How to copy a working AWS CloudFront configuration and then update it

Setting up AWS CloudFront can be time consuming, particularly if there is some complexity in behaviours. I find I often wish to use the configuration I have in one account in another account, and so would like to export a working configuration, update it for the target account, and then upload it to the target account. Unfortunately AWS don't allow you to do this via the AWS Console.

This post will show you how to export a working CloudFront configuration, upload it to another account, and will then go on to demonstrate how to update an existing configuration.

The following examples require you to have installed the AWS CLI on your local machine.

Download a working CloudFront distribution

The following command downloads a CloudFront configuration from your source AWS account to your local computer:

aws --profile SRC_AWS_PROFILE cloudfront get-distribution --id CF_DISTRIBUTION_ID > src-example.cloudfront.json

The source account is defined by SRC_AWS_PROFILE in your AWS credentials file ~/.aws/credentials, and CF_DISTRIBUTION_ID is the distribution ID of the CloudFront distribution you wish to download. The resulting configuration is saved to a file called src-example.cloudfront.json.

Process downloaded configuration

Unfortunately the downloaded CloudFront configuration file can't be uploaded directly to the target account. There are two things we need to clean up or remove from the configuration: 1) the value of the DistributionConfig attribute must sit at the root level, i.e. everything outside of this attribute is removed; and 2) any of the downloaded distribution properties that aren't relevant to the destination account are removed.

This makes sense if you think about it: 1) we only want to upload the distribution configuration itself; and 2) things like the WAF, SSL certificate, and CNAME might not be appropriate for the new account.

Below I show the resulting file diff between the configuration I downloaded and the one I will upload:

0a1
> 
2,3d2
<     "ETag": "AAAAAAAAAAAAAA", 
<     "DistributionConfig": {
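Review bot: the ETag value deleted in this hunk ("AAAAAAAAAAAAAA" on line 2) is the value the update step later needs for --if-match, so record it before discarding the wrapper rather than having to download the configuration a second time.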
237d235
<         "WebACLId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", 
324,330d321
<         "ViewerCertificate": {
<             "SSLSupportMethod": "sni-only", 
<             "ACMCertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/bbbbbbbb-bbbb-bbbb-bbdb-bbbbbbbbbbbb", 
<             "MinimumProtocolVersion": "TLSv1.1_2016", 
<             "Certificate": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/bbbbbbbb-bbbb-bbbb-bbdb-bbbbbbbbbbbb", 
<             "CertificateSource": "acm"
<         }, 
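Review bot: deleting the whole ViewerCertificate block means the new distribution is created with the default CloudFront certificate, which is consistent with the Aliases being dropped in a later hunk, since an alternate domain name needs a certificate that covers it. If the target account has its own ACM certificate, the smaller change is to replace the two ARN values on the ACMCertificateArn and Certificate lines, and MinimumProtocolVersion can be raised from TLSv1.1_2016 at the same time.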
351,356d341
<         }, 
<         "Aliases": {
<             "Items": [
<                 "example-domain.com"
<             ], 
<             "Quantity": 1
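Review bot: this hunk removes the "}," on line 351 that closes the property before Aliases and relies on the Aliases block's own closing brace on line 357 to close that property instead; the result is valid JSON but it is easy to get wrong when editing by hand. Keeping the Aliases block with "Quantity": 0 and no Items line would leave the structure obvious and still give the target account no alternate domain names.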
358d342
<     }
359a344
> 

Upload the processed configuration file

The processed configuration file can be uploaded to the target account with the following command (the profile given to --profile should be the one for the target account; the examples here keep using the SRC_AWS_PROFILE placeholder):

aws --profile SRC_AWS_PROFILE cloudfront create-distribution --distribution-config file://src-example-PROCESSED.cloudfront.json

You should now be able to see the newly created distribution in the AWS Console > CloudFront.

Updating an existing CloudFront distribution

To update an existing CloudFront distribution the configuration should be downloaded and processed in a similar way to that detailed above, i.e. the value of the DistributionConfig attribute should sit at the root level, and everything outside of this should be removed. Properties should then be edited as appropriate.

The resulting configuration file can then be used to update the existing distribution using the command:

aws --profile SRC_AWS_PROFILE cloudfront update-distribution --distribution-config file://src-example-PROCESSED.cloudfront.json --id CF_DISTRIBUTION_ID --if-match LATEST_ETAG

The LATEST_ETAG is contained in the configuration file you downloaded (it was in the portion you deleted whilst processing the configuration file). You can only use this LATEST_ETAG once, but you can obtain a new one by downloading the configuration again.
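The processing step described above for both the copy and the update workflows (hoist DistributionConfig to the root, keep the ETag for --if-match, and strip the account-specific properties) can be scripted instead of edited by hand. This is an added example, not part of the original post: it reads the JSON the CLI wrote and handles both the get-distribution shape (config nested under "Distribution") and the get-distribution-config shape (config at the root). The sample document and its values are constructed placeholders.

```python
import json
from typing import Any, Dict, Iterable, Tuple

# Properties tied to the source account that are stripped before the
# configuration is created in the target account (the same three the diff removes).
ACCOUNT_SPECIFIC_KEYS = ("WebACLId", "ViewerCertificate", "Aliases")


def process_distribution(downloaded: Dict[str, Any],
                         strip_keys: Iterable[str] = ACCOUNT_SPECIFIC_KEYS
                         ) -> Tuple[str, Dict[str, Any]]:
    """Return (etag, config) from the JSON produced by the AWS CLI.

    Works for `get-distribution` output (config nested under "Distribution")
    and `get-distribution-config` output (config at the root). The ETag is
    returned separately because `update-distribution --if-match` needs it.
    """
    etag = downloaded["ETag"]
    container = downloaded.get("Distribution", downloaded)
    # Deep copy so the caller's parsed document is left untouched.
    config = json.loads(json.dumps(container["DistributionConfig"]))
    for key in strip_keys:
        config.pop(key, None)
    return etag, config


# Constructed sample shaped like `aws cloudfront get-distribution` output;
# only the fields relevant here are included and all values are placeholders.
SAMPLE = {
    "ETag": "AAAAAAAAAAAAAA",
    "Distribution": {
        "Id": "EXAMPLEID",
        "DistributionConfig": {
            "CallerReference": "example-ref",
            "Enabled": True,
            "WebACLId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
            "Aliases": {"Quantity": 1, "Items": ["example-domain.com"]},
            "ViewerCertificate": {"CertificateSource": "acm", "ACMCertificateArn": "arn:placeholder"},
            "Origins": {"Quantity": 1, "Items": [{"Id": "s3", "DomainName": "bucket.s3.amazonaws.com"}]},
        },
    },
}

if __name__ == "__main__":
    etag, config = process_distribution(SAMPLE)
    with open("src-example-PROCESSED.cloudfront.json", "w") as fh:
        json.dump(config, fh, indent=4)
    print("ETag for --if-match:", etag)
```

Replace SAMPLE with json.load() of the file written by get-distribution to use it on a real download; the written file is then ready for the create-distribution or update-distribution commands shown above.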
