diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index f342abece443..aa198c2b6fb2 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -364,6 +364,11 @@
 			"Comment": "v1.1.14",
 			"Rev": "6876e9922ff299adf36e43e04c94820077968b3b"
 		},
+		{
+			"ImportPath": "github.com/aws/aws-sdk-go/service/cloudfront",
+			"Comment": "v1.1.14",
+			"Rev": "6876e9922ff299adf36e43e04c94820077968b3b"
+		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/cloudtrail",
 			"Comment": "v1.1.14",
diff --git a/builtin/providers/aws/cloudfront_distribution_configuration_structure.go b/builtin/providers/aws/cloudfront_distribution_configuration_structure.go
new file mode 100644
index 000000000000..b6d3295a7f41
--- /dev/null
+++ b/builtin/providers/aws/cloudfront_distribution_configuration_structure.go
@@ -0,0 +1,942 @@
+// CloudFront DistributionConfig structure helpers.
+//
+// These functions assist in pulling in data from Terraform resource
+// configuration for the aws_cloudfront_distribution resource, as there are
+// several sub-fields that require their own data type, and do not necessarily
+// 1-1 translate to resource configuration.
+
+package aws
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+	"strconv"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform/flatmap"
+	"github.com/hashicorp/terraform/helper/hashcode"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+// Assemble the *cloudfront.DistributionConfig variable. Calls out to various
+// expander functions to convert attributes and sub-attributes to the various
+// complex structures which are necessary to properly build the
+// DistributionConfig structure.
+//
+// Used by the aws_cloudfront_distribution Create and Update functions.
+func expandDistributionConfig(d *schema.ResourceData) *cloudfront.DistributionConfig {
+	distributionConfig := &cloudfront.DistributionConfig{
+		CacheBehaviors:       expandCacheBehaviors(d.Get("cache_behavior").(*schema.Set)),
+		CustomErrorResponses: expandCustomErrorResponses(d.Get("custom_error_response").(*schema.Set)),
+		DefaultCacheBehavior: expandDefaultCacheBehavior(d.Get("default_cache_behavior").(*schema.Set).List()[0].(map[string]interface{})),
+		Enabled:              aws.Bool(d.Get("enabled").(bool)),
+		Origins:              expandOrigins(d.Get("origin").(*schema.Set)),
+		PriceClass:           aws.String(d.Get("price_class").(string)),
+	}
+	// This sets CallerReference if it's still pending computation (ie: new resource)
+	if v, ok := d.GetOk("caller_reference"); ok == false {
+		distributionConfig.CallerReference = aws.String(time.Now().Format(time.RFC3339Nano))
+	} else {
+		distributionConfig.CallerReference = aws.String(v.(string))
+	}
+	if v, ok := d.GetOk("comment"); ok {
+		distributionConfig.Comment = aws.String(v.(string))
+	} else {
+		distributionConfig.Comment = aws.String("")
+	}
+	if v, ok := d.GetOk("default_root_object"); ok {
+		distributionConfig.DefaultRootObject = aws.String(v.(string))
+	} else {
+		distributionConfig.DefaultRootObject = aws.String("")
+	}
+	if v, ok := d.GetOk("logging_config"); ok {
+		distributionConfig.Logging = expandLoggingConfig(v.(*schema.Set).List()[0].(map[string]interface{}))
+	} else {
+		distributionConfig.Logging = expandLoggingConfig(nil)
+	}
+	if v, ok := d.GetOk("aliases"); ok {
+		distributionConfig.Aliases = expandAliases(v.(*schema.Set))
+	} else {
+		distributionConfig.Aliases = expandAliases(schema.NewSet(aliasesHash, []interface{}{}))
+	}
+	if v, ok := d.GetOk("restrictions"); ok {
+		distributionConfig.Restrictions = expandRestrictions(v.(*schema.Set).List()[0].(map[string]interface{}))
+	}
+	if v, ok := d.GetOk("viewer_certificate"); ok {
+		distributionConfig.ViewerCertificate = expandViewerCertificate(v.(*schema.Set).List()[0].(map[string]interface{}))
+	}
+	if v, ok := d.GetOk("web_acl_id"); ok {
+		distributionConfig.WebACLId = aws.String(v.(string))
+	} else {
+		distributionConfig.WebACLId = aws.String("")
+	}
+	return distributionConfig
+}
+
+// Unpack the *cloudfront.DistributionConfig variable and set resource data.
+// Calls out to flatten functions to convert the DistributionConfig
+// sub-structures to their respective attributes in the
+// aws_cloudfront_distribution resource.
+//
+// Used by the aws_cloudfront_distribution Read function.
+func flattenDistributionConfig(d *schema.ResourceData, distributionConfig *cloudfront.DistributionConfig) {
+	d.Set("origins", flattenOrigins(distributionConfig.Origins))
+	d.Set("enabled", *distributionConfig.Enabled)
+	d.Set("default_cache_behavior", flattenDefaultCacheBehavior(distributionConfig.DefaultCacheBehavior))
+	d.Set("viewer_certificate", flattenViewerCertificate(distributionConfig.ViewerCertificate))
+	d.Set("price_class", *distributionConfig.PriceClass)
+
+	if distributionConfig.CallerReference != nil {
+		d.Set("caller_reference", *distributionConfig.CallerReference)
+	}
+	if distributionConfig.Comment != nil {
+		if *distributionConfig.Comment != "" {
+			d.Set("comment", *distributionConfig.Comment)
+		}
+	}
+	if distributionConfig.DefaultRootObject != nil {
+		d.Set("default_root_object", *distributionConfig.DefaultRootObject)
+	}
+	if distributionConfig.CustomErrorResponses != nil {
+		d.Set("custom_error_response", flattenCustomErrorResponses(distributionConfig.CustomErrorResponses))
+	}
+	if distributionConfig.CacheBehaviors != nil {
+		d.Set("cache_behavior", flattenCacheBehaviors(distributionConfig.CacheBehaviors))
+	}
+	if distributionConfig.Logging != nil && *distributionConfig.Logging.Enabled {
+		d.Set("logging_config", flattenLoggingConfig(distributionConfig.Logging))
+	}
+	if distributionConfig.Aliases != nil {
+		d.Set("aliases", flattenAliases(distributionConfig.Aliases))
+	}
+	if distributionConfig.Restrictions != nil {
+		d.Set("restrictions", flattenRestrictions(distributionConfig.Restrictions))
+	}
+	if distributionConfig.WebACLId != nil {
+		d.Set("web_acl_id", *distributionConfig.WebACLId)
+	}
+}
+
+func expandDefaultCacheBehavior(m map[string]interface{}) *cloudfront.DefaultCacheBehavior {
+	cb := expandCacheBehavior(m)
+	var dcb cloudfront.DefaultCacheBehavior
+
+	simpleCopyStruct(cb, &dcb)
+	return &dcb
+}
+
+func flattenDefaultCacheBehavior(dcb *cloudfront.DefaultCacheBehavior) *schema.Set {
+	m := make(map[string]interface{})
+	var cb cloudfront.CacheBehavior
+
+	simpleCopyStruct(dcb, &cb)
+	m = flattenCacheBehavior(&cb)
+	return schema.NewSet(defaultCacheBehaviorHash, []interface{}{m})
+}
+
+// Assemble the hash for the aws_cloudfront_distribution default_cache_behavior
+// TypeSet attribute.
+func defaultCacheBehaviorHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%t-", m["compress"].(bool)))
+	buf.WriteString(fmt.Sprintf("%s-", m["viewer_protocol_policy"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["target_origin_id"].(string)))
+	buf.WriteString(fmt.Sprintf("%d-", forwardedValuesHash(m["forwarded_values"].(*schema.Set).List()[0].(map[string]interface{}))))
+	buf.WriteString(fmt.Sprintf("%d-", m["min_ttl"].(int)))
+	if d, ok := m["trusted_signers"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	if d, ok := m["max_ttl"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", d.(int)))
+	}
+	if d, ok := m["smooth_streaming"]; ok {
+		buf.WriteString(fmt.Sprintf("%t-", d.(bool)))
+	}
+	if d, ok := m["default_ttl"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", d.(int)))
+	}
+	if d, ok := m["allowed_methods"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	if d, ok := m["cached_methods"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandCacheBehaviors(s *schema.Set) *cloudfront.CacheBehaviors {
+	var qty int64
+	var items []*cloudfront.CacheBehavior
+	for _, v := range s.List() {
+		items = append(items, expandCacheBehavior(v.(map[string]interface{})))
+		qty++
+	}
+	return &cloudfront.CacheBehaviors{
+		Quantity: aws.Int64(qty),
+		Items:    items,
+	}
+}
+
+func flattenCacheBehaviors(cbs *cloudfront.CacheBehaviors) *schema.Set {
+	s := []interface{}{}
+	for _, v := range cbs.Items {
+		s = append(s, flattenCacheBehavior(v))
+	}
+	return schema.NewSet(cacheBehaviorHash, s)
+}
+
+func expandCacheBehavior(m map[string]interface{}) *cloudfront.CacheBehavior {
+	cb := &cloudfront.CacheBehavior{
+		Compress:             aws.Bool(m["compress"].(bool)),
+		ViewerProtocolPolicy: aws.String(m["viewer_protocol_policy"].(string)),
+		TargetOriginId:       aws.String(m["target_origin_id"].(string)),
+		ForwardedValues:      expandForwardedValues(m["forwarded_values"].(*schema.Set).List()[0].(map[string]interface{})),
+		MinTTL:               aws.Int64(int64(m["min_ttl"].(int))),
+		MaxTTL:               aws.Int64(int64(m["max_ttl"].(int))),
+		DefaultTTL:           aws.Int64(int64(m["default_ttl"].(int))),
+	}
+	if v, ok := m["trusted_signers"]; ok {
+		cb.TrustedSigners = expandTrustedSigners(v.([]interface{}))
+	} else {
+		cb.TrustedSigners = expandTrustedSigners([]interface{}{})
+	}
+	if v, ok := m["smooth_streaming"]; ok {
+		cb.SmoothStreaming = aws.Bool(v.(bool))
+	}
+	if v, ok := m["allowed_methods"]; ok {
+		cb.AllowedMethods = expandAllowedMethods(v.([]interface{}))
+	}
+	if v, ok := m["cached_methods"]; ok {
+		cb.AllowedMethods.CachedMethods = expandCachedMethods(v.([]interface{}))
+	}
+	if v, ok := m["path_pattern"]; ok {
+		cb.PathPattern = aws.String(v.(string))
+	}
+	return cb
+}
+
+func flattenCacheBehavior(cb *cloudfront.CacheBehavior) map[string]interface{} {
+	m := make(map[string]interface{})
+
+	m["compress"] = *cb.Compress
+	m["viewer_protocol_policy"] = *cb.ViewerProtocolPolicy
+	m["target_origin_id"] = *cb.TargetOriginId
+	m["forwarded_values"] = schema.NewSet(forwardedValuesHash, []interface{}{flattenForwardedValues(cb.ForwardedValues)})
+	m["min_ttl"] = int(*cb.MinTTL)
+
+	if len(cb.TrustedSigners.Items) > 0 {
+		m["trusted_signers"] = flattenTrustedSigners(cb.TrustedSigners)
+	}
+	if cb.MaxTTL != nil {
+		m["max_ttl"] = int(*cb.MaxTTL)
+	}
+	if cb.SmoothStreaming != nil {
+		m["smooth_streaming"] = *cb.SmoothStreaming
+	}
+	if cb.DefaultTTL != nil {
+		m["default_ttl"] = int(*cb.DefaultTTL)
+	}
+	if cb.AllowedMethods != nil {
+		m["allowed_methods"] = flattenAllowedMethods(cb.AllowedMethods)
+	}
+	if cb.AllowedMethods.CachedMethods != nil {
+		m["cached_methods"] = flattenCachedMethods(cb.AllowedMethods.CachedMethods)
+	}
+	if cb.PathPattern != nil {
+		m["path_pattern"] = *cb.PathPattern
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution cache_behavior
+// TypeSet attribute.
+func cacheBehaviorHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%t-", m["compress"].(bool)))
+	buf.WriteString(fmt.Sprintf("%s-", m["viewer_protocol_policy"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["target_origin_id"].(string)))
+	buf.WriteString(fmt.Sprintf("%d-", forwardedValuesHash(m["forwarded_values"].(*schema.Set).List()[0].(map[string]interface{}))))
+	buf.WriteString(fmt.Sprintf("%d-", m["min_ttl"].(int)))
+	if d, ok := m["trusted_signers"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	if d, ok := m["max_ttl"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", d.(int)))
+	}
+	if d, ok := m["smooth_streaming"]; ok {
+		buf.WriteString(fmt.Sprintf("%t-", d.(bool)))
+	}
+	if d, ok := m["default_ttl"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", d.(int)))
+	}
+	if d, ok := m["allowed_methods"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	if d, ok := m["cached_methods"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	if d, ok := m["path_pattern"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", d))
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandTrustedSigners(s []interface{}) *cloudfront.TrustedSigners {
+	var ts cloudfront.TrustedSigners
+	if len(s) > 0 {
+		ts.Quantity = aws.Int64(int64(len(s)))
+		ts.Items = expandStringList(s)
+		ts.Enabled = aws.Bool(true)
+	} else {
+		ts.Quantity = aws.Int64(0)
+		ts.Enabled = aws.Bool(false)
+	}
+	return &ts
+}
+
+func flattenTrustedSigners(ts *cloudfront.TrustedSigners) []interface{} {
+	if ts.Items != nil {
+		return flattenStringList(ts.Items)
+	}
+	return []interface{}{}
+}
+
+func expandForwardedValues(m map[string]interface{}) *cloudfront.ForwardedValues {
+	fv := &cloudfront.ForwardedValues{
+		QueryString: aws.Bool(m["query_string"].(bool)),
+	}
+	if v, ok := m["cookies"]; ok {
+		fv.Cookies = expandCookiePreference(v.(*schema.Set).List()[0].(map[string]interface{}))
+	}
+	if v, ok := m["headers"]; ok {
+		fv.Headers = expandHeaders(v.([]interface{}))
+	}
+	return fv
+}
+
+func flattenForwardedValues(fv *cloudfront.ForwardedValues) map[string]interface{} {
+	m := make(map[string]interface{})
+	m["query_string"] = *fv.QueryString
+	if fv.Cookies != nil {
+		m["cookies"] = schema.NewSet(cookiePreferenceHash, []interface{}{flattenCookiePreference(fv.Cookies)})
+	}
+	if fv.Headers != nil {
+		m["headers"] = flattenHeaders(fv.Headers)
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution forwarded_values
+// TypeSet attribute.
+func forwardedValuesHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%t-", m["query_string"].(bool)))
+	if d, ok := m["cookies"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", cookiePreferenceHash(d.(*schema.Set).List()[0].(map[string]interface{}))))
+	}
+	if d, ok := m["headers"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandHeaders(d []interface{}) *cloudfront.Headers {
+	return &cloudfront.Headers{
+		Quantity: aws.Int64(int64(len(d))),
+		Items:    expandStringList(d),
+	}
+}
+
+func flattenHeaders(h *cloudfront.Headers) []interface{} {
+	if h.Items != nil {
+		return flattenStringList(h.Items)
+	}
+	return []interface{}{}
+}
+
+func expandCookiePreference(m map[string]interface{}) *cloudfront.CookiePreference {
+	cp := &cloudfront.CookiePreference{
+		Forward: aws.String(m["forward"].(string)),
+	}
+	if v, ok := m["whitelisted_names"]; ok {
+		cp.WhitelistedNames = expandCookieNames(v.([]interface{}))
+	}
+	return cp
+}
+
+func flattenCookiePreference(cp *cloudfront.CookiePreference) map[string]interface{} {
+	m := make(map[string]interface{})
+	m["forward"] = *cp.Forward
+	if cp.WhitelistedNames != nil {
+		m["whitelisted_names"] = flattenCookieNames(cp.WhitelistedNames)
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution cookies
+// TypeSet attribute.
+func cookiePreferenceHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["forward"].(string)))
+	if d, ok := m["whitelisted_names"]; ok {
+		for _, e := range sortInterfaceSlice(d.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", e.(string)))
+		}
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandCookieNames(d []interface{}) *cloudfront.CookieNames {
+	return &cloudfront.CookieNames{
+		Quantity: aws.Int64(int64(len(d))),
+		Items:    expandStringList(d),
+	}
+}
+
+func flattenCookieNames(cn *cloudfront.CookieNames) []interface{} {
+	if cn.Items != nil {
+		return flattenStringList(cn.Items)
+	}
+	return []interface{}{}
+}
+
+func expandAllowedMethods(s []interface{}) *cloudfront.AllowedMethods {
+	return &cloudfront.AllowedMethods{
+		Quantity: aws.Int64(int64(len(s))),
+		Items:    expandStringList(s),
+	}
+}
+
+func flattenAllowedMethods(am *cloudfront.AllowedMethods) []interface{} {
+	if am.Items != nil {
+		return flattenStringList(am.Items)
+	}
+	return []interface{}{}
+}
+
+func expandCachedMethods(s []interface{}) *cloudfront.CachedMethods {
+	return &cloudfront.CachedMethods{
+		Quantity: aws.Int64(int64(len(s))),
+		Items:    expandStringList(s),
+	}
+}
+
+func flattenCachedMethods(cm *cloudfront.CachedMethods) []interface{} {
+	if cm.Items != nil {
+		return flattenStringList(cm.Items)
+	}
+	return []interface{}{}
+}
+
+func expandOrigins(s *schema.Set) *cloudfront.Origins {
+	qty := 0
+	items := []*cloudfront.Origin{}
+	for _, v := range s.List() {
+		items = append(items, expandOrigin(v.(map[string]interface{})))
+		qty++
+	}
+	return &cloudfront.Origins{
+		Quantity: aws.Int64(int64(qty)),
+		Items:    items,
+	}
+}
+
+func flattenOrigins(ors *cloudfront.Origins) *schema.Set {
+	s := []interface{}{}
+	for _, v := range ors.Items {
+		s = append(s, flattenOrigin(v))
+	}
+	return schema.NewSet(originHash, s)
+}
+
+func expandOrigin(m map[string]interface{}) *cloudfront.Origin {
+	origin := &cloudfront.Origin{
+		Id:         aws.String(m["origin_id"].(string)),
+		DomainName: aws.String(m["domain_name"].(string)),
+	}
+	if v, ok := m["custom_header"]; ok {
+		origin.CustomHeaders = expandCustomHeaders(v.(*schema.Set))
+	}
+	if v, ok := m["custom_origin_config"]; ok {
+		if s := v.(*schema.Set).List(); len(s) > 0 {
+			origin.CustomOriginConfig = expandCustomOriginConfig(s[0].(map[string]interface{}))
+		}
+	}
+	if v, ok := m["origin_path"]; ok {
+		origin.OriginPath = aws.String(v.(string))
+	}
+	if v, ok := m["s3_origin_config"]; ok {
+		if s := v.(*schema.Set).List(); len(s) > 0 {
+			origin.S3OriginConfig = expandS3OriginConfig(s[0].(map[string]interface{}))
+		}
+	}
+	return origin
+}
+
+func flattenOrigin(or *cloudfront.Origin) map[string]interface{} {
+	m := make(map[string]interface{})
+	m["origin_id"] = *or.Id
+	m["domain_name"] = *or.DomainName
+	if or.CustomHeaders != nil {
+		m["custom_header"] = flattenCustomHeaders(or.CustomHeaders)
+	}
+	if or.CustomOriginConfig != nil {
+		m["custom_origin_config"] = schema.NewSet(customOriginConfigHash, []interface{}{flattenCustomOriginConfig(or.CustomOriginConfig)})
+	}
+	if or.OriginPath != nil {
+		m["origin_path"] = *or.OriginPath
+	}
+	if or.S3OriginConfig != nil {
+		m["s3_origin_config"] = schema.NewSet(s3OriginConfigHash, []interface{}{flattenS3OriginConfig(or.S3OriginConfig)})
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution origin
+// TypeSet attribute.
+func originHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["origin_id"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["domain_name"].(string)))
+	if v, ok := m["custom_header"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", customHeadersHash(v.(*schema.Set))))
+	}
+	if v, ok := m["custom_origin_config"]; ok {
+		if s := v.(*schema.Set).List(); len(s) > 0 {
+			buf.WriteString(fmt.Sprintf("%d-", customOriginConfigHash((s[0].(map[string]interface{})))))
+		}
+	}
+	if v, ok := m["origin_path"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+	}
+	if v, ok := m["s3_origin_config"]; ok {
+		if s := v.(*schema.Set).List(); len(s) > 0 {
+			buf.WriteString(fmt.Sprintf("%d-", s3OriginConfigHash((s[0].(map[string]interface{})))))
+		}
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandCustomHeaders(s *schema.Set) *cloudfront.CustomHeaders {
+	qty := 0
+	items := []*cloudfront.OriginCustomHeader{}
+	for _, v := range s.List() {
+		items = append(items, expandOriginCustomHeader(v.(map[string]interface{})))
+		qty++
+	}
+	return &cloudfront.CustomHeaders{
+		Quantity: aws.Int64(int64(qty)),
+		Items:    items,
+	}
+}
+
+func flattenCustomHeaders(chs *cloudfront.CustomHeaders) *schema.Set {
+	s := []interface{}{}
+	for _, v := range chs.Items {
+		s = append(s, flattenOriginCustomHeader(v))
+	}
+	return schema.NewSet(originCustomHeaderHash, s)
+}
+
+func expandOriginCustomHeader(m map[string]interface{}) *cloudfront.OriginCustomHeader {
+	return &cloudfront.OriginCustomHeader{
+		HeaderName:  aws.String(m["name"].(string)),
+		HeaderValue: aws.String(m["value"].(string)),
+	}
+}
+
+func flattenOriginCustomHeader(och *cloudfront.OriginCustomHeader) map[string]interface{} {
+	return map[string]interface{}{
+		"name":  *och.HeaderName,
+		"value": *och.HeaderValue,
+	}
+}
+
+// Helper function used by originHash to get a composite hash for all
+// aws_cloudfront_distribution custom_header attributes.
