[cloud] New module cloudfront_distribution (#31284)

* added cloudfont.py, modified cloudfront_facts.py class name and fixed a minor bug

* Improvements to cloudfront_distribution

* Reduce the scope of the cloudfront_distribution module
    * Remove presigning
    * Remove streaming distribution functionality
* Add full test suite for cloudfront distribution
* Meet Ansible AWS guidelines

* Make requested changes

Fix tests

Use built-in waiter

Update copyright

test/integration/targets/cloudfront_distribution/aliases

@@ -0,0 +1 @@
+cloud/aws

test/integration/targets/cloudfront_distribution/defaults/main.yml

@@ -0,0 +1,37 @@
+cloudfront_hostname: "{{ resource_prefix | lower }}01"
+# Use a domain that has a wildcard DNS
+cloudfront_alias: "{{ cloudfront_hostname | lower }}.github.io"
+
+cloudfront_test_cache_behaviors:
+  - path_pattern: /test/path
+    forwarded_values:
+      headers:
+        - Host
+    allowed_methods:
+      items:
+        - GET
+        - HEAD
+        - POST
+        - PATCH
+        - PUT
+        - OPTIONS
+        - DELETE
+      cached_methods:
+        - GET
+        - HEAD
+  - path_pattern: /another/path
+    forwarded_values:
+      cookies:
+        forward: whitelist
+        whitelisted_names:
+          - my_header
+      query_string: yes
+      query_string_cache_keys:
+        - whatever
+    allowed_methods:
+      items:
+        - GET
+        - HEAD
+      cached_methods:
+        - GET
+        - HEAD

test/integration/targets/cloudfront_distribution/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - prepare_tests
+  - setup_ec2

