Remove multiple CloudFront distributions with “aws cli”

Romans Malinovskis
Jul 28, 2019 · 2 min read

If you are working with AWS CloudFront, you might have a large number of CloudFront distributions sitting there. I have over 100 from various tests and scripts.

It’s not easy to remove them. You have to disable each CloudFront distribution first, wait half an hour, then remove it. I decided to show you how to automate this process from the command line.

What will you need?

  • aws cli (fully configured for your account)
  • jq (version 1.5+ preferably)

I also recommend that you create a bash script and add relevant commands as you test — I will be using bash iteration.

List your distributions nicely

We will start by listing distributions:

aws cloudfront list-distributions | jq '.DistributionList.Items[]|[ .Id, .Status, .Origins.Items[0].DomainName, .Aliases.Items[0] ] | @tsv '  -r

Here is what happens:

  • “aws cloudfront list-distributions” — outputs all your distributions in JSON
  • “jq” will iterate over distributions looking at Id, Status and also DomainName of the origin and Alias.
  • “@tsv” will format output as tab-separated-values and -r is for raw output


E1036CN6S????? Deployed
EQS6J3M1?????? Deployed
E269QTGS?????? Deployed

You can add more columns to your list. Also see jq’s “select” command if you need to do some filtering.

Filtering the list

If you wish to further filter the list, you can use “awk”. Let’s filter all distributions associated with “bucket2” (I’m taking results from a file, but you can pipe output from the command above directly into awk):

cat results.txt | awk '$3=="" {print}'

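If you wish to use variable substitution, pass the value to awk with -v rather than splicing it into the awk program, so that quotes or spaces in the value cannot change the program:

cat results.txt | awk -v bucket="$MYENVBUCKET" '$3==bucket {print}'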

Disabling the distributions

In order to disable the distribution, you need to get the current config, set “Enabled” to false, then update it. Create a file and start with this loop:

cat results.txt | while read id status origin cname; do
  echo "About to disable $id (CNAME=$cname)"
  # code for disabling goes here
done

The next chunk of code goes inside the loop, but you can test it:

tmpfile=$(mktemp /tmp/ms-infra-destroy.XXXXXX)
tmpfile2=$(mktemp /tmp/ms-infra-destroy.XXXXXX)

# Update JSON output by setting Enabled=False
aws cloudfront get-distribution-config --id "$id" | jq .DistributionConfig.Enabled=false > "$tmpfile"

# We only need "DistributionConfig"
jq -r .DistributionConfig "$tmpfile" > "$tmpfile2"

# Send the config back with the ETag from the same response
aws cloudfront update-distribution --id "$id" \
  --if-match "$(jq .ETag "$tmpfile" -r)" \
  --distribution-config "file://$tmpfile2"
rm "$tmpfile" "$tmpfile2"

It is more time-efficient to disable all your distributions first, then create another identical loop to delete the same distributions. That’s why I am using the “results.txt” file.

Delete disabled distributions

Start another loop:

cat results.txt | while read id status origin cname; do
  echo "Waiting to delete $id (CNAME=$cname)"
  aws cloudfront wait distribution-deployed --id "$id"
  aws cloudfront delete-distribution --id "$id" --if-match \
    "$(aws cloudfront get-distribution-config --id "$id" | jq .ETag -r)"
done

This loop will wait for distributions to be disabled. This currently takes 30+ minutes on my tests for the first wait, but all the subsequent iterations of the loop would be relatively fast as all affected distributions would be ready by now.
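
The two loops above can be combined into one script with a dry-run default, so you can review what would be touched before anything changes. This is an added example, not the author's script: the function names, the DRY_RUN variable and the cleanup.sh file name are assumptions, and it expects results.txt to be the tab-separated list produced earlier.

```shell
#!/bin/sh
# Added example (not the author's script). DRY_RUN=1 (default) only prints.
set -eu
: "${DRY_RUN:=1}"

# Ids whose origin (column 3) equals $2. The value goes in with -v instead of
# being spliced into the awk program text.
select_ids() {
  awk -F '\t' -v origin="$2" '$3 == origin { print $1 }' "$1"
}

# Fetch the config once, flip only the top-level Enabled flag, and send it
# back with the ETag taken from that same response.
disable_one() {
  id=$1; resp=$(mktemp); cfg=$(mktemp)
  aws cloudfront get-distribution-config --id "$id" > "$resp"
  etag=$(jq -r .ETag "$resp")
  if [ "$(jq -r .DistributionConfig.Enabled "$resp")" = "false" ]; then
    echo "$id already disabled"
  elif [ "$DRY_RUN" = 1 ]; then
    echo "DRY RUN: would disable $id (ETag $etag)"
  else
    jq '.DistributionConfig | .Enabled = false' "$resp" > "$cfg"
    aws cloudfront update-distribution --id "$id" --if-match "$etag" \
      --distribution-config "file://$cfg" > /dev/null
    echo "disabled $id"
  fi
  rm -f "$resp" "$cfg"
}

# Wait for the disable to finish deploying, then delete with a fresh ETag.
delete_one() {
  id=$1
  if [ "$DRY_RUN" = 1 ]; then echo "DRY RUN: would delete $id"; return 0; fi
  aws cloudfront wait distribution-deployed --id "$id"
  etag=$(aws cloudfront get-distribution-config --id "$id" | jq -r .ETag)
  aws cloudfront delete-distribution --id "$id" --if-match "$etag"
  echo "deleted $id"
}

# Usage: DRY_RUN=0 sh cleanup.sh results.txt <origin-domain>
main() {
  ids=$(select_ids "$1" "$2")
  for id in $ids; do disable_one "$id"; done   # disable everything first
  for id in $ids; do delete_one "$id"; done    # then wait and delete
}
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it once with the default DRY_RUN=1 and check the printed ids against the console before repeating with DRY_RUN=0.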
