Original Author: Trevor Henning (hthennin)
Enhanced Version: Derived from Trevor's original work with additional features and improvements
This Python automation script significantly reduces downtime for CloudFront CNAME migrations by automatically updating DNS records the moment AWS Support completes a CNAME swap. The script monitors a CloudFront distribution for alias changes and automatically updates Route 53 DNS records with comprehensive IPv4 and IPv6 support.
Key Features:
- ✅ Minimized downtime - Eliminates manual coordination delays between CNAME swap and DNS updates
- ⚡ Instant response - Automated detection and DNS updates within seconds of alias availability
- 🔄 Continuous monitoring - Polls CloudFront distribution with API-friendly jitter
- 🛡️ TLS protection - Prevents certificate errors during transitions
- 🌐 IPv6 support - Automatically handles both A and AAAA records
- 🔍 Domain validation - Ensures provided domain matches actual CloudFront distribution
- 📊 Comprehensive validation - Input parameter validation and error handling
This script is specifically designed for scenarios where AWS Support is moving an alternate domain name between CloudFront distributions. According to AWS documentation, there are multiple options for moving alternate domain names, and this automation is useful when you need to contact AWS Support to perform the move.
Use this script when:
- You need AWS Support to move an alternate domain name between distributions
- The alternate domain name is currently in use and cannot be temporarily removed
- You want to minimize downtime during the migration process
- You want to automate the DNS update process after AWS Support completes the CNAME swap
For more details on when AWS Support assistance is required, see: Contact AWS Support to move an alternate domain name
When AWS Support performs a CNAME swap between CloudFront distributions, TLS connections break immediately after the swap until the customer updates their DNS record to point to the new distribution. This creates downtime that can be problematic for applications with strict uptime requirements.
This Python-powered automation simplfies CNAME migration, lowers the downtime and eliminates manual errors:
- Parameter Validation - Validates all required parameters exist and are non-empty
- Domain Verification - Confirms the provided CloudFront domain matches the actual distribution
- Real-time Monitoring - Continuously polls (with delay and jitter) the target CloudFront distribution for alias changes
- IPv6 Detection - Automatically detects if IPv6 is enabled on the distribution
- Instant Detection - Identifies the moment AWS Support completes the CNAME swap
- Automated DNS Updates - Immediately updates Route 53 records (A and/or AAAA) using UPSERT operations
- Python 3.x
- AWS SDK for Python (Boto3)
- Appropriate AWS credentials configured
- IAM permissions for CloudFront and Route 53 operations
pip install boto3Run the script from the command line with the following parameters:
python3 cloudfront_dns_automation.py <new-distribution-id> <route53-hosted-zone-id> <new-cloudfront-domain> <alias-alternate-name>new-distribution-id: CloudFront distribution ID to monitorroute53-hosted-zone-id: Route 53 hosted zone ID containing the DNS recordnew-cloudfront-domain: CloudFront domain name (e.g., d2mz62fpvuge8k.cloudfront.net)alias-alternate-name: DNS alias to update (e.g., www.example.com)
python3 cloudfront_dns_automation.py EZDLMTR1D3MHD Z00646902JW6C5QG3Q2NG d2mz62fpvuge8k.cloudfront.net. www.example.com- Checks that all required parameters are provided and non-empty
- Validates the CloudFront domain matches the actual distribution domain
- Displays IPv6 status of the distribution
- Polls the CloudFront distribution every 3-8 seconds (with random jitter)
- Waits for the specified alias to appear in the distribution's aliases
- Provides clear status messages during the wait
- Creates/updates DNS records using UPSERT operations
- Handles both IPv4 (A) and IPv6 (AAAA) records based on distribution configuration
- Provides confirmation of record types updated
The script automatically detects if IPv6 is enabled on the CloudFront distribution:
- IPv6 Disabled: Creates only A (IPv4) records
- IPv6 Enabled: Creates both A (IPv4) and AAAA (IPv6) records
Both record types point to the same CloudFront domain and use the CloudFront hosted zone ID (Z2FDTNDATAQYW2).
To protect the CloudFront API from rate limiting:
- Base delay of 3 seconds between API calls
- Random jitter of 0-5 seconds added to each delay
- Total delay ranges from 3-8 seconds between requests
- Prevents thundering herd problems when multiple instances run
The script includes commented examples for assuming IAM roles when CloudFront distributions or Route 53 hosted zones are in different AWS accounts. Uncomment and modify the role assumption code as needed.
- Parameter validation: Clear error messages for missing or invalid parameters
- Domain mismatch: Fails fast if provided domain doesn't match distribution
- API errors: Graceful handling of AWS API exceptions
- Missing aliases: Handles distributions without alias configuration
- Reduced Downtime: This automation significantly reduces downtime by eliminating manual coordination delays
- DNS Propagation: The primary remaining downtime is due to global DNS propagation (typically 1-2 minutes)
- Instant DNS Updates: The script updates DNS records within seconds of alias availability
- Maintenance Windows: Enables CNAME swaps with minimal downtime impact
- Continuous Operation: The script runs continuously until the swap is detected
- Production Ready: Designed for high-availability applications seeking to minimize downtime
- UPSERT Operations: Uses UPSERT instead of DELETE/CREATE for safer DNS updates
- Moving an alternate domain name to a different distribution
- Contact AWS Support to move an alternate domain name
- AWS IAM Role Switching
This script is provided as a reference implementation. Customers should test thoroughly in their environment and modify as needed for their specific use case.