community.aws.cloudfront_distribution – Create, update and delete AWS CloudFront distributions.¶
Note
This plugin is part of the community.aws collection (version 1.4.0).
To install it use: ansible-galaxy collection install community.aws
.
To use it in a playbook, specify: community.aws.cloudfront_distribution
.
New in version 1.0.0: of community.aws
Requirements¶
The below requirements are needed on the host that executes this module.
boto
boto3 >= 1.0.0
python >= 2.6
Parameters¶
Parameter | Choices/Defaults | Comments | |||
---|---|---|---|---|---|
alias
string
|
The name of an alias (CNAME) that is used in a distribution. This is used to effectively reference a distribution by its alias as an alias can only be used by one distribution per AWS account. This variable avoids having to provide the distribution_id as well as the e_tag, or caller_reference of an existing distribution.
|
||||
aliases
list
/ elements=string
|
A list of domain name aliases (CNAMEs) as strings to be used for the distribution.
Each alias must be unique across all distribution for the AWS account.
|
||||
aws_access_key
string
|
AWS access key. If not set then the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used.
If profile is set this parameter is ignored.
Passing the aws_access_key and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
aliases: ec2_access_key, access_key |
||||
aws_ca_bundle
path
|
The location of a CA Bundle to use when validating SSL certificates.
Only used for boto3 based modules.
Note: The CA Bundle is read 'module' side and may need to be explicitly copied from the controller if not run locally.
|
||||
aws_config
dictionary
|
A dictionary to modify the botocore configuration.
Parameters can be found at https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config.
Only the 'user_agent' key is used for boto modules. See http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto for more boto configuration.
|
||||
aws_secret_key
string
|
AWS secret key. If not set then the value of the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variable is used.
If profile is set this parameter is ignored.
Passing the aws_secret_key and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
aliases: ec2_secret_key, secret_key |
||||
cache_behaviors
list
/ elements=dictionary
|
A list of dictionaries describing the cache behaviors for the distribution.
The order of the list is preserved across runs unless purge_cache_behaviors is enabled.
|
||||
forwarded_values
dictionary
|
A dict that specifies how CloudFront handles query strings and cookies.
|
||||
allowed_methods
dictionary
|
A dict that controls which HTTP methods CloudFront processes and forwards.
|
||||
cached_methods
list
/ elements=string
|
A list of HTTP methods that you want CloudFront to apply caching to.
This can either be
[GET,HEAD] , or [GET,HEAD,OPTIONS] . |
||||
items
list
/ elements=string
|
A list of HTTP methods that you want CloudFront to process and forward.
|
||||
compress
boolean
|
|
Whether you want CloudFront to automatically compress files.
|
|||
cookies
dictionary
|
A dict that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones.
|
||||
forward
string
|
Specifies which cookies to forward to the origin for this cache behavior.
Valid values are
all , none , or whitelist . |
||||
whitelisted_names
list
/ elements=string
|
A list of cookies to forward to the origin for this cache behavior.
|
||||
default_ttl
integer
|
The default amount of time that you want objects to stay in CloudFront caches.
|
||||
field_level_encryption_id
string
|
The field-level encryption configuration that you want CloudFront to use for encrypting specific fields of data.
|
||||
headers
list
/ elements=string
|
A list of headers to forward to the origin for this cache behavior.
To forward all headers use a list containing a single element '*' (
['*'] ) |
||||
lambda_function_associations
list
/ elements=dictionary
|
A list of Lambda function associations to use for this cache behavior.
|
||||
event_type
string
|
Specifies the event type that triggers a Lambda function invocation.
This can be
viewer-request , origin-request , origin-response or viewer-response . |
||||
lambda_function_arn
string
|
The ARN of the Lambda function.
|
||||
max_ttl
integer
|
The maximum amount of time that you want objects to stay in CloudFront caches.
|
||||
min_ttl
integer
|
The minimum amount of time that you want objects to stay in CloudFront caches.
|
||||
query_string
boolean
|
|
Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior.
|
|||
query_string_cache_keys
list
/ elements=string
|
A list that contains the query string parameters you want CloudFront to use as a basis for caching for a cache behavior.
|
||||
smooth_streaming
boolean
|
|
Whether you want to distribute media files in the Microsoft Smooth Streaming format.
|
|||
trusted_signers
dictionary
|
A dict that specifies the AWS accounts that you want to allow to create signed URLs for private content.
|
||||
enabled
boolean
|
|
Whether you want to require viewers to use signed URLs to access the files specified by path_pattern and target_origin_id
|
|||
items
list
/ elements=string
|
A list of trusted signers for this cache behavior.
|
||||
viewer_protocol_policy
string
|
The protocol that viewers can use to access the files in the origin specified by target_origin_id when a request matches path_pattern.
