KeyGroup

The KeyGroup resource allows you to manage AWS CloudFront KeyGroups that specify a set of public keys used for signed URLs and signed cookies.

Minimal Example

Create a basic KeyGroup with required properties and an optional adoption setting.

import AWS from "alchemy/aws/control";

const keyGroup = await AWS.CloudFront.KeyGroup("myKeyGroup", {
  KeyGroupConfig: {
    Name: "MyKeyGroup",
    Items: [
      "arn:aws:iam::123456789012:server-certificate/my-public-key"
    ],
    Comment: "This key group contains my public keys."
  },
  adopt: false // Set to true to adopt existing resources
});

Advanced Configuration

Configure a KeyGroup with additional options such as a comment for better clarity.

const advancedKeyGroup = await AWS.CloudFront.KeyGroup("advancedKeyGroup", {
  KeyGroupConfig: {
    Name: "AdvancedKeyGroup",
    Items: [
      "arn:aws:iam::123456789012:server-certificate/my-public-key-1",
      "arn:aws:iam::123456789012:server-certificate/my-public-key-2"
    ],
    Comment: "KeyGroup for advanced features and multiple keys."
  },
  adopt: true // Adopt existing key group if it already exists
});

Use Case: Rotating Keys

Demonstrate how to create a KeyGroup that can be updated to rotate keys.

const keyGroupForRotation = await AWS.CloudFront.KeyGroup("keyGroupForRotation", {
  KeyGroupConfig: {
    Name: "KeyGroupForRotation",
    Items: [
      "arn:aws:iam::123456789012:server-certificate/my-old-public-key"
    ],
    Comment: "KeyGroup for rotating keys. Update this as keys change."
  }
});

// Later, update the KeyGroup to include a new key
await AWS.CloudFront.KeyGroup("keyGroupForRotation", {
  KeyGroupConfig: {
    Name: "KeyGroupForRotation",
    Items: [
      "arn:aws:iam::123456789012:server-certificate/my-old-public-key",
      "arn:aws:iam::123456789012:server-certificate/my-new-public-key"
    ],
    Comment: "Updated KeyGroup with a new public key."
  }
});