Manage CloudFront distributions
New in version 2018.3.0.
Create, update and destroy CloudFront distributions.
This module accepts explicit AWS credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.
If IAM roles are not used, you need to specify credentials explicitly, either in a pillar file or in the minion's config file:

    cloudfront.keyid: GKTADJGHEIQSXMKKRBJ08H
    cloudfront.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

It's also possible to specify region via a profile, either passed in as a dict, or a string to pull from pillars or minion config:

    myprofile:
      keyid: GKTADJGHEIQSXMKKRBJ08H
      key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
      region: us-east-1

    aws:
      region:
        us-east-1:
          profile:
            keyid: GKTADJGHEIQSXMKKRBJ08H
            key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
            region: us-east-1

distribution_absent(name, region=None, key=None, keyid=None, profile=None, **kwargs)
Ensure a distribution with the given Name tag does not exist.
Note that CloudFront does not allow directly deleting an enabled Distribution. If such is requested, Salt will attempt to first update the distribution's status to Disabled, and once that returns success, to then delete the resource. THIS CAN TAKE SOME TIME, so be patient :)
name will be used as a default. The purpose of this parameter is only to resolve it to a Resource ID, so be aware that an explicit value for Id below will override any value provided, or defaulted, here.

    Ensure a distribution named my_distribution is gone:
      boto_cloudfront.distribution_absent:
        - Name: my_distribution

distribution_present(name, region=None, key=None, keyid=None, profile=None, **kwargs)
Ensure the given CloudFront distribution exists in the described state.
The implementation of this function, and all those following, is orthogonal to that of boto_cloudfront.present. Resources created with boto_cloudfront.present will not be correctly managed by this function, as a different method is used to store Salt's state signifier. This function and those following are a suite, designed to work together. As an extra bonus, they correctly process updates of the managed resources, so it is recommended to use them in preference to boto_cloudfront.present.
Note that the semantics of DistributionConfig (below) are rather arcane, and vary wildly depending on whether the distribution already exists or not (e.g. is being initially created, or being updated in place). Many more details can be found here.
name will be used.
Configuration for the distribution.
Quantity element, which simply COUNTS the number of items in the Items element. This is bluntly stupid, so as a convenience, Salt will traverse the provided configuration, and add (or fix) a Quantity element for any Items elements of list-type it encounters. This adds a bit of sanity to an otherwise error-prone situation. Note that for this to work, zero-length lists must be inlined as
get_distribution() API call) is utilized to store the Salt state signifier, which is used to determine resource existence and state. That said, to enable some usability of this field, only the value up to the first colon character is taken as the signifier, with everything afterward free-form, and ignored (but preserved) by Salt.

    plt-dev-spaapi-cf-dist-cf_dist-present:
      boto_cloudfront.distribution_present:
        - Name: plt-dev-spaapi-cf-dist
        - DistributionConfig:
            Comment: SPA
            Logging:
              Enabled: false
              Prefix: ''
              Bucket: ''
              IncludeCookies: false
            WebACLId: ''
            Origins:
              Items:
                - S3OriginConfig:
                    OriginAccessIdentity: the-SPA-OAI
                  OriginPath: ''
                  CustomHeaders:
                    Items: []
                  Id: S3-hs-backend-srpms
                  DomainName: hs-backend-srpms.s3.amazonaws.com
            PriceClass: PriceClass_All
            DefaultRootObject: ''
            Enabled: true
            DefaultCacheBehavior:
              ViewerProtocolPolicy: allow-all
              TrustedSigners:
                Items: []
                Enabled: false
              SmoothStreaming: false
              TargetOriginId: S3-hs-backend-srpms
              FieldLevelEncryptionId: ''
              ForwardedValues:
                Headers:
                  Items: []
                Cookies:
                  Forward: none
                QueryStringCacheKeys:
                  Items: []
                QueryString: false
              MaxTTL: 31536000
              LambdaFunctionAssociations:
                Items: []
              DefaultTTL: 86400
              AllowedMethods:
                CachedMethods:
                  Items:
                    - HEAD
                    - GET
                Items:
                  - HEAD
                  - GET
              MinTTL: 0
              Compress: false
            IsIPV6Enabled: true
            ViewerCertificate:
              CloudFrontDefaultCertificate: true
              MinimumProtocolVersion: TLSv1
              CertificateSource: cloudfront
            Aliases:
              Items:
                - bubba-hotep.bodhi-dev.io
            HttpVersion: http2
        - Tags:
            Owner: dev_engrs

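The Quantity handling described above can be pictured with the following added example. It is not Salt's own code; the function names `fix_quantities` and `uncounted_items` and the trimmed sample are assumptions made for illustration. It also shows why a bare `Items:` is a problem: it loads as None rather than a list, so nothing can be counted.

```python
# Added illustration; Salt's real traversal may differ in detail.

def fix_quantities(node):
    """Return a copy of node where every dict holding a list-typed
    'Items' also carries a 'Quantity' equal to the list length."""
    if isinstance(node, list):
        return [fix_quantities(item) for item in node]
    if not isinstance(node, dict):
        return node
    fixed = {key: fix_quantities(value) for key, value in node.items()}
    if isinstance(fixed.get("Items"), list):
        fixed["Quantity"] = len(fixed["Items"])  # add if missing, fix if wrong
    return fixed


def uncounted_items(node, path="DistributionConfig"):
    """Return paths of 'Items' keys that are not lists. A bare `Items:` in
    YAML loads as None, so no Quantity can be derived for it."""
    found = []
    if isinstance(node, dict):
        if "Items" in node and not isinstance(node["Items"], list):
            found.append(path + ".Items")
        for key, value in node.items():
            found.extend(uncounted_items(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(uncounted_items(value, f"{path}[{index}]"))
    return found


# Constructed sample, trimmed from the state above and loaded as Python data.
SAMPLE = {
    "Origins": {"Items": [{"Id": "S3-hs-backend-srpms",
                           "CustomHeaders": {"Items": []}}]},
    "DefaultCacheBehavior": {
        "AllowedMethods": {"Quantity": 7,            # stale count, gets fixed
                           "Items": ["HEAD", "GET"],
                           "CachedMethods": {"Items": ["HEAD", "GET"]}},
        "TrustedSigners": {"Enabled": False, "Items": None},  # bare `Items:`
    },
}

if __name__ == "__main__":
    fixed = fix_quantities(SAMPLE)
    print(fixed["DefaultCacheBehavior"]["AllowedMethods"]["Quantity"])
    print(uncounted_items(SAMPLE))
```
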
oai_bucket_policy_present(name, Bucket, OAI, Policy, region=None, key=None, keyid=None, profile=None)
Ensure the given policy exists on an S3 bucket, granting access for the given origin access identity to do the things specified in the policy.
Principal clause is not provided in the policy, one will be automatically added, and pointed at the correct value as dereferenced from the OAI provided above. If one IS provided, then this is not done, and you are responsible for providing the correct values.

    my_oai_s3_policy:
      boto_cloudfront.oai_bucket_policy_present:
        - Bucket: the_bucket_for_my_distribution
        - OAI: the_OAI_I_just_created_and_attached_to_my_distribution
        - Policy:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::the_bucket_for_my_distribution/*

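The Principal behaviour described above, as an added example that is not Salt's code: a statement without a Principal is pointed at the OAI, and a statement that brings its own is left untouched but checked, since its correctness is then the operator's responsibility. Assumptions: the check is applied per statement, the Principal uses the ARN form AWS documents for OAIs, and `add_oai_principal`, `OAI_ID` and the second statement are hypothetical names and constructed data.

```python
import copy

# Principal form AWS documents for an OAI; assumed here, the page does not
# say which form Salt writes.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def add_oai_principal(policy, oai_id):
    """Return (policy_copy, warnings). A statement with no Principal is
    pointed at the OAI; a statement that has one is kept and only checked."""
    oai_arn = OAI_ARN_PREFIX + oai_id
    result = copy.deepcopy(policy)
    statements = result.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement
        statements = result["Statement"] = [statements]
    warnings = []
    for index, stmt in enumerate(statements):
        if "Principal" not in stmt:
            stmt["Principal"] = {"AWS": oai_arn}
            continue
        principal = stmt["Principal"]
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if "*" in values and stmt.get("Effect") == "Allow":
            warnings.append(f"Statement[{index}]: wildcard Principal, "
                            "access is not limited to the OAI")
        elif oai_arn not in values:
            warnings.append(f"Statement[{index}]: Principal does not name "
                            f"OAI {oai_id}, review it")
    return result, warnings


# Constructed input: the first statement is the page's policy, the second is
# a hand-written statement that already carries a Principal.
OAI_ID = "E2EXAMPLEOAIID"  # constructed placeholder, not a real identity
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::the_bucket_for_my_distribution/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::the_bucket_for_my_distribution/public/*"},
    ],
}

if __name__ == "__main__":
    patched, notes = add_oai_principal(POLICY, OAI_ID)
    print(patched["Statement"][0]["Principal"], notes)
```
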
origin_access_identity_absent(name, region=None, key=None, keyid=None, profile=None, **kwargs)
Ensure a given CloudFront Origin Access Identity is absent.
name will be used.

    Ensure an origin access identity named my_OAI is gone:
      boto_cloudfront.origin_access_identity_absent:
        - Name: my_OAI

origin_access_identity_present(name, region=None, key=None, keyid=None, profile=None, **kwargs)
Ensure a given CloudFront Origin Access Identity exists.
Due to the unavailability of ANY other way to store stateful idempotency information about Origin Access Identities (including resource tags), the Comment attribute (as the only user-settable attribute without weird self-blocking semantics) is necessarily utilized to store the Salt state signifier, which is used to determine resource existence and state. That said, to enable SOME usability of this field, only the value up to the first colon character is taken as the signifier, while anything afterward is free-form and ignored by Salt.

    my_OAI:
      boto_cloudfront.origin_access_identity_present:
        - Comment: Simply ensures an OAI named my_OAI exists

present(name, config, tags, region=None, key=None, keyid=None, profile=None)
Ensure the CloudFront distribution is present.

    Manage my_distribution CloudFront distribution:
      boto_cloudfront.present:
        - name: my_distribution
        - config:
            Comment: 'partial config shown, most parameters elided'
            Enabled: True
        - tags:
            testing_key: testing_value

route53_alias_present(name, region=None, key=None, keyid=None, profile=None, **kwargs)
Ensure a Route53 Alias exists and is pointing at the given CloudFront
A record is always created, and if IPV6 is enabled on the given distribution, an AAAA record will be created as well. Also be aware that Alias records for CloudFront distributions are only permitted in
name if not provided.
A Route53 Record Set (with AliasTarget section, suitable for use as an Alias record, if non-default settings are needed on the Alias) which should be pointed at the provided CloudFront distribution. Note that this MUST correlate with the Aliases set within the DistributionConfig section of the distribution.
Some notes specifically about the AliasTarget subsection of the
DNSName sub-field will be populated by dereferencing Distribution above to the value of its
Lastly, note that if you set name to the desired ResourceRecordSet Name, you can entirely omit this parameter, as shown in the second

    Add a Route53 Alias for my_distribution:
      boto_cloudfront.route53_alias_present:
        - Distribution: my_distribution
        - DomainName: saltstack.org.
        - ResourceRecordSet:
            Name: the-alias.saltstack.org.

    # This is even simpler - it uses the value of `name` for ResourceRecordSet.Name
    another-alias.saltstack.org.:
      boto_cloudfront.route53_alias_present:
        - Distribution: my_distribution
        - DomainName: saltstack.org.