test/integration/targets/cloudfront_distribution/tasks/main.yml

@@ -0,0 +1,386 @@
+- block:
+  - name: make sure resource prefix is lowercase
+    set_fact:
+      test_identifier: "{{ resource_prefix | lower }}"
+
+  - name: set yaml anchor
+    set_fact:
+      aws_connection_info: &aws_connection_info
+        aws_access_key: "{{ aws_access_key }}"
+        aws_secret_key: "{{ aws_secret_key }}"
+        security_token: "{{ security_token }}"
+    no_log: yes
+
+  - name: create cloudfront distribution using defaults
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        id: "{{ cloudfront_hostname }}-origin.example.com"
+      default_cache_behavior:
+        target_origin_id: "{{ cloudfront_hostname }}-origin.example.com"
+      state: present
+      purge_origins: yes
+      <<: *aws_connection_info
+
+  - name: re-run cloudfront distribution with same defaults
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+      state: present
+      <<: *aws_connection_info
+    register: cf_dist_no_update
+
+  - name: ensure distribution was not updated
+    assert:
+      that:
+        - not cf_dist_no_update.changed
+
+  - name: update origin http port
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+      state: present
+      <<: *aws_connection_info
+    register: update_origin_http_port
+
+  - name: ensure http port was updated
+    assert:
+      that:
+        - update_origin_http_port.changed
+
+  - name: set a random comment
+    set_fact:
+      comment: "{{'ABCDEFabcdef123456'|shuffle|join }}"
+
+  - name: update comment
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      comment: "{{ comment }}"
+      state: present
+      <<: *aws_connection_info
+    register: cf_comment
+
+  - name: ensure comment was updated
+    assert:
+      that:
+        - cf_comment.changed
+        - 'cf_comment.comment == comment'
+
+  - name: create second origin
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+        id: "{{ test_identifier }}2.example.com"
+      state: present
+      wait: yes
+      <<: *aws_connection_info
+    register: cf_add_origin
+
+  - name: ensure origin was added
+    assert:
+      that:
+        - cf_add_origin.origins.quantity == 2
+        - cf_add_origin.changed
+
+  - name: re-run second origin
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+      - domain_name: "{{ test_identifier }}2.example.com"
+      wait: yes
+      state: present
+      <<: *aws_connection_info
+    register: cf_rerun_second_origin
+
+  - name: ensure nothing changed after re-run
+    assert:
+      that:
+        - cf_rerun_second_origin.origins.quantity == 2
+        - not cf_rerun_second_origin.changed
+
+  - name: run with origins in reverse order
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+      state: present
+      <<: *aws_connection_info
+    register: cf_rerun_second_origin_reversed
+
+  - name: ensure nothing changed after reversed re-run
+    assert:
+      that:
+        - cf_rerun_second_origin_reversed.origins.quantity == 2
+        - not cf_rerun_second_origin_reversed.changed
+
+
+  - name: purge first origin
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      default_cache_behavior:
+        target_origin_id: "{{ test_identifier }}2.example.com"
+      purge_origins: yes
+      state: present
+      <<: *aws_connection_info
+    register: cf_purge_origin
+
+  - name: ensure origin was removed
+    assert:
+      that:
+        - cf_purge_origin.origins.quantity == 1
+        - cf_purge_origin.changed
+
+  - name: add tags to existing distribution
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      tags:
+        Name: "{{ cloudfront_alias }}"
+        Another: tag
+      state: present
+      <<: *aws_connection_info
+    register: cf_add_tags
+
+  - name: ensure tags were added
+    assert:
+      that:
+        - cf_add_tags.changed
+        - cf_add_tags.tags|length == 2
+
+  - name: delete distribution
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      enabled: no
+      wait: yes
+      state: absent
+      <<: *aws_connection_info
+
+  - name: create distribution with tags
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+        id: "{{ test_identifier }}2.example.com"
+      tags:
+        Name: "{{ cloudfront_alias }}"
+        Another: tag
+      state: present
+      <<: *aws_connection_info
+    register: cf_second_distribution
+
+  - name: ensure tags were set on creation
+    assert:
+      that:
+        - cf_second_distribution.changed
+        - cf_second_distribution.tags|length == 2
+        - "'Name' in cf_second_distribution.tags"
+
+  - name: re-run create distribution with same tags and purge_tags
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+        id: "{{ test_identifier }}2.example.com"
+      tags:
+        Name: "{{ cloudfront_alias }}"
+        Another: tag
+      purge_tags: yes
+      state: present
+      <<: *aws_connection_info
+    register: rerun_with_purge_tags
+
+  - name: ensure that re-running didn't change
+    assert:
+      that:
+        - not rerun_with_purge_tags.changed
+
+  - name: add new tag to distribution
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      tags:
+        Third: thing
+      purge_tags: no
+      state: present
+      <<: *aws_connection_info