Valid values are
allow-all , redirect-to-https and https-only . |
||||
path_pattern
string
|
The pattern that specifies which requests to apply the behavior to.
|
||||
target_origin_id
string
|
The ID of the origin that you want CloudFront to route requests to by default.
|
||||
caller_reference
string
|
A unique identifier for creating and updating CloudFront distributions.
Each caller reference must be unique across all distributions. e.g. a caller reference used in a web distribution cannot be reused in a streaming distribution. This parameter can be used instead of distribution_id to reference an existing distribution. If not specified, this defaults to a datetime stamp of the format
YYYY-MM-DDTHH:MM:SS.ffffff . |
||||
comment
string
|
A comment that describes the CloudFront distribution.
If not specified, it defaults to a generic message that it has been created with Ansible, and a datetime stamp.
|
||||
custom_error_responses
list
/ elements=dictionary
|
A config element that is a list[] of complex custom error responses to be specified for the distribution.
This attribute configures custom http error messages returned to the user.
|
||||
error_caching_min_ttl
integer
|
The length of time (in seconds) that CloudFront will cache status codes for.
|
||||
error_code
integer
|
The error code the custom error page is for.
|
||||
response_code
integer
|
The HTTP status code that CloudFront should return to a user when the origin returns the HTTP status code specified by error_code.
|
||||
response_page_path
string
|
The path to the custom error page that you want CloudFront to return to a viewer when your origin returns the HTTP status code specified by error_code.
|
||||
debug_botocore_endpoint_logs
boolean
|
|
Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputing the set to the resource_actions key in the task results. Use the aws_resource_action callback to output to total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
|
|||
default_cache_behavior
dictionary
|
A dict specifying the default cache behavior of the distribution.
If not specified, the target_origin_id is defined as the target_origin_id of the first valid cache_behavior in cache_behaviors with defaults.
|
||||
forwarded_values
dictionary
|
A dict that specifies how CloudFront handles query strings and cookies.
|
||||
allowed_methods
dictionary
|
A dict that controls which HTTP methods CloudFront processes and forwards.
|
||||
cached_methods
list
/ elements=string
|
A list of HTTP methods that you want CloudFront to apply caching to.
This can either be
[GET,HEAD] , or [GET,HEAD,OPTIONS] . |
||||
items
list
/ elements=string
|
A list of HTTP methods that you want CloudFront to process and forward.
|
||||
compress
boolean
|
|
Whether you want CloudFront to automatically compress files.
|
|||
cookies
dictionary
|
A dict that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones.
|
||||
forward
string
|
Specifies which cookies to forward to the origin for this cache behavior.
Valid values are
all , none , or whitelist . |
||||
whitelisted_names
list
/ elements=string
|
A list of cookies to forward to the origin for this cache behavior.
|
||||
default_ttl
integer
|
The default amount of time that you want objects to stay in CloudFront caches.
|
||||
field_level_encryption_id
string
|
The field-level encryption configuration that you want CloudFront to use for encrypting specific fields of data.
|
||||
headers
list
/ elements=string
|
A list of headers to forward to the origin for this cache behavior.
To forward all headers use a list containing a single element '*' (
['*'] ) |
||||
lambda_function_associations
list
/ elements=dictionary
|
A list of Lambda function associations to use for this cache behavior.
|
||||
event_type
string
|
Specifies the event type that triggers a Lambda function invocation.
