Add origin shield in cloudfront_distribution module

changelogs/fragments/1557-cloudfront-add-origin-shield.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - cloudfront_distribution - add `origin_shield` options (https://github.com/ansible-collections/community.aws/pull/1557).

plugins/modules/cloudfront_distribution.py

@@ -118,6 +118,17 @@
         origin_path:
           description: Tells CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin.
           type: str
+        origin_shield:
+          description: Specify origin shield options for the origin.
+          type: dict
+          suboptions:
+            enabled:
+              description: Indicate whether you want the origin to have Origin Shield enabled or not.
+              type: bool
+            origin_shield_region:
+              description: Specify which AWS region will be used for Origin Shield. Required if Origin Shield is enabled.
+              type: str
+          version_added: 5.1.0
         custom_headers:
           description:
             - Custom headers you wish to add to the request before passing it to the origin.
@@ -1296,6 +1307,22 @@
           returned: always
           type: int
           sample: 10
+        origin_shield:
+          description: Configuration of the origin Origin Shield.
+          returned: always
+          type: complex
+          contains:
+            enabled:
+              description: Whether Origin Shield is enabled or not.
+              returned: always
+              type: bool
+              sample: false
+            origin_shield_region:
+              description: Which region is used by Origin Shield.
+              returned: when enabled is true
+              type: str
+              sample: us-east-1
+          version_added: 5.1.0
         s3_origin_config:
           description: Origin access identity configuration for S3 Origin.
           returned: when s3_origin_access_identity_enabled is true
@@ -1730,6 +1757,15 @@ def validate_origin(self, client, existing_config, origin, default_origin_path):
                 origin['custom_headers'] = ansible_list_to_cloudfront_list(origin.get('custom_headers'))
             else:
                 origin['custom_headers'] = ansible_list_to_cloudfront_list()
+            if 'origin_shield' in origin:
+                origin_shield = origin.get('origin_shield')
+                if origin_shield.get('enabled'):
+                    origin_shield_region = origin_shield.get('origin_shield_region')
+                    if origin_shield_region is None:
+                        self.module.fail_json(msg="origins[].origin_shield.origin_shield_region must be specified"
+                                                  " when origins[].origin_shield.enabled is true.")
+                    else:
+                        origin_shield_region = origin_shield_region.lower()
             if self.__s3_bucket_domain_identifier in origin.get('domain_name').lower():
                 if origin.get("s3_origin_access_identity_enabled") is not None:
                     if origin['s3_origin_access_identity_enabled']:

tests/integration/targets/cloudfront_distribution/tasks/main.yml

@@ -126,6 +126,64 @@
       that:
         - update_origin_http_port.changed
 
+  - name: enable origin Origin Shield
+    cloudfront_distribution:
+      distribution_id: "{{ distribution_id }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+        origin_shield:
+          enabled: true
+          origin_shield_region: '{{ aws_region }}'
+      state: present
+    register: update_origin_origin_shield
+
+  - name: ensure origin Origin Shield was enabled
+    assert:
+      that:
+        - update_origin_origin_shield.changed
+        - update_origin_origin_shield.origins.items[0].origin_shield.enabled
+        - update_origin_origin_shield.origins.items[0].origin_shield.origin_shield_region == '{{ aws_region }}'
+
+  - name: enable origin Origin Shield again to test idempotency
+    cloudfront_distribution:
+      distribution_id: "{{ distribution_id }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+        origin_shield:
+          enabled: true
+          origin_shield_region: '{{ aws_region }}'
+      state: present
+    register: update_origin_origin_shield_idempotency
+
+  - name: test idempotency for Origin Shield
+    assert:
+      that:
+        - not update_origin_origin_shield_idempotency.changed
+        - update_origin_origin_shield_idempotency.origins.items[0].origin_shield.enabled
+        - update_origin_origin_shield_idempotency.origins.items[0].origin_shield.origin_shield_region == '{{ aws_region }}'
+
+  - name: disable origin Origin Shield
+    cloudfront_distribution:
+      distribution_id: "{{ distribution_id }}"
+      origins:
+      - domain_name: "{{ cloudfront_hostname }}-origin.example.com"
+        custom_origin_config:
+          http_port: 8080
+        origin_shield:
+          enabled: false
+      state: present
+    register: update_origin_origin_shield_disable
+
+  - name: ensure origin Origin Shield was disabled
+    assert:
+      that:
+        - update_origin_origin_shield_disable.changed
+        - not update_origin_origin_shield_disable.origins.items[0].origin_shield.enabled
+
   - name: update restrictions
     cloudfront_distribution:
       distribution_id: "{{ distribution_id }}"