cloudfront_distribution: Always add field_level_encryption_id to cache behaviour (#61271)

* cloudfront_distribution: (integration tests) Migrate to using module_defaults * cloudfront_distribution: (integration tests) Use the ID rather than the alias Using aliases requires providing a valid SSL certificate, as such we're not longer able to test using an arbitrary hostname * cloudfront_distribution: (integration tests) Make sure we delete the test s3 bucket when tests fail * cloudfront_distribution: field_level_encryption_id is now a mandatory field always add it Setting the field to an empty string has the same effect as the original behaviour. * Copy & Paste fixup Co-Authored-By: Jill R <4121322+jillr@users.noreply.github.com> Co-authored-by: Jill R <4121322+jillr@users.noreply.github.com>
4 years ago · 3aae025cce
parent 052e8b7be4
commit 3aae025cce
4 changed files with 64 additions and 65 deletions
--- a/changelogs/fragments/61271-cloudfront_distribution-encryptionid.yml
+++ b/changelogs/fragments/61271-cloudfront_distribution-encryptionid.yml
@ -0,0 +1,2 @@
+bugfixes:
+- cloudfront_distribution - Always add field_level_encryption_id to cache behaviour to match AWS requirements
--- a/lib/ansible/modules/cloud/amazon/cloudfront_distribution.py
+++ b/lib/ansible/modules/cloud/amazon/cloudfront_distribution.py
@ -1859,11 +1859,12 @@ class CloudFrontValidationManager(object):
            self.module.fail_json_aws(e, msg="Error validating lambda function associations")

    def validate_field_level_encryption_id(self, config, field_level_encryption_id, cache_behavior):
-        # only set field_level_encryption_id if it's already set or if it was passed
        if field_level_encryption_id is not None:
            cache_behavior['field_level_encryption_id'] = field_level_encryption_id
        elif 'field_level_encryption_id' in config:
            cache_behavior['field_level_encryption_id'] = config.get('field_level_encryption_id')
+        else:
+            cache_behavior['field_level_encryption_id'] = ""
        return cache_behavior

    def validate_allowed_methods(self, config, allowed_methods, cache_behavior):
--- a/test/integration/targets/cloudfront_distribution/defaults/main.yml
+++ b/test/integration/targets/cloudfront_distribution/defaults/main.yml
@ -1,6 +1,14 @@
 cloudfront_hostname: "{{ resource_prefix }}01"
+
 # Use a domain that has a wildcard DNS
-cloudfront_alias: "{{ cloudfront_hostname }}.github.io"
+# Using an alias requires also having an SSL cert...
+#cloudfront_alias: "{{ cloudfront_hostname }}.github.io"
+#cloudfront_viewer_cert:
+#  acm_certificate_arn: ...
+#  certificate: ...
+#  certificate_source: ...
+#  minimum_protocol_version: ...
+#  ssl_support_method: ...

 cloudfront_test_cache_behaviors:
  - path_pattern: /test/path
--- a/test/integration/targets/cloudfront_distribution/tasks/main.yml
+++ b/test/integration/targets/cloudfront_distribution/tasks/main.yml
@ -1,15 +1,15 @@
- block:
-  - name: set yaml anchor
-    set_fact:
-      aws_connection_info: &aws_connection_info
-        aws_access_key: "{{ aws_access_key }}"
-        aws_secret_key: "{{ aws_secret_key }}"
-        security_token: "{{ security_token }}"
-    no_log: yes
+- module_defaults:
+    group/aws:
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token | default(omit) }}"
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias | default(omit) }}"
+      viewer_certificate: "{{ cloudfront_viewer_cert | default(omit) }}"
+  block:

  - name: create cloudfront distribution using defaults
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
      origins:
      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
        id: "{{ cloudfront_hostname }}-origin.example.com"
@ -17,15 +17,17 @@
        target_origin_id: "{{ cloudfront_hostname }}-origin.example.com"
      state: present
      purge_origins: yes
-      <<: *aws_connection_info
+    register: cf_distribution
+
+  - set_fact:
+      distribution_id: '{{ cf_distribution.id }}'