+func customHeadersHash(s *schema.Set) int {
+	var buf bytes.Buffer
+	for _, v := range s.List() {
+		buf.WriteString(fmt.Sprintf("%d-", originCustomHeaderHash(v)))
+	}
+	return hashcode.String(buf.String())
+}
+
+// Assemble the hash for the aws_cloudfront_distribution custom_header
+// TypeSet attribute.
+func originCustomHeaderHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["name"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["value"].(string)))
+	return hashcode.String(buf.String())
+}
+
+func expandCustomOriginConfig(m map[string]interface{}) *cloudfront.CustomOriginConfig {
+	return &cloudfront.CustomOriginConfig{
+		OriginProtocolPolicy: aws.String(m["origin_protocol_policy"].(string)),
+		HTTPPort:             aws.Int64(int64(m["http_port"].(int))),
+		HTTPSPort:            aws.Int64(int64(m["https_port"].(int))),
+		OriginSslProtocols:   expandCustomOriginConfigSSL(m["origin_ssl_protocols"].([]interface{})),
+	}
+}
+
+func flattenCustomOriginConfig(cor *cloudfront.CustomOriginConfig) map[string]interface{} {
+	return map[string]interface{}{
+		"origin_protocol_policy": *cor.OriginProtocolPolicy,
+		"http_port":              int(*cor.HTTPPort),
+		"https_port":             int(*cor.HTTPSPort),
+		"origin_ssl_protocols":   flattenCustomOriginConfigSSL(cor.OriginSslProtocols),
+	}
+}
+
+// Assemble the hash for the aws_cloudfront_distribution custom_origin_config
+// TypeSet attribute.
+func customOriginConfigHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["origin_protocol_policy"].(string)))
+	buf.WriteString(fmt.Sprintf("%d-", m["http_port"].(int)))
+	buf.WriteString(fmt.Sprintf("%d-", m["https_port"].(int)))
+	for _, v := range sortInterfaceSlice(m["origin_ssl_protocols"].([]interface{})) {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandCustomOriginConfigSSL(s []interface{}) *cloudfront.OriginSslProtocols {
+	items := expandStringList(s)
+	return &cloudfront.OriginSslProtocols{
+		Quantity: aws.Int64(int64(len(items))),
+		Items:    items,
+	}
+}
+
+func flattenCustomOriginConfigSSL(osp *cloudfront.OriginSslProtocols) []interface{} {
+	return flattenStringList(osp.Items)
+}
+
+func expandS3OriginConfig(m map[string]interface{}) *cloudfront.S3OriginConfig {
+	return &cloudfront.S3OriginConfig{
+		OriginAccessIdentity: aws.String(m["origin_access_identity"].(string)),
+	}
+}
+
+func flattenS3OriginConfig(s3o *cloudfront.S3OriginConfig) map[string]interface{} {
+	return map[string]interface{}{
+		"origin_access_identity": *s3o.OriginAccessIdentity,
+	}
+}
+
+// Assemble the hash for the aws_cloudfront_distribution s3_origin_config
+// TypeSet attribute.
+func s3OriginConfigHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["origin_access_identity"].(string)))
+	return hashcode.String(buf.String())
+}
+
+func expandCustomErrorResponses(s *schema.Set) *cloudfront.CustomErrorResponses {
+	qty := 0
+	items := []*cloudfront.CustomErrorResponse{}
+	for _, v := range s.List() {
+		items = append(items, expandCustomErrorResponse(v.(map[string]interface{})))
+		qty++
+	}
+	return &cloudfront.CustomErrorResponses{
+		Quantity: aws.Int64(int64(qty)),
+		Items:    items,
+	}
+}
+
+func flattenCustomErrorResponses(ers *cloudfront.CustomErrorResponses) *schema.Set {
+	s := []interface{}{}
+	for _, v := range ers.Items {
+		s = append(s, flattenCustomErrorResponse(v))
+	}
+	return schema.NewSet(customErrorResponseHash, s)
+}
+
+func expandCustomErrorResponse(m map[string]interface{}) *cloudfront.CustomErrorResponse {
+	er := cloudfront.CustomErrorResponse{
+		ErrorCode: aws.Int64(int64(m["error_code"].(int))),
+	}
+	if v, ok := m["error_caching_min_ttl"]; ok {
+		er.ErrorCachingMinTTL = aws.Int64(int64(v.(int)))
+	}
+	if v, ok := m["response_code"]; ok {
+		er.ResponseCode = aws.String(strconv.Itoa(v.(int)))
+	}
+	if v, ok := m["response_page_path"]; ok {
+		er.ResponsePagePath = aws.String(v.(string))
+	}
+	return &er
+}
+
+func flattenCustomErrorResponse(er *cloudfront.CustomErrorResponse) map[string]interface{} {
+	m := make(map[string]interface{})
+	m["error_code"] = int(*er.ErrorCode)
+	if er.ErrorCachingMinTTL != nil {
+		m["error_caching_min_ttl"] = int(*er.ErrorCachingMinTTL)
+	}
+	if er.ResponseCode != nil {
+		m["response_code"], _ = strconv.Atoi(*er.ResponseCode)
+	}
+	if er.ResponsePagePath != nil {
+		m["response_page_path"] = *er.ResponsePagePath
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution custom_error_response
+// TypeSet attribute.
+func customErrorResponseHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%d-", m["error_code"].(int)))
+	if v, ok := m["error_caching_min_ttl"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", v.(int)))
+	}
+	if v, ok := m["response_code"]; ok {
+		buf.WriteString(fmt.Sprintf("%d-", v.(int)))
+	}
+	if v, ok := m["response_page_path"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandLoggingConfig(m map[string]interface{}) *cloudfront.LoggingConfig {
+	var lc cloudfront.LoggingConfig
+	if m != nil {
+		lc.Prefix = aws.String(m["prefix"].(string))
+		lc.Bucket = aws.String(m["bucket"].(string))
+		lc.IncludeCookies = aws.Bool(m["include_cookies"].(bool))
+		lc.Enabled = aws.Bool(true)
+	} else {
+		lc.Prefix = aws.String("")
+		lc.Bucket = aws.String("")
+		lc.IncludeCookies = aws.Bool(false)
+		lc.Enabled = aws.Bool(false)
+	}
+	return &lc
+}
+
+func flattenLoggingConfig(lc *cloudfront.LoggingConfig) *schema.Set {
+	m := make(map[string]interface{})
+	m["prefix"] = *lc.Prefix
+	m["bucket"] = *lc.Bucket
+	m["include_cookies"] = *lc.IncludeCookies
+	return schema.NewSet(loggingConfigHash, []interface{}{m})
+}
+
+// Assemble the hash for the aws_cloudfront_distribution logging_config
+// TypeSet attribute.
+func loggingConfigHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["prefix"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["bucket"].(string)))
+	buf.WriteString(fmt.Sprintf("%t-", m["include_cookies"].(bool)))
+	return hashcode.String(buf.String())
+}
+
+func expandAliases(as *schema.Set) *cloudfront.Aliases {
+	s := as.List()
+	var aliases cloudfront.Aliases
+	if len(s) > 0 {
+		aliases.Quantity = aws.Int64(int64(len(s)))
+		aliases.Items = expandStringList(s)
+	} else {
+		aliases.Quantity = aws.Int64(0)
+	}
+	return &aliases
+}
+
+func flattenAliases(aliases *cloudfront.Aliases) *schema.Set {
+	if aliases.Items != nil {
+		return schema.NewSet(aliasesHash, flattenStringList(aliases.Items))
+	}
+	return schema.NewSet(aliasesHash, []interface{}{})
+}
+
+// Assemble the hash for the aws_cloudfront_distribution aliases
+// TypeSet attribute.
+func aliasesHash(v interface{}) int {
+	return hashcode.String(v.(string))
+}
+
+func expandRestrictions(m map[string]interface{}) *cloudfront.Restrictions {
+	return &cloudfront.Restrictions{
+		GeoRestriction: expandGeoRestriction(m["geo_restriction"].(*schema.Set).List()[0].(map[string]interface{})),
+	}
+}
+
+func flattenRestrictions(r *cloudfront.Restrictions) *schema.Set {
+	m := make(map[string]interface{})
+	s := schema.NewSet(geoRestrictionHash, []interface{}{flattenGeoRestriction(r.GeoRestriction)})
+	m["geo_restriction"] = s
+	return schema.NewSet(restrictionsHash, []interface{}{m})
+}
+
+// Assemble the hash for the aws_cloudfront_distribution restrictions
+// TypeSet attribute.
+func restrictionsHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%d-", geoRestrictionHash(m["geo_restriction"].(*schema.Set).List()[0].(map[string]interface{}))))
+	return hashcode.String(buf.String())
+}
+
+func expandGeoRestriction(m map[string]interface{}) *cloudfront.GeoRestriction {
+	gr := cloudfront.GeoRestriction{
+		RestrictionType: aws.String(m["restriction_type"].(string)),
+	}
+	if v, ok := m["locations"]; ok {
+		gr.Quantity = aws.Int64(int64(len(v.([]interface{}))))
+		gr.Items = expandStringList(v.([]interface{}))
+	} else {
+		gr.Quantity = aws.Int64(0)
+	}
+	return &gr
+}
+
+func flattenGeoRestriction(gr *cloudfront.GeoRestriction) map[string]interface{} {
+	m := make(map[string]interface{})
+
+	m["restriction_type"] = *gr.RestrictionType
+	if gr.Items != nil {
+		m["locations"] = flattenStringList(gr.Items)
+	}
+	return m
+}
+
+// Assemble the hash for the aws_cloudfront_distribution geo_restriction
+// TypeSet attribute.
+func geoRestrictionHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	// All keys added in alphabetical order.
+	buf.WriteString(fmt.Sprintf("%s-", m["restriction_type"].(string)))
+	if v, ok := m["locations"]; ok {
+		for _, w := range sortInterfaceSlice(v.([]interface{})) {
+			buf.WriteString(fmt.Sprintf("%s-", w.(string)))
+		}
+	}
+	return hashcode.String(buf.String())
+}
+
+func expandViewerCertificate(m map[string]interface{}) *cloudfront.ViewerCertificate {
+	var vc cloudfront.ViewerCertificate
+	if v, ok := m["iam_certificate_id"]; ok && v != "" {
+		vc.IAMCertificateId = aws.String(v.(string))
+		vc.SSLSupportMethod = aws.String(m["ssl_support_method"].(string))
+	} else if v, ok := m["acm_certificate_arn"]; ok && v != "" {
+		vc.ACMCertificateArn = aws.String(v.(string))
+		vc.SSLSupportMethod = aws.String(m["ssl_support_method"].(string))
+	} else {
+		vc.CloudFrontDefaultCertificate = aws.Bool(m["cloudfront_default_certificate"].(bool))
+	}
+	if v, ok := m["minimum_protocol_version"]; ok && v != "" {
+		vc.MinimumProtocolVersion = aws.String(v.(string))
+	}
+	return &vc
+}
+
+func flattenViewerCertificate(vc *cloudfront.ViewerCertificate) *schema.Set {
+	m := make(map[string]interface{})
+
+	if vc.IAMCertificateId != nil {
+		m["iam_certificate_id"] = *vc.IAMCertificateId
+		m["ssl_support_method"] = *vc.SSLSupportMethod
+	} else if vc.ACMCertificateArn != nil {
+		m["acm_certificate_arn"] = *vc.ACMCertificateArn
+		m["ssl_support_method"] = *vc.SSLSupportMethod
+	} else {
+		m["cloudfront_default_certificate"] = *vc.CloudFrontDefaultCertificate
+	}
+	if vc.MinimumProtocolVersion != nil {
+		m["minimum_protocol_version"] = *vc.MinimumProtocolVersion
+	}
+	return schema.NewSet(viewerCertificateHash, []interface{}{m})
+}
+
+// Assemble the hash for the aws_cloudfront_distribution viewer_certificate
+// TypeSet attribute.
+func viewerCertificateHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	if v, ok := m["iam_certificate_id"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+		buf.WriteString(fmt.Sprintf("%s-", m["ssl_support_method"].(string)))
+	} else if v, ok := m["acm_certificate_arn"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+		buf.WriteString(fmt.Sprintf("%s-", m["ssl_support_method"].(string)))
+	} else {
+		buf.WriteString(fmt.Sprintf("%t-", m["cloudfront_default_certificate"].(bool)))
+	}
+	if v, ok := m["minimum_protocol_version"]; ok {
+		buf.WriteString(fmt.Sprintf("%s-", v.(string)))
+	}
+	return hashcode.String(buf.String())
+}
+
+// Do a top-level copy of struct fields from one struct to another. Used to
+// copy fields between CacheBehavior and DefaultCacheBehavior structs.
+func simpleCopyStruct(src, dst interface{}) {
+	s := reflect.ValueOf(src).Elem()
+	d := reflect.ValueOf(dst).Elem()
+
+	for i := 0; i < s.NumField(); i++ {
+		if s.Field(i).CanSet() == true {
+			if s.Field(i).Interface() != nil {
+				for j := 0; j < d.NumField(); j++ {
+					if d.Type().Field(j).Name == s.Type().Field(i).Name {
+						d.Field(j).Set(s.Field(i))
+					}
+				}
+			}
+		}
+	}
+}
+
+// Convert *cloudfront.ActiveTrustedSigners to a flatmap.Map type, which ensures
+// it can probably be inserted into the schema.TypeMap type used by the
+// active_trusted_signers attribute.
+func flattenActiveTrustedSigners(ats *cloudfront.ActiveTrustedSigners) flatmap.Map {
+	m := make(map[string]interface{})
+	s := []interface{}{}
+	m["enabled"] = *ats.Enabled
+
+	for _, v := range ats.Items {
+		signer := make(map[string]interface{})
+		signer["aws_account_number"] = *v.AwsAccountNumber
+		signer["key_pair_ids"] = aws.StringValueSlice(v.KeyPairIds.Items)
+		s = append(s, signer)
+	}
+	m["items"] = s
+	return flatmap.Flatten(m)
+}
diff --git a/builtin/providers/aws/cloudfront_distribution_configuration_structure_test.go b/builtin/providers/aws/cloudfront_distribution_configuration_structure_test.go
new file mode 100644
index 000000000000..792a926862b2
--- /dev/null
+++ b/builtin/providers/aws/cloudfront_distribution_configuration_structure_test.go
@@ -0,0 +1,989 @@
+package aws
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func defaultCacheBehaviorConf() map[string]interface{} {
+	return map[string]interface{}{
+		"viewer_protocol_policy": "allow-all",
+		"target_origin_id":       "myS3Origin",
+		"forwarded_values":       schema.NewSet(forwardedValuesHash, []interface{}{forwardedValuesConf()}),
+		"min_ttl":                86400,
+		"trusted_signers":        trustedSignersConf(),
+		"max_ttl":                365000000,
+		"smooth_streaming":       false,
+		"default_ttl":            86400,
+		"allowed_methods":        allowedMethodsConf(),
+		"cached_methods":         cachedMethodsConf(),
+		"compress":               true,
+	}
+}
+
+func cacheBehaviorConf1() map[string]interface{} {
+	cb := defaultCacheBehaviorConf()
+	cb["path_pattern"] = "/path1"
+	return cb
+}
+
+func cacheBehaviorConf2() map[string]interface{} {
+	cb := defaultCacheBehaviorConf()
+	cb["path_pattern"] = "/path2"
+	return cb
+}
+
+func cacheBehaviorsConf() *schema.Set {
+	return schema.NewSet(cacheBehaviorHash, []interface{}{cacheBehaviorConf1(), cacheBehaviorConf2()})
+}
+
+func trustedSignersConf() []interface{} {
+	return []interface{}{"1234567890EX", "1234567891EX"}
+}
+
+func forwardedValuesConf() map[string]interface{} {
+	return map[string]interface{}{
+		"query_string": true,
+		"cookies":      schema.NewSet(cookiePreferenceHash, []interface{}{cookiePreferenceConf()}),
+		"headers":      headersConf(),
+	}
+}
+
+func headersConf() []interface{} {
+	return []interface{}{"X-Example1", "X-Example2"}
+}
+
+func cookiePreferenceConf() map[string]interface{} {
+	return map[string]interface{}{
+		"forward":           "whitelist",
+		"whitelisted_names": cookieNamesConf(),
+	}
+}
+
+func cookieNamesConf() []interface{} {
+	return []interface{}{"Example1", "Example2"}
+}
+
+func allowedMethodsConf() []interface{} {
+	return []interface{}{"DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"}
+}
+
+func cachedMethodsConf() []interface{} {
+	return []interface{}{"GET", "HEAD", "OPTIONS"}
+}
+
+func originCustomHeadersConf() *schema.Set {
+	return schema.NewSet(originCustomHeaderHash, []interface{}{originCustomHeaderConf1(), originCustomHeaderConf2()})
+}
+
+func originCustomHeaderConf1() map[string]interface{} {
+	return map[string]interface{}{
+		"name":  "X-Custom-Header1",
+		"value": "samplevalue",
+	}
+}
+
+func originCustomHeaderConf2() map[string]interface{} {
+	return map[string]interface{}{
+		"name":  "X-Custom-Header2",
+		"value": "samplevalue",
+	}
+}
+
+func customOriginConf() map[string]interface{} {
+	return map[string]interface{}{
+		"origin_protocol_policy": "http-only",
+		"http_port":              80,
+		"https_port":             443,
+		"origin_ssl_protocols":   customOriginSslProtocolsConf(),
+	}
+}
+
+func customOriginSslProtocolsConf() []interface{} {
+	return []interface{}{"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
+}
+
+func s3OriginConf() map[string]interface{} {
+	return map[string]interface{}{
+		"origin_access_identity": "origin-access-identity/cloudfront/E127EXAMPLE51Z",
+	}
+}
+
+func originWithCustomConf() map[string]interface{} {
+	return map[string]interface{}{
+		"origin_id":            "CustomOrigin",
+		"domain_name":          "www.example.com",
+		"origin_path":          "/",
+		"custom_origin_config": schema.NewSet(customOriginConfigHash, []interface{}{customOriginConf()}),
+		"custom_header":        originCustomHeadersConf(),
+	}
+}
+func originWithS3Conf() map[string]interface{} {
+	return map[string]interface{}{
+		"origin_id":        "S3Origin",
+		"domain_name":      "s3.example.com",
+		"origin_path":      "/",
+		"s3_origin_config": schema.NewSet(s3OriginConfigHash, []interface{}{s3OriginConf()}),
+		"custom_header":    originCustomHeadersConf(),
+	}
+}
+
+func multiOriginConf() *schema.Set {
+	return schema.NewSet(originHash, []interface{}{originWithCustomConf(), originWithS3Conf()})
+}
+
+func geoRestrictionWhitelistConf() map[string]interface{} {
+	return map[string]interface{}{
+		"restriction_type": "whitelist",
+		"locations":        []interface{}{"CA", "GB", "US"},
+	}
+}
+
+func geoRestrictionsConf() map[string]interface{} {
+	return map[string]interface{}{
+		"geo_restriction": schema.NewSet(geoRestrictionHash, []interface{}{geoRestrictionWhitelistConf()}),
+	}
+}
+
+func geoRestrictionConfNoItems() map[string]interface{} {
+	return map[string]interface{}{
+		"restriction_type": "none",
+	}
+}
+
+func customErrorResponsesConf() []interface{} {
+	return []interface{}{
+		map[string]interface{}{
+			"error_code":            404,
+			"error_caching_min_ttl": 30,
+			"response_code":         200,
+			"response_page_path":    "/error-pages/404.html",
+		},
+		map[string]interface{}{
+			"error_code":            403,
+			"error_caching_min_ttl": 15,
+			"response_code":         404,
+			"response_page_path":    "/error-pages/404.html",
+		},
+	}
+}
+
+func aliasesConf() *schema.Set {
+	return schema.NewSet(aliasesHash, []interface{}{"example.com", "www.example.com"})
+}
+
+func loggingConfigConf() map[string]interface{} {
+	return map[string]interface{}{
+		"include_cookies": false,
+		"bucket":          "mylogs.s3.amazonaws.com",
+		"prefix":          "myprefix",
+	}
+}
+
+func customErrorResponsesConfSet() *schema.Set {
+	return schema.NewSet(customErrorResponseHash, customErrorResponsesConf())
+}
+
+func customErrorResponsesConfFirst() map[string]interface{} {
+	return customErrorResponsesConf()[0].(map[string]interface{})
+}
+
+func viewerCertificateConfSetCloudFrontDefault() map[string]interface{} {
+	return map[string]interface{}{
+		"cloudfront_default_certificate": true,
+	}
+}
+
+func viewerCertificateConfSetIAM() map[string]interface{} {
+	return map[string]interface{}{
+		"iam_certificate_id":       "iamcert-01234567",
+		"ssl_support_method":       "vip",
+		"minimum_protocol_version": "TLSv1",
+	}
+}
+
+func viewerCertificateConfSetACM() map[string]interface{} {
+	return map[string]interface{}{
+		"acm_certificate_arn":      "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
+		"ssl_support_method":       "sni-only",
+		"minimum_protocol_version": "TLSv1",
+	}
+}
+
+func TestCloudFrontStructure_expandDefaultCacheBehavior(t *testing.T) {
+	data := defaultCacheBehaviorConf()
+	dcb := expandDefaultCacheBehavior(data)
+	if *dcb.Compress != true {
+		t.Fatalf("Expected Compress to be true, got %v", *dcb.Compress)
+	}
+	if *dcb.ViewerProtocolPolicy != "allow-all" {
+		t.Fatalf("Expected ViewerProtocolPolicy to be allow-all, got %v", *dcb.ViewerProtocolPolicy)
+	}
+	if *dcb.TargetOriginId != "myS3Origin" {
+		t.Fatalf("Expected TargetOriginId to be allow-all, got %v", *dcb.TargetOriginId)
+	}
+	if reflect.DeepEqual(dcb.ForwardedValues.Headers.Items, expandStringList(headersConf())) != true {
+		t.Fatalf("Expected Items to be %v, got %v", headersConf(), dcb.ForwardedValues.Headers.Items)
+	}
+	if *dcb.MinTTL != 86400 {
+		t.Fatalf("Expected MinTTL to be 86400, got %v", *dcb.MinTTL)
