How do I resolve the "One or more of your origins or origin groups do not exist" error in AWS CloudFormation?

Short description

This error occurs when the TargetOriginId property of CacheBehavior or DefaultCacheBehavior doesn't match a CloudFront origin or origin group ID. This ID is a user-defined string that uniquely identifies an origin or origin group. You must define the origin group in the template, and manage your resources through CloudFormation.

Tip: It's a best practice to avoid making changes to stack resources outside of CloudFormation. This can create a mismatch between your stack's template and the current state of your stack resources. When you update or delete the stack, the mismatch can cause errors.

Resolution

1.    Confirm that the TargetOriginId matches the ID of one of the defined origins or origin groups. Enter the correct origin ID as a parameter for DefaultCacheBehavior or CacheBehavior.

In the following example JSON and YAML template snippets, DefaultCacheBehavior defines and consumes a CloudFront distribution with a single origin. Also, the origin uses an origin access identity (OAI) for authentication. In the examples, the origin ID is set to my-s3-origin.

JSON:

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00.000Z",
  "Resources": {
    "cloudfrontdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "DefaultCacheBehavior": {
            "ViewerProtocolPolicy": "https-only",
            "DefaultTTL": 3600,
            "ForwardedValues": {
              "Cookies": {
                "Forward": "none"
              },
              "QueryString": true
            },
            "TargetOriginId": "my-s3-origin"
          },
          "Enabled": true,
          "Origins": [
            {
              "DomainName": "my-s3-bucket.s3.amazonaws.com",
              "Id": "my-s3-origin",
              "S3OriginConfig": {
                "OriginAccessIdentity": {
                  "Fn::Sub": "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
                }
              },
              "OriginPath": "/my-content"
            }
          ]
        }
      }
    },
    "CloudFrontOriginAccessIdentity": {
      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
      "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {
          "Comment": {
            "Ref": "AWS::StackName"
          }
        }
      }
    }
  }
}

Note: Replace my-s3-origin with your origin ID, my-s3-bucket.s3.amazonaws.com with your domain name, and /my-content with your origin path.

YAML:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ViewerProtocolPolicy: https-only
          DefaultTTL: 3600
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: true
          TargetOriginId: my-s3-origin
        Enabled: true
        Origins:
          - DomainName: 'my-s3-bucket.s3.amazonaws.com'
            Id: my-s3-origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
            OriginPath: /my-content
          
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub ${AWS::StackName}

2.    Test your CloudFront distribution to verify that your CloudFormation stack is created or updated.

Related information

Using various origins with CloudFront distributions

Creating a stack on the AWS CloudFormation console

AWS CloudFormation best practices