From 3f9cd543914cbcb8821e98e5c8b231a7bdfa5220 Mon Sep 17 00:00:00 2001
From: Mark Woolley
Date: Mon, 31 Jan 2022 10:29:42 +0000
Subject: [PATCH] Fix cloudfront_distribution s3_origin_access_identity_enabled bug (#881)

Fix cloudfront_distribution s3_origin_access_identity_enabled bug SUMMARY If s3_origin_access_identity_enabled is set to True but no s3_origin_config then a default origin config is applied however it also picks up s3_origin_access_identity_enabled as S3OriginAccessIdentityEnabled and passes it to the API request which is not a valid option to be passed and then fails validation. Fixes: #749 ISSUE TYPE Bugfix Pull Request COMPONENT NAME cloudfront_distribution ADDITIONAL INFORMATION The option mention is not valid for the API request: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudfront.html#CloudFront.Client.create_distribution Reviewed-by: Markus Bergholz Reviewed-by: Alina Buzachis (cherry picked from commit cecc9e8087ce0bd1eacebdd19b4c45a17070eafa)
---
 changelogs/fragments/881-cloudfront-bug.yml | 2 ++
 plugins/modules/cloudfront_distribution.py | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/881-cloudfront-bug.yml

diff --git a/changelogs/fragments/881-cloudfront-bug.yml b/changelogs/fragments/881-cloudfront-bug.yml
new file mode 100644
index 00000000000..106c9443723
--- /dev/null
+++ b/changelogs/fragments/881-cloudfront-bug.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - cloudfront_distribution - Dont pass ``s3_origin_access_identity_enabled`` to API request (https://github.com/ansible-collections/community.aws/pull/881).
\ No newline at end of file
diff --git a/plugins/modules/cloudfront_distribution.py b/plugins/modules/cloudfront_distribution.py
index 80ac6dcec4b..946b93e2041 100644
--- a/plugins/modules/cloudfront_distribution.py
+++ b/plugins/modules/cloudfront_distribution.py
@@ -1686,9 +1686,6 @@ def validate_origins(self, client, config, origins, default_origin_domain_name,
             self.module.fail_json_aws(e, msg="Error validating distribution origins")
 
     def validate_s3_origin_configuration(self, client, existing_config, origin):
-        if not origin['s3_origin_access_identity_enabled']:
-            return None
-
         if origin.get('s3_origin_config', {}).get('origin_access_identity'):
             return origin['s3_origin_config']['origin_access_identity']
 
@@ -1719,13 +1716,20 @@ def validate_origin(self, client, existing_config, origin, default_origin_path):
             origin['custom_headers'] = ansible_list_to_cloudfront_list()
         if self.__s3_bucket_domain_identifier in origin.get('domain_name').lower():
             if origin.get("s3_origin_access_identity_enabled") is not None:
-                s3_origin_config = self.validate_s3_origin_configuration(client, existing_config, origin)
+                if origin['s3_origin_access_identity_enabled']:
+                    s3_origin_config = self.validate_s3_origin_configuration(client, existing_config, origin)
+                else:
+                    s3_origin_config = None
+
+                del(origin["s3_origin_access_identity_enabled"])
+
                 if s3_origin_config:
                     oai = s3_origin_config
                 else:
                     oai = ""
+
                 origin["s3_origin_config"] = dict(origin_access_identity=oai)
-                del(origin["s3_origin_access_identity_enabled"])
+
             if 'custom_origin_config' in origin:
                 self.module.fail_json(msg="s3_origin_access_identity_enabled and custom_origin_config are mutually exclusive")
         else:
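Review bot: With the early `return None` removed, validate_s3_origin_configuration no longer checks `s3_origin_access_identity_enabled` itself and silently depends on its caller having done so; nothing at the definition records that, and any other call site (I cannot see whether one exists) would now get an identity back where it previously got None. A one-line docstring under the `def` would pin the new contract, e.g. `"""Return the origin access identity for an S3 origin; the caller is expected to have checked s3_origin_access_identity_enabled first."""`. The method's body continues past the end of the hunk.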
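Review bot: When `s3_origin_access_identity_enabled` is false, the new `else: s3_origin_config = None` branch still falls through to `origin["s3_origin_config"] = dict(origin_access_identity=oai)` with `oai == ""`, so an `s3_origin_config.origin_access_identity` supplied alongside the flag is overwritten rather than rejected and the origin is sent with no OAI, which as I read CloudFront's origin model means the bucket must be reachable without one. If that combination is not meant to be supported, failing early the way the `custom_origin_config` conflict below already does would make the misconfiguration visible, e.g. in the else branch `if origin.get('s3_origin_config', {}).get('origin_access_identity'): self.module.fail_json(msg="s3_origin_config.origin_access_identity requires s3_origin_access_identity_enabled")`; if it is intended, a comment there noting that any supplied s3_origin_config is discarded would do. Two smaller style points on the added lines: `del(origin["s3_origin_access_identity_enabled"])` wraps a statement in parentheses so it reads as a call, the idiom is `del origin["s3_origin_access_identity_enabled"]`, and the four-line `if s3_origin_config: ... else: oai = ""` collapses to `oai = s3_origin_config or ""`. The enclosing validate_origin method starts and ends outside the hunk.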