+	}
+	if reflect.DeepEqual(dcb.TrustedSigners.Items, expandStringList(trustedSignersConf())) != true {
+		t.Fatalf("Expected TrustedSigners.Items to be %v, got %v", trustedSignersConf(), dcb.TrustedSigners.Items)
+	}
+	if *dcb.MaxTTL != 365000000 {
+		t.Fatalf("Expected MaxTTL to be 86400, got %v", *dcb.MaxTTL)
+	}
+	if *dcb.SmoothStreaming != false {
+		t.Fatalf("Expected SmoothStreaming to be false, got %v", *dcb.SmoothStreaming)
+	}
+	if *dcb.DefaultTTL != 86400 {
+		t.Fatalf("Expected DefaultTTL to be 86400, got %v", *dcb.DefaultTTL)
+	}
+	if reflect.DeepEqual(dcb.AllowedMethods.Items, expandStringList(allowedMethodsConf())) != true {
+		t.Fatalf("Expected TrustedSigners.Items to be %v, got %v", allowedMethodsConf(), dcb.AllowedMethods.Items)
+	}
+	if reflect.DeepEqual(dcb.AllowedMethods.CachedMethods.Items, expandStringList(cachedMethodsConf())) != true {
+		t.Fatalf("Expected TrustedSigners.Items to be %v, got %v", cachedMethodsConf(), dcb.AllowedMethods.CachedMethods.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenDefaultCacheBehavior(t *testing.T) {
+	in := defaultCacheBehaviorConf()
+	dcb := expandDefaultCacheBehavior(in)
+	out := flattenDefaultCacheBehavior(dcb)
+	diff := schema.NewSet(defaultCacheBehaviorHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandCacheBehavior(t *testing.T) {
+	data := cacheBehaviorConf1()
+	cb := expandCacheBehavior(data)
+	if *cb.Compress != true {
+		t.Fatalf("Expected Compress to be true, got %v", *cb.Compress)
+	}
+	if *cb.ViewerProtocolPolicy != "allow-all" {
+		t.Fatalf("Expected ViewerProtocolPolicy to be allow-all, got %v", *cb.ViewerProtocolPolicy)
+	}
+	if *cb.TargetOriginId != "myS3Origin" {
+		t.Fatalf("Expected TargetOriginId to be myS3Origin, got %v", *cb.TargetOriginId)
+	}
+	if reflect.DeepEqual(cb.ForwardedValues.Headers.Items, expandStringList(headersConf())) != true {
+		t.Fatalf("Expected Items to be %v, got %v", headersConf(), cb.ForwardedValues.Headers.Items)
+	}
+	if *cb.MinTTL != 86400 {
+		t.Fatalf("Expected MinTTL to be 86400, got %v", *cb.MinTTL)
+	}
+	if reflect.DeepEqual(cb.TrustedSigners.Items, expandStringList(trustedSignersConf())) != true {
+		t.Fatalf("Expected TrustedSigners.Items to be %v, got %v", trustedSignersConf(), cb.TrustedSigners.Items)
+	}
+	if *cb.MaxTTL != 365000000 {
+		t.Fatalf("Expected MaxTTL to be 365000000, got %v", *cb.MaxTTL)
+	}
+	if *cb.SmoothStreaming != false {
+		t.Fatalf("Expected SmoothStreaming to be false, got %v", *cb.SmoothStreaming)
+	}
+	if *cb.DefaultTTL != 86400 {
+		t.Fatalf("Expected DefaultTTL to be 86400, got %v", *cb.DefaultTTL)
+	}
+	if reflect.DeepEqual(cb.AllowedMethods.Items, expandStringList(allowedMethodsConf())) != true {
+		t.Fatalf("Expected AllowedMethods.Items to be %v, got %v", allowedMethodsConf(), cb.AllowedMethods.Items)
+	}
+	if reflect.DeepEqual(cb.AllowedMethods.CachedMethods.Items, expandStringList(cachedMethodsConf())) != true {
+		t.Fatalf("Expected AllowedMethods.CachedMethods.Items to be %v, got %v", cachedMethodsConf(), cb.AllowedMethods.CachedMethods.Items)
+	}
+	if *cb.PathPattern != "/path1" {
+		t.Fatalf("Expected PathPattern to be /path1, got %v", *cb.PathPattern)
+	}
+}
+
+func TestCloudFrontStructure_flattenCacheBehavior(t *testing.T) {
+	in := cacheBehaviorConf1()
+	cb := expandCacheBehavior(in)
+	out := flattenCacheBehavior(cb)
+	var diff *schema.Set
+	if out["compress"] != true {
+		t.Fatalf("Expected out[compress] to be true, got %v", out["compress"])
+	}
+	if out["viewer_protocol_policy"] != "allow-all" {
+		t.Fatalf("Expected out[viewer_protocol_policy] to be allow-all, got %v", out["viewer_protocol_policy"])
+	}
+	if out["target_origin_id"] != "myS3Origin" {
+		t.Fatalf("Expected out[target_origin_id] to be myS3Origin, got %v", out["target_origin_id"])
+	}
+	diff = out["forwarded_values"].(*schema.Set).Difference(in["forwarded_values"].(*schema.Set))
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out[forwarded_values] to be %v, got %v, diff: %v", out["forwarded_values"], in["forwarded_values"], diff)
+	}
+	if out["min_ttl"] != int(86400) {
+		t.Fatalf("Expected out[min_ttl] to be 86400 (int), got %v", out["forwarded_values"])
+	}
+	if reflect.DeepEqual(out["trusted_signers"], in["trusted_signers"]) != true {
+		t.Fatalf("Expected out[trusted_signers] to be %v, got %v", in["trusted_signers"], out["trusted_signers"])
+	}
+	if out["max_ttl"] != int(365000000) {
+		t.Fatalf("Expected out[max_ttl] to be 365000000 (int), got %v", out["max_ttl"])
+	}
+	if out["smooth_streaming"] != false {
+		t.Fatalf("Expected out[smooth_streaming] to be false, got %v", out["smooth_streaming"])
+	}
+	if out["default_ttl"] != int(86400) {
+		t.Fatalf("Expected out[default_ttl] to be 86400 (int), got %v", out["default_ttl"])
+	}
+	if reflect.DeepEqual(out["allowed_methods"], in["allowed_methods"]) != true {
+		t.Fatalf("Expected out[allowed_methods] to be %v, got %v", in["allowed_methods"], out["allowed_methods"])
+	}
+	if reflect.DeepEqual(out["cached_methods"], in["cached_methods"]) != true {
+		t.Fatalf("Expected out[cached_methods] to be %v, got %v", in["cached_methods"], out["cached_methods"])
+	}
+	if out["path_pattern"] != "/path1" {
+		t.Fatalf("Expected out[path_pattern] to be /path1, got %v", out["path_pattern"])
+	}
+}
+
+func TestCloudFrontStructure_expandCacheBehaviors(t *testing.T) {
+	data := cacheBehaviorsConf()
+	cbs := expandCacheBehaviors(data)
+	if *cbs.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *cbs.Quantity)
+	}
+	if *cbs.Items[0].TargetOriginId != "myS3Origin" {
+		t.Fatalf("Expected first Item's TargetOriginId to be 	myS3Origin, got %v", *cbs.Items[0].TargetOriginId)
+	}
+}
+
+func TestCloudFrontStructure_flattenCacheBehaviors(t *testing.T) {
+	in := cacheBehaviorsConf()
+	cbs := expandCacheBehaviors(in)
+	out := flattenCacheBehaviors(cbs)
+	diff := in.Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandTrustedSigners(t *testing.T) {
+	data := trustedSignersConf()
+	ts := expandTrustedSigners(data)
+	if *ts.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *ts.Quantity)
+	}
+	if *ts.Enabled != true {
+		t.Fatalf("Expected Enabled to be true, got %v", *ts.Enabled)
+	}
+	if reflect.DeepEqual(ts.Items, expandStringList(data)) != true {
+		t.Fatalf("Expected Items to be %v, got %v", data, ts.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenTrustedSigners(t *testing.T) {
+	in := trustedSignersConf()
+	ts := expandTrustedSigners(in)
+	out := flattenTrustedSigners(ts)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandTrustedSigners_empty(t *testing.T) {
+	data := []interface{}{}
+	ts := expandTrustedSigners(data)
+	if *ts.Quantity != 0 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *ts.Quantity)
+	}
+	if *ts.Enabled != false {
+		t.Fatalf("Expected Enabled to be true, got %v", *ts.Enabled)
+	}
+	if ts.Items != nil {
+		t.Fatalf("Expected Items to be nil, got %v", ts.Items)
+	}
+}
+
+func TestCloudFrontStructure_expandForwardedValues(t *testing.T) {
+	data := forwardedValuesConf()
+	fv := expandForwardedValues(data)
+	if *fv.QueryString != true {
+		t.Fatalf("Expected QueryString to be true, got %v", *fv.QueryString)
+	}
+	if reflect.DeepEqual(fv.Cookies.WhitelistedNames.Items, expandStringList(cookieNamesConf())) != true {
+		t.Fatalf("Expected Cookies.WhitelistedNames.Items to be %v, got %v", cookieNamesConf(), fv.Cookies.WhitelistedNames.Items)
+	}
+	if reflect.DeepEqual(fv.Headers.Items, expandStringList(headersConf())) != true {
+		t.Fatalf("Expected Headers.Items to be %v, got %v", headersConf(), fv.Headers.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenForwardedValues(t *testing.T) {
+	in := forwardedValuesConf()
+	fv := expandForwardedValues(in)
+	out := flattenForwardedValues(fv)
+
+	if out["query_string"] != true {
+		t.Fatalf("Expected out[query_string] to be true, got %v", out["query_string"])
+	}
+	if out["cookies"].(*schema.Set).Equal(in["cookies"].(*schema.Set)) != true {
+		t.Fatalf("Expected out[cookies] to be %v, got %v", in["cookies"], out["cookies"])
+	}
+	if reflect.DeepEqual(out["headers"], in["headers"]) != true {
+		t.Fatalf("Expected out[headers] to be %v, got %v", in["headers"], out["headers"])
+	}
+}
+
+func TestCloudFrontStructure_expandHeaders(t *testing.T) {
+	data := headersConf()
+	h := expandHeaders(data)
+	if *h.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *h.Quantity)
+	}
+	if reflect.DeepEqual(h.Items, expandStringList(data)) != true {
+		t.Fatalf("Expected Items to be %v, got %v", data, h.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenHeaders(t *testing.T) {
+	in := headersConf()
+	h := expandHeaders(in)
+	out := flattenHeaders(h)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCookiePreference(t *testing.T) {
+	data := cookiePreferenceConf()
+	cp := expandCookiePreference(data)
+	if *cp.Forward != "whitelist" {
+		t.Fatalf("Expected Forward to be whitelist, got %v", *cp.Forward)
+	}
+	if reflect.DeepEqual(cp.WhitelistedNames.Items, expandStringList(cookieNamesConf())) != true {
+		t.Fatalf("Expected WhitelistedNames.Items to be %v, got %v", cookieNamesConf(), cp.WhitelistedNames.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenCookiePreference(t *testing.T) {
+	in := cookiePreferenceConf()
+	cp := expandCookiePreference(in)
+	out := flattenCookiePreference(cp)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCookieNames(t *testing.T) {
+	data := cookieNamesConf()
+	cn := expandCookieNames(data)
+	if *cn.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *cn.Quantity)
+	}
+	if reflect.DeepEqual(cn.Items, expandStringList(data)) != true {
+		t.Fatalf("Expected Items to be %v, got %v", data, cn.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenCookieNames(t *testing.T) {
+	in := cookieNamesConf()
+	cn := expandCookieNames(in)
+	out := flattenCookieNames(cn)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandAllowedMethods(t *testing.T) {
+	data := allowedMethodsConf()
+	am := expandAllowedMethods(data)
+	if *am.Quantity != 7 {
+		t.Fatalf("Expected Quantity to be 3, got %v", *am.Quantity)
+	}
+	if reflect.DeepEqual(am.Items, expandStringList(data)) != true {
+		t.Fatalf("Expected Items to be %v, got %v", data, am.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenAllowedMethods(t *testing.T) {
+	in := allowedMethodsConf()
+	am := expandAllowedMethods(in)
+	out := flattenAllowedMethods(am)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCachedMethods(t *testing.T) {
+	data := cachedMethodsConf()
+	cm := expandCachedMethods(data)
+	if *cm.Quantity != 3 {
+		t.Fatalf("Expected Quantity to be 3, got %v", *cm.Quantity)
+	}
+	if reflect.DeepEqual(cm.Items, expandStringList(data)) != true {
+		t.Fatalf("Expected Items to be %v, got %v", data, cm.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenCachedMethods(t *testing.T) {
+	in := cachedMethodsConf()
+	cm := expandCachedMethods(in)
+	out := flattenCachedMethods(cm)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandOrigins(t *testing.T) {
+	data := multiOriginConf()
+	origins := expandOrigins(data)
+	if *origins.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *origins.Quantity)
+	}
+	if *origins.Items[0].OriginPath != "/" {
+		t.Fatalf("Expected first Item's OriginPath to be /, got %v", *origins.Items[0].OriginPath)
+	}
+}
+
+func TestCloudFrontStructure_flattenOrigins(t *testing.T) {
+	in := multiOriginConf()
+	origins := expandOrigins(in)
+	out := flattenOrigins(origins)
+	diff := in.Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandOrigin(t *testing.T) {
+	data := originWithCustomConf()
+	or := expandOrigin(data)
+	if *or.Id != "CustomOrigin" {
+		t.Fatalf("Expected Id to be CustomOrigin, got %v", *or.Id)
+	}
+	if *or.DomainName != "www.example.com" {
+		t.Fatalf("Expected DomainName to be www.example.com, got %v", *or.DomainName)
+	}
+	if *or.OriginPath != "/" {
+		t.Fatalf("Expected OriginPath to be /, got %v", *or.OriginPath)
+	}
+	if *or.CustomOriginConfig.OriginProtocolPolicy != "http-only" {
+		t.Fatalf("Expected CustomOriginConfig.OriginProtocolPolicy to be http-only, got %v", *or.CustomOriginConfig.OriginProtocolPolicy)
+	}
+	if *or.CustomHeaders.Items[0].HeaderValue != "samplevalue" {
+		t.Fatalf("Expected CustomHeaders.Items[0].HeaderValue to be samplevalue, got %v", *or.CustomHeaders.Items[0].HeaderValue)
+	}
+}
+
+func TestCloudFrontStructure_flattenOrigin(t *testing.T) {
+	in := originWithCustomConf()
+	or := expandOrigin(in)
+	out := flattenOrigin(or)
+
+	if out["origin_id"] != "CustomOrigin" {
+		t.Fatalf("Expected out[origin_id] to be CustomOrigin, got %v", out["origin_id"])
+	}
+	if out["domain_name"] != "www.example.com" {
+		t.Fatalf("Expected out[domain_name] to be www.example.com, got %v", out["domain_name"])
+	}
+	if out["origin_path"] != "/" {
+		t.Fatalf("Expected out[origin_path] to be /, got %v", out["origin_path"])
+	}
+	if out["custom_origin_config"].(*schema.Set).Equal(in["custom_origin_config"].(*schema.Set)) != true {
+		t.Fatalf("Expected out[custom_origin_config] to be %v, got %v", in["custom_origin_config"], out["custom_origin_config"])
+	}
+}
+
+func TestCloudFrontStructure_expandCustomHeaders(t *testing.T) {
+	in := originCustomHeadersConf()
+	chs := expandCustomHeaders(in)
+	if *chs.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *chs.Quantity)
+	}
+	if *chs.Items[0].HeaderValue != "samplevalue" {
+		t.Fatalf("Expected first Item's HeaderValue to be samplevalue, got %v", *chs.Items[0].HeaderValue)
+	}
+}
+
+func TestCloudFrontStructure_flattenCustomHeaders(t *testing.T) {
+	in := originCustomHeadersConf()
+	chs := expandCustomHeaders(in)
+	out := flattenCustomHeaders(chs)
+	diff := in.Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_flattenOriginCustomHeader(t *testing.T) {
+	in := originCustomHeaderConf1()
+	och := expandOriginCustomHeader(in)
+	out := flattenOriginCustomHeader(och)
+
+	if out["name"] != "X-Custom-Header1" {
+		t.Fatalf("Expected out[name] to be X-Custom-Header1, got %v", out["name"])
+	}
+	if out["value"] != "samplevalue" {
+		t.Fatalf("Expected out[value] to be samplevalue, got %v", out["value"])
+	}
+}
+
+func TestCloudFrontStructure_expandOriginCustomHeader(t *testing.T) {
+	in := originCustomHeaderConf1()
+	och := expandOriginCustomHeader(in)
+
+	if *och.HeaderName != "X-Custom-Header1" {
+		t.Fatalf("Expected HeaderName to be X-Custom-Header1, got %v", *och.HeaderName)
+	}
+	if *och.HeaderValue != "samplevalue" {
+		t.Fatalf("Expected HeaderValue to be samplevalue, got %v", *och.HeaderValue)
+	}
+}
+
+func TestCloudFrontStructure_expandCustomOriginConfig(t *testing.T) {
+	data := customOriginConf()
+	co := expandCustomOriginConfig(data)
+	if *co.OriginProtocolPolicy != "http-only" {
+		t.Fatalf("Expected OriginProtocolPolicy to be http-only, got %v", *co.OriginProtocolPolicy)
+	}
+	if *co.HTTPPort != 80 {
+		t.Fatalf("Expected HTTPPort to be 80, got %v", *co.HTTPPort)
+	}
+	if *co.HTTPSPort != 443 {
+		t.Fatalf("Expected HTTPSPort to be 443, got %v", *co.HTTPSPort)
+	}
+}
+
+func TestCloudFrontStructure_flattenCustomOriginConfig(t *testing.T) {
+	in := customOriginConf()
+	co := expandCustomOriginConfig(in)
+	out := flattenCustomOriginConfig(co)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCustomOriginConfigSSL(t *testing.T) {
+	in := customOriginSslProtocolsConf()
+	ocs := expandCustomOriginConfigSSL(in)
+	if *ocs.Quantity != 4 {
+		t.Fatalf("Expected Quantity to be 4, got %v", *ocs.Quantity)
+	}
+	if *ocs.Items[0] != "SSLv3" {
+		t.Fatalf("Expected first Item to be SSLv3, got %v", *ocs.Items[0])
+	}
+}
+
+func TestCloudFrontStructure_flattenCustomOriginConfigSSL(t *testing.T) {
+	in := customOriginSslProtocolsConf()
+	ocs := expandCustomOriginConfigSSL(in)
+	out := flattenCustomOriginConfigSSL(ocs)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandS3OriginConfig(t *testing.T) {
+	data := s3OriginConf()
+	s3o := expandS3OriginConfig(data)
+	if *s3o.OriginAccessIdentity != "origin-access-identity/cloudfront/E127EXAMPLE51Z" {
+		t.Fatalf("Expected OriginAccessIdentity to be origin-access-identity/cloudfront/E127EXAMPLE51Z, got %v", *s3o.OriginAccessIdentity)
+	}
+}
+
+func TestCloudFrontStructure_flattenS3OriginConfig(t *testing.T) {
+	in := s3OriginConf()
+	s3o := expandS3OriginConfig(in)
+	out := flattenS3OriginConfig(s3o)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCustomErrorResponses(t *testing.T) {
+	data := customErrorResponsesConfSet()
+	ers := expandCustomErrorResponses(data)
+	if *ers.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *ers.Quantity)
+	}
+	if *ers.Items[0].ResponsePagePath != "/error-pages/404.html" {
+		t.Fatalf("Expected ResponsePagePath in first Item to be /error-pages/404.html, got %v", *ers.Items[0].ResponsePagePath)
+	}
+}
+
+func TestCloudFrontStructure_flattenCustomErrorResponses(t *testing.T) {
+	in := customErrorResponsesConfSet()
+	ers := expandCustomErrorResponses(in)
+	out := flattenCustomErrorResponses(ers)
+
+	if in.Equal(out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandCustomErrorResponse(t *testing.T) {
+	data := customErrorResponsesConfFirst()
+	er := expandCustomErrorResponse(data)
+	if *er.ErrorCode != 404 {
+		t.Fatalf("Expected ErrorCode to be 404, got %v", *er.ErrorCode)
+	}
+	if *er.ErrorCachingMinTTL != 30 {
+		t.Fatalf("Expected ErrorCachingMinTTL to be 30, got %v", *er.ErrorCachingMinTTL)
+	}
+	if *er.ResponseCode != "200" {
+		t.Fatalf("Expected ResponseCode to be 200 (as string), got %v", *er.ResponseCode)
+	}
+	if *er.ResponsePagePath != "/error-pages/404.html" {
+		t.Fatalf("Expected ResponsePagePath to be /error-pages/404.html, got %v", *er.ResponsePagePath)
+	}
+}
+
+func TestCloudFrontStructure_flattenCustomErrorResponse(t *testing.T) {
+	in := customErrorResponsesConfFirst()
+	er := expandCustomErrorResponse(in)
+	out := flattenCustomErrorResponse(er)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandLoggingConfig(t *testing.T) {
+	data := loggingConfigConf()
+
+	lc := expandLoggingConfig(data)
+	if *lc.Enabled != true {
+		t.Fatalf("Expected Enabled to be true, got %v", *lc.Enabled)
+	}
+	if *lc.Prefix != "myprefix" {
+		t.Fatalf("Expected Prefix to be myprefix, got %v", *lc.Prefix)
+	}
+	if *lc.Bucket != "mylogs.s3.amazonaws.com" {
+		t.Fatalf("Expected Bucket to be mylogs.s3.amazonaws.com, got %v", *lc.Bucket)
+	}
+	if *lc.IncludeCookies != false {
+		t.Fatalf("Expected IncludeCookies to be false, got %v", *lc.IncludeCookies)
+	}
+}
+
+func TestCloudFrontStructure_expandLoggingConfig_nilValue(t *testing.T) {
+	lc := expandLoggingConfig(nil)
+	if *lc.Enabled != false {
+		t.Fatalf("Expected Enabled to be false, got %v", *lc.Enabled)
+	}
+	if *lc.Prefix != "" {
+		t.Fatalf("Expected Prefix to be blank, got %v", *lc.Prefix)
+	}
+	if *lc.Bucket != "" {
+		t.Fatalf("Expected Bucket to be blank, got %v", *lc.Bucket)
+	}
+	if *lc.IncludeCookies != false {
+		t.Fatalf("Expected IncludeCookies to be false, got %v", *lc.IncludeCookies)
+	}
+}
+
+func TestCloudFrontStructure_flattenLoggingConfig(t *testing.T) {
+	in := loggingConfigConf()
+	lc := expandLoggingConfig(in)
+	out := flattenLoggingConfig(lc)
+	diff := schema.NewSet(loggingConfigHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandAliases(t *testing.T) {
+	data := aliasesConf()
+	a := expandAliases(data)
