Support the use of CloudFront Trusted Key Group as a signer

[briananstett]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS CloudFront now supports the ability to create public keys and a Trust Key Group which can be used as a signer for CloudFront signed URLs and cookies. Historically you had to use a key pair that was created by the root account user.

The current AWS terraform provider appears to support the creation of a CloudFront Public Key but does not appear to have support for creating the Trusted Key Group nor support for using that Trusted Key Group in the distribution.

New or Affected Resource(s)

• A new resource for a Trusted Key Group may need to be created.
• The existing aws_cloudfront_distribution resource may need to be updated to support the use of a Trust Key Group as a signer.

References

• https://aws.amazon.com/about-aws/whats-new/2020/10/cloudfront-iam-signed-url/
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html

[schollii]

Seems this would need a new resource type aws_cloudfront_key_group that refers to a aws_cloudfront_public_key (that type of resource already exists), and a new field in aws_cloudfront_distribution to refer to the key group. Been using tf for 3 years but never created a new resource type so I have no idea how hard this is, is this something I could take on?

[shuheiktgw]

I've started working on this issue 👍

[shuheiktgw]

As a first step, I've added aws_cloudfront_key_group resource, so please upvote the PR for a faster review 🙏

• resource/aws_cloudfront_key_group - new resource #17041

Once the PR is merged, I'm going to modify aws_cloudfront_distribution to support the key group.

[shuheiktgw]

I've started working on adding trusted_key_groups argument since the previous PR has been merged

[shuheiktgw]

It's now ready for review!
#18644

[takayamaki]

I used this resource in work. Thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!