cloudfront_distribution: s3_origin_access_identity_enabled

[nick-zh]

Summary

Doc states that s3_origin_access_identity_enabled is a bool
A bool results for me in the following error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Unknown parameter in DistributionConfig.Origins.Items[0]: "S3OriginAccessIdentityEnabled", must be one of: Id, DomainName, OriginPath, CustomHeaders, S3OriginConfig, CustomOriginConfig, ConnectionAttempts, ConnectionTimeout, OriginShield
fatal: [localhost]: FAILED! => {"boto3_version": "1.18.47", "botocore_version": "1.21.47", "changed": false, "msg": "Error creating distribution: Parameter validation failed:\nUnknown parameter in DistributionConfig.Origins.Items[0]: \"S3OriginAccessIdentityEnabled\", must be one of: Id, DomainName, OriginPath, CustomHeaders, S3OriginConfig, CustomOriginConfig, ConnectionAttempts, ConnectionTimeout, OriginShield"}

I also tried creating an oai with community.aws.cloudfront_origin_access_identity and adding an id, same result.

Issue Type

Bug Report

Component Name

cloudfront_distribution

Ansible Version

$ ansible --version
ansible 2.10.8
  config file = <myProjectPath>/ansible.cfg
  configured module search path = ['<myHome>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.7 (default, Sep 24 2021, 09:43:00) [GCC 10.3.0]

Collection Versions

$ ansible-galaxy collection list
Collection    Version
------------- -------
amazon.aws    1.5.0  
community.aws 1.5.0  

# /usr/lib/python3/dist-packages/ansible_collections
Collection                Version
------------------------- -------
amazon.aws                1.4.0  
ansible.netcommon         1.5.0  
ansible.posix             1.1.1  
ansible.windows           1.4.0  
arista.eos                1.3.0  
awx.awx                   14.1.0 
azure.azcollection        1.4.0  
check_point.mgmt          1.0.6  
chocolatey.chocolatey     1.0.2  
cisco.aci                 1.1.1  
cisco.asa                 1.0.4  
cisco.intersight          1.0.10 
cisco.ios                 1.3.0  
cisco.iosxr               1.2.1  
cisco.meraki              2.2.0  
cisco.mso                 1.1.0  
cisco.nso                 1.0.3  
cisco.nxos                1.4.0  
cisco.ucs                 1.6.0  
cloudscale_ch.cloud       1.3.1  
community.aws             1.3.0  
community.azure           1.0.0  
community.crypto          1.4.0  
community.digitalocean    1.0.0  
community.docker          1.2.2  
community.fortios         1.0.0  
community.general         1.3.6  
community.google          1.0.0  
community.grafana         1.1.0  
community.hashi_vault     1.1.0  
community.hrobot          1.1.0  
community.kubernetes      1.1.1  
community.kubevirt        1.0.0  
community.libvirt         1.0.0  
community.mongodb         1.2.0  
community.mysql           1.2.0  
community.network         1.3.2  
community.okd             1.0.0  
community.postgresql      1.1.1  
community.proxysql        1.0.0  
community.rabbitmq        1.0.1  
community.routeros        1.1.0  
community.skydive         1.0.0  
community.vmware          1.7.0  
community.windows         1.3.0  
community.zabbix          1.2.0  
containers.podman         1.4.1  
cyberark.conjur           1.1.0  
cyberark.pas              1.0.5  
dellemc.os10              1.0.2  
dellemc.os6               1.0.6  
dellemc.os9               1.0.3  
f5networks.f5_modules     1.7.1  
fortinet.fortimanager     1.0.5  
fortinet.fortios          1.1.8  
frr.frr                   1.0.3  
gluster.gluster           1.0.1  
google.cloud              1.0.2  
hetzner.hcloud            1.2.1  
ibm.qradar                1.0.3  
infinidat.infinibox       1.2.4  
junipernetworks.junos     1.3.0  
mellanox.onyx             1.0.0  
netapp.aws                20.9.0 
netapp.elementsw          20.11.0
netapp.ontap              20.12.0
netapp_eseries.santricity 1.1.0  
netbox.netbox             1.2.1  
ngine_io.cloudstack       1.2.0  
ngine_io.exoscale         1.0.0  
ngine_io.vultr            1.1.0  
openstack.cloud           1.2.1  
openvswitch.openvswitch   1.1.0  
ovirt.ovirt               1.3.0  
purestorage.flasharray    1.6.2  
purestorage.flashblade    1.4.0  
servicenow.servicenow     1.0.4  
splunk.es                 1.0.2  
theforeman.foreman        1.5.1  
vyos.vyos                 1.1.1  
wti.remote                1.0.1  

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.18.47
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: <myHome>/.local/lib/python3.9/site-packages
Requires: botocore, s3transfer, jmespath
Required-by: 
---
Name: botocore
Version: 1.21.47
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: <myHome>/.local/lib/python3.9/site-packages
Requires: urllib3, jmespath, python-dateutil
Required-by: s3transfer, boto3

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Steps to Reproduce

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    origins:
      - id: 'my test origin-000111'
        domain_name: example.com
        s3_origin_access_identity_enabled: true

Expected Results

A created cloudfront disribution

Actual Results

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• [plugins/modules/cloudfront_distribution.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/cloudfront_distribution.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @jillr @markuman @s-hertel @tremble @wilvk @wimnat
click here for bot help

[marknet15]

@nick-zh I may be wrong but I think based on what I can tell s3_origin_access_identity_enabled is intended for use in the module logic only as a flag:

Use an origin access identity to configure the origin so that viewers can only access objects in an Amazon S3 bucket > through CloudFront.
Will automatically create an Identity for you if no s3_origin_config is specified.

If you use that option then I think you also need to set:
https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-origins/s3_origin_config

Without setting it, then it looks like that flag is passed in the API request to AWS, which is then causing that error. So I think it's partially a case of missing config in your task and partially a bug.

[nick-zh]

@marknet15 many thanks for looking into it. I guess this was an oversight no my part 👍
with the next case i have i'll check if that works, but i am pretty sure it will 😄

[nick-zh]

@marknet15 took me a while to setup a new project using this, so it seems i might be reading the doc wrong again, i tried the following:

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    comment: example.com
    aliases:
      - example.com
    origins:
      - id: 'S3-example.com'
        domain_name: example.com.s3.eu-west-1.amazonaws.com
        origin_path: /index.html
        s3_origin_access_identity_enabled: true
        s3_origin_config:
          origin_access_identity: origin-access-identity/cloudfront/<myOAI-id>

but i get:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Unknown parameter in DistributionConfig.Origins.Items[0]: "S3OriginAccessIdentityEnabled", must be one of: Id, DomainName, OriginPath, CustomHeaders, S3OriginConfig, CustomOriginConfig, ConnectionAttempts, ConnectionTimeout, OriginShield
fatal: [localhost]: FAILED! => {"boto3_version": "1.18.47", "botocore_version": "1.21.47", "changed": false, "msg": "Error creating distribution: Parameter validation failed:\nUnknown parameter in DistributionConfig.Origins.Items[0]: \"S3OriginAccessIdentityEnabled\", must be one of: Id, DomainName, OriginPath, CustomHeaders, S3OriginConfig, CustomOriginConfig, ConnectionAttempts, ConnectionTimeout, OriginShield"}

Thanks in advance for helping me figure this out 🙏