+	if *a.Quantity != 2 {
+		t.Fatalf("Expected Quantity to be 2, got %v", *a.Quantity)
+	}
+	if reflect.DeepEqual(a.Items, expandStringList(data.List())) != true {
+		t.Fatalf("Expected Items to be [example.com www.example.com], got %v", a.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenAliases(t *testing.T) {
+	in := aliasesConf()
+	a := expandAliases(in)
+	out := flattenAliases(a)
+	diff := in.Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandRestrictions(t *testing.T) {
+	data := geoRestrictionsConf()
+	r := expandRestrictions(data)
+	if *r.GeoRestriction.RestrictionType != "whitelist" {
+		t.Fatalf("Expected GeoRestriction.RestrictionType to be whitelist, got %v", *r.GeoRestriction.RestrictionType)
+	}
+}
+
+func TestCloudFrontStructure_flattenRestrictions(t *testing.T) {
+	in := geoRestrictionsConf()
+	r := expandRestrictions(in)
+	out := flattenRestrictions(r)
+	diff := schema.NewSet(restrictionsHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandGeoRestriction_whitelist(t *testing.T) {
+	data := geoRestrictionWhitelistConf()
+	gr := expandGeoRestriction(data)
+	if *gr.RestrictionType != "whitelist" {
+		t.Fatalf("Expected RestrictionType to be whitelist, got %v", *gr.RestrictionType)
+	}
+	if *gr.Quantity != 3 {
+		t.Fatalf("Expected Quantity to be 3, got %v", *gr.Quantity)
+	}
+	if reflect.DeepEqual(gr.Items, aws.StringSlice([]string{"CA", "GB", "US"})) != true {
+		t.Fatalf("Expected Items be [CA, GB, US], got %v", gr.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenGeoRestriction_whitelist(t *testing.T) {
+	in := geoRestrictionWhitelistConf()
+	gr := expandGeoRestriction(in)
+	out := flattenGeoRestriction(gr)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandGeoRestriction_no_items(t *testing.T) {
+	data := geoRestrictionConfNoItems()
+	gr := expandGeoRestriction(data)
+	if *gr.RestrictionType != "none" {
+		t.Fatalf("Expected RestrictionType to be none, got %v", *gr.RestrictionType)
+	}
+	if *gr.Quantity != 0 {
+		t.Fatalf("Expected Quantity to be 0, got %v", *gr.Quantity)
+	}
+	if gr.Items != nil {
+		t.Fatalf("Expected Items to not be set, got %v", gr.Items)
+	}
+}
+
+func TestCloudFrontStructure_flattenGeoRestriction_no_items(t *testing.T) {
+	in := geoRestrictionConfNoItems()
+	gr := expandGeoRestriction(in)
+	out := flattenGeoRestriction(gr)
+
+	if reflect.DeepEqual(in, out) != true {
+		t.Fatalf("Expected out to be %v, got %v", in, out)
+	}
+}
+
+func TestCloudFrontStructure_expandViewerCertificate_cloudfront_default_certificate(t *testing.T) {
+	data := viewerCertificateConfSetCloudFrontDefault()
+	vc := expandViewerCertificate(data)
+	if vc.ACMCertificateArn != nil {
+		t.Fatalf("Expected ACMCertificateArn to be unset, got %v", *vc.ACMCertificateArn)
+	}
+	if *vc.CloudFrontDefaultCertificate != true {
+		t.Fatalf("Expected CloudFrontDefaultCertificate to be true, got %v", *vc.CloudFrontDefaultCertificate)
+	}
+	if vc.IAMCertificateId != nil {
+		t.Fatalf("Expected IAMCertificateId to not be set, got %v", *vc.IAMCertificateId)
+	}
+	if vc.SSLSupportMethod != nil {
+		t.Fatalf("Expected IAMCertificateId to not be set, got %v", *vc.SSLSupportMethod)
+	}
+	if vc.MinimumProtocolVersion != nil {
+		t.Fatalf("Expected IAMCertificateId to not be set, got %v", *vc.MinimumProtocolVersion)
+	}
+}
+
+func TestCloudFrontStructure_flattenViewerCertificate_cloudfront_default_certificate(t *testing.T) {
+	in := viewerCertificateConfSetCloudFrontDefault()
+	vc := expandViewerCertificate(in)
+	out := flattenViewerCertificate(vc)
+	diff := schema.NewSet(viewerCertificateHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_expandViewerCertificate_iam_certificate_id(t *testing.T) {
+	data := viewerCertificateConfSetIAM()
+	vc := expandViewerCertificate(data)
+	if vc.ACMCertificateArn != nil {
+		t.Fatalf("Expected ACMCertificateArn to be unset, got %v", *vc.ACMCertificateArn)
+	}
+	if vc.CloudFrontDefaultCertificate != nil {
+		t.Fatalf("Expected CloudFrontDefaultCertificate to be unset, got %v", *vc.CloudFrontDefaultCertificate)
+	}
+	if *vc.IAMCertificateId != "iamcert-01234567" {
+		t.Fatalf("Expected IAMCertificateId to be iamcert-01234567, got %v", *vc.IAMCertificateId)
+	}
+	if *vc.SSLSupportMethod != "vip" {
+		t.Fatalf("Expected IAMCertificateId to be vip, got %v", *vc.SSLSupportMethod)
+	}
+	if *vc.MinimumProtocolVersion != "TLSv1" {
+		t.Fatalf("Expected IAMCertificateId to be TLSv1, got %v", *vc.MinimumProtocolVersion)
+	}
+}
+
+func TestCloudFrontStructure_expandViewerCertificate_acm_certificate_arn(t *testing.T) {
+	data := viewerCertificateConfSetACM()
+	vc := expandViewerCertificate(data)
+	if *vc.ACMCertificateArn != "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" {
+		t.Fatalf("Expected ACMCertificateArn to be arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012, got %v", *vc.ACMCertificateArn)
+	}
+	if vc.CloudFrontDefaultCertificate != nil {
+		t.Fatalf("Expected CloudFrontDefaultCertificate to be unset, got %v", *vc.CloudFrontDefaultCertificate)
+	}
+	if vc.IAMCertificateId != nil {
+		t.Fatalf("Expected IAMCertificateId to be unset, got %v", *vc.IAMCertificateId)
+	}
+	if *vc.SSLSupportMethod != "sni-only" {
+		t.Fatalf("Expected IAMCertificateId to be sni-only, got %v", *vc.SSLSupportMethod)
+	}
+	if *vc.MinimumProtocolVersion != "TLSv1" {
+		t.Fatalf("Expected IAMCertificateId to be TLSv1, got %v", *vc.MinimumProtocolVersion)
+	}
+}
+
+func TestCloudFrontStructure_falttenViewerCertificate_iam_certificate_id(t *testing.T) {
+	in := viewerCertificateConfSetIAM()
+	vc := expandViewerCertificate(in)
+	out := flattenViewerCertificate(vc)
+	diff := schema.NewSet(viewerCertificateHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
+
+func TestCloudFrontStructure_falttenViewerCertificate_acm_certificate_arn(t *testing.T) {
+	in := viewerCertificateConfSetACM()
+	vc := expandViewerCertificate(in)
+	out := flattenViewerCertificate(vc)
+	diff := schema.NewSet(viewerCertificateHash, []interface{}{in}).Difference(out)
+
+	if len(diff.List()) > 0 {
+		t.Fatalf("Expected out to be %v, got %v, diff: %v", in, out, diff)
+	}
+}
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index 8861b260f42c..f521c755a13a 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -25,6 +25,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/apigateway"
 	"github.com/aws/aws-sdk-go/service/autoscaling"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
 	"github.com/aws/aws-sdk-go/service/cloudtrail"
 	"github.com/aws/aws-sdk-go/service/cloudwatch"
 	"github.com/aws/aws-sdk-go/service/cloudwatchevents"
@@ -78,6 +79,7 @@ type Config struct {
 
 type AWSClient struct {
 	cfconn               *cloudformation.CloudFormation
+	cloudfrontconn       *cloudfront.CloudFront
 	cloudtrailconn       *cloudtrail.CloudTrail
 	cloudwatchconn       *cloudwatch.CloudWatch
 	cloudwatchlogsconn   *cloudwatchlogs.CloudWatchLogs
@@ -137,8 +139,8 @@ func (c *Config) Client() (interface{}, error) {
 		_, err = creds.Get()
 		if err != nil {
 			if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
-				errs = append(errs, fmt.Errorf(`No valid credential sources found for AWS Provider. 
-  Please see https://terraform.io/docs/providers/aws/index.html for more information on 
+				errs = append(errs, fmt.Errorf(`No valid credential sources found for AWS Provider.
+  Please see https://terraform.io/docs/providers/aws/index.html for more information on
   providing credentials for the AWS Provider`))
 			} else {
 				errs = append(errs, fmt.Errorf("Error loading credentials for AWS Provider: %s", err))
@@ -188,6 +190,9 @@ func (c *Config) Client() (interface{}, error) {
 		dynamoSess := sess.Copy(&aws.Config{Endpoint: aws.String(c.DynamoDBEndpoint)})
 		client.dynamodbconn = dynamodb.New(dynamoSess)
 
+		log.Println("[INFO] Initializing Cloudfront connection")
+		client.cloudfrontconn = cloudfront.New(sess)
+
 		log.Println("[INFO] Initializing ELB connection")
 		awsElbSess := sess.Copy(&aws.Config{Endpoint: aws.String(c.ElbEndpoint)})
 		client.elbconn = elb.New(awsElbSess)
diff --git a/builtin/providers/aws/provider.go b/builtin/providers/aws/provider.go
index 01d55a8992d9..040d029ebfc1 100644
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@@ -129,6 +129,8 @@ func Provider() terraform.ResourceProvider {
 			"aws_autoscaling_policy":                       resourceAwsAutoscalingPolicy(),
 			"aws_autoscaling_schedule":                     resourceAwsAutoscalingSchedule(),
 			"aws_cloudformation_stack":                     resourceAwsCloudFormationStack(),
+			"aws_cloudfront_distribution":                  resourceAwsCloudFrontDistribution(),
+			"aws_cloudfront_origin_access_identity":        resourceAwsCloudFrontOriginAccessIdentity(),
 			"aws_cloudtrail":                               resourceAwsCloudTrail(),
 			"aws_cloudwatch_event_rule":                    resourceAwsCloudWatchEventRule(),
 			"aws_cloudwatch_event_target":                  resourceAwsCloudWatchEventTarget(),
diff --git a/builtin/providers/aws/resource_aws_cloudfront_distribution.go b/builtin/providers/aws/resource_aws_cloudfront_distribution.go
new file mode 100644
index 000000000000..e5889faeea36
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudfront_distribution.go
@@ -0,0 +1,595 @@
+package aws
+
+import (
+	"log"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsCloudFrontDistribution() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsCloudFrontDistributionCreate,
+		Read:   resourceAwsCloudFrontDistributionRead,
+		Update: resourceAwsCloudFrontDistributionUpdate,
+		Delete: resourceAwsCloudFrontDistributionDelete,
+
+		Schema: map[string]*schema.Schema{
+			"aliases": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      aliasesHash,
+			},
+			"cache_behavior": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Set:      cacheBehaviorHash,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"allowed_methods": &schema.Schema{
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"cached_methods": &schema.Schema{
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"compress": &schema.Schema{
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+						"default_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"forwarded_values": &schema.Schema{
+							Type:     schema.TypeSet,
+							Required: true,
+							Set:      forwardedValuesHash,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"cookies": &schema.Schema{
+										Type:     schema.TypeSet,
+										Optional: true,
+										Set:      cookiePreferenceHash,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"forward": &schema.Schema{
+													Type:     schema.TypeString,
+													Required: true,
+												},
+												"whitelisted_names": &schema.Schema{
+													Type:     schema.TypeList,
+													Optional: true,
+													Elem:     &schema.Schema{Type: schema.TypeString},
+												},
+											},
+										},
+									},
+									"headers": &schema.Schema{
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+									"query_string": &schema.Schema{
+										Type:     schema.TypeBool,
+										Required: true,
+									},
+								},
+							},
+						},
+						"max_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"min_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"path_pattern": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"smooth_streaming": &schema.Schema{
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+						"target_origin_id": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"trusted_signers": &schema.Schema{
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"viewer_protocol_policy": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+			},
+			"comment": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"custom_error_response": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Set:      customErrorResponseHash,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"error_caching_min_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Optional: true,
+						},
+						"error_code": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"response_code": &schema.Schema{
+							Type:     schema.TypeInt,
+							Optional: true,
+						},
+						"response_page_path": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
+			},
+			"default_cache_behavior": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				Set:      defaultCacheBehaviorHash,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"allowed_methods": &schema.Schema{
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"cached_methods": &schema.Schema{
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"compress": &schema.Schema{
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+						"default_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"forwarded_values": &schema.Schema{
+							Type:     schema.TypeSet,
+							Required: true,
+							Set:      forwardedValuesHash,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"cookies": &schema.Schema{
+										Type:     schema.TypeSet,
+										Optional: true,
+										Set:      cookiePreferenceHash,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"forward": &schema.Schema{
+													Type:     schema.TypeString,
+													Required: true,
+												},
+												"whitelisted_names": &schema.Schema{
+													Type:     schema.TypeList,
+													Optional: true,
+													Elem:     &schema.Schema{Type: schema.TypeString},
+												},
+											},
+										},
+									},
+									"headers": &schema.Schema{
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+									"query_string": &schema.Schema{
+										Type:     schema.TypeBool,
+										Required: true,
+									},
+								},
+							},
+						},
+						"max_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"min_ttl": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+						"smooth_streaming": &schema.Schema{
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+						"target_origin_id": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"trusted_signers": &schema.Schema{
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+						"viewer_protocol_policy": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+			},
+			"default_root_object": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"enabled": &schema.Schema{
+				Type:     schema.TypeBool,
+				Required: true,
+			},
+			"logging_config": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Set:      loggingConfigHash,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"bucket": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"include_cookies": &schema.Schema{
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+						"prefix": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+					},
+				},
+			},
+			"origin": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				Set:      originHash,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"custom_origin_config": &schema.Schema{
+							Type:          schema.TypeSet,
+							Optional:      true,
+							ConflictsWith: []string{"origin.s3_origin_config"},
+							Set:           customOriginConfigHash,
+							MaxItems:      1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"http_port": &schema.Schema{
+										Type:     schema.TypeInt,
+										Required: true,
+									},
+									"https_port": &schema.Schema{
+										Type:     schema.TypeInt,
+										Required: true,
+									},
+									"origin_protocol_policy": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+									"origin_ssl_protocols": &schema.Schema{
+										Type:     schema.TypeList,
+										Required: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+						"domain_name": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"custom_header": &schema.Schema{
+							Type:     schema.TypeSet,
+							Optional: true,
+							Set:      originCustomHeaderHash,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"name": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+									"value": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+								},
+							},
+						},
+						"origin_id": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"origin_path": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"s3_origin_config": &schema.Schema{
+							Type:          schema.TypeSet,
+							Optional:      true,
+							ConflictsWith: []string{"origin.custom_origin_config"},
+							Set:           s3OriginConfigHash,
+							MaxItems:      1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"origin_access_identity": &schema.Schema{
+										Type:     schema.TypeString,
+										Optional: true,
+										Default:  "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"price_class": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "PriceClass_All",
+			},
+			"restrictions": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				Set:      restrictionsHash,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"geo_restriction": &schema.Schema{
+							Type:     schema.TypeSet,
+							Required: true,
+							Set:      geoRestrictionHash,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"locations": &schema.Schema{
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+									"restriction_type": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"viewer_certificate": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				Set:      viewerCertificateHash,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"acm_certificate_arn": &schema.Schema{
+							Type:          schema.TypeString,
+							Optional:      true,
+							ConflictsWith: []string{"viewer_certificate.cloudfront_default_certificate", "viewer_certificate.iam_certificate_id"},
+						},
+						"cloudfront_default_certificate": &schema.Schema{
+							Type:          schema.TypeBool,
+							Optional:      true,
+							ConflictsWith: []string{"viewer_certificate.acm_certificate_arn", "viewer_certificate.iam_certificate_id"},
+						},
+						"iam_certificate_id": &schema.Schema{
+							Type:          schema.TypeString,
+							Optional:      true,
+							ConflictsWith: []string{"viewer_certificate.acm_certificate_arn", "viewer_certificate.cloudfront_default_certificate"},
+						},
+						"minimum_protocol_version": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "SSLv3",
+						},
+						"ssl_support_method": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
+			},
+			"web_acl_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"caller_reference": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"status": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"active_trusted_signers": &schema.Schema{
+				Type:     schema.TypeMap,
+				Computed: true,
+			},
+			"domain_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"last_modified_time": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"in_progress_validation_batches": &schema.Schema{
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
+			"etag": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			// retain_on_delete is a non-API attribute that may help facilitate speedy
+			// deletion of a resoruce. It's mainly here for testing purposes, so
+			// enable at your own risk.
