deploy: Create AWS session for CloudFront invalidation via Go CDK

This allows the AWS credentials to be picked up from the configured
target URL (like blob does) rather than the current behaviour of only
relying on the defaults.

Relying on the defaults here means having to specify credentials twice
(once in the URL for the blob, once in the environment for this code
path) when non-default AWS credentials are in used (e.g. via a profile).

deploy/cloudfront.go

@@ -18,6 +18,7 @@ package deploy
 
 import (
 	"context"
+	"net/url"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -26,14 +27,18 @@ import (
 )
 
 // InvalidateCloudFront invalidates the CloudFront cache for distributionID.
-// It uses the default AWS credentials from the environment.
-func InvalidateCloudFront(ctx context.Context, distributionID string) error {
-	sess, err := gcaws.NewDefaultSession()
+// Uses AWS credentials config from the bucket URL.
+func InvalidateCloudFront(ctx context.Context, target *Target) error {
+	u, err := url.Parse(target.URL)
+	if err != nil {
+		return err
+	}
+	sess, _, err := gcaws.NewSessionFromURLParams(u.Query())
 	if err != nil {
 		return err
 	}
 	req := &cloudfront.CreateInvalidationInput{
-		DistributionId: aws.String(distributionID),
+		DistributionId: aws.String(target.CloudFrontDistributionID),
 		InvalidationBatch: &cloudfront.InvalidationBatch{
 			CallerReference: aws.String(time.Now().Format("20060102150405")),
 			Paths: &cloudfront.Paths{

deploy/deploy.go

@@ -271,7 +271,7 @@ func (d *Deployer) Deploy(ctx context.Context) error {
 				}
 			} else {
 				d.logger.Println("Invalidating CloudFront CDN...")
-				if err := InvalidateCloudFront(ctx, d.target.CloudFrontDistributionID); err != nil {
+				if err := InvalidateCloudFront(ctx, d.target); err != nil {
 					d.logger.Printf("Failed to invalidate CloudFront CDN: %v\n", err)
 					return err
 				}