+    register: update_with_new_tag
+
+  - name: ensure tags are correct
+    assert:
+      that:
+        - update_with_new_tag.changed
+        - "'Third' in update_with_new_tag.tags"
+        - "'Another' in update_with_new_tag.tags"
+
+  - name: create some cache behaviors
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      cache_behaviors: "{{ cloudfront_test_cache_behaviors }}"
+      state: present
+      <<: *aws_connection_info
+    register: add_cache_behaviors
+
+  - name: reverse some cache behaviors
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
+      state: present
+      <<: *aws_connection_info
+    register: reverse_cache_behaviors
+
+  - name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
+    assert:
+      that:
+        - not reverse_cache_behaviors.changed
+        - reverse_cache_behaviors.cache_behaviors|length == 2
+
+  - name: reverse some cache behaviors properly
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}2.example.com"
+      cache_behaviors: "{{ cloudfront_test_cache_behaviors|reverse|list }}"
+      purge_cache_behaviors: yes
+      state: present
+      <<: *aws_connection_info
+    register: reverse_cache_behaviors_with_purge
+
+  - name: check that reversing cache behaviors changes nothing when purge_cache_behaviors unset
+    assert:
+      that:
+        - reverse_cache_behaviors_with_purge.changed
+        - reverse_cache_behaviors_with_purge.cache_behaviors|length == 2
+
+  - name: update origin that changes target id (failure expected)
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}3.example.com"
+        id: "{{ test_identifier }}3.example.com"
+      purge_origins: yes
+      state: present
+      <<: *aws_connection_info
+    register: remove_origin_in_use
+    ignore_errors: yes
+
+  - name: check that removing in use origin fails
+    assert:
+      that:
+        - remove_origin_in_use.failed
+
+  # FIXME: This currently fails due to AWS side problems
+  # not clear whether to hope they fix or prevent this issue from happening
+  #- name: update origin and update cache behavior to point to new origin
+  #  cloudfront_distribution:
+  #    alias: "{{ cloudfront_alias }}"
+  #    origins:
+  #    - domain_name: "{{ test_identifier }}3.example.com"
+  #      id: "{{ test_identifier }}3.example.com"
+  #    cache_behaviors:
+  #      - path_pattern: /test/path
+  #        target_origin_id: "{{ test_identifier }}3.example.com"
+  #      - path_pattern: /another/path
+  #        target_origin_id: "{{ test_identifier }}3.example.com"
+  #    state: present
+  #    aws_access_key: "{{ aws_access_key|default(omit) }}"
+  #    aws_secret_key: "{{ aws_secret_key|default(omit) }}"
+  #    security_token: "{{ security_token|default(omit) }}"
+  #    profile: "{{ profile|default(omit) }}"
+  #  register: update_cache_behaviors in use
+
+  - name: create an s3 bucket for next test
+    aws_s3:
+      bucket: "{{ test_identifier }}-bucket"
+      mode: create
+      <<: *aws_connection_info
+
+  - name: update origin to point to the s3 bucket
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
+        id: "{{ test_identifier }}3.example.com"
+        s3_origin_access_identity_enabled: yes
+      state: present
+      <<: *aws_connection_info
+    register: update_origin_to_s3
+
+  - name: check that s3 origin access is in result
+    assert:
+      that:
+        - item.s3_origin_config.origin_access_identity.startswith('origin-access-identity/cloudfront/')
+    when: "'s3_origin_config' in item"
+    loop: "{{ update_origin_to_s3.origins['items'] }}"
+
+  - name: update origin to remove s3 origin access identity
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
+        id: "{{ test_identifier }}3.example.com"
+        s3_origin_access_identity_enabled: no
+      state: present
+      <<: *aws_connection_info
+    register: update_origin_to_s3_without_origin_access
+
+  - name: check that s3 origin access is not in result
+    assert:
+      that:
+        - not item.s3_origin_config.origin_access_identity
+    when: "'s3_origin_config' in item"
+    loop: "{{ update_origin_to_s3_without_origin_access.origins['items'] }}"
+
+  - name: delete the s3 bucket
+    aws_s3:
+      bucket: "{{ test_identifier }}-bucket"
+      mode: delete
+      <<: *aws_connection_info
+
+  - name: update origin to remove s3 origin access identity
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      origins:
+      - domain_name: "{{ test_identifier }}-bucket.{{ aws_region }}.s3.amazonaws.com"
+        id: "{{ test_identifier }}3.example.com"
+        s3_origin_access_identity_enabled: yes
+        custom_origin_config:
+          origin_protocol_policy: 'http-only'
+      state: present
+      <<: *aws_connection_info
+    register: update_origin_to_s3_with_origin_access_and_with_custom_origin_config
+    ignore_errors: True
+
+  - name: check that custom origin with origin access identity fails
+    assert:
+      that:
+        - update_origin_to_s3_with_origin_access_and_with_custom_origin_config.failed
+
+  always:
+  # TEARDOWN STARTS HERE
+  - name: clean up cloudfront distribution
+    cloudfront_distribution:
+      alias: "{{ cloudfront_alias }}"
+      enabled: no
+      wait: yes
+      state: absent
+      <<: *aws_connection_info