+			"retain_on_delete": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+		},
+	}
+}
+
+func resourceAwsCloudFrontDistributionCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.CreateDistributionInput{
+		DistributionConfig: expandDistributionConfig(d),
+	}
+
+	resp, err := conn.CreateDistribution(params)
+	if err != nil {
+		return err
+	}
+	d.SetId(*resp.Distribution.Id)
+	return resourceAwsCloudFrontDistributionRead(d, meta)
+}
+
+func resourceAwsCloudFrontDistributionRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.GetDistributionInput{
+		Id: aws.String(d.Id()),
+	}
+
+	resp, err := conn.GetDistribution(params)
+	if err != nil {
+		return err
+	}
+
+	// Update attributes from DistributionConfig
+	flattenDistributionConfig(d, resp.Distribution.DistributionConfig)
+	// Update other attributes outside of DistributionConfig
+	d.SetId(*resp.Distribution.Id)
+	d.Set("active_trusted_signers", flattenActiveTrustedSigners(resp.Distribution.ActiveTrustedSigners))
+	d.Set("status", *resp.Distribution.Status)
+	d.Set("domain_name", *resp.Distribution.DomainName)
+	d.Set("last_modified_time", aws.String(resp.Distribution.LastModifiedTime.String()))
+	d.Set("in_progress_validation_batches", *resp.Distribution.InProgressInvalidationBatches)
+	d.Set("etag", *resp.ETag)
+	return nil
+}
+
+func resourceAwsCloudFrontDistributionUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.UpdateDistributionInput{
+		Id:                 aws.String(d.Id()),
+		DistributionConfig: expandDistributionConfig(d),
+		IfMatch:            aws.String(d.Get("etag").(string)),
+	}
+	_, err := conn.UpdateDistribution(params)
+	if err != nil {
+		return err
+	}
+
+	return resourceAwsCloudFrontDistributionRead(d, meta)
+}
+
+func resourceAwsCloudFrontDistributionDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+
+	// manually disable the distribution first
+	d.Set("enabled", false)
+	err := resourceAwsCloudFrontDistributionUpdate(d, meta)
+	if err != nil {
+		return err
+	}
+
+	// skip delete if retain_on_delete is enabled
+	if d.Get("retain_on_delete").(bool) {
+		log.Printf("[WARN] Removing Distribtuion ID %s with retain_on_delete set. Please delete this distribution manually.", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	// Distribution needs to be in deployed state again before it can be deleted.
+	resourceAwsCloudFrontDistributionWaitUntilDeployed(d.Id(), meta)
+
+	// now delete
+	params := &cloudfront.DeleteDistributionInput{
+		Id:      aws.String(d.Id()),
+		IfMatch: aws.String(d.Get("etag").(string)),
+	}
+
+	_, err = conn.DeleteDistribution(params)
+	if err != nil {
+		return err
+	}
+
+	// Done
+	d.SetId("")
+	return nil
+}
+
+// resourceAwsCloudFrontWebDistributionWaitUntilDeployed blocks until the
+// distribution is deployed. It currently takes exactly 15 minutes to deploy
+// but that might change in the future.
+func resourceAwsCloudFrontDistributionWaitUntilDeployed(id string, meta interface{}) error {
+	stateConf := &resource.StateChangeConf{
+		Pending:    []string{"InProgress", "Deployed"},
+		Target:     []string{"Deployed"},
+		Refresh:    resourceAwsCloudFrontWebDistributionStateRefreshFunc(id, meta),
+		Timeout:    40 * time.Minute,
+		MinTimeout: 15 * time.Second,
+		Delay:      10 * time.Minute,
+	}
+
+	_, err := stateConf.WaitForState()
+	return err
+}
+
+// The refresh function for resourceAwsCloudFrontWebDistributionWaitUntilDeployed.
+func resourceAwsCloudFrontWebDistributionStateRefreshFunc(id string, meta interface{}) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		conn := meta.(*AWSClient).cloudfrontconn
+		params := &cloudfront.GetDistributionInput{
+			Id: aws.String(id),
+		}
+
+		resp, err := conn.GetDistribution(params)
+		if err != nil {
+			log.Printf("Error on retrieving CloudFront distribution when waiting: %s", err)
+			return nil, "", err
+		}
+
+		if resp == nil {
+			return nil, "", nil
+		}
+
+		return resp.Distribution, *resp.Distribution.Status, nil
+	}
+}
diff --git a/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go b/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go
new file mode 100644
index 000000000000..7972e310bdb7
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go
@@ -0,0 +1,388 @@
+package aws
+
+import (
+	"fmt"
+	"math/rand"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSCloudFrontDistribution_S3Origin(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontDistributionDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontDistributionS3Config,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontDistributionExistence(
+						"aws_cloudfront_distribution.s3_distribution",
+					),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontDistribution_customOrigin(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontDistributionDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontDistributionCustomConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontDistributionExistence(
+						"aws_cloudfront_distribution.custom_distribution",
+					),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontDistribution_multiOrigin(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontDistributionDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontDistributionMultiOriginConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontDistributionExistence(
+						"aws_cloudfront_distribution.multi_origin_distribution",
+					),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontDistribution_noOptionalItemsConfig(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontDistributionDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontDistributionNoOptionalItemsConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontDistributionExistence(
+						"aws_cloudfront_distribution.no_optional_items",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckCloudFrontDistributionDestroy(s *terraform.State) error {
+	for k, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_cloudfront_distribution" {
+			continue
+		}
+		dist, _ := testAccAuxCloudFrontGetDistributionConfig(s, k)
+
+		if *dist.DistributionConfig.Enabled != false {
+			return fmt.Errorf("CloudFront distribution should be disabled")
+		}
+	}
+	return nil
+}
+
+func testAccCheckCloudFrontDistributionExistence(cloudFrontResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, err := testAccAuxCloudFrontGetDistributionConfig(s, cloudFrontResource)
+
+		return err
+	}
+}
+
+func testAccAuxCloudFrontGetDistributionConfig(s *terraform.State, cloudFrontResource string) (*cloudfront.Distribution, error) {
+	cf, ok := s.RootModule().Resources[cloudFrontResource]
+	if !ok {
+		return nil, fmt.Errorf("Not found: %s", cloudFrontResource)
+	}
+
+	if cf.Primary.ID == "" {
+		return nil, fmt.Errorf("No Id is set")
+	}
+
+	cloudfrontconn := testAccProvider.Meta().(*AWSClient).cloudfrontconn
+
+	req := &cloudfront.GetDistributionInput{
+		Id: aws.String(cf.Primary.ID),
+	}
+
+	res, err := cloudfrontconn.GetDistribution(req)
+	if err != nil {
+		return nil, fmt.Errorf("Error retrieving CloudFront distribution: %s", err)
+	}
+
+	return res.Distribution, nil
+}
+
+var testAccAWSCloudFrontDistributionS3Config = fmt.Sprintf(`
+variable rand_id {
+	default = %d
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+	bucket = "mybucket.${var.rand_id}.s3.amazonaws.com"
+	acl = "public-read"
+}
+
+resource "aws_cloudfront_distribution" "s3_distribution" {
+	origin {
+		domain_name = "${aws_s3_bucket.s3_bucket.id}"
+		origin_id = "myS3Origin"
+		s3_origin_config {}
+	}
+	enabled = true
+	default_root_object = "index.html"
+	logging_config {
+		include_cookies = false
+		bucket = "mylogs.${var.rand_id}.s3.amazonaws.com"
+		prefix = "myprefix"
+	}
+	aliases = [ "mysite.${var.rand_id}.example.com", "yoursite.${var.rand_id}.example.com" ]
+	default_cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myS3Origin"
+		forwarded_values {
+			query_string = false
+			cookies {
+				forward = "none"
+			}
+		}
+		viewer_protocol_policy = "allow-all"
+		min_ttl = 0
+		default_ttl = 3600
+		max_ttl = 86400
+	}
+	price_class = "PriceClass_200"
+	restrictions {
+		geo_restriction {
+			restriction_type = "whitelist"
+			locations = [ "US", "CA", "GB", "DE" ]
+		}
+	}
+	viewer_certificate {
+		cloudfront_default_certificate = true
+	}
+	retain_on_delete = true
+}
+`, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
+
+var testAccAWSCloudFrontDistributionCustomConfig = fmt.Sprintf(`
+variable rand_id {
+	default = %d
+}
+
+resource "aws_cloudfront_distribution" "custom_distribution" {
+	origin {
+		domain_name = "www.example.com"
+		origin_id = "myCustomOrigin"
+		custom_origin_config {
+			http_port = 80
+			https_port = 443
+			origin_protocol_policy = "http-only"
+			origin_ssl_protocols = [ "SSLv3", "TLSv1" ]
+		}
+	}
+	enabled = true
+	comment = "Some comment"
+	default_root_object = "index.html"
+	logging_config {
+		include_cookies = false
+		bucket = "mylogs.${var.rand_id}.s3.amazonaws.com"
+		prefix = "myprefix"
+	}
+	aliases = [ "mysite.${var.rand_id}.example.com", "*.yoursite.${var.rand_id}.example.com" ]
+	default_cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myCustomOrigin"
+		smooth_streaming = false
+		forwarded_values {
+			query_string = false
+			cookies {
+				forward = "all"
+			}
+		}
+		viewer_protocol_policy = "allow-all"
+		min_ttl = 0
+		default_ttl = 3600
+		max_ttl = 86400
+	}
+	price_class = "PriceClass_200"
+	restrictions {
+		geo_restriction {
+			restriction_type = "whitelist"
+			locations = [ "US", "CA", "GB", "DE" ]
+		}
+	}
+	viewer_certificate {
+		cloudfront_default_certificate = true
+	}
+	retain_on_delete = true
+}
+`, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
+
+var testAccAWSCloudFrontDistributionMultiOriginConfig = fmt.Sprintf(`
+variable rand_id {
+	default = %d
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+	bucket = "mybucket.${var.rand_id}.s3.amazonaws.com"
+	acl = "public-read"
+}
+
+resource "aws_cloudfront_distribution" "multi_origin_distribution" {
+	origin {
+		domain_name = "${aws_s3_bucket.s3_bucket.id}"
+		origin_id = "myS3Origin"
+		s3_origin_config {}
+	}
+	origin {
+		domain_name = "www.example.com"
+		origin_id = "myCustomOrigin"
+		custom_origin_config {
+			http_port = 80
+			https_port = 443
+			origin_protocol_policy = "http-only"
+			origin_ssl_protocols = [ "SSLv3", "TLSv1" ]
+		}
+	}
+	enabled = true
+	comment = "Some comment"
+	default_root_object = "index.html"
+	logging_config {
+		include_cookies = false
+		bucket = "mylogs.${var.rand_id}.s3.amazonaws.com"
+		prefix = "myprefix"
+	}
+	aliases = [ "mysite.${var.rand_id}.example.com", "*.yoursite.${var.rand_id}.example.com" ]
+	default_cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myS3Origin"
+		smooth_streaming = true
+		forwarded_values {
+			query_string = false
+			cookies {
+				forward = "all"
+			}
+		}
+		min_ttl = 100
+		default_ttl = 100
+		max_ttl = 100
+		viewer_protocol_policy = "allow-all"
+	}
+	cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myS3Origin"
+		forwarded_values {
+			query_string = true
+			cookies {
+				forward = "none"
+			}
+		}
+		min_ttl = 50
+		default_ttl = 50
+		max_ttl = 50
+		viewer_protocol_policy = "allow-all"
+		path_pattern = "images1/*.jpg"
+	}
+	cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myCustomOrigin"
+		forwarded_values {
+			query_string = true
+			cookies {
+				forward = "none"
+			}
+		}
+		min_ttl = 50
+		default_ttl = 50
+		max_ttl = 50
+		viewer_protocol_policy = "allow-all"
+		path_pattern = "images2/*.jpg"
+	}
+	price_class = "PriceClass_All"
+	custom_error_response {
+		error_code = 404
+		response_page_path = "/error-pages/404.html"
+		response_code = 200
+		error_caching_min_ttl = 30
+	}
+	restrictions {
+		geo_restriction {
+			restriction_type = "none"
+		}
+	}
+	viewer_certificate {
+		cloudfront_default_certificate = true
+	}
+	retain_on_delete = true
+}
+`, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
+
+var testAccAWSCloudFrontDistributionNoOptionalItemsConfig = fmt.Sprintf(`
+variable rand_id {
+	default = %d
+}
+
+resource "aws_cloudfront_distribution" "no_optional_items" {
+	origin {
+		domain_name = "www.example.com"
+		origin_id = "myCustomOrigin"
+		custom_origin_config {
+			http_port = 80
+			https_port = 443
+			origin_protocol_policy = "http-only"
+			origin_ssl_protocols = [ "SSLv3", "TLSv1" ]
+		}
+	}
+	enabled = true
+	comment = "Some comment"
+	default_cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myCustomOrigin"
+		smooth_streaming = false
+		forwarded_values {
+			query_string = false
+			cookies {
+				forward = "all"
+			}
+		}
+		viewer_protocol_policy = "allow-all"
+		min_ttl = 0
+		default_ttl = 3600
+		max_ttl = 86400
+	}
+	restrictions {
+		geo_restriction {
+			restriction_type = "whitelist"
+			locations = [ "US", "CA", "GB", "DE" ]
+		}
+	}
+	viewer_certificate {
+		cloudfront_default_certificate = true
+	}
+	retain_on_delete = true
+}
+`, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
diff --git a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
new file mode 100644
index 000000000000..3b367f8f5055
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
@@ -0,0 +1,130 @@
+package aws
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsCloudFrontOriginAccessIdentityCreate,
+		Read:   resourceAwsCloudFrontOriginAccessIdentityRead,
+		Update: resourceAwsCloudFrontOriginAccessIdentityUpdate,
+		Delete: resourceAwsCloudFrontOriginAccessIdentityDelete,
+
+		Schema: map[string]*schema.Schema{
+			"comment": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "",
+			},
+			"caller_reference": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"cloudfront_access_identity_path": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"etag": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"s3_canonical_user_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceAwsCloudFrontOriginAccessIdentityCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.CreateCloudFrontOriginAccessIdentityInput{
+		CloudFrontOriginAccessIdentityConfig: expandOriginAccessIdentityConfig(d),
+	}
+
+	resp, err := conn.CreateCloudFrontOriginAccessIdentity(params)
+	if err != nil {
+		return err
+	}
+	d.SetId(*resp.CloudFrontOriginAccessIdentity.Id)
+	return resourceAwsCloudFrontOriginAccessIdentityRead(d, meta)
+}
+
+func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.GetCloudFrontOriginAccessIdentityInput{
+		Id: aws.String(d.Id()),
+	}
+
+	resp, err := conn.GetCloudFrontOriginAccessIdentity(params)
+	if err != nil {
+		return err
+	}
+
+	// Update attributes from DistributionConfig
+	flattenOriginAccessIdentityConfig(d, resp.CloudFrontOriginAccessIdentity.CloudFrontOriginAccessIdentityConfig)
+	// Update other attributes outside of DistributionConfig
+	d.SetId(*resp.CloudFrontOriginAccessIdentity.Id)
+	d.Set("etag", *resp.ETag)
+	d.Set("s3_canonical_user_id", *resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
+	d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
+	return nil
+}
+
+func resourceAwsCloudFrontOriginAccessIdentityUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.UpdateCloudFrontOriginAccessIdentityInput{
+		Id: aws.String(d.Id()),
+		CloudFrontOriginAccessIdentityConfig: expandOriginAccessIdentityConfig(d),
+		IfMatch: aws.String(d.Get("etag").(string)),
+	}
+	_, err := conn.UpdateCloudFrontOriginAccessIdentity(params)
+	if err != nil {
+		return err
+	}
+
+	return resourceAwsCloudFrontOriginAccessIdentityRead(d, meta)
+}
+
+func resourceAwsCloudFrontOriginAccessIdentityDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).cloudfrontconn
+	params := &cloudfront.DeleteCloudFrontOriginAccessIdentityInput{
+		Id:      aws.String(d.Id()),
+		IfMatch: aws.String(d.Get("etag").(string)),
+	}
+
+	_, err := conn.DeleteCloudFrontOriginAccessIdentity(params)
+	if err != nil {
+		return err
+	}
+
+	// Done
+	d.SetId("")
+	return nil
+}
+
+func expandOriginAccessIdentityConfig(d *schema.ResourceData) *cloudfront.OriginAccessIdentityConfig {
+	originAccessIdentityConfig := &cloudfront.OriginAccessIdentityConfig{
+		Comment: aws.String(d.Get("comment").(string)),
+	}
+	// This sets CallerReference if it's still pending computation (ie: new resource)
+	if v, ok := d.GetOk("caller_reference"); ok == false {
+		originAccessIdentityConfig.CallerReference = aws.String(time.Now().Format(time.RFC3339Nano))
+	} else {
+		originAccessIdentityConfig.CallerReference = aws.String(v.(string))
+	}
+	return originAccessIdentityConfig
+}
+
+func flattenOriginAccessIdentityConfig(d *schema.ResourceData, originAccessIdentityConfig *cloudfront.OriginAccessIdentityConfig) {
+	if originAccessIdentityConfig.Comment != nil {
+		d.Set("comment", *originAccessIdentityConfig.Comment)
+	}
+	d.Set("caller_reference", *originAccessIdentityConfig.CallerReference)
+}
diff --git a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
new file mode 100644
index 000000000000..d73b8e033242
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
@@ -0,0 +1,119 @@
+package aws
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontOriginAccessIdentityDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontOriginAccessIdentityConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontOriginAccessIdentityExistence("aws_cloudfront_origin_access_identity.origin_access_identity"),
+					resource.TestCheckResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity", "comment", "some comment"),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"caller_reference",
+						regexp.MustCompile("^20[0-9]{2}.*")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"s3_canonical_user_id",
+						regexp.MustCompile("^[a-z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"cloudfront_access_identity_path",
+						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudFrontOriginAccessIdentityDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudFrontOriginAccessIdentityNoCommentConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudFrontOriginAccessIdentityExistence("aws_cloudfront_origin_access_identity.origin_access_identity"),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"caller_reference",
+						regexp.MustCompile("^20[0-9]{2}.*")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"s3_canonical_user_id",
+						regexp.MustCompile("^[a-z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"cloudfront_access_identity_path",
+						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckCloudFrontOriginAccessIdentityDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).cloudfrontconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_cloudfront_origin_access_identity" {
+			continue
+		}
+
+		params := &cloudfront.GetCloudFrontOriginAccessIdentityInput{
+			Id: aws.String(rs.Primary.ID),
+		}
+
+		_, err := conn.GetCloudFrontOriginAccessIdentity(params)
+		if err == nil {
+			return fmt.Errorf("CloudFront origin access identity was not deleted")
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckCloudFrontOriginAccessIdentityExistence(r string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[r]
+		if !ok {
+			return fmt.Errorf("Not found: %s", r)
+		}
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Id is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).cloudfrontconn
+
+		params := &cloudfront.GetCloudFrontOriginAccessIdentityInput{
+			Id: aws.String(rs.Primary.ID),
+		}
+
+		_, err := conn.GetCloudFrontOriginAccessIdentity(params)
+		if err != nil {
+			return fmt.Errorf("Error retrieving CloudFront distribution: %s", err)
+		}
+		return nil
+	}
+}
+
+const testAccAWSCloudFrontOriginAccessIdentityConfig = `
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+	comment = "some comment"
+}
+`
+
+const testAccAWSCloudFrontOriginAccessIdentityNoCommentConfig = `
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+}
+`
diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index a23b1ef6ca85..2e186f812004 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@@ -1077,3 +1077,23 @@ func flattenBeanstalkTrigger(list []*elasticbeanstalk.Trigger) []string {
 	}
 	return strs
 }
+
+// There are several parts of the AWS API that will sort lists of strings,
+// causing diffs inbetweeen resources that use lists. This avoids a bit of
+// code duplication for pre-sorts that can be used for things like hash
+// functions, etc.
+func sortInterfaceSlice(in []interface{}) []interface{} {
+	a := []string{}
+	b := []interface{}{}
+	for _, v := range in {
+		a = append(a, v.(string))
+	}
+
+	sort.Strings(a)
+
+	for _, v := range a {
+		b = append(b, v)
+	}
+
+	return b
+}
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudfront/api.go b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/api.go
new file mode 100644
index 000000000000..cfdb35577d71
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/api.go
@@ -0,0 +1,3450 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+// Package cloudfront provides a client for Amazon CloudFront.
+package cloudfront
+
+import (
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws/awsutil"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/private/protocol"
+	"github.com/aws/aws-sdk-go/private/protocol/restxml"
+)
+
+const opCreateCloudFrontOriginAccessIdentity = "CreateCloudFrontOriginAccessIdentity2016_01_28"
+
+// CreateCloudFrontOriginAccessIdentityRequest generates a request for the CreateCloudFrontOriginAccessIdentity operation.
