Terminator policies for CloudFront modules

aws/policy/paas.yaml

@@ -24,6 +24,14 @@ Statement:
   - Sid: AllowResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow
     Action:
+      - cloudfront:CreateDistribution
+      - cloudfront:CreateDistributionWithTags
+      - cloudfront:DeleteDistribution
+      - cloudfront:UpdateDistribution
+      - cloudfront:TagResource
+      - cloudfront:UntagResource
+      - cloudfront:ListTagsForResource
+      - cloudfront:DeleteStreamingDistribution
       - ecr:DeleteLifecyclePolicy
       - ecr:DeleteRepository
       - ecr:DeleteRepositoryPolicy
@@ -86,6 +94,7 @@ Statement:
       - lightsail:StopInstance
       - lightsail:ReleaseStaticIp
     Resource:
+      - 'arn:aws:cloudfront::{{ aws_account_id }}:distribution/*'
       - 'arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/*'
       - 'arn:aws:eks:{{ aws_region }}:{{ aws_account_id }}:cluster/*'
       - 'arn:aws:eks:{{ aws_region }}:{{ aws_account_id }}:fargateprofile/*/*/*'
@@ -115,6 +124,21 @@ Statement:
       - lambda:ListFunctions
       - lambda:ListLayers
       - lambda:ListVersionsByFunction
+      - cloudfront:GetDistribution
+      - cloudfront:GetDistributionConfig
+      - cloudfront:GetStreamingDistribution
+      - cloudfront:GetStreamingDistributionConfig
+      - cloudfront:ListCloudFrontOriginAccessIdentities
+      - cloudfront:ListDistributions
+      - cloudfront:ListDistributionsByWebACLId
+      - cloudfront:ListStreamingDistributions
+      - cloudfront:CreateCloudFrontOriginAccessIdentity
+      - cloudfront:DeleteCloudFrontOriginAccessIdentity
+      - cloudfront:GetCloudFrontOriginAccessIdentity
+      - cloudfront:GetCloudFrontOriginAccessIdentityConfig
+      - cloudfront:UpdateCloudFrontOriginAccessIdentity
+      - cloudfront:GetInvalidation
+      - cloudfront:CreateInvalidation
     Resource:
       - "*"
 

aws/terminator/application_services.py

@@ -367,3 +367,41 @@ def name(self):
 
     def terminate(self):
         self.client.delete_document(Name=self.name)
+
+
+class CloudFrontDistribution(Terminator):
+    @staticmethod
+    def create(credentials):
+        def paginate_distributions(client):
+            return client.get_paginator('list_distributions').paginate().build_full_result()['DistributionList']['Items']
+        return Terminator._create(credentials, CloudFrontDistribution, 'cloudfront', paginate_distributions)
+
+    @property
+    def created_time(self):
+        return self.instance['LastModifiedTime']
+
+    @property
+    def name(self):
+        return self.instance['DomainName']
+
+    def terminate(self):
+        self.client.delete_distribution(Id=self.instance['Id'])
+
+
+class CloudFrontStreamingDistribution(Terminator):
+    @staticmethod
+    def create(credentials):
+        def paginate_streaming_distributions(client):
+            return client.get_paginator('list_streaming_distributions').paginate().build_full_result()['StreamingDistributionList']['Items']
+        return Terminator._create(credentials, CloudFrontStreamingDistribution, 'cloudfront', paginate_streaming_distributions)
+
+    @property
+    def created_time(self):
+        return self.instance['LastModifiedTime']
+
+    @property
+    def name(self):
+        return self.instance['DomainName']
+
+    def terminate(self):
+        self.client.delete_streaming_distribution(Id=self.instance['Id'])