Set up push invalidation for AWS CloudFront

Push invalidation automatically purges content on the customer's production CDN (e.g. www.yourdomain.com) whenever an author publishes content changes.

Content is purged by URL and by cache tag/key.

Push invalidation is enabled by adding specific properties to the project's configuration (an Excel workbook named .helix/config.xlsx in SharePoint or a Google Sheet named .helix/config in Google Drive).

NB: CloudFront does NOT support purging by cache tag/key. Purge by cache tag/key always triggers a purge all.

Configuration properties:

| key | value | comment |
| --- | --- | --- |
| cdn.prod.host | <Production Host> | Host name of production site, e.g. www.yourdomain.com |
| cdn.prod.type | cloudfront | |
| cdn.prod.distributionId | <Cloudfront Distribution ID> | |
| cdn.prod.accessKeyId | <AWS Access key ID> | AWS credentials |
| cdn.prod.secretAccessKey | <AWS Secret access key> | AWS credentials |

To create the AWS credentials:

In the AWS Console, open the IAM dashboard:

Select Policies -> Create policy:

Select “CloudFront” as Service, “CreateInvalidation” as Action, then click on “Add ARN”:

Enter your Distribution ID and click on “Add”:

Proceed to “Next: Tags” and then “Next: Review”.

Enter a name for the new policy, e.g. “Invalidate<Your Distribution Id>”, and click on “Create policy”:

In the IAM dashboard, select Users -> Add users:

Enter a user name (e.g. “Invalidator”) and click on Next:

On the “Set permissions” pane, select “Attach policies directly” and select the newly created policy (“Invalidate<Your Distribution Id>” in our example):

Proceed to the next step, click on “Create user” and then “View user”:

Select the “Security credentials” tab and click on “Create access key”:

Select “Third-party service”, click the checkbox and proceed to “Next”:

Finally, copy the Access key ID and Secret access key values:

You can validate the credentials with this tool.
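
The access key ends up stored in the project configuration, so the policy attached to the user should grant nothing beyond the single action and distribution selected in the steps above. The following is an added example, not part of the original page: it builds the policy document those console steps produce and audits any policy JSON for broader grants. The account ID, distribution ID and function names are constructed placeholders.

```python
import re

# Constructed placeholder values, not taken from the page.
ACCOUNT_ID = "123456789012"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"
ALLOWED_ACTION = "cloudfront:createinvalidation"  # IAM action names are case-insensitive


def build_policy(account_id, distribution_id):
    """Policy document matching the console steps: one action, one distribution ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}",
        }],
    }


def as_list(value):
    """IAM allows a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def audit_policy(policy, distribution_id):
    """Return findings for any Allow statement broader than the page's policy."""
    arn_re = re.compile(r"arn:aws:cloudfront::\d{12}:distribution/" + re.escape(distribution_id))
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in as_list(stmt.get("Action")):
            if action.lower() != ALLOWED_ACTION:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource")):
            if not arn_re.fullmatch(resource):
                findings.append(f"statement {i}: resource not limited to the distribution: {resource}")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(build_policy(ACCOUNT_ID, DISTRIBUTION_ID), indent=2))
    print(audit_policy(build_policy(ACCOUNT_ID, DISTRIBUTION_ID), DISTRIBUTION_ID))
```

An empty findings list means the policy is scoped to CreateInvalidation on the one distribution; the same check can be run over the policy JSON shown in the IAM console before the key is copied into the configuration.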