+func (c *CloudFront) CreateCloudFrontOriginAccessIdentityRequest(input *CreateCloudFrontOriginAccessIdentityInput) (req *request.Request, output *CreateCloudFrontOriginAccessIdentityOutput) {
+	op := &request.Operation{
+		Name:       opCreateCloudFrontOriginAccessIdentity,
+		HTTPMethod: "POST",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront",
+	}
+
+	if input == nil {
+		input = &CreateCloudFrontOriginAccessIdentityInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &CreateCloudFrontOriginAccessIdentityOutput{}
+	req.Data = output
+	return
+}
+
+// Create a new origin access identity.
+func (c *CloudFront) CreateCloudFrontOriginAccessIdentity(input *CreateCloudFrontOriginAccessIdentityInput) (*CreateCloudFrontOriginAccessIdentityOutput, error) {
+	req, out := c.CreateCloudFrontOriginAccessIdentityRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opCreateDistribution = "CreateDistribution2016_01_28"
+
+// CreateDistributionRequest generates a request for the CreateDistribution operation.
+func (c *CloudFront) CreateDistributionRequest(input *CreateDistributionInput) (req *request.Request, output *CreateDistributionOutput) {
+	op := &request.Operation{
+		Name:       opCreateDistribution,
+		HTTPMethod: "POST",
+		HTTPPath:   "/2016-01-28/distribution",
+	}
+
+	if input == nil {
+		input = &CreateDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &CreateDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Create a new distribution.
+func (c *CloudFront) CreateDistribution(input *CreateDistributionInput) (*CreateDistributionOutput, error) {
+	req, out := c.CreateDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opCreateInvalidation = "CreateInvalidation2016_01_28"
+
+// CreateInvalidationRequest generates a request for the CreateInvalidation operation.
+func (c *CloudFront) CreateInvalidationRequest(input *CreateInvalidationInput) (req *request.Request, output *CreateInvalidationOutput) {
+	op := &request.Operation{
+		Name:       opCreateInvalidation,
+		HTTPMethod: "POST",
+		HTTPPath:   "/2016-01-28/distribution/{DistributionId}/invalidation",
+	}
+
+	if input == nil {
+		input = &CreateInvalidationInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &CreateInvalidationOutput{}
+	req.Data = output
+	return
+}
+
+// Create a new invalidation.
+func (c *CloudFront) CreateInvalidation(input *CreateInvalidationInput) (*CreateInvalidationOutput, error) {
+	req, out := c.CreateInvalidationRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opCreateStreamingDistribution = "CreateStreamingDistribution2016_01_28"
+
+// CreateStreamingDistributionRequest generates a request for the CreateStreamingDistribution operation.
+func (c *CloudFront) CreateStreamingDistributionRequest(input *CreateStreamingDistributionInput) (req *request.Request, output *CreateStreamingDistributionOutput) {
+	op := &request.Operation{
+		Name:       opCreateStreamingDistribution,
+		HTTPMethod: "POST",
+		HTTPPath:   "/2016-01-28/streaming-distribution",
+	}
+
+	if input == nil {
+		input = &CreateStreamingDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &CreateStreamingDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Create a new streaming distribution.
+func (c *CloudFront) CreateStreamingDistribution(input *CreateStreamingDistributionInput) (*CreateStreamingDistributionOutput, error) {
+	req, out := c.CreateStreamingDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opDeleteCloudFrontOriginAccessIdentity = "DeleteCloudFrontOriginAccessIdentity2016_01_28"
+
+// DeleteCloudFrontOriginAccessIdentityRequest generates a request for the DeleteCloudFrontOriginAccessIdentity operation.
+func (c *CloudFront) DeleteCloudFrontOriginAccessIdentityRequest(input *DeleteCloudFrontOriginAccessIdentityInput) (req *request.Request, output *DeleteCloudFrontOriginAccessIdentityOutput) {
+	op := &request.Operation{
+		Name:       opDeleteCloudFrontOriginAccessIdentity,
+		HTTPMethod: "DELETE",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront/{Id}",
+	}
+
+	if input == nil {
+		input = &DeleteCloudFrontOriginAccessIdentityInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	req.Handlers.Unmarshal.Remove(restxml.UnmarshalHandler)
+	req.Handlers.Unmarshal.PushBackNamed(protocol.UnmarshalDiscardBodyHandler)
+	output = &DeleteCloudFrontOriginAccessIdentityOutput{}
+	req.Data = output
+	return
+}
+
+// Delete an origin access identity.
+func (c *CloudFront) DeleteCloudFrontOriginAccessIdentity(input *DeleteCloudFrontOriginAccessIdentityInput) (*DeleteCloudFrontOriginAccessIdentityOutput, error) {
+	req, out := c.DeleteCloudFrontOriginAccessIdentityRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opDeleteDistribution = "DeleteDistribution2016_01_28"
+
+// DeleteDistributionRequest generates a request for the DeleteDistribution operation.
+func (c *CloudFront) DeleteDistributionRequest(input *DeleteDistributionInput) (req *request.Request, output *DeleteDistributionOutput) {
+	op := &request.Operation{
+		Name:       opDeleteDistribution,
+		HTTPMethod: "DELETE",
+		HTTPPath:   "/2016-01-28/distribution/{Id}",
+	}
+
+	if input == nil {
+		input = &DeleteDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	req.Handlers.Unmarshal.Remove(restxml.UnmarshalHandler)
+	req.Handlers.Unmarshal.PushBackNamed(protocol.UnmarshalDiscardBodyHandler)
+	output = &DeleteDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Delete a distribution.
+func (c *CloudFront) DeleteDistribution(input *DeleteDistributionInput) (*DeleteDistributionOutput, error) {
+	req, out := c.DeleteDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opDeleteStreamingDistribution = "DeleteStreamingDistribution2016_01_28"
+
+// DeleteStreamingDistributionRequest generates a request for the DeleteStreamingDistribution operation.
+func (c *CloudFront) DeleteStreamingDistributionRequest(input *DeleteStreamingDistributionInput) (req *request.Request, output *DeleteStreamingDistributionOutput) {
+	op := &request.Operation{
+		Name:       opDeleteStreamingDistribution,
+		HTTPMethod: "DELETE",
+		HTTPPath:   "/2016-01-28/streaming-distribution/{Id}",
+	}
+
+	if input == nil {
+		input = &DeleteStreamingDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	req.Handlers.Unmarshal.Remove(restxml.UnmarshalHandler)
+	req.Handlers.Unmarshal.PushBackNamed(protocol.UnmarshalDiscardBodyHandler)
+	output = &DeleteStreamingDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Delete a streaming distribution.
+func (c *CloudFront) DeleteStreamingDistribution(input *DeleteStreamingDistributionInput) (*DeleteStreamingDistributionOutput, error) {
+	req, out := c.DeleteStreamingDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetCloudFrontOriginAccessIdentity = "GetCloudFrontOriginAccessIdentity2016_01_28"
+
+// GetCloudFrontOriginAccessIdentityRequest generates a request for the GetCloudFrontOriginAccessIdentity operation.
+func (c *CloudFront) GetCloudFrontOriginAccessIdentityRequest(input *GetCloudFrontOriginAccessIdentityInput) (req *request.Request, output *GetCloudFrontOriginAccessIdentityOutput) {
+	op := &request.Operation{
+		Name:       opGetCloudFrontOriginAccessIdentity,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront/{Id}",
+	}
+
+	if input == nil {
+		input = &GetCloudFrontOriginAccessIdentityInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetCloudFrontOriginAccessIdentityOutput{}
+	req.Data = output
+	return
+}
+
+// Get the information about an origin access identity.
+func (c *CloudFront) GetCloudFrontOriginAccessIdentity(input *GetCloudFrontOriginAccessIdentityInput) (*GetCloudFrontOriginAccessIdentityOutput, error) {
+	req, out := c.GetCloudFrontOriginAccessIdentityRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetCloudFrontOriginAccessIdentityConfig = "GetCloudFrontOriginAccessIdentityConfig2016_01_28"
+
+// GetCloudFrontOriginAccessIdentityConfigRequest generates a request for the GetCloudFrontOriginAccessIdentityConfig operation.
+func (c *CloudFront) GetCloudFrontOriginAccessIdentityConfigRequest(input *GetCloudFrontOriginAccessIdentityConfigInput) (req *request.Request, output *GetCloudFrontOriginAccessIdentityConfigOutput) {
+	op := &request.Operation{
+		Name:       opGetCloudFrontOriginAccessIdentityConfig,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront/{Id}/config",
+	}
+
+	if input == nil {
+		input = &GetCloudFrontOriginAccessIdentityConfigInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetCloudFrontOriginAccessIdentityConfigOutput{}
+	req.Data = output
+	return
+}
+
+// Get the configuration information about an origin access identity.
+func (c *CloudFront) GetCloudFrontOriginAccessIdentityConfig(input *GetCloudFrontOriginAccessIdentityConfigInput) (*GetCloudFrontOriginAccessIdentityConfigOutput, error) {
+	req, out := c.GetCloudFrontOriginAccessIdentityConfigRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetDistribution = "GetDistribution2016_01_28"
+
+// GetDistributionRequest generates a request for the GetDistribution operation.
+func (c *CloudFront) GetDistributionRequest(input *GetDistributionInput) (req *request.Request, output *GetDistributionOutput) {
+	op := &request.Operation{
+		Name:       opGetDistribution,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distribution/{Id}",
+	}
+
+	if input == nil {
+		input = &GetDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Get the information about a distribution.
+func (c *CloudFront) GetDistribution(input *GetDistributionInput) (*GetDistributionOutput, error) {
+	req, out := c.GetDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetDistributionConfig = "GetDistributionConfig2016_01_28"
+
+// GetDistributionConfigRequest generates a request for the GetDistributionConfig operation.
+func (c *CloudFront) GetDistributionConfigRequest(input *GetDistributionConfigInput) (req *request.Request, output *GetDistributionConfigOutput) {
+	op := &request.Operation{
+		Name:       opGetDistributionConfig,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distribution/{Id}/config",
+	}
+
+	if input == nil {
+		input = &GetDistributionConfigInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetDistributionConfigOutput{}
+	req.Data = output
+	return
+}
+
+// Get the configuration information about a distribution.
+func (c *CloudFront) GetDistributionConfig(input *GetDistributionConfigInput) (*GetDistributionConfigOutput, error) {
+	req, out := c.GetDistributionConfigRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetInvalidation = "GetInvalidation2016_01_28"
+
+// GetInvalidationRequest generates a request for the GetInvalidation operation.
+func (c *CloudFront) GetInvalidationRequest(input *GetInvalidationInput) (req *request.Request, output *GetInvalidationOutput) {
+	op := &request.Operation{
+		Name:       opGetInvalidation,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distribution/{DistributionId}/invalidation/{Id}",
+	}
+
+	if input == nil {
+		input = &GetInvalidationInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetInvalidationOutput{}
+	req.Data = output
+	return
+}
+
+// Get the information about an invalidation.
+func (c *CloudFront) GetInvalidation(input *GetInvalidationInput) (*GetInvalidationOutput, error) {
+	req, out := c.GetInvalidationRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetStreamingDistribution = "GetStreamingDistribution2016_01_28"
+
+// GetStreamingDistributionRequest generates a request for the GetStreamingDistribution operation.
+func (c *CloudFront) GetStreamingDistributionRequest(input *GetStreamingDistributionInput) (req *request.Request, output *GetStreamingDistributionOutput) {
+	op := &request.Operation{
+		Name:       opGetStreamingDistribution,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/streaming-distribution/{Id}",
+	}
+
+	if input == nil {
+		input = &GetStreamingDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetStreamingDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Get the information about a streaming distribution.
+func (c *CloudFront) GetStreamingDistribution(input *GetStreamingDistributionInput) (*GetStreamingDistributionOutput, error) {
+	req, out := c.GetStreamingDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opGetStreamingDistributionConfig = "GetStreamingDistributionConfig2016_01_28"
+
+// GetStreamingDistributionConfigRequest generates a request for the GetStreamingDistributionConfig operation.
+func (c *CloudFront) GetStreamingDistributionConfigRequest(input *GetStreamingDistributionConfigInput) (req *request.Request, output *GetStreamingDistributionConfigOutput) {
+	op := &request.Operation{
+		Name:       opGetStreamingDistributionConfig,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/streaming-distribution/{Id}/config",
+	}
+
+	if input == nil {
+		input = &GetStreamingDistributionConfigInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &GetStreamingDistributionConfigOutput{}
+	req.Data = output
+	return
+}
+
+// Get the configuration information about a streaming distribution.
+func (c *CloudFront) GetStreamingDistributionConfig(input *GetStreamingDistributionConfigInput) (*GetStreamingDistributionConfigOutput, error) {
+	req, out := c.GetStreamingDistributionConfigRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opListCloudFrontOriginAccessIdentities = "ListCloudFrontOriginAccessIdentities2016_01_28"
+
+// ListCloudFrontOriginAccessIdentitiesRequest generates a request for the ListCloudFrontOriginAccessIdentities operation.
+func (c *CloudFront) ListCloudFrontOriginAccessIdentitiesRequest(input *ListCloudFrontOriginAccessIdentitiesInput) (req *request.Request, output *ListCloudFrontOriginAccessIdentitiesOutput) {
+	op := &request.Operation{
+		Name:       opListCloudFrontOriginAccessIdentities,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"Marker"},
+			OutputTokens:    []string{"CloudFrontOriginAccessIdentityList.NextMarker"},
+			LimitToken:      "MaxItems",
+			TruncationToken: "CloudFrontOriginAccessIdentityList.IsTruncated",
+		},
+	}
+
+	if input == nil {
+		input = &ListCloudFrontOriginAccessIdentitiesInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ListCloudFrontOriginAccessIdentitiesOutput{}
+	req.Data = output
+	return
+}
+
+// List origin access identities.
+func (c *CloudFront) ListCloudFrontOriginAccessIdentities(input *ListCloudFrontOriginAccessIdentitiesInput) (*ListCloudFrontOriginAccessIdentitiesOutput, error) {
+	req, out := c.ListCloudFrontOriginAccessIdentitiesRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+func (c *CloudFront) ListCloudFrontOriginAccessIdentitiesPages(input *ListCloudFrontOriginAccessIdentitiesInput, fn func(p *ListCloudFrontOriginAccessIdentitiesOutput, lastPage bool) (shouldContinue bool)) error {
+	page, _ := c.ListCloudFrontOriginAccessIdentitiesRequest(input)
+	page.Handlers.Build.PushBack(request.MakeAddToUserAgentFreeFormHandler("Paginator"))
+	return page.EachPage(func(p interface{}, lastPage bool) bool {
+		return fn(p.(*ListCloudFrontOriginAccessIdentitiesOutput), lastPage)
+	})
+}
+
+const opListDistributions = "ListDistributions2016_01_28"
+
+// ListDistributionsRequest generates a request for the ListDistributions operation.
+func (c *CloudFront) ListDistributionsRequest(input *ListDistributionsInput) (req *request.Request, output *ListDistributionsOutput) {
+	op := &request.Operation{
+		Name:       opListDistributions,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distribution",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"Marker"},
+			OutputTokens:    []string{"DistributionList.NextMarker"},
+			LimitToken:      "MaxItems",
+			TruncationToken: "DistributionList.IsTruncated",
+		},
+	}
+
+	if input == nil {
+		input = &ListDistributionsInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ListDistributionsOutput{}
+	req.Data = output
+	return
+}
+
+// List distributions.
+func (c *CloudFront) ListDistributions(input *ListDistributionsInput) (*ListDistributionsOutput, error) {
+	req, out := c.ListDistributionsRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+func (c *CloudFront) ListDistributionsPages(input *ListDistributionsInput, fn func(p *ListDistributionsOutput, lastPage bool) (shouldContinue bool)) error {
+	page, _ := c.ListDistributionsRequest(input)
+	page.Handlers.Build.PushBack(request.MakeAddToUserAgentFreeFormHandler("Paginator"))
+	return page.EachPage(func(p interface{}, lastPage bool) bool {
+		return fn(p.(*ListDistributionsOutput), lastPage)
+	})
+}
+
+const opListDistributionsByWebACLId = "ListDistributionsByWebACLId2016_01_28"
+
+// ListDistributionsByWebACLIdRequest generates a request for the ListDistributionsByWebACLId operation.
+func (c *CloudFront) ListDistributionsByWebACLIdRequest(input *ListDistributionsByWebACLIdInput) (req *request.Request, output *ListDistributionsByWebACLIdOutput) {
+	op := &request.Operation{
+		Name:       opListDistributionsByWebACLId,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distributionsByWebACLId/{WebACLId}",
+	}
+
+	if input == nil {
+		input = &ListDistributionsByWebACLIdInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ListDistributionsByWebACLIdOutput{}
+	req.Data = output
+	return
+}
+
+// List the distributions that are associated with a specified AWS WAF web ACL.
+func (c *CloudFront) ListDistributionsByWebACLId(input *ListDistributionsByWebACLIdInput) (*ListDistributionsByWebACLIdOutput, error) {
+	req, out := c.ListDistributionsByWebACLIdRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opListInvalidations = "ListInvalidations2016_01_28"
+
+// ListInvalidationsRequest generates a request for the ListInvalidations operation.
+func (c *CloudFront) ListInvalidationsRequest(input *ListInvalidationsInput) (req *request.Request, output *ListInvalidationsOutput) {
+	op := &request.Operation{
+		Name:       opListInvalidations,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/distribution/{DistributionId}/invalidation",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"Marker"},
+			OutputTokens:    []string{"InvalidationList.NextMarker"},
+			LimitToken:      "MaxItems",
+			TruncationToken: "InvalidationList.IsTruncated",
+		},
+	}
+
+	if input == nil {
+		input = &ListInvalidationsInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ListInvalidationsOutput{}
+	req.Data = output
+	return
+}
+
+// List invalidation batches.
+func (c *CloudFront) ListInvalidations(input *ListInvalidationsInput) (*ListInvalidationsOutput, error) {
+	req, out := c.ListInvalidationsRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+func (c *CloudFront) ListInvalidationsPages(input *ListInvalidationsInput, fn func(p *ListInvalidationsOutput, lastPage bool) (shouldContinue bool)) error {
+	page, _ := c.ListInvalidationsRequest(input)
+	page.Handlers.Build.PushBack(request.MakeAddToUserAgentFreeFormHandler("Paginator"))
+	return page.EachPage(func(p interface{}, lastPage bool) bool {
+		return fn(p.(*ListInvalidationsOutput), lastPage)
+	})
+}
+
+const opListStreamingDistributions = "ListStreamingDistributions2016_01_28"
+
+// ListStreamingDistributionsRequest generates a request for the ListStreamingDistributions operation.
+func (c *CloudFront) ListStreamingDistributionsRequest(input *ListStreamingDistributionsInput) (req *request.Request, output *ListStreamingDistributionsOutput) {
+	op := &request.Operation{
+		Name:       opListStreamingDistributions,
+		HTTPMethod: "GET",
+		HTTPPath:   "/2016-01-28/streaming-distribution",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"Marker"},
+			OutputTokens:    []string{"StreamingDistributionList.NextMarker"},
+			LimitToken:      "MaxItems",
+			TruncationToken: "StreamingDistributionList.IsTruncated",
+		},
+	}
+
+	if input == nil {
+		input = &ListStreamingDistributionsInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ListStreamingDistributionsOutput{}
+	req.Data = output
+	return
+}
+
+// List streaming distributions.
+func (c *CloudFront) ListStreamingDistributions(input *ListStreamingDistributionsInput) (*ListStreamingDistributionsOutput, error) {
+	req, out := c.ListStreamingDistributionsRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+func (c *CloudFront) ListStreamingDistributionsPages(input *ListStreamingDistributionsInput, fn func(p *ListStreamingDistributionsOutput, lastPage bool) (shouldContinue bool)) error {
+	page, _ := c.ListStreamingDistributionsRequest(input)
+	page.Handlers.Build.PushBack(request.MakeAddToUserAgentFreeFormHandler("Paginator"))
+	return page.EachPage(func(p interface{}, lastPage bool) bool {
+		return fn(p.(*ListStreamingDistributionsOutput), lastPage)
+	})
+}
+
+const opUpdateCloudFrontOriginAccessIdentity = "UpdateCloudFrontOriginAccessIdentity2016_01_28"
+
+// UpdateCloudFrontOriginAccessIdentityRequest generates a request for the UpdateCloudFrontOriginAccessIdentity operation.
+func (c *CloudFront) UpdateCloudFrontOriginAccessIdentityRequest(input *UpdateCloudFrontOriginAccessIdentityInput) (req *request.Request, output *UpdateCloudFrontOriginAccessIdentityOutput) {
+	op := &request.Operation{
+		Name:       opUpdateCloudFrontOriginAccessIdentity,
+		HTTPMethod: "PUT",
+		HTTPPath:   "/2016-01-28/origin-access-identity/cloudfront/{Id}/config",
+	}
+
+	if input == nil {
+		input = &UpdateCloudFrontOriginAccessIdentityInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &UpdateCloudFrontOriginAccessIdentityOutput{}
+	req.Data = output
+	return
+}
+
+// Update an origin access identity.