This can be
viewer-request , origin-request , origin-response or viewer-response . |
||||
lambda_function_arn
string
|
The ARN of the Lambda function.
|
||||
max_ttl
integer
|
The maximum amount of time that you want objects to stay in CloudFront caches.
|
||||
min_ttl
integer
|
The minimum amount of time that you want objects to stay in CloudFront caches.
|
||||
query_string
boolean
|
|
Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior.
|
|||
query_string_cache_keys
list
/ elements=string
|
A list that contains the query string parameters you want CloudFront to use as a basis for caching for a cache behavior.
|
||||
smooth_streaming
boolean
|
|
Whether you want to distribute media files in the Microsoft Smooth Streaming format.
|
|||
trusted_signers
dictionary
|
A dict that specifies the AWS accounts that you want to allow to create signed URLs for private content.
|
||||
enabled
boolean
|
|
Whether you want to require viewers to use signed URLs to access the files specified by target_origin_id
|
|||
items
list
/ elements=string
|
A list of trusted signers for this cache behavior.
|
||||
viewer_protocol_policy
string
|
The protocol that viewers can use to access the files in the origin specified by target_origin_id.
Valid values are
allow-all , redirect-to-https and https-only . |
||||
target_origin_id
string
|
The ID of the origin that you want CloudFront to route requests to by default.
|
||||
default_origin_domain_name
string
|
The domain name to use for an origin if no origins have been specified.
Should only be used on a first run of generating a distribution and not on subsequent runs.
Should not be used in conjunction with distribution_id, caller_reference or alias.
|
||||
default_origin_path
string
|
The default origin path to specify for an origin if no origins have been specified. Defaults to empty if not specified.
|
||||
default_root_object
string
|
A config element that specifies the path to request when the user requests the origin.
e.g. if specified as 'index.html', this maps to www.example.com/index.html when www.example.com is called by the user.
This prevents the entire distribution origin from being exposed at the root.
|
||||
distribution_id
string
|
The ID of the CloudFront distribution.
This parameter can be exchanged with alias or caller_reference and is used in conjunction with e_tag.
|
||||
e_tag
string
|
A unique identifier of a modified or existing distribution. Used in conjunction with distribution_id.
Is determined automatically if not specified.
|
||||
ec2_url
string
|
Url to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.
aliases: aws_endpoint_url, endpoint_url |
||||
enabled
boolean
|
|
A boolean value that specifies whether the distribution is enabled or disabled.
Defaults to
false . |
|||
http_version
string
|
The version of the http protocol to use for the distribution.
AWS defaults this to
http2 .Valid values are
http1.1 and http2 . |
||||
ipv6_enabled
boolean
|
|
Determines whether IPv6 support is enabled or not.
Defaults to
false . |
|||
logging
dictionary
|
A config element that is a complex object that defines logging for the distribution.
|
||||
bucket
string
|
The S3 bucket to store the log in.
|
||||
enabled
boolean
|
|
When enabled=true CloudFront will log access to an S3 bucket.
|
|||
include_cookies
boolean
|
|
When include_cookies=true CloudFront will include cookies in the logs.
|
|||
prefix
string
|
A prefix to include in the S3 object names.
|
||||
origins
list
/ elements=dictionary
|
A config element that is a list of complex origin objects to be specified for the distribution. Used for creating and updating distributions.
|
||||
custom_headers
list
/ elements=dictionary
|
Custom headers you wish to add to the request before passing it to the origin.
For more information see the CloudFront documentation at https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html.
|
||||
header_name
string
|
The name of a header that you want CloudFront to forward to your origin.
|
||||
header_value
string
|
The value for the header that you specified in the header_name field.
|
||||
custom_origin_config
dictionary
|
Connection information about the origin.
|
||||
http_port
integer
|
The HTTP port the custom origin listens on.
|
||||
https_port
integer
|
The HTTPS port the custom origin listens on.
|
||||
origin_keepalive_timeout
integer
|
A keep-alive timeout (in seconds).
|
||||
origin_protocol_policy
string
|
The origin protocol policy to apply to your origin.
|
||||
origin_read_timeout
integer
|
A timeout (in seconds) when reading from your origin.
|
||||
origin_ssl_protocols
list
/ elements=string
|
A list of SSL/TLS protocols that you want CloudFront to use when communicating to the origin over HTTPS.
|
||||
domain_name
string
|
The domain name which CloudFront will query as the origin.
