origin request policy by name: %s", err.Error())
 		}

From 72bab54528e7f7af9c882747d462e57bed5aa951 Mon Sep 17 00:00:00 2001
From: bill-rich <bill.rich@gmail.com>
Date: Thu, 4 Feb 2021 10:05:24 -0800
Subject: [PATCH 10/10] Add IsNewResource check on read

---
 aws/resource_aws_cloudfront_origin_request_policy.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/aws/resource_aws_cloudfront_origin_request_policy.go b/aws/resource_aws_cloudfront_origin_request_policy.go
index a9563b25eb9..0b5b295302a 100644
--- a/aws/resource_aws_cloudfront_origin_request_policy.go
+++ b/aws/resource_aws_cloudfront_origin_request_policy.go
@@ -1,8 +1,11 @@
 package aws
 
 import (
+	"log"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
@@ -144,6 +147,12 @@ func resourceAwsCloudFrontOriginRequestPolicyRead(d *schema.ResourceData, meta i
 	}
 
 	resp, err := conn.GetOriginRequestPolicy(request)
+	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, "ResourceNotFoundException") {
+		log.Printf("[WARN] CloudFront Origin Request Policy (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
 	if err != nil {
 		return err
 	}