+func (c *CloudFront) UpdateCloudFrontOriginAccessIdentity(input *UpdateCloudFrontOriginAccessIdentityInput) (*UpdateCloudFrontOriginAccessIdentityOutput, error) {
+	req, out := c.UpdateCloudFrontOriginAccessIdentityRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opUpdateDistribution = "UpdateDistribution2016_01_28"
+
+// UpdateDistributionRequest generates a request for the UpdateDistribution operation.
+func (c *CloudFront) UpdateDistributionRequest(input *UpdateDistributionInput) (req *request.Request, output *UpdateDistributionOutput) {
+	op := &request.Operation{
+		Name:       opUpdateDistribution,
+		HTTPMethod: "PUT",
+		HTTPPath:   "/2016-01-28/distribution/{Id}/config",
+	}
+
+	if input == nil {
+		input = &UpdateDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &UpdateDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Update a distribution.
+func (c *CloudFront) UpdateDistribution(input *UpdateDistributionInput) (*UpdateDistributionOutput, error) {
+	req, out := c.UpdateDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+const opUpdateStreamingDistribution = "UpdateStreamingDistribution2016_01_28"
+
+// UpdateStreamingDistributionRequest generates a request for the UpdateStreamingDistribution operation.
+func (c *CloudFront) UpdateStreamingDistributionRequest(input *UpdateStreamingDistributionInput) (req *request.Request, output *UpdateStreamingDistributionOutput) {
+	op := &request.Operation{
+		Name:       opUpdateStreamingDistribution,
+		HTTPMethod: "PUT",
+		HTTPPath:   "/2016-01-28/streaming-distribution/{Id}/config",
+	}
+
+	if input == nil {
+		input = &UpdateStreamingDistributionInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &UpdateStreamingDistributionOutput{}
+	req.Data = output
+	return
+}
+
+// Update a streaming distribution.
+func (c *CloudFront) UpdateStreamingDistribution(input *UpdateStreamingDistributionInput) (*UpdateStreamingDistributionOutput, error) {
+	req, out := c.UpdateStreamingDistributionRequest(input)
+	err := req.Send()
+	return out, err
+}
+
+// A complex type that lists the AWS accounts, if any, that you included in
+// the TrustedSigners complex type for the default cache behavior or for any
+// of the other cache behaviors for this distribution. These are accounts that
+// you want to allow to create signed URLs for private content.
+type ActiveTrustedSigners struct {
+	_ struct{} `type:"structure"`
+
+	// Each active trusted signer.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// A complex type that contains one Signer complex type for each unique trusted
+	// signer that is specified in the TrustedSigners complex type, including trusted
+	// signers in the default cache behavior and in all of the other cache behaviors.
+	Items []*Signer `locationNameList:"Signer" type:"list"`
+
+	// The number of unique trusted signers included in all cache behaviors. For
+	// example, if three cache behaviors all list the same three AWS accounts, the
+	// value of Quantity for ActiveTrustedSigners will be 3.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s ActiveTrustedSigners) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ActiveTrustedSigners) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about CNAMEs (alternate domain names),
+// if any, for this distribution.
+type Aliases struct {
+	_ struct{} `type:"structure"`
+
+	// Optional: A complex type that contains CNAME elements, if any, for this distribution.
+	// If Quantity is 0, you can omit Items.
+	Items []*string `locationNameList:"CNAME" type:"list"`
+
+	// The number of CNAMEs, if any, for this distribution.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s Aliases) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Aliases) GoString() string {
+	return s.String()
+}
+
+// A complex type that controls which HTTP methods CloudFront processes and
+// forwards to your Amazon S3 bucket or your custom origin. There are three
+// choices: - CloudFront forwards only GET and HEAD requests. - CloudFront forwards
+// only GET, HEAD and OPTIONS requests. - CloudFront forwards GET, HEAD, OPTIONS,
+// PUT, PATCH, POST, and DELETE requests. If you pick the third choice, you
+// may need to restrict access to your Amazon S3 bucket or to your custom origin
+// so users can't perform operations that you don't want them to. For example,
+// you may not want users to have permission to delete objects from your origin.
+type AllowedMethods struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that controls whether CloudFront caches the response to requests
+	// using the specified HTTP methods. There are two choices: - CloudFront caches
+	// responses to GET and HEAD requests. - CloudFront caches responses to GET,
+	// HEAD, and OPTIONS requests. If you pick the second choice for your S3 Origin,
+	// you may need to forward Access-Control-Request-Method, Access-Control-Request-Headers
+	// and Origin headers for the responses to be cached correctly.
+	CachedMethods *CachedMethods `type:"structure"`
+
+	// A complex type that contains the HTTP methods that you want CloudFront to
+	// process and forward to your origin.
+	Items []*string `locationNameList:"Method" type:"list" required:"true"`
+
+	// The number of HTTP methods that you want CloudFront to forward to your origin.
+	// Valid values are 2 (for GET and HEAD requests), 3 (for GET, HEAD and OPTIONS
+	// requests) and 7 (for GET, HEAD, OPTIONS, PUT, PATCH, POST, and DELETE requests).
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s AllowedMethods) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s AllowedMethods) GoString() string {
+	return s.String()
+}
+
+// A complex type that describes how CloudFront processes requests. You can
+// create up to 10 cache behaviors.You must create at least as many cache behaviors
+// (including the default cache behavior) as you have origins if you want CloudFront
+// to distribute objects from all of the origins. Each cache behavior specifies
+// the one origin from which you want CloudFront to get objects. If you have
+// two origins and only the default cache behavior, the default cache behavior
+// will cause CloudFront to get objects from one of the origins, but the other
+// origin will never be used. If you don't want to specify any cache behaviors,
+// include only an empty CacheBehaviors element. Don't include an empty CacheBehavior
+// element, or CloudFront returns a MalformedXML error. To delete all cache
+// behaviors in an existing distribution, update the distribution configuration
+// and include only an empty CacheBehaviors element. To add, change, or remove
+// one or more cache behaviors, update the distribution configuration and specify
+// all of the cache behaviors that you want to include in the updated distribution.
+type CacheBehavior struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that controls which HTTP methods CloudFront processes and
+	// forwards to your Amazon S3 bucket or your custom origin. There are three
+	// choices: - CloudFront forwards only GET and HEAD requests. - CloudFront forwards
+	// only GET, HEAD and OPTIONS requests. - CloudFront forwards GET, HEAD, OPTIONS,
+	// PUT, PATCH, POST, and DELETE requests. If you pick the third choice, you
+	// may need to restrict access to your Amazon S3 bucket or to your custom origin
+	// so users can't perform operations that you don't want them to. For example,
+	// you may not want users to have permission to delete objects from your origin.
+	AllowedMethods *AllowedMethods `type:"structure"`
+
+	// Whether you want CloudFront to automatically compress content for web requests
+	// that include Accept-Encoding: gzip in the request header. If so, specify
+	// true; if not, specify false. CloudFront compresses files larger than 1000
+	// bytes and less than 1 megabyte for both Amazon S3 and custom origins. When
+	// a CloudFront edge location is unusually busy, some files might not be compressed.
+	// The value of the Content-Type header must be on the list of file types that
+	// CloudFront will compress. For the current list, see Serving Compressed Content
+	// (http://docs.aws.amazon.com/console/cloudfront/compressed-content) in the
+	// Amazon CloudFront Developer Guide. If you configure CloudFront to compress
+	// content, CloudFront removes the ETag response header from the objects that
+	// it compresses. The ETag header indicates that the version in a CloudFront
+	// edge cache is identical to the version on the origin server, but after compression
+	// the two versions are no longer identical. As a result, for compressed objects,
+	// CloudFront can't use the ETag header to determine whether an expired object
+	// in the CloudFront edge cache is still the latest version.
+	Compress *bool `type:"boolean"`
+
+	// If you don't configure your origin to add a Cache-Control max-age directive
+	// or an Expires header, DefaultTTL is the default amount of time (in seconds)
+	// that an object is in a CloudFront cache before CloudFront forwards another
+	// request to your origin to determine whether the object has been updated.
+	// The value that you specify applies only when your origin does not add HTTP
+	// headers such as Cache-Control max-age, Cache-Control s-maxage, and Expires
+	// to objects. You can specify a value from 0 to 3,153,600,000 seconds (100
+	// years).
+	DefaultTTL *int64 `type:"long"`
+
+	// A complex type that specifies how CloudFront handles query strings, cookies
+	// and headers.
+	ForwardedValues *ForwardedValues `type:"structure" required:"true"`
+
+	// The maximum amount of time (in seconds) that an object is in a CloudFront
+	// cache before CloudFront forwards another request to your origin to determine
+	// whether the object has been updated. The value that you specify applies only
+	// when your origin adds HTTP headers such as Cache-Control max-age, Cache-Control
+	// s-maxage, and Expires to objects. You can specify a value from 0 to 3,153,600,000
+	// seconds (100 years).
+	MaxTTL *int64 `type:"long"`
+
+	// The minimum amount of time that you want objects to stay in CloudFront caches
+	// before CloudFront queries your origin to see whether the object has been
+	// updated.You can specify a value from 0 to 3,153,600,000 seconds (100 years).
+	MinTTL *int64 `type:"long" required:"true"`
+
+	// The pattern (for example, images/*.jpg) that specifies which requests you
+	// want this cache behavior to apply to. When CloudFront receives an end-user
+	// request, the requested path is compared with path patterns in the order in
+	// which cache behaviors are listed in the distribution. The path pattern for
+	// the default cache behavior is * and cannot be changed. If the request for
+	// an object does not match the path pattern for any cache behaviors, CloudFront
+	// applies the behavior in the default cache behavior.
+	PathPattern *string `type:"string" required:"true"`
+
+	// Indicates whether you want to distribute media files in Microsoft Smooth
+	// Streaming format using the origin that is associated with this cache behavior.
+	// If so, specify true; if not, specify false.
+	SmoothStreaming *bool `type:"boolean"`
+
+	// The value of ID for the origin that you want CloudFront to route requests
+	// to when a request matches the path pattern either for a cache behavior or
+	// for the default cache behavior.
+	TargetOriginId *string `type:"string" required:"true"`
+
+	// A complex type that specifies the AWS accounts, if any, that you want to
+	// allow to create signed URLs for private content. If you want to require signed
+	// URLs in requests for objects in the target origin that match the PathPattern
+	// for this cache behavior, specify true for Enabled, and specify the applicable
+	// values for Quantity and Items. For more information, go to Using a Signed
+	// URL to Serve Private Content in the Amazon CloudFront Developer Guide. If
+	// you don't want to require signed URLs in requests for objects that match
+	// PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To
+	// add, change, or remove one or more trusted signers, change Enabled to true
+	// (if it's currently false), change Quantity as applicable, and specify all
+	// of the trusted signers that you want to include in the updated distribution.
+	TrustedSigners *TrustedSigners `type:"structure" required:"true"`
+
+	// Use this element to specify the protocol that users can use to access the
+	// files in the origin specified by TargetOriginId when a request matches the
+	// path pattern in PathPattern. If you want CloudFront to allow end users to
+	// use any available protocol, specify allow-all. If you want CloudFront to
+	// require HTTPS, specify https. If you want CloudFront to respond to an HTTP
+	// request with an HTTP status code of 301 (Moved Permanently) and the HTTPS
+	// URL, specify redirect-to-https. The viewer then resubmits the request using
+	// the HTTPS URL.
+	ViewerProtocolPolicy *string `type:"string" required:"true" enum:"ViewerProtocolPolicy"`
+}
+
+// String returns the string representation
+func (s CacheBehavior) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CacheBehavior) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains zero or more CacheBehavior elements.
+type CacheBehaviors struct {
+	_ struct{} `type:"structure"`
+
+	// Optional: A complex type that contains cache behaviors for this distribution.
+	// If Quantity is 0, you can omit Items.
+	Items []*CacheBehavior `locationNameList:"CacheBehavior" type:"list"`
+
+	// The number of cache behaviors for this distribution.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s CacheBehaviors) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CacheBehaviors) GoString() string {
+	return s.String()
+}
+
+// A complex type that controls whether CloudFront caches the response to requests
+// using the specified HTTP methods. There are two choices: - CloudFront caches
+// responses to GET and HEAD requests. - CloudFront caches responses to GET,
+// HEAD, and OPTIONS requests. If you pick the second choice for your S3 Origin,
+// you may need to forward Access-Control-Request-Method, Access-Control-Request-Headers
+// and Origin headers for the responses to be cached correctly.
+type CachedMethods struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains the HTTP methods that you want CloudFront to
+	// cache responses to.
+	Items []*string `locationNameList:"Method" type:"list" required:"true"`
+
+	// The number of HTTP methods for which you want CloudFront to cache responses.
+	// Valid values are 2 (for caching responses to GET and HEAD requests) and 3
+	// (for caching responses to GET, HEAD, and OPTIONS requests).
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s CachedMethods) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CachedMethods) GoString() string {
+	return s.String()
+}
+
+// A complex type that specifies the whitelisted cookies, if any, that you want
+// CloudFront to forward to your origin that is associated with this cache behavior.
+type CookieNames struct {
+	_ struct{} `type:"structure"`
+
+	// Optional: A complex type that contains whitelisted cookies for this cache
+	// behavior. If Quantity is 0, you can omit Items.
+	Items []*string `locationNameList:"Name" type:"list"`
+
+	// The number of whitelisted cookies for this cache behavior.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s CookieNames) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CookieNames) GoString() string {
+	return s.String()
+}
+
+// A complex type that specifies the cookie preferences associated with this
+// cache behavior.
+type CookiePreference struct {
+	_ struct{} `type:"structure"`
+
+	// Use this element to specify whether you want CloudFront to forward cookies
+	// to the origin that is associated with this cache behavior. You can specify
+	// all, none or whitelist. If you choose All, CloudFront forwards all cookies
+	// regardless of how many your application uses.
+	Forward *string `type:"string" required:"true" enum:"ItemSelection"`
+
+	// A complex type that specifies the whitelisted cookies, if any, that you want
+	// CloudFront to forward to your origin that is associated with this cache behavior.
+	WhitelistedNames *CookieNames `type:"structure"`
+}
+
+// String returns the string representation
+func (s CookiePreference) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CookiePreference) GoString() string {
+	return s.String()
+}
+
+// The request to create a new origin access identity.
+type CreateCloudFrontOriginAccessIdentityInput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentityConfig"`
+
+	// The origin access identity's configuration information.
+	CloudFrontOriginAccessIdentityConfig *OriginAccessIdentityConfig `locationName:"CloudFrontOriginAccessIdentityConfig" type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateCloudFrontOriginAccessIdentityInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateCloudFrontOriginAccessIdentityInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type CreateCloudFrontOriginAccessIdentityOutput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentity"`
+
+	// The origin access identity's information.
+	CloudFrontOriginAccessIdentity *OriginAccessIdentity `type:"structure"`
+
+	// The current version of the origin access identity created.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The fully qualified URI of the new origin access identity just created. For
+	// example: https://cloudfront.amazonaws.com/2010-11-01/origin-access-identity/cloudfront/E74FTE3AJFJ256A.
+	Location *string `location:"header" locationName:"Location" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateCloudFrontOriginAccessIdentityOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateCloudFrontOriginAccessIdentityOutput) GoString() string {
+	return s.String()
+}
+
+// The request to create a new distribution.
+type CreateDistributionInput struct {
+	_ struct{} `type:"structure" payload:"DistributionConfig"`
+
+	// The distribution's configuration information.
+	DistributionConfig *DistributionConfig `locationName:"DistributionConfig" type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type CreateDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"Distribution"`
+
+	// The distribution's information.
+	Distribution *Distribution `type:"structure"`
+
+	// The current version of the distribution created.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The fully qualified URI of the new distribution resource just created. For
+	// example: https://cloudfront.amazonaws.com/2010-11-01/distribution/EDFDVBD632BHDS5.
+	Location *string `location:"header" locationName:"Location" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// The request to create an invalidation.
+type CreateInvalidationInput struct {
+	_ struct{} `type:"structure" payload:"InvalidationBatch"`
+
+	// The distribution's id.
+	DistributionId *string `location:"uri" locationName:"DistributionId" type:"string" required:"true"`
+
+	// The batch information for the invalidation.
+	InvalidationBatch *InvalidationBatch `locationName:"InvalidationBatch" type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateInvalidationInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateInvalidationInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type CreateInvalidationOutput struct {
+	_ struct{} `type:"structure" payload:"Invalidation"`
+
+	// The invalidation's information.
+	Invalidation *Invalidation `type:"structure"`
+
+	// The fully qualified URI of the distribution and invalidation batch request,
+	// including the Invalidation ID.
+	Location *string `location:"header" locationName:"Location" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateInvalidationOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateInvalidationOutput) GoString() string {
+	return s.String()
+}
+
+// The request to create a new streaming distribution.
+type CreateStreamingDistributionInput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistributionConfig"`
+
+	// The streaming distribution's configuration information.
+	StreamingDistributionConfig *StreamingDistributionConfig `locationName:"StreamingDistributionConfig" type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateStreamingDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateStreamingDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type CreateStreamingDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistribution"`
+
+	// The current version of the streaming distribution created.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The fully qualified URI of the new streaming distribution resource just created.
+	// For example: https://cloudfront.amazonaws.com/2010-11-01/streaming-distribution/EGTXBD79H29TRA8.
+	Location *string `location:"header" locationName:"Location" type:"string"`
+
+	// The streaming distribution's information.
+	StreamingDistribution *StreamingDistribution `type:"structure"`
+}
+
+// String returns the string representation
+func (s CreateStreamingDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateStreamingDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// A complex type that describes how you'd prefer CloudFront to respond to requests
+// that result in either a 4xx or 5xx response. You can control whether a custom
+// error page should be displayed, what the desired response code should be
+// for this error page and how long should the error response be cached by CloudFront.
+// If you don't want to specify any custom error responses, include only an
+// empty CustomErrorResponses element. To delete all custom error responses
+// in an existing distribution, update the distribution configuration and include
+// only an empty CustomErrorResponses element. To add, change, or remove one
+// or more custom error responses, update the distribution configuration and
+// specify all of the custom error responses that you want to include in the
+// updated distribution.
+type CustomErrorResponse struct {
+	_ struct{} `type:"structure"`
+
+	// The minimum amount of time you want HTTP error codes to stay in CloudFront
+	// caches before CloudFront queries your origin to see whether the object has
+	// been updated. You can specify a value from 0 to 31,536,000.
+	ErrorCachingMinTTL *int64 `type:"long"`
+
+	// The 4xx or 5xx HTTP status code that you want to customize. For a list of
+	// HTTP status codes that you can customize, see CloudFront documentation.
+	ErrorCode *int64 `type:"integer" required:"true"`
+
+	// The HTTP status code that you want CloudFront to return with the custom error
+	// page to the viewer. For a list of HTTP status codes that you can replace,
+	// see CloudFront Documentation.
+	ResponseCode *string `type:"string"`
+
+	// The path of the custom error page (for example, /custom_404.html). The path
+	// is relative to the distribution and must begin with a slash (/). If the path
+	// includes any non-ASCII characters or unsafe characters as defined in RFC
+	// 1783 (http://www.ietf.org/rfc/rfc1738.txt), URL encode those characters.
+	// Do not URL encode any other characters in the path, or CloudFront will not
+	// return the custom error page to the viewer.
+	ResponsePagePath *string `type:"string"`
+}
+
+// String returns the string representation
+func (s CustomErrorResponse) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CustomErrorResponse) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains zero or more CustomErrorResponse elements.
+type CustomErrorResponses struct {
+	_ struct{} `type:"structure"`
+
+	// Optional: A complex type that contains custom error responses for this distribution.
+	// If Quantity is 0, you can omit Items.
+	Items []*CustomErrorResponse `locationNameList:"CustomErrorResponse" type:"list"`
+
+	// The number of custom error responses for this distribution.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s CustomErrorResponses) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CustomErrorResponses) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains the list of Custom Headers for each origin.
+type CustomHeaders struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains the custom headers for this Origin.
+	Items []*OriginCustomHeader `locationNameList:"OriginCustomHeader" type:"list"`
+
+	// The number of custom headers for this origin.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s CustomHeaders) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CustomHeaders) GoString() string {
+	return s.String()
+}
+
+// A customer origin.
+type CustomOriginConfig struct {
+	_ struct{} `type:"structure"`
+
+	// The HTTP port the custom origin listens on.
+	HTTPPort *int64 `type:"integer" required:"true"`
+
+	// The HTTPS port the custom origin listens on.
+	HTTPSPort *int64 `type:"integer" required:"true"`
+
+	// The origin protocol policy to apply to your origin.
+	OriginProtocolPolicy *string `type:"string" required:"true" enum:"OriginProtocolPolicy"`
+
+	// The SSL/TLS protocols that you want CloudFront to use when communicating
+	// with your origin over HTTPS.
+	OriginSslProtocols *OriginSslProtocols `type:"structure"`
+}
+
+// String returns the string representation
+func (s CustomOriginConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CustomOriginConfig) GoString() string {
+	return s.String()
+}
+
+// A complex type that describes the default cache behavior if you do not specify
+// a CacheBehavior element or if files don't match any of the values of PathPattern
+// in CacheBehavior elements.You must create exactly one default cache behavior.