For more information see the CloudFront documentation at https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesDomainName
|
||||
id
string
|
A unique identifier for the origin or origin group. id must be unique within the distribution.
|
||||
origin_path
string
|
Tells CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin.
|
||||
s3_origin_access_identity_enabled
boolean
|
|
Use an origin access identity to configure the origin so that viewers can only access objects in an Amazon S3 bucket through CloudFront.
Will automatically create an Identity for you.
|
|||
price_class
string
|
A string that specifies the pricing class of the distribution. As per https://aws.amazon.com/cloudfront/pricing/
price_class=PriceClass_100 consists of the areas United States, Canada and Europe.
price_class=PriceClass_200 consists of the areas United States, Canada, Europe, Japan, India, Hong Kong, Philippines, S. Korea, Singapore & Taiwan.
price_class=PriceClass_All consists of the areas United States, Canada, Europe, Japan, India, South America, Australia, Hong Kong, Philippines, S. Korea, Singapore & Taiwan.
AWS defaults this to
PriceClass_All .Valid values are
PriceClass_100 , PriceClass_200 and PriceClass_All |
||||
profile
string
|
Uses a boto profile. Only works with boto >= 2.24.0.
Using profile will override aws_access_key, aws_secret_key and security_token and support for passing them at the same time as profile has been deprecated.
aws_access_key, aws_secret_key and security_token will be made mutually exclusive with profile after 2022-06-01.
aliases: aws_profile |
||||
purge_aliases
boolean
|
|
Specifies whether existing aliases will be removed before adding new aliases.
When purge_aliases=yes, existing aliases are removed and aliases are added.
|
|||
purge_cache_behaviors
boolean
|
|
Whether to remove any cache behaviors that aren't listed in cache_behaviors.
This switch also allows the reordering of cache_behaviors.
|
|||
purge_custom_error_responses
boolean
|
|
Whether to remove any custom error responses that aren't listed in custom_error_responses.
|
|||
purge_origins
boolean
|
|
Whether to remove any origins that aren't listed in origins.
|
|||
purge_tags
boolean
|
|
Specifies whether existing tags will be removed before adding new tags.
When purge_tags=yes, existing tags are removed and tags are added, if specified. If no tags are specified, it removes all existing tags for the distribution.
When purge_tags=no, existing tags are kept and tags are added, if specified.
|
|||
region
string
|
The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
aliases: aws_region, ec2_region |
||||
restrictions
dictionary
|
A config element that is a complex object that describes how a distribution should restrict it's content.
|
||||
geo_restriction
dictionary
|
Apply a restriction based on the location of the requester.
|
||||
items
list
/ elements=string
|
A list of ISO 3166-1 two letter (Alpha 2) country codes that the restriction should apply to.
See the ISO website for a full list of codes https://www.iso.org/obp/ui/#search/code/.
|
||||
restriction_type
string
|
The method that you want to use to restrict distribution of your content by country.
Valid values are
none , whitelist , blacklist . |
||||
security_token
string
|
AWS STS security token. If not set then the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used.
If profile is set this parameter is ignored.
Passing the security_token and profile options at the same time has been deprecated and the options will be made mutually exclusive after 2022-06-01.
aliases: aws_security_token, access_token |
||||
state
string
|
|
The desired state of the distribution.
state=present creates a new distribution or updates an existing distribution.
state=absent deletes an existing distribution.
|
|||
tags
dictionary
|
Should be input as a dict of key-value pairs.
Note that numeric keys or values must be wrapped in quotes. e.g.
Priority: '1' |
||||
validate_certs
boolean
|
|
When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
|
|||
viewer_certificate
dictionary
|
A dict that specifies the encryption details of the distribution.
|
||||
acm_certificate_arn
string
|
The ID of a certificate stored in ACM to use for HTTPS connections.
If acm_certificate_id is set then you must also specify ssl_support_method.
|
||||
cloudfront_default_certificate
boolean
|
|
If you're using the CloudFront domain name for your distribution, such as
123456789abcde.cloudfront.net you should set cloudfront_default_certificate=true.If cloudfront_default_certificate=true do not set ssl_support_method.
|
|||
iam_certificate_id
string
|
The ID of a certificate stored in IAM to use for HTTPS connections.