  - name: re-run cloudfront distribution with same defaults
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
      state: present
-      <<: *aws_connection_info
    register: cf_dist_no_update

  - name: ensure distribution was not updated
@ -35,10 +37,9 @@

  - name: re-run cloudfront distribution using distribution id
    cloudfront_distribution:
-      distribution_id: "{{ cf_dist_no_update.id }}"
+      distribution_id: "{{ distribution_id }}"
      purge_origins: no
      state: present
-      <<: *aws_connection_info
    register: cf_dist_with_id

  - name: ensure distribution was not updated
@ -48,13 +49,12 @@

  - name: update origin http port
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
        custom_origin_config:
          http_port: 8080
      state: present
-      <<: *aws_connection_info
    register: update_origin_http_port

  - name: ensure http port was updated
@ -64,14 +64,13 @@

  - name: update restrictions
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      restrictions:
        geo_restriction:
          restriction_type: "whitelist"
          items:
            - "US"
      state: present
-      <<: *aws_connection_info
    register: update_restrictions

  - name: ensure restrictions was updated
@ -85,10 +84,9 @@

  - name: update comment
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      comment: "{{ comment }}"
      state: present
-      <<: *aws_connection_info
    register: cf_comment

  - name: ensure comment was updated
@ -99,14 +97,13 @@

  - name: create second origin
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
        id: "{{ resource_prefix }}2.example.com"
      default_root_object: index.html
      state: present
      wait: yes
-      <<: *aws_connection_info
    register: cf_add_origin

  - name: ensure origin was added
@ -118,7 +115,7 @@

  - name: re-run second origin
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
        custom_origin_config:
@ -127,7 +124,6 @@
      default_root_object: index.html
      wait: yes
      state: present
-      <<: *aws_connection_info
    register: cf_rerun_second_origin

  - name: ensure nothing changed after re-run
@ -138,14 +134,13 @@

  - name: run with origins in reverse order
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
        custom_origin_config:
          http_port: 8080
      state: present
-      <<: *aws_connection_info
    register: cf_rerun_second_origin_reversed

  - name: ensure nothing changed after reversed re-run
@ -157,14 +152,13 @@

  - name: purge first origin
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      default_cache_behavior:
        target_origin_id: "{{ resource_prefix }}2.example.com"
      purge_origins: yes
      state: present
-      <<: *aws_connection_info
    register: cf_purge_origin

  - name: ensure origin was removed
@ -175,12 +169,11 @@

  - name: update default_root_object of existing distribution
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      default_root_object: index.php
      state: present
-      <<: *aws_connection_info
    register: cf_update_default_root_object

  - name: ensure origin was updated
@ -191,15 +184,14 @@

  - name: add tags to existing distribution
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      tags:
-        Name: "{{ cloudfront_alias }}"
+        ATag: tag1
        Another: tag
      default_root_object: index.php
      state: present
-      <<: *aws_connection_info
    register: cf_add_tags

  - name: ensure tags were added
@ -210,61 +202,61 @@

  - name: delete distribution
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      enabled: no
      wait: yes
      state: absent
-      <<: *aws_connection_info

  - name: create distribution with tags
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
        id: "{{ resource_prefix }}2.example.com"
      tags:
-        Name: "{{ cloudfront_alias }}"
+        ATag: tag1
        Another: tag
      state: present
-      <<: *aws_connection_info
    register: cf_second_distribution

+  - set_fact:
+      distribution_id: '{{ cf_second_distribution.id }}'
+
  - name: ensure tags were set on creation
    assert:
      that:
        - cf_second_distribution.changed
        - cf_second_distribution.tags|length == 2
-        - "'Name' in cf_second_distribution.tags"
+        - "'ATag' in cf_second_distribution.tags"
+        - "'Another' in cf_second_distribution.tags"

  - name: re-run create distribution with same tags and purge_tags
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
        id: "{{ resource_prefix }}2.example.com"
      tags:
-        Name: "{{ cloudfront_alias }}"
+        ATag: tag1
        Another: tag
      purge_tags: yes
      state: present
-      <<: *aws_connection_info
    register: rerun_with_purge_tags

