@codyzhao2770 codyzhao2770 commented Aug 26, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

N/A

Description

IMPORTANT: This PR is part of a set of PRs for AWS Cloudfront SaaS Manager support. Please merge this PR before #44181, #44183, #44184, and #44185 as those features rely on these changes.

This PR introduces support for AWS Cloudfront's latest SaaS Manager feature and allows users to now deploy Multi-Tenant Distributions using the new connection_mode and tenant_config arguments.

  • connection_mode is used to determine whether the deployed Distribution is direct or multi-tenant, by setting its value to direct or tenant-only respectively. If unspecified, direct is used
  • tenant_config is a multi-tenant only argument that allows tenants of a distribution to inherit specific configurations

Schema Additions:

"connection_mode": {
	Type:             schema.TypeString,
	Optional:         true,
	Default:          awstypes.ConnectionModeDirect,
	ValidateDiagFunc: enum.Validate[awstypes.ConnectionMode](),
},
"tenant_config": {
	Type:     schema.TypeList,
	MaxItems: 1,
	Optional: true,
	Elem: &schema.Resource{
		Schema: map[string]*schema.Schema{
			"parameter_definitions": {
				Type:     schema.TypeList,
				Optional: true,
				Elem: &schema.Resource{
					Schema: map[string]*schema.Schema{
						"definition": {
							Type:     schema.TypeList,
							MaxItems: 1,
							Required: true,
							Elem: &schema.Resource{
								Schema: map[string]*schema.Schema{
									"string_schema": {
										Type:     schema.TypeList,
										MaxItems: 1,
										Optional: true,
										Elem: &schema.Resource{
											Schema: map[string]*schema.Schema{
												"comment": {
													Type:     schema.TypeString,
													Optional: true,
												},
												"default_value": {
													Type:     schema.TypeString,
													Optional: true,
												},
												"required": {
													Type:     schema.TypeBool,
													Required: true,
												},
											},
										},
									},
								},
							},
						},
					},
				},
			},
		},
	},
},

Configuration Validation

Multi-tenant Distributions do not support many regular Distribution configurations. These are is_ipv6_enabled, price_class, aliases, staging, continuous_deployment_policy_id, and cache behaviour related configurations for TTL, forwarded_values, smooth_streaming, and trusted_signers. In order to deploy a Multi-tenant Distribution, the AWS API expects these arguments to be completely absent from the plan (e.g. aliases: nil or aliases: [] will return a configuration error; aliases must not exist in the plan at all when it is passed to AWS). The current distribution implementation will populate the plan with these arguments even if the user did not specify them in their Terraform resource definition, meaning Multi-tenant Distribution deployment will fail regardless of whether the user configured their resource illegally.

To fix this, I've modified the expandDistributionConfig, expandCacheBehaviours, and expandDefaultCacheBehaviour to check what type of distribution is being created before generating the plan. If the user defines illegal arguments while creating a Multi-tenant Distribution, an error will be returned and creation will fail. If the user has not defined them, they won't be added to the plan even if Terraform assigns them default values. Refer to 4e025fb for full validation changes.

// example changes made in expandDistributionConfig
isMultiTenant := d.Get("connection_mode").(string) == string(awstypes.ConnectionModeTenantOnly)

if v, ok := d.GetOk("continuous_deployment_policy_id"); ok {
	if isMultiTenant {
		return nil, multiTenantConfigError("continuous_deployment_policy_id")
	}
	apiObject.ContinuousDeploymentPolicyId = aws.String(v.(string))
}

A small issue, however, is that for arguments that are defined with default values in the distribution schema (e.g. is_ipv6_enabled) or defined as Optional and not Computed (e.g. smooth_streaming), there is no way to distinguish whether the user did not set these arguments at all for the distribution so Terraform provided default values for them, or whether the user themselves set the arguments to default values (e.g. user sets is_ipv6_enabled = false vs user leaves is_ipv6_enabled blank and Terraform sets it to false). As a result, the user will not receive an error when setting default values for an illegal argument with such properties. This does not impact actual distribution resource deployment but only user visibility. Fixing this issue would require changes on the AWS API side to accept blank illegal arguments, or changes to how or when Terraform sets default values.

Testing

To ensure the aforementioned configuration checking changes did not cause any regressions or issues for regular Distribution deployments, I ran the existing acceptance tests to ensure they still passed and behaved as expected. I've also added 2 acceptance tests, TestAccCloudFrontDistribution_multiTenantWithConfig and TestAccCloudFrontDistribution_minimalMultiTenant, for multi-tenant deployments, and 9 TestAccCloudFrontDistribution_multiTenantValidation tests for illegal configuration validation.

Relations

Updates aws_cloudfront_distribution as requested by #42409

References

General SaaS information
SaaS unsupported features

Output from Acceptance Testing

% make testacc TESTS=TestAccCloudFrontDistribution PKG=cloudfront 
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.6 test ./internal/service/cloudfront/... -v -count 1 -parallel 20 -run='TestAccCloudFrontDistribution'  -timeout 360m -vet=off
2025/08/26 10:22:17 Creating Terraform AWS Provider (SDKv2-style)...
2025/08/26 10:22:17 Initializing Terraform AWS Provider (SDKv2-style)...        
--- PASS: TestAccCloudFrontDistribution_s3Origin (515.41s)
--- PASS: TestAccCloudFrontDistribution_Origin_connectionAttempts (507.09s)
--- PASS: TestAccCloudFrontDistribution_ViewerCertificateACMCertificateARN_conflictsWithCloudFrontDefaultCertificate (327.65s)
--- PASS: TestAccCloudFrontDistribution_noCustomErrorResponse (461.97s)
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehaviorResponseHeadersPolicy (494.69s)
--- PASS: TestAccCloudFrontDistribution_http11 (485.81s)
--- PASS: TestAccCloudFrontDistribution_disappears (269.51s)
--- PASS: TestAccCloudFrontDistribution_basic (270.86s)
--- PASS: TestAccCloudFrontDistribution_isIPV6Enabled (572.06s)
--- PASS: TestAccCloudFrontDistribution_waitForDeployment (580.28s)
--- PASS: TestAccCloudFrontDistribution_tags (303.26s)
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehavior (520.11s)
--- PASS: TestAccCloudFrontDistribution_minimalMultiTenant (492.77s)
--- PASS: TestAccCloudFrontDistribution_multiTenantWithConfig (499.31s)
--- PASS: TestAccCloudFrontDistribution_noOptionalItems (540.33s)
--- PASS: TestAccCloudFrontDistribution_orderedCacheBehaviorCachePolicy (531.73s)
--- PASS: TestAccCloudFrontDistribution_enabled (821.89s)
--- PASS: TestAccCloudFrontDistribution_forwardedValuesToCachePolicy (609.34s)
--- PASS: TestAccCloudFrontDistribution_vpcOriginConfig (1225.58s)
PASS
ok    github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront 1226.874s

% make testacc TESTS=TestAccCloudFrontDistribution_multiTenantValidation PKG=cloudfront                
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.6 test ./internal/service/cloudfront/... -v -count 1 -parallel 20 -run='TestAccCloudFrontDistribution_multiTenantValidation'  -timeout 360m -vet=off
2025/09/14 08:20:20 Creating Terraform AWS Provider (SDKv2-style)...
2025/09/14 08:20:20 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_aliases
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_aliases
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_continuousDeploymentPolicyId
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_continuousDeploymentPolicyId
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_isIpv6Enabled
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_isIpv6Enabled
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_priceClass
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_priceClass
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_staging
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_staging
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_forwardedValues
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_forwardedValues
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_trustedSigners
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_trustedSigners
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_smoothStreaming
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_smoothStreaming
=== RUN   TestAccCloudFrontDistribution_multiTenantValidation_ttlFields
=== PAUSE TestAccCloudFrontDistribution_multiTenantValidation_ttlFields
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_aliases
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_forwardedValues
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_smoothStreaming
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_isIpv6Enabled
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_priceClass
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_trustedSigners
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_staging
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_continuousDeploymentPolicyId
=== CONT  TestAccCloudFrontDistribution_multiTenantValidation_ttlFields
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_smoothStreaming (11.75s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_forwardedValues (12.06s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_ttlFields (12.08s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_trustedSigners (12.10s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_continuousDeploymentPolicyId (13.99s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_priceClass (14.39s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_staging (14.48s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_isIpv6Enabled (14.64s)
--- PASS: TestAccCloudFrontDistribution_multiTenantValidation_aliases (14.71s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront 14.882s
...
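To make the validation rule and the default-value ambiguity from the PR description concrete, here is an added, self-contained Go example. It is not the provider's code: it replaces `*schema.ResourceData` with a small `resourceData` map whose `getOk` reproduces the SDK's `GetOk` semantics (ok is false when the key is absent or holds its zero value), and it assumes a `multiTenantConfigError` helper shaped like the one the PR snippet calls. The list of unsupported arguments is the one given above; arguments whose schema default is a non-zero value (price_class) would need a compare-against-default in real code, which this model does not attempt.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed stand-ins for the awstypes.ConnectionMode enum values.
const (
	connectionModeDirect     = "direct"
	connectionModeTenantOnly = "tenant-only"
)

// Arguments the PR description lists as unsupported on multi-tenant distributions
// (cache-behaviour sub-arguments are omitted from this illustration).
var argsUnsupportedForMultiTenant = []string{
	"is_ipv6_enabled",
	"price_class",
	"aliases",
	"staging",
	"continuous_deployment_policy_id",
}

// resourceData models the config-plus-defaults view that schema.ResourceData
// exposes once Terraform has applied schema defaults. Assumed model, not the SDK.
type resourceData map[string]interface{}

// get mirrors d.Get: the stored value, or nil when the key is absent.
func (d resourceData) get(key string) interface{} { return d[key] }

// getOk mirrors d.GetOk: ok is false when the key is absent OR holds the zero
// value of its type (false, 0, "", nil or empty slice). This is why an explicit
// is_ipv6_enabled = false and an unset is_ipv6_enabled look identical here.
func (d resourceData) getOk(key string) (interface{}, bool) {
	v, present := d[key]
	if !present || v == nil {
		return v, false
	}
	rv := reflect.ValueOf(v)
	if rv.IsZero() {
		return v, false
	}
	if (rv.Kind() == reflect.Slice || rv.Kind() == reflect.Map) && rv.Len() == 0 {
		return v, false
	}
	return v, true
}

// multiTenantConfigError is the error helper the PR snippet calls (shape assumed).
func multiTenantConfigError(arg string) error {
	return fmt.Errorf("%s is not supported when connection_mode is %q", arg, connectionModeTenantOnly)
}

// validateMultiTenantArgs applies the PR's rule: for a tenant-only distribution
// any unsupported argument that GetOk reports as set is rejected; for a direct
// distribution nothing is checked. The first offending argument is returned.
func validateMultiTenantArgs(d resourceData) error {
	mode, _ := d.get("connection_mode").(string)
	if mode == "" {
		mode = connectionModeDirect // schema default
	}
	if mode != connectionModeTenantOnly {
		return nil
	}
	for _, arg := range argsUnsupportedForMultiTenant {
		if _, ok := d.getOk(arg); ok {
			return multiTenantConfigError(arg)
		}
	}
	return nil
}

func main() {
	// Explicitly set unsupported argument on a tenant-only distribution: rejected.
	bad := resourceData{"connection_mode": connectionModeTenantOnly, "aliases": []string{"example.com"}}
	fmt.Println("aliases set:", validateMultiTenantArgs(bad))

	// Explicit is_ipv6_enabled = false is indistinguishable from the Terraform
	// default, so no error surfaces (the visibility gap described in the PR).
	ambiguous := resourceData{"connection_mode": connectionModeTenantOnly, "is_ipv6_enabled": false}
	fmt.Println("is_ipv6_enabled = false:", validateMultiTenantArgs(ambiguous))

	// Direct distribution (connection_mode unset): unsupported args are allowed.
	direct := resourceData{"aliases": []string{"example.com"}}
	fmt.Println("direct:", validateMultiTenantArgs(direct))
}
```

Running the block shows the three outcomes the description predicts: a populated `aliases` on a tenant-only distribution errors, an explicit `false` for `is_ipv6_enabled` silently passes because `GetOk` cannot tell it from the default, and a direct distribution is never checked.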

@codyzhao2770 codyzhao2770 requested a review from a team as a code owner August 26, 2025 11:01

github-actions bot commented Aug 26, 2025

✅ Thank you for correcting the previously detected issues! The maintainers appreciate your efforts to make the review process as smooth as possible.


Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/cloudfront Issues and PRs that pertain to the cloudfront service. provider Pertains to the provider itself, rather than any interaction with AWS. size/XL Managed by automation to categorize the size of a PR. labels Aug 26, 2025
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 26, 2025
@codyzhao2770 codyzhao2770 changed the title [Enhancement] [WIP] r/aws_cloudfront_distribution: Added SaaS Manager configuration support for distributions [Enhancement] r/aws_cloudfront_distribution: Added SaaS Manager configuration support for distributions Aug 27, 2025
@ewbankkit ewbankkit added the partner Contribution from a partner. label Aug 27, 2025

codyzhao2770 commented Sep 5, 2025

@ewbankkit @justinretzolk Hi, I'm currently working on another new resource that is part of Cloudfront's SaaS manager, but acceptance testing it requires the changes in this PR. My team suggested I write tests for the new resource using pre-deployed resources on my own AWS account so I can meet the deadline to publish the PR for that, but I understand it's bad practice. Will this get merged soon? Or I was thinking I could write the tests normally and make it clear in my PR that this PR should be merged first.
