cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

[cloud] New module cloudfront_distribution (#31284)

Browse source 
* added cloudfont.py, modified cloudfront_facts.py class name and fixed a minor bug

* Improvements to cloudfront_distribution

* Reduce the scope of the cloudfront_distribution module
    * Remove presigning
    * Remove streaming distribution functionality
* Add full test suite for cloudfront distribution
* Meet Ansible AWS guidelines

* Make requested changes

Fix tests

Use built-in waiter

Update copyright
This commit is contained in:
Will Thames 2018-01-18 02:03:23 +10:00 committed by Ryan Brown
parent 53266e31df
commit 8d733dbdf0
9 changed files with 2663 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -88,6 +88,7 @@ Ansible Changes By Release
* aws_kms_facts
* aws_s3_cors
* aws_ssm_parameter_store
* cloudfront_distribution
* ec2_ami_facts
* ec2_asg_lifecycle_hook
* ec2_placement_group

28
hacking/aws_config/testing_policies/cloudfront-policy.json Normal file
View file

@ -0,0 +1,28 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCloudfrontUsage",
"Effect": "Allow",
"Action": [
"cloudfront:CreateDistribution",
"cloudfront:CreateDistributionWithTags",
"cloudfront:DeleteDistribution",
"cloudfront:GetDistribution",
"cloudfront:GetStreamingDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudfront:GetInvalidation",
"cloudfront:ListDistributions",
"cloudfront:ListDistributionsByWebACLId",
"cloudfront:ListInvalidations",
"cloudfront:ListStreamingDistributions",
"cloudfront:ListTagsForResource",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateDistribution"
],
"Resource": "*"
}
]
}