  - name: ensure that re-running didn't change
    assert:
      that:
        - not rerun_with_purge_tags.changed
+        - rerun_with_purge_tags.tags|length == 2

  - name: add new tag to distribution
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      tags:
        Third: thing
      purge_tags: no
      state: present
-      <<: *aws_connection_info
    register: update_with_new_tag

  - name: ensure tags are correct
@ -273,25 +265,25 @@
        - update_with_new_tag.changed
        - "'Third' in update_with_new_tag.tags"
        - "'Another' in update_with_new_tag.tags"
+        - "'Atag' in update_with_new_tag.tags"
+        - update_with_new_tag.tags|length == 3

  - name: create some cache behaviors
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      cache_behaviors: "{{ cloudfront_test_cache_behaviors }}"
      state: present
-      <<: *aws_connection_info
    register: add_cache_behaviors

  - name: reverse some cache behaviors
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
      state: present
-      <<: *aws_connection_info
    register: reverse_cache_behaviors

  - name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
@ -302,13 +294,12 @@

  - name: reverse some cache behaviors properly
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}2.example.com"
      cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
      purge_cache_behaviors: yes
      state: present
-      <<: *aws_connection_info
    register: reverse_cache_behaviors_with_purge

  - name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
@ -319,13 +310,12 @@

  - name: update origin that changes target id (failure expected)
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}3.example.com"
        id: "{{ resource_prefix }}3.example.com"
      purge_origins: yes
      state: present
-      <<: *aws_connection_info
    register: remove_origin_in_use
    ignore_errors: yes

@ -338,7 +328,6 @@
  # not clear whether to hope they fix or prevent this issue from happening
  #- name: update origin and update cache behavior to point to new origin
  #  cloudfront_distribution:
-  #    alias: "{{ cloudfront_alias }}"
  #    origins:
  #    - domain_name: "{{ resource_prefix }}3.example.com"
  #      id: "{{ resource_prefix }}3.example.com"
@ -360,17 +349,15 @@
    aws_s3:
      bucket: "{{ resource_prefix }}-bucket"
      mode: create
-      <<: *aws_connection_info

  - name: update origin to point to the s3 bucket
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}-bucket.s3.amazonaws.com"
        id: "{{ resource_prefix }}3.example.com"
        s3_origin_access_identity_enabled: yes
      state: present
-      <<: *aws_connection_info
    register: update_origin_to_s3

  - name: check that s3 origin access is in result
@ -382,13 +369,12 @@

  - name: update origin to remove s3 origin access identity
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}-bucket.s3.amazonaws.com"
        id: "{{ resource_prefix }}3.example.com"
        s3_origin_access_identity_enabled: no
      state: present
-      <<: *aws_connection_info
    register: update_origin_to_s3_without_origin_access

  - name: check that s3 origin access is not in result
@ -402,11 +388,10 @@
    aws_s3:
      bucket: "{{ resource_prefix }}-bucket"
      mode: delete
-      <<: *aws_connection_info

  - name: check that custom_origin_config can't be used with origin_access_identity enabled
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      origins:
      - domain_name: "{{ resource_prefix }}-bucket.s3.amazonaws.com"
        id: "{{ resource_prefix }}3.example.com"
@ -414,7 +399,6 @@
        custom_origin_config:
          origin_protocol_policy: 'http-only'
      state: present
-      <<: *aws_connection_info
    register: update_origin_to_s3_with_origin_access_and_with_custom_origin_config
    ignore_errors: True

@ -425,10 +409,14 @@

  always:
  # TEARDOWN STARTS HERE
+  - name: delete the s3 bucket
+    aws_s3:
+      bucket: "{{ resource_prefix }}-bucket"
+      mode: delete
+
  - name: clean up cloudfront distribution
    cloudfront_distribution:
-      alias: "{{ cloudfront_alias }}"
+      distribution_id: "{{ distribution_id }}"
      enabled: no
      wait: yes
      state: absent
-      <<: *aws_connection_info