
CloudFront: no direct way to detach/attach a continuous deployment policy on a primary distribution #10446

Description

@davidhfrost

Describe the feature

There's no concise way to detach a continuous deployment policy from a primary distribution, or to reattach one, while keeping the policy and staging distribution intact. To clear the association you have to pull the full distribution config, remove the ContinuousDeploymentPolicyId from it, and push the entire config back with update-distribution. Reattaching means doing the same round-trip in reverse with the policy ID added back. There's no command or flag that expresses "detach the continuous deployment policy from this distribution" or "attach this policy to it" directly.

Use Case

Making changes to the primary distribution that CloudFront rejects while a continuous deployment policy is attached. Two such updates are the viewer certificate and the minimum TLS protocol version. Both are rejected until the policy is detached.

Rotating a cert or raising the minimum TLS version are security operations that require caution. Making these changes on a distribution that has continuous deployment requires detaching the policy first, making the change, then reattaching. With the current flow that means two full config round-trips plus preserving the policy ID out of band, all in the middle of a security change. Every user has to reinvent the wheel with their own scripts. There is also no way to do this detachment in the AWS console without deleting the staging distribution entirely.

Proposed Solution

A symmetric pair of convenience commands, each wrapping
the get-distribution-config/update round-trip internally:

  • detach-continuous-deployment-policy --distribution-id
    Clears the association on the primary distribution.
  • attach-continuous-deployment-policy --distribution-id
    --continuous-deployment-policy-id
    Sets the association.

UpdateDefaultRootObject in awscli/customizations/cloudfront.py is a close
precedent for the implementation: a CLI-side convenience that wraps the same
get-config-then-update pattern to change a single field. These commands would
follow that shape.

The CLI is mostly generated from the service model and there's no matching
attach/detach API operation, so these would be customizations rather than
generated commands. Noting that since it affects where they'd live.

Other Information

Current workaround (detach, then reattach):

  1. Get the primary distribution config and save TWO things: the ETag, and the current ContinuousDeploymentPolicyId value. The policy ID has to be stashed out of band — once it's removed from the config in the next step, nothing in the distribution references it anymore.

    aws cloudfront get-distribution-config --id <primary_id>

    Note: this returns a wrapper with both ETag and DistributionConfig. The update call below wants only the inner DistributionConfig object, so the file has to contain just that, not the whole response.

  2. Remove the ContinuousDeploymentPolicyId field from the config and push it back to detach:

    aws cloudfront update-distribution --id <primary_id> --if-match <etag> --distribution-config file://config.json

  3. Make the change that required detachment (e.g. cert rotation or raising the minimum TLS version).

  4. Reattach: get the config again to obtain the new ETag (the prior updates changed it), add the saved ContinuousDeploymentPolicyId back into the config, and push another update:

    aws cloudfront get-distribution-config --id <primary_id>
    aws cloudfront update-distribution --id <primary_id> --if-match <new_etag> --distribution-config file://config.json
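The same workaround as code, added here as an example and not part of aws-cli: detach and attach helpers in the shape of the proposed commands, built on the boto3 call shapes get_distribution_config / update_distribution. FakeCloudFront is a constructed stand-in (it enforces the If-Match ETag check) so the block runs offline; the distribution and policy IDs are constructed too. Replace the fake with boto3.client("cloudfront") for real use.

```python
import copy

POLICY_KEY = "ContinuousDeploymentPolicyId"


class FakeCloudFront:
    """Constructed stand-in for boto3.client("cloudfront"): holds one distribution
    config and enforces the If-Match ETag precondition like the real service."""

    def __init__(self, config):
        self._config, self._n = copy.deepcopy(config), 1

    def get_distribution_config(self, Id):
        # Returns the wrapper (ETag + DistributionConfig), as the real API does.
        return {"ETag": f"E{self._n}", "DistributionConfig": copy.deepcopy(self._config)}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        if IfMatch != f"E{self._n}":
            raise RuntimeError("PreconditionFailed: stale ETag")  # boto3 raises ClientError
        self._config, self._n = copy.deepcopy(DistributionConfig), self._n + 1
        return {"ETag": f"E{self._n}"}


def detach_continuous_deployment_policy(cf, distribution_id):
    """Clear the association. Returns the policy id that was attached (None if none)
    so the caller can stash it: afterwards nothing in the distribution references it."""
    resp = cf.get_distribution_config(Id=distribution_id)
    config = resp["DistributionConfig"]  # update wants the inner object only
    policy_id = config.pop(POLICY_KEY, None)
    cf.update_distribution(Id=distribution_id, IfMatch=resp["ETag"], DistributionConfig=config)
    return policy_id


def attach_continuous_deployment_policy(cf, distribution_id, policy_id):
    """Re-read the config for a fresh ETag (intervening updates changed it),
    put the policy id back and push. Returns the new ETag."""
    resp = cf.get_distribution_config(Id=distribution_id)
    config = resp["DistributionConfig"]
    config[POLICY_KEY] = policy_id
    return cf.update_distribution(Id=distribution_id, IfMatch=resp["ETag"],
                                  DistributionConfig=config)["ETag"]


def change_viewer_certificate(cf, distribution_id, viewer_certificate):
    """Full workaround: detach, apply the change CloudFront rejects while attached, reattach."""
    policy_id = detach_continuous_deployment_policy(cf, distribution_id)
    resp = cf.get_distribution_config(Id=distribution_id)
    config = resp["DistributionConfig"]
    config["ViewerCertificate"] = viewer_certificate
    cf.update_distribution(Id=distribution_id, IfMatch=resp["ETag"], DistributionConfig=config)
    if policy_id is not None:
        attach_continuous_deployment_policy(cf, distribution_id, policy_id)
    return policy_id
```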

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

2.35.11

Environment details (OS name and version, etc.)

macOS Sequoia 15.7.7