234
lib/ansible/module_utils/aws/cloudfront_facts.py Normal file
View file

@ -0,0 +1,234 @@
# -*- coding: utf-8 -*-
#
# Copyright (c) 2017 Willem van Ketwich
#
# This module is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software. If not, see <http://www.gnu.org/licenses/>.
#
# Author:
# - Willem van Ketwich <willem@vanketwich.com.au>
#
# Common functionality to be used by the modules:
# - cloudfront_distribution
# - cloudfront_invalidation
# - cloudfront_origin_access_identity
"""
Common cloudfront facts shared between modules
"""
from ansible.module_utils.ec2 import get_aws_connection_info, boto3_conn
from ansible.module_utils.ec2 import boto3_tag_list_to_ansible_dict, camel_dict_to_snake_dict
try:
import botocore
except ImportError:
pass
class CloudFrontFactsServiceManager(object):
"""Handles CloudFront Facts Services"""
def __init__(self, module):
self.module = module
region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module, boto3=True)
self.client = boto3_conn(module, conn_type='client',
resource='cloudfront', region=region,
endpoint=ec2_url, **aws_connect_kwargs)
def get_distribution(self, distribution_id):
try:
return self.client.get_distribution(Id=distribution_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing distribution")
def get_distribution_config(self, distribution_id):
try:
return self.client.get_distribution_config(Id=distribution_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing distribution configuration")
def get_origin_access_identity(self, origin_access_identity_id):
try:
return self.client.get_cloud_front_origin_access_identity(Id=origin_access_identity_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing origin access identity")
def get_origin_access_identity_config(self, origin_access_identity_id):
try:
return self.client.get_cloud_front_origin_access_identity_config(Id=origin_access_identity_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing origin access identity configuration")
def get_invalidation(self, distribution_id, invalidation_id):
try:
return self.client.get_invalidation(DistributionId=distribution_id, Id=invalidation_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing invalidation")
def get_streaming_distribution(self, distribution_id):
try:
return self.client.get_streaming_distribution(Id=distribution_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing streaming distribution")
def get_streaming_distribution_config(self, distribution_id):
try:
return self.client.get_streaming_distribution_config(Id=distribution_id)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error describing streaming distribution")
def list_origin_access_identities(self):
try:
paginator = self.client.get_paginator('list_cloud_front_origin_access_identities')
result = paginator.paginate().build_full_result()['CloudFrontOriginAccessIdentityList']
return result.get('Items', [])
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error listing cloud front origin access identities")
def list_distributions(self, keyed=True):
try:
paginator = self.client.get_paginator('list_distributions')
result = paginator.paginate().build_full_result().get('DistributionList', {})
distribution_list = result.get('Items', [])
if not keyed:
return distribution_list
return self.keyed_list_helper(distribution_list)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error listing distributions")
def list_distributions_by_web_acl_id(self, web_acl_id):
try:
result = self.client.list_distributions_by_web_acl_id(WebAclId=web_acl_id)
distribution_list = result.get('DistributionList', {}).get('Items', [])
return self.keyed_list_helper(distribution_list)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error listing distributions by web acl id")
def list_invalidations(self, distribution_id):
try:
paginator = self.client.get_paginator('list_invalidations')
result = paginator.paginate(DistributionId=distribution_id).build_full_result()
return result.get('InvalidationList', {}).get('Items', [])
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error listing invalidations")
def list_streaming_distributions(self, keyed=True):
try:
paginator = self.client.get_paginator('list_streaming_distributions')
result = paginator.paginate().build_full_result()
streaming_distribution_list = result.get('StreamingDistributionList', {}).get('Items', [])
if not keyed:
return streaming_distribution_list
return self.keyed_list_helper(streaming_distribution_list)
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error listing streaming distributions")
def summary(self):
summary_dict = {}
summary_dict.update(self.summary_get_distribution_list(False))
summary_dict.update(self.summary_get_distribution_list(True))
summary_dict.update(self.summary_get_origin_access_identity_list())
return summary_dict
def summary_get_origin_access_identity_list(self):
try:
origin_access_identity_list = {'origin_access_identities': []}
origin_access_identities = self.list_origin_access_identities()
for origin_access_identity in origin_access_identities:
oai_id = origin_access_identity['Id']
oai_full_response = self.get_origin_access_identity(oai_id)
oai_summary = {'Id': oai_id, 'ETag': oai_full_response['ETag']}
origin_access_identity_list['origin_access_identities'].append(oai_summary)
return origin_access_identity_list
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error generating summary of origin access identities")
def summary_get_distribution_list(self, streaming=False):
try:
list_name = 'streaming_distributions' if streaming else 'distributions'
key_list = ['Id', 'ARN', 'Status', 'LastModifiedTime', 'DomainName', 'Comment', 'PriceClass', 'Enabled']
distribution_list = {list_name: []}
distributions = self.list_streaming_distributions(False) if streaming else self.list_distributions(False)
for dist in distributions:
temp_distribution = {}
for key_name in key_list:
temp_distribution[key_name] = dist[key_name]
temp_distribution['Aliases'] = [alias for alias in dist['Aliases'].get('Items', [])]
temp_distribution['ETag'] = self.get_etag_from_distribution_id(dist['Id'], streaming)
if not streaming:
temp_distribution['WebACLId'] = dist['WebACLId']
invalidation_ids = self.get_list_of_invalidation_ids_from_distribution_id(dist['Id'])
if invalidation_ids:
temp_distribution['Invalidations'] = invalidation_ids
resource_tags = self.client.list_tags_for_resource(Resource=dist['ARN'])
temp_distribution['Tags'] = boto3_tag_list_to_ansible_dict(resource_tags['Tags'].get('Items', []))
distribution_list[list_name].append(temp_distribution)
return distribution_list
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error generating summary of distributions")
except Exception as e:
self.module.fail_json_aws(e, msg="Error generating summary of distributions")
def get_etag_from_distribution_id(self, distribution_id, streaming):
distribution = {}
if not streaming:
distribution = self.get_distribution(distribution_id)
else:
distribution = self.get_streaming_distribution(distribution_id)
return distribution['ETag']
def get_list_of_invalidation_ids_from_distribution_id(self, distribution_id):
try:
invalidation_ids = []
invalidations = self.list_invalidations(distribution_id)
for invalidation in invalidations:
invalidation_ids.append(invalidation['Id'])
return invalidation_ids
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error getting list of invalidation ids")
def get_distribution_id_from_domain_name(self, domain_name):
try:
distribution_id = ""
distributions = self.list_distributions(False)
distributions += self.list_streaming_distributions(False)
for dist in distributions:
if 'Items' in dist['Aliases']:
for alias in dist['Aliases']['Items']:
if str(alias).lower() == domain_name.lower():
distribution_id = dist['Id']
break
return distribution_id
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error getting distribution id from domain name")
def get_aliases_from_distribution_id(self, distribution_id):
try:
distribution = self.get_distribution(distribution_id)
return distribution['DistributionConfig']['Aliases'].get('Items', [])
except botocore.exceptions.ClientError as e:
self.module.fail_json_aws(e, msg="Error getting list of aliases from distribution_id")
def keyed_list_helper(self, list_to_key):
keyed_list = dict()
for item in list_to_key:
distribution_id = item['Id']
if 'Items' in item['Aliases']:
aliases = item['Aliases']['Items']
for alias in aliases:
keyed_list.update({alias: item})
keyed_list.update({distribution_id: item})
return keyed_list

1972
lib/ansible/modules/cloud/amazon/cloudfront_distribution.py Normal file
View file

File diff suppressed because it is too large Load diff

1
lib/ansible/modules/cloud/amazon/cloudfront_facts.py
View file

@ -670,5 +670,6 @@ def main():
result['cloudfront'].update(facts)
module.exit_json(msg="Retrieved cloudfront facts.", ansible_facts=result)
if __name__ == '__main__':
main()