If iam_certificate_id is set then you must also specify ssl_support_method.
|
||||
minimum_protocol_version
string
|
The security policy that you want CloudFront to use for HTTPS connections.
See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html for supported security policies.
|
||||
ssl_support_method
string
|
How CloudFront should serve SSL certificates.
Valid values are
sni-only for SNI, and vip if CloudFront is configured to use a dedicated IP for your content. |
||||
wait
boolean
|
|
Specifies whether the module waits until the distribution has completed processing the creation or update.
|
|||
wait_timeout
integer
|
Default: 1800
|
Specifies the duration in seconds to wait for a timeout of a cloudfront create or update.
|
|||
web_acl_id
string
|
The ID of a Web Application Firewall (WAF) Access Control List (ACL).
|
Notes¶
Note
If parameters are not set within the module, the following environment variables can be used in decreasing order of precedence
AWS_URL
orEC2_URL
,AWS_PROFILE
orAWS_DEFAULT_PROFILE
,AWS_ACCESS_KEY_ID
orAWS_ACCESS_KEY
orEC2_ACCESS_KEY
,AWS_SECRET_ACCESS_KEY
orAWS_SECRET_KEY
orEC2_SECRET_KEY
,AWS_SECURITY_TOKEN
orEC2_SECURITY_TOKEN
,AWS_REGION
orEC2_REGION
,AWS_CA_BUNDLE
Ansible uses the boto configuration file (typically ~/.boto) if no credentials are provided. See https://boto.readthedocs.io/en/latest/boto_config_tut.html
AWS_REGION
orEC2_REGION
can be typically be used to specify the AWS region, when required, but this can also be configured in the boto config file
Examples¶
- name: create a basic distribution with defaults and tags
community.aws.cloudfront_distribution:
state: present
default_origin_domain_name: www.my-cloudfront-origin.com
tags:
Name: example distribution
Project: example project
Priority: '1'
- name: update a distribution comment by distribution_id
community.aws.cloudfront_distribution:
state: present
distribution_id: E1RP5A2MJ8073O
comment: modified by ansible cloudfront.py
- name: update a distribution comment by caller_reference
community.aws.cloudfront_distribution:
state: present
caller_reference: my cloudfront distribution 001
comment: modified by ansible cloudfront.py
- name: update a distribution's aliases and comment using the distribution_id as a reference
community.aws.cloudfront_distribution:
state: present
distribution_id: E1RP5A2MJ8073O
comment: modified by cloudfront.py again
aliases: [ 'www.my-distribution-source.com', 'zzz.aaa.io' ]
- name: update a distribution's aliases and comment using an alias as a reference
community.aws.cloudfront_distribution:
state: present
caller_reference: my test distribution
comment: modified by cloudfront.py again
aliases:
- www.my-distribution-source.com
- zzz.aaa.io
- name: update a distribution's comment and aliases and tags and remove existing tags
community.aws.cloudfront_distribution:
state: present
distribution_id: E15BU8SDCGSG57
comment: modified by cloudfront.py again
aliases:
- tested.com
tags:
Project: distribution 1.2
purge_tags: yes
- name: create a distribution with an origin, logging and default cache behavior
community.aws.cloudfront_distribution:
state: present
caller_reference: unique test distribution ID
origins:
- id: 'my test origin-000111'
domain_name: www.example.com
origin_path: /production
custom_headers:
- header_name: MyCustomHeaderName
header_value: MyCustomHeaderValue
default_cache_behavior:
target_origin_id: 'my test origin-000111'
forwarded_values:
query_string: true
cookies:
forward: all
headers:
- '*'
viewer_protocol_policy: allow-all
smooth_streaming: true
compress: true
allowed_methods:
items:
- GET
- HEAD
cached_methods:
- GET
- HEAD
logging:
enabled: true
include_cookies: false
bucket: mylogbucket.s3.amazonaws.com
prefix: myprefix/
enabled: false
comment: this is a CloudFront distribution with logging
- name: delete a distribution
community.aws.cloudfront_distribution:
state: absent
caller_reference: replaceable distribution
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Authors¶
Willem van Ketwich (@wilvk)
Will Thames (@willthames)