Describe the feature
There's no concise way to detach a continuous deployment policy from a primary distribution, or to reattach one, while keeping the policy and staging distribution intact. To clear the association you have to pull the full distribution config, remove the ContinuousDeploymentPolicyId from it, and push the entire config back with update-distribution. Reattaching means doing the same round-trip in reverse with the policy ID added back. There's no command or flag that expresses "detach the continuous deployment policy from this distribution" or "attach this policy to it" directly.
Use Case
Making changes to the primary distribution that CloudFront rejects while a continuous deployment policy is attached. Two such updates are the viewer certificate and the minimum TLS protocol version. Both are rejected until the policy is detached.
Rotating a cert or raising the minimum TLS version are security operations that require caution. Making these changes on a distribution that has continuous deployment requires detaching the policy first, making the change, then reattaching. With the current flow that means two full config round-trips plus preserving the policy ID out of band, all in the middle of a security change. This forces every user to reinvent the wheel with their own scripts. There is also no way to do this detachment in the AWS console without deleting the staging distribution entirely.
Proposed Solution
A symmetric pair of convenience commands, each wrapping the get-distribution-config/update round-trip internally:
- detach-continuous-deployment-policy --distribution-id <primary_id>
  Clears the association on the primary distribution.
- attach-continuous-deployment-policy --distribution-id <primary_id> --continuous-deployment-policy-id <policy_id>
  Sets the association.
UpdateDefaultRootObject in awscli/customizations/cloudfront.py is a close precedent for the implementation: a CLI-side convenience that wraps the same get-config-then-update pattern to change a single field. These commands would follow that shape.

The CLI is mostly generated from the service model and there's no matching attach/detach API operation, so these would be customizations rather than generated commands. Noting that since it affects where they'd live.
Other Information
Current workaround (detach, then reattach):
- Get the primary distribution config and save TWO things: the ETag, and the current ContinuousDeploymentPolicyId value. The policy ID has to be stashed out of band — once it's removed from the config in the next step, nothing in the distribution references it anymore.
  aws cloudfront get-distribution-config --id <primary_id>
  Note: this returns a wrapper with both ETag and DistributionConfig. The update call below wants only the inner DistributionConfig object, so the file has to contain just that, not the whole response.
- Remove the ContinuousDeploymentPolicyId field from the config and push it back to detach (the --if-match value is the ETag saved in the previous step):
  aws cloudfront update-distribution --id <primary_id> --if-match <etag> --distribution-config file://config.json
- Make the change that required detachment (e.g. cert rotation or raising the minimum TLS version).
- Reattach: get the config again to obtain the new ETag (the prior updates changed it), add the saved ContinuousDeploymentPolicyId back into the config, and push another update:
  aws cloudfront get-distribution-config --id <primary_id>
  aws cloudfront update-distribution --id <primary_id> --if-match <new_etag> --distribution-config file://config.json
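The get-config-then-update shape from the Proposed Solution and the four-step workaround above, written out as an added example (not awscli's own code, and not the customization being requested). The transformation functions operate on the wrapper that get-distribution-config returns; the detach/attach drivers take any object with boto3's get_distribution_config and update_distribution methods. A constructed in-memory FakeCloudFront stands in for the service so the flow runs offline; it models the two behaviours the workaround has to cope with, namely that every update rotates the ETag (a stale IfMatch is rejected) and that a ViewerCertificate change is rejected while a policy is attached. All ids, ARNs and the sample config are placeholders.

```python
"""Detach / change / reattach a CloudFront continuous deployment policy.
Example code; the FakeCloudFront client and all ids are constructed."""
import copy

POLICY_KEY = "ContinuousDeploymentPolicyId"


def split_get_response(response):
    """get-distribution-config returns a wrapper {ETag, DistributionConfig}.
    Keep the ETag aside and hand back only the inner config, which is
    what update-distribution expects as its --distribution-config."""
    return response["ETag"], copy.deepcopy(response["DistributionConfig"])


def detach_policy(config):
    """Return (config without the policy field, saved policy id).
    The caller must stash the id: once removed, nothing references it."""
    if POLICY_KEY not in config:
        raise ValueError("no continuous deployment policy attached")
    detached = copy.deepcopy(config)
    return detached, detached.pop(POLICY_KEY)


def attach_policy(config, policy_id):
    """Return a copy of config with the association set again."""
    attached = copy.deepcopy(config)
    attached[POLICY_KEY] = policy_id
    return attached


def detach(client, distribution_id):
    """One get/update round-trip; returns the policy id to reattach later."""
    etag, config = split_get_response(client.get_distribution_config(Id=distribution_id))
    detached, policy_id = detach_policy(config)
    client.update_distribution(Id=distribution_id, IfMatch=etag, DistributionConfig=detached)
    return policy_id


def attach(client, distribution_id, policy_id):
    """Fresh get first: every update rotated the ETag, so the one seen
    during detach is stale by now."""
    etag, config = split_get_response(client.get_distribution_config(Id=distribution_id))
    client.update_distribution(Id=distribution_id, IfMatch=etag,
                               DistributionConfig=attach_policy(config, policy_id))


def rotate_certificate(client, distribution_id, new_cert_arn):
    """Full workaround: detach, make the protected change, reattach."""
    policy_id = detach(client, distribution_id)
    etag, config = split_get_response(client.get_distribution_config(Id=distribution_id))
    config["ViewerCertificate"] = {"ACMCertificateArn": new_cert_arn,
                                   "MinimumProtocolVersion": "TLSv1.2_2021",
                                   "SSLSupportMethod": "sni-only"}
    client.update_distribution(Id=distribution_id, IfMatch=etag, DistributionConfig=config)
    attach(client, distribution_id, policy_id)
    return client.get_distribution_config(Id=distribution_id)["DistributionConfig"]


class FakeCloudFront:
    """Constructed stand-in for a boto3 CloudFront client (assumption: only
    the two methods used above, with boto3's keyword argument names)."""

    def __init__(self, distribution_id, config):
        self._id = distribution_id
        self._config = copy.deepcopy(config)
        self._version = 1  # bumped on every successful update

    def _etag(self):
        return "E%d" % self._version

    def get_distribution_config(self, Id):
        assert Id == self._id
        return {"ETag": self._etag(), "DistributionConfig": copy.deepcopy(self._config)}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        assert Id == self._id
        if IfMatch != self._etag():
            raise RuntimeError("PreconditionFailed: stale ETag %s" % IfMatch)
        # Models the rejection described in the issue: cert changes are
        # refused while a continuous deployment policy is attached.
        if (POLICY_KEY in DistributionConfig
                and DistributionConfig["ViewerCertificate"] != self._config["ViewerCertificate"]):
            raise RuntimeError("ViewerCertificate change rejected while policy attached")
        self._config = copy.deepcopy(DistributionConfig)
        self._version += 1
        return {"ETag": self._etag()}


# Constructed sample config with placeholder ids (not real resources).
SAMPLE_CONFIG = {
    "CallerReference": "example",
    "Enabled": True,
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/old",
                          "MinimumProtocolVersion": "TLSv1.2_2019",
                          "SSLSupportMethod": "sni-only"},
    POLICY_KEY: "CDP-EXAMPLE",
}

if __name__ == "__main__":
    cf = FakeCloudFront("EDIST-EXAMPLE", SAMPLE_CONFIG)
    final = rotate_certificate(cf, "EDIST-EXAMPLE",
                               "arn:aws:acm:us-east-1:123456789012:certificate/new")
    print(final[POLICY_KEY], final["ViewerCertificate"]["ACMCertificateArn"])
```

Splitting the pure transformations (detach_policy, attach_policy) from the drivers is what makes the pair easy to test and easy to fit into the customization shape the issue points at: a real command would only need to swap FakeCloudFront for the CLI's CloudFront client.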
Acknowledgements
CLI version used
2.35.11
Environment details (OS name and version, etc.)
macOS Sequoia 15.7.7