1
test/integration/targets/cloudfront_distribution/aliases Normal file
View file

@ -0,0 +1 @@
cloud/aws

37
test/integration/targets/cloudfront_distribution/defaults/main.yml Normal file
View file

@ -0,0 +1,37 @@
cloudfront_hostname: "{{ resource_prefix | lower }}01"
# Use a domain that has a wildcard DNS
cloudfront_alias: "{{ cloudfront_hostname | lower }}.github.io"
cloudfront_test_cache_behaviors:
- path_pattern: /test/path
forwarded_values:
headers:
- Host
allowed_methods:
items:
- GET
- HEAD
- POST
- PATCH
- PUT
- OPTIONS
- DELETE
cached_methods:
- GET
- HEAD
- path_pattern: /another/path
forwarded_values:
cookies:
forward: whitelist
whitelisted_names:
- my_header
query_string: yes
query_string_cache_keys:
- whatever
allowed_methods:
items:
- GET
- HEAD
cached_methods:
- GET
- HEAD

3
test/integration/targets/cloudfront_distribution/meta/main.yml Normal file
View file

@ -0,0 +1,3 @@
dependencies:
- prepare_tests
- setup_ec2

386
test/integration/targets/cloudfront_distribution/tasks/main.yml Normal file
View file

@ -0,0 +1,386 @@
- block:
- name: make sure resource prefix is lowercase
set_fact:
test_identifier: "{{ resource_prefix | lower }}"
- name: set yaml anchor
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
no_log: yes
- name: create cloudfront distribution using defaults
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ cloudfront_hostname }}-origin.example.com"
id: "{{ cloudfront_hostname }}-origin.example.com"
default_cache_behavior:
target_origin_id: "{{ cloudfront_hostname }}-origin.example.com"
state: present
purge_origins: yes
<<: *aws_connection_info
- name: re-run cloudfront distribution with same defaults
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ cloudfront_hostname }}-origin.example.com"
state: present
<<: *aws_connection_info
register: cf_dist_no_update
- name: ensure distribution was not updated
assert:
that:
- not cf_dist_no_update.changed
- name: update origin http port
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ cloudfront_hostname }}-origin.example.com"
custom_origin_config:
http_port: 8080
state: present
<<: *aws_connection_info
register: update_origin_http_port
- name: ensure http port was updated
assert:
that:
- update_origin_http_port.changed
- name: set a random comment
set_fact:
comment: "{{'ABCDEFabcdef123456'|shuffle|join }}"
- name: update comment
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
comment: "{{ comment }}"
state: present
<<: *aws_connection_info
register: cf_comment
- name: ensure comment was updated
assert:
that:
- cf_comment.changed
- 'cf_comment.comment == comment'
- name: create second origin
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
id: "{{ test_identifier }}2.example.com"
state: present
wait: yes
<<: *aws_connection_info
register: cf_add_origin
- name: ensure origin was added
assert:
that:
- cf_add_origin.origins.quantity == 2
- cf_add_origin.changed
- name: re-run second origin
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ cloudfront_hostname }}-origin.example.com"
custom_origin_config:
http_port: 8080
- domain_name: "{{ test_identifier }}2.example.com"
wait: yes
state: present
<<: *aws_connection_info
register: cf_rerun_second_origin
- name: ensure nothing changed after re-run
assert:
that:
- cf_rerun_second_origin.origins.quantity == 2
- not cf_rerun_second_origin.changed
- name: run with origins in reverse order
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
- domain_name: "{{ cloudfront_hostname }}-origin.example.com"
custom_origin_config:
http_port: 8080
state: present
<<: *aws_connection_info
register: cf_rerun_second_origin_reversed
- name: ensure nothing changed after reversed re-run
assert:
that:
- cf_rerun_second_origin_reversed.origins.quantity == 2
- not cf_rerun_second_origin_reversed.changed
- name: purge first origin
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
default_cache_behavior:
target_origin_id: "{{ test_identifier }}2.example.com"
purge_origins: yes
state: present
<<: *aws_connection_info
register: cf_purge_origin
- name: ensure origin was removed
assert:
that:
- cf_purge_origin.origins.quantity == 1
- cf_purge_origin.changed
- name: add tags to existing distribution
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
tags:
Name: "{{ cloudfront_alias }}"
Another: tag
state: present
<<: *aws_connection_info
register: cf_add_tags
- name: ensure tags were added
assert:
that:
- cf_add_tags.changed
- cf_add_tags.tags|length == 2
- name: delete distribution
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
enabled: no
wait: yes
state: absent
<<: *aws_connection_info
- name: create distribution with tags
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
id: "{{ test_identifier }}2.example.com"
tags:
Name: "{{ cloudfront_alias }}"
Another: tag
state: present
<<: *aws_connection_info
register: cf_second_distribution
- name: ensure tags were set on creation
assert:
that:
- cf_second_distribution.changed
- cf_second_distribution.tags|length == 2
- "'Name' in cf_second_distribution.tags"
- name: re-run create distribution with same tags and purge_tags
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
id: "{{ test_identifier }}2.example.com"
tags:
Name: "{{ cloudfront_alias }}"
Another: tag
purge_tags: yes
state: present
<<: *aws_connection_info
register: rerun_with_purge_tags
- name: ensure that re-running didn't change
assert:
that:
- not rerun_with_purge_tags.changed
- name: add new tag to distribution
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
tags:
Third: thing
purge_tags: no
state: present
<<: *aws_connection_info
register: update_with_new_tag
- name: ensure tags are correct
assert:
that:
- update_with_new_tag.changed
- "'Third' in update_with_new_tag.tags"
- "'Another' in update_with_new_tag.tags"
- name: create some cache behaviors
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
cache_behaviors: "{{ cloudfront_test_cache_behaviors }}"
state: present
<<: *aws_connection_info
register: add_cache_behaviors
- name: reverse some cache behaviors
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
state: present
<<: *aws_connection_info
register: reverse_cache_behaviors
- name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
assert:
that:
- not reverse_cache_behaviors.changed
- reverse_cache_behaviors.cache_behaviors|length == 2
- name: reverse some cache behaviors properly
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}2.example.com"
cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
purge_cache_behaviors: yes
state: present
<<: *aws_connection_info
register: reverse_cache_behaviors_with_purge
- name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
assert:
that:
- reverse_cache_behaviors_with_purge.changed
- reverse_cache_behaviors_with_purge.cache_behaviors|length == 2
- name: update origin that changes target id (failure expected)
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}3.example.com"
id: "{{ test_identifier }}3.example.com"
purge_origins: yes
state: present
<<: *aws_connection_info
register: remove_origin_in_use
ignore_errors: yes
- name: check that removing in use origin fails
assert:
that:
- remove_origin_in_use.failed
# FIXME: This currently fails due to AWS side problems
# not clear whether to hope they fix or prevent this issue from happening
#- name: update origin and update cache behavior to point to new origin
# cloudfront_distribution:
# alias: "{{ cloudfront_alias }}"
# origins:
# - domain_name: "{{ test_identifier }}3.example.com"
# id: "{{ test_identifier }}3.example.com"
# cache_behaviors:
# - path_pattern: /test/path
# target_origin_id: "{{ test_identifier }}3.example.com"
# - path_pattern: /another/path
# target_origin_id: "{{ test_identifier }}3.example.com"
# state: present
# aws_access_key: "{{ aws_access_key|default(omit) }}"
# aws_secret_key: "{{ aws_secret_key|default(omit) }}"
# security_token: "{{ security_token|default(omit) }}"
# profile: "{{ profile|default(omit) }}"
# register: update_cache_behaviors in use
- name: create an s3 bucket for next test
aws_s3:
bucket: "{{ test_identifier }}-bucket"
mode: create
<<: *aws_connection_info
- name: update origin to point to the s3 bucket
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
id: "{{ test_identifier }}3.example.com"
s3_origin_access_identity_enabled: yes
state: present
<<: *aws_connection_info
register: update_origin_to_s3
- name: check that s3 origin access is in result
assert:
that:
- item.s3_origin_config.origin_access_identity.startswith('origin-access-identity/cloudfront/')
when: "'s3_origin_config' in item"
loop: "{{ update_origin_to_s3.origins['items'] }}"
- name: update origin to remove s3 origin access identity
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
id: "{{ test_identifier }}3.example.com"
s3_origin_access_identity_enabled: no
state: present
<<: *aws_connection_info
register: update_origin_to_s3_without_origin_access
- name: check that s3 origin access is not in result
assert:
that:
- not item.s3_origin_config.origin_access_identity
when: "'s3_origin_config' in item"
loop: "{{ update_origin_to_s3_without_origin_access.origins['items'] }}"
- name: delete the s3 bucket
aws_s3:
bucket: "{{ test_identifier }}-bucket"
mode: delete
<<: *aws_connection_info
- name: update origin to remove s3 origin access identity
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
origins:
- domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
id: "{{ test_identifier }}3.example.com"
s3_origin_access_identity_enabled: yes
custom_origin_config:
origin_protocol_policy: 'http-only'
state: present
<<: *aws_connection_info
register: update_origin_to_s3_with_origin_access_and_with_custom_origin_config
ignore_errors: True
- name: check that custom origin with origin access identity fails
assert:
that:
- update_origin_to_s3_with_origin_access_and_with_custom_origin_config.failed
always:
# TEARDOWN STARTS HERE
- name: clean up cloudfront distribution
cloudfront_distribution:
alias: "{{ cloudfront_alias }}"
enabled: no
wait: yes
state: absent
<<: *aws_connection_info