+type DefaultCacheBehavior struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that controls which HTTP methods CloudFront processes and
+	// forwards to your Amazon S3 bucket or your custom origin. There are three
+	// choices: - CloudFront forwards only GET and HEAD requests. - CloudFront forwards
+	// only GET, HEAD and OPTIONS requests. - CloudFront forwards GET, HEAD, OPTIONS,
+	// PUT, PATCH, POST, and DELETE requests. If you pick the third choice, you
+	// may need to restrict access to your Amazon S3 bucket or to your custom origin
+	// so users can't perform operations that you don't want them to. For example,
+	// you may not want users to have permission to delete objects from your origin.
+	AllowedMethods *AllowedMethods `type:"structure"`
+
+	// Whether you want CloudFront to automatically compress content for web requests
+	// that include Accept-Encoding: gzip in the request header. If so, specify
+	// true; if not, specify false. CloudFront compresses files larger than 1000
+	// bytes and less than 1 megabyte for both Amazon S3 and custom origins. When
+	// a CloudFront edge location is unusually busy, some files might not be compressed.
+	// The value of the Content-Type header must be on the list of file types that
+	// CloudFront will compress. For the current list, see Serving Compressed Content
+	// (http://docs.aws.amazon.com/console/cloudfront/compressed-content) in the
+	// Amazon CloudFront Developer Guide. If you configure CloudFront to compress
+	// content, CloudFront removes the ETag response header from the objects that
+	// it compresses. The ETag header indicates that the version in a CloudFront
+	// edge cache is identical to the version on the origin server, but after compression
+	// the two versions are no longer identical. As a result, for compressed objects,
+	// CloudFront can't use the ETag header to determine whether an expired object
+	// in the CloudFront edge cache is still the latest version.
+	Compress *bool `type:"boolean"`
+
+	// If you don't configure your origin to add a Cache-Control max-age directive
+	// or an Expires header, DefaultTTL is the default amount of time (in seconds)
+	// that an object is in a CloudFront cache before CloudFront forwards another
+	// request to your origin to determine whether the object has been updated.
+	// The value that you specify applies only when your origin does not add HTTP
+	// headers such as Cache-Control max-age, Cache-Control s-maxage, and Expires
+	// to objects. You can specify a value from 0 to 3,153,600,000 seconds (100
+	// years).
+	DefaultTTL *int64 `type:"long"`
+
+	// A complex type that specifies how CloudFront handles query strings, cookies
+	// and headers.
+	ForwardedValues *ForwardedValues `type:"structure" required:"true"`
+
+	// The maximum amount of time (in seconds) that an object is in a CloudFront
+	// cache before CloudFront forwards another request to your origin to determine
+	// whether the object has been updated. The value that you specify applies only
+	// when your origin adds HTTP headers such as Cache-Control max-age, Cache-Control
+	// s-maxage, and Expires to objects. You can specify a value from 0 to 3,153,600,000
+	// seconds (100 years).
+	MaxTTL *int64 `type:"long"`
+
+	// The minimum amount of time that you want objects to stay in CloudFront caches
+	// before CloudFront queries your origin to see whether the object has been
+	// updated.You can specify a value from 0 to 3,153,600,000 seconds (100 years).
+	MinTTL *int64 `type:"long" required:"true"`
+
+	// Indicates whether you want to distribute media files in Microsoft Smooth
+	// Streaming format using the origin that is associated with this cache behavior.
+	// If so, specify true; if not, specify false.
+	SmoothStreaming *bool `type:"boolean"`
+
+	// The value of ID for the origin that you want CloudFront to route requests
+	// to when a request matches the path pattern either for a cache behavior or
+	// for the default cache behavior.
+	TargetOriginId *string `type:"string" required:"true"`
+
+	// A complex type that specifies the AWS accounts, if any, that you want to
+	// allow to create signed URLs for private content. If you want to require signed
+	// URLs in requests for objects in the target origin that match the PathPattern
+	// for this cache behavior, specify true for Enabled, and specify the applicable
+	// values for Quantity and Items. For more information, go to Using a Signed
+	// URL to Serve Private Content in the Amazon CloudFront Developer Guide. If
+	// you don't want to require signed URLs in requests for objects that match
+	// PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To
+	// add, change, or remove one or more trusted signers, change Enabled to true
+	// (if it's currently false), change Quantity as applicable, and specify all
+	// of the trusted signers that you want to include in the updated distribution.
+	TrustedSigners *TrustedSigners `type:"structure" required:"true"`
+
+	// Use this element to specify the protocol that users can use to access the
+	// files in the origin specified by TargetOriginId when a request matches the
+	// path pattern in PathPattern. If you want CloudFront to allow end users to
+	// use any available protocol, specify allow-all. If you want CloudFront to
+	// require HTTPS, specify https. If you want CloudFront to respond to an HTTP
+	// request with an HTTP status code of 301 (Moved Permanently) and the HTTPS
+	// URL, specify redirect-to-https. The viewer then resubmits the request using
+	// the HTTPS URL.
+	ViewerProtocolPolicy *string `type:"string" required:"true" enum:"ViewerProtocolPolicy"`
+}
+
+// String returns the string representation
+func (s DefaultCacheBehavior) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DefaultCacheBehavior) GoString() string {
+	return s.String()
+}
+
+// The request to delete a origin access identity.
+type DeleteCloudFrontOriginAccessIdentityInput struct {
+	_ struct{} `type:"structure"`
+
+	// The origin access identity's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received from a previous GET or PUT request.
+	// For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+}
+
+// String returns the string representation
+func (s DeleteCloudFrontOriginAccessIdentityInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteCloudFrontOriginAccessIdentityInput) GoString() string {
+	return s.String()
+}
+
+type DeleteCloudFrontOriginAccessIdentityOutput struct {
+	_ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteCloudFrontOriginAccessIdentityOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteCloudFrontOriginAccessIdentityOutput) GoString() string {
+	return s.String()
+}
+
+// The request to delete a distribution.
+type DeleteDistributionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received when you disabled the distribution.
+	// For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+}
+
+// String returns the string representation
+func (s DeleteDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteDistributionInput) GoString() string {
+	return s.String()
+}
+
+type DeleteDistributionOutput struct {
+	_ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// The request to delete a streaming distribution.
+type DeleteStreamingDistributionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received when you disabled the streaming
+	// distribution. For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+}
+
+// String returns the string representation
+func (s DeleteStreamingDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteStreamingDistributionInput) GoString() string {
+	return s.String()
+}
+
+type DeleteStreamingDistributionOutput struct {
+	_ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteStreamingDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteStreamingDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// A distribution.
+type Distribution struct {
+	_ struct{} `type:"structure"`
+
+	// CloudFront automatically adds this element to the response only if you've
+	// set up the distribution to serve private content with signed URLs. The element
+	// lists the key pair IDs that CloudFront is aware of for each trusted signer.
+	// The Signer child element lists the AWS account number of the trusted signer
+	// (or an empty Self element if the signer is you). The Signer element also
+	// includes the IDs of any active key pairs associated with the trusted signer's
+	// AWS account. If no KeyPairId element appears for a Signer, that signer can't
+	// create working signed URLs.
+	ActiveTrustedSigners *ActiveTrustedSigners `type:"structure" required:"true"`
+
+	// The current configuration information for the distribution.
+	DistributionConfig *DistributionConfig `type:"structure" required:"true"`
+
+	// The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net.
+	DomainName *string `type:"string" required:"true"`
+
+	// The identifier for the distribution. For example: EDFDVBD632BHDS5.
+	Id *string `type:"string" required:"true"`
+
+	// The number of invalidation batches currently in progress.
+	InProgressInvalidationBatches *int64 `type:"integer" required:"true"`
+
+	// The date and time the distribution was last modified.
+	LastModifiedTime *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
+
+	// This response element indicates the current status of the distribution. When
+	// the status is Deployed, the distribution's information is fully propagated
+	// throughout the Amazon CloudFront system.
+	Status *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s Distribution) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Distribution) GoString() string {
+	return s.String()
+}
+
+// A distribution Configuration.
+type DistributionConfig struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains information about CNAMEs (alternate domain names),
+	// if any, for this distribution.
+	Aliases *Aliases `type:"structure"`
+
+	// A complex type that contains zero or more CacheBehavior elements.
+	CacheBehaviors *CacheBehaviors `type:"structure"`
+
+	// A unique number that ensures the request can't be replayed. If the CallerReference
+	// is new (no matter the content of the DistributionConfig object), a new distribution
+	// is created. If the CallerReference is a value you already sent in a previous
+	// request to create a distribution, and the content of the DistributionConfig
+	// is identical to the original request (ignoring white space), the response
+	// includes the same information returned to the original request. If the CallerReference
+	// is a value you already sent in a previous request to create a distribution
+	// but the content of the DistributionConfig is different from the original
+	// request, CloudFront returns a DistributionAlreadyExists error.
+	CallerReference *string `type:"string" required:"true"`
+
+	// Any comments you want to include about the distribution.
+	Comment *string `type:"string" required:"true"`
+
+	// A complex type that contains zero or more CustomErrorResponse elements.
+	CustomErrorResponses *CustomErrorResponses `type:"structure"`
+
+	// A complex type that describes the default cache behavior if you do not specify
+	// a CacheBehavior element or if files don't match any of the values of PathPattern
+	// in CacheBehavior elements.You must create exactly one default cache behavior.
+	DefaultCacheBehavior *DefaultCacheBehavior `type:"structure" required:"true"`
+
+	// The object that you want CloudFront to return (for example, index.html) when
+	// an end user requests the root URL for your distribution (http://www.example.com)
+	// instead of an object in your distribution (http://www.example.com/index.html).
+	// Specifying a default root object avoids exposing the contents of your distribution.
+	// If you don't want to specify a default root object when you create a distribution,
+	// include an empty DefaultRootObject element. To delete the default root object
+	// from an existing distribution, update the distribution configuration and
+	// include an empty DefaultRootObject element. To replace the default root object,
+	// update the distribution configuration and specify the new object.
+	DefaultRootObject *string `type:"string"`
+
+	// Whether the distribution is enabled to accept end user requests for content.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// A complex type that controls whether access logs are written for the distribution.
+	Logging *LoggingConfig `type:"structure"`
+
+	// A complex type that contains information about origins for this distribution.
+	Origins *Origins `type:"structure" required:"true"`
+
+	// A complex type that contains information about price class for this distribution.
+	PriceClass *string `type:"string" enum:"PriceClass"`
+
+	// A complex type that identifies ways in which you want to restrict distribution
+	// of your content.
+	Restrictions *Restrictions `type:"structure"`
+
+	// A complex type that contains information about viewer certificates for this
+	// distribution.
+	ViewerCertificate *ViewerCertificate `type:"structure"`
+
+	// (Optional) If you're using AWS WAF to filter CloudFront requests, the Id
+	// of the AWS WAF web ACL that is associated with the distribution.
+	WebACLId *string `type:"string"`
+}
+
+// String returns the string representation
+func (s DistributionConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DistributionConfig) GoString() string {
+	return s.String()
+}
+
+// A distribution list.
+type DistributionList struct {
+	_ struct{} `type:"structure"`
+
+	// A flag that indicates whether more distributions remain to be listed. If
+	// your results were truncated, you can make a follow-up pagination request
+	// using the Marker request parameter to retrieve more distributions in the
+	// list.
+	IsTruncated *bool `type:"boolean" required:"true"`
+
+	// A complex type that contains one DistributionSummary element for each distribution
+	// that was created by the current AWS account.
+	Items []*DistributionSummary `locationNameList:"DistributionSummary" type:"list"`
+
+	// The value you provided for the Marker request parameter.
+	Marker *string `type:"string" required:"true"`
+
+	// The value you provided for the MaxItems request parameter.
+	MaxItems *int64 `type:"integer" required:"true"`
+
+	// If IsTruncated is true, this element is present and contains the value you
+	// can use for the Marker request parameter to continue listing your distributions
+	// where they left off.
+	NextMarker *string `type:"string"`
+
+	// The number of distributions that were created by the current AWS account.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s DistributionList) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DistributionList) GoString() string {
+	return s.String()
+}
+
+// A summary of the information for an Amazon CloudFront distribution.
+type DistributionSummary struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains information about CNAMEs (alternate domain names),
+	// if any, for this distribution.
+	Aliases *Aliases `type:"structure" required:"true"`
+
+	// A complex type that contains zero or more CacheBehavior elements.
+	CacheBehaviors *CacheBehaviors `type:"structure" required:"true"`
+
+	// The comment originally specified when this distribution was created.
+	Comment *string `type:"string" required:"true"`
+
+	// A complex type that contains zero or more CustomErrorResponses elements.
+	CustomErrorResponses *CustomErrorResponses `type:"structure" required:"true"`
+
+	// A complex type that describes the default cache behavior if you do not specify
+	// a CacheBehavior element or if files don't match any of the values of PathPattern
+	// in CacheBehavior elements.You must create exactly one default cache behavior.
+	DefaultCacheBehavior *DefaultCacheBehavior `type:"structure" required:"true"`
+
+	// The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net.
+	DomainName *string `type:"string" required:"true"`
+
+	// Whether the distribution is enabled to accept end user requests for content.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// The identifier for the distribution. For example: EDFDVBD632BHDS5.
+	Id *string `type:"string" required:"true"`
+
+	// The date and time the distribution was last modified.
+	LastModifiedTime *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
+
+	// A complex type that contains information about origins for this distribution.
+	Origins *Origins `type:"structure" required:"true"`
+
+	PriceClass *string `type:"string" required:"true" enum:"PriceClass"`
+
+	// A complex type that identifies ways in which you want to restrict distribution
+	// of your content.
+	Restrictions *Restrictions `type:"structure" required:"true"`
+
+	// This response element indicates the current status of the distribution. When
+	// the status is Deployed, the distribution's information is fully propagated
+	// throughout the Amazon CloudFront system.
+	Status *string `type:"string" required:"true"`
+
+	// A complex type that contains information about viewer certificates for this
+	// distribution.
+	ViewerCertificate *ViewerCertificate `type:"structure" required:"true"`
+
+	// The Web ACL Id (if any) associated with the distribution.
+	WebACLId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DistributionSummary) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DistributionSummary) GoString() string {
+	return s.String()
+}
+
+// A complex type that specifies how CloudFront handles query strings, cookies
+// and headers.
+type ForwardedValues struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that specifies how CloudFront handles cookies.
+	Cookies *CookiePreference `type:"structure" required:"true"`
+
+	// A complex type that specifies the Headers, if any, that you want CloudFront
+	// to vary upon for this cache behavior.
+	Headers *Headers `type:"structure"`
+
+	// Indicates whether you want CloudFront to forward query strings to the origin
+	// that is associated with this cache behavior. If so, specify true; if not,
+	// specify false.
+	QueryString *bool `type:"boolean" required:"true"`
+}
+
+// String returns the string representation
+func (s ForwardedValues) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ForwardedValues) GoString() string {
+	return s.String()
+}
+
+// A complex type that controls the countries in which your content is distributed.
+// For more information about geo restriction, go to Customizing Error Responses
+// in the Amazon CloudFront Developer Guide. CloudFront determines the location
+// of your users using MaxMind GeoIP databases. For information about the accuracy
+// of these databases, see How accurate are your GeoIP databases? on the MaxMind
+// website.
+type GeoRestriction struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains a Location element for each country in which
+	// you want CloudFront either to distribute your content (whitelist) or not
+	// distribute your content (blacklist). The Location element is a two-letter,
+	// uppercase country code for a country that you want to include in your blacklist
+	// or whitelist. Include one Location element for each country. CloudFront and
+	// MaxMind both use ISO 3166 country codes. For the current list of countries
+	// and the corresponding codes, see ISO 3166-1-alpha-2 code on the International
+	// Organization for Standardization website. You can also refer to the country
+	// list in the CloudFront console, which includes both country names and codes.
+	Items []*string `locationNameList:"Location" type:"list"`
+
+	// When geo restriction is enabled, this is the number of countries in your
+	// whitelist or blacklist. Otherwise, when it is not enabled, Quantity is 0,
+	// and you can omit Items.
+	Quantity *int64 `type:"integer" required:"true"`
+
+	// The method that you want to use to restrict distribution of your content
+	// by country: - none: No geo restriction is enabled, meaning access to content
+	// is not restricted by client geo location. - blacklist: The Location elements
+	// specify the countries in which you do not want CloudFront to distribute your
+	// content. - whitelist: The Location elements specify the countries in which
+	// you want CloudFront to distribute your content.
+	RestrictionType *string `type:"string" required:"true" enum:"GeoRestrictionType"`
+}
+
+// String returns the string representation
+func (s GeoRestriction) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GeoRestriction) GoString() string {
+	return s.String()
+}
+
+// The request to get an origin access identity's configuration.
+type GetCloudFrontOriginAccessIdentityConfigInput struct {
+	_ struct{} `type:"structure"`
+
+	// The identity's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetCloudFrontOriginAccessIdentityConfigInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCloudFrontOriginAccessIdentityConfigInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetCloudFrontOriginAccessIdentityConfigOutput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentityConfig"`
+
+	// The origin access identity's configuration information.
+	CloudFrontOriginAccessIdentityConfig *OriginAccessIdentityConfig `type:"structure"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s GetCloudFrontOriginAccessIdentityConfigOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCloudFrontOriginAccessIdentityConfigOutput) GoString() string {
+	return s.String()
+}
+
+// The request to get an origin access identity's information.
+type GetCloudFrontOriginAccessIdentityInput struct {
+	_ struct{} `type:"structure"`
+
+	// The identity's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetCloudFrontOriginAccessIdentityInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCloudFrontOriginAccessIdentityInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetCloudFrontOriginAccessIdentityOutput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentity"`
+
+	// The origin access identity's information.
+	CloudFrontOriginAccessIdentity *OriginAccessIdentity `type:"structure"`
+
+	// The current version of the origin access identity's information. For example:
+	// E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s GetCloudFrontOriginAccessIdentityOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCloudFrontOriginAccessIdentityOutput) GoString() string {
+	return s.String()
+}
+
+// The request to get a distribution configuration.
+type GetDistributionConfigInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetDistributionConfigInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetDistributionConfigInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetDistributionConfigOutput struct {
+	_ struct{} `type:"structure" payload:"DistributionConfig"`
+
+	// The distribution's configuration information.
+	DistributionConfig *DistributionConfig `type:"structure"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s GetDistributionConfigOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetDistributionConfigOutput) GoString() string {
+	return s.String()
+}
+
+// The request to get a distribution's information.
+type GetDistributionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"Distribution"`
+
+	// The distribution's information.
+	Distribution *Distribution `type:"structure"`
+
+	// The current version of the distribution's information. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s GetDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// The request to get an invalidation's information.
+type GetInvalidationInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution's id.
+	DistributionId *string `location:"uri" locationName:"DistributionId" type:"string" required:"true"`
+
+	// The invalidation's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetInvalidationInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetInvalidationInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetInvalidationOutput struct {
+	_ struct{} `type:"structure" payload:"Invalidation"`
+
+	// The invalidation's information.
+	Invalidation *Invalidation `type:"structure"`
+}
+
+// String returns the string representation
+func (s GetInvalidationOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetInvalidationOutput) GoString() string {
+	return s.String()
+}
+
+// To request to get a streaming distribution configuration.
+type GetStreamingDistributionConfigInput struct {
+	_ struct{} `type:"structure"`
+
+	// The streaming distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetStreamingDistributionConfigInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetStreamingDistributionConfigInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetStreamingDistributionConfigOutput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistributionConfig"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The streaming distribution's configuration information.
+	StreamingDistributionConfig *StreamingDistributionConfig `type:"structure"`
+}
+
+// String returns the string representation
+func (s GetStreamingDistributionConfigOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetStreamingDistributionConfigOutput) GoString() string {
+	return s.String()
+}
+
+// The request to get a streaming distribution's information.
+type GetStreamingDistributionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The streaming distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetStreamingDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetStreamingDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type GetStreamingDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistribution"`
+
+	// The current version of the streaming distribution's information. For example:
+	// E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The streaming distribution's information.
+	StreamingDistribution *StreamingDistribution `type:"structure"`
+}
+
+// String returns the string representation
+func (s GetStreamingDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetStreamingDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// A complex type that specifies the headers that you want CloudFront to forward
+// to the origin for this cache behavior. For the headers that you specify,
+// CloudFront also caches separate versions of a given object based on the header
+// values in viewer requests; this is known as varying on headers. For example,
+// suppose viewer requests for logo.jpg contain a custom Product header that
+// has a value of either Acme or Apex, and you configure CloudFront to vary
+// on the Product header. CloudFront forwards the Product header to the origin
+// and caches the response from the origin once for each header value.
+type Headers struct {
+	_ struct{} `type:"structure"`
+
+	// Optional: A complex type that contains a Name element for each header that
+	// you want CloudFront to forward to the origin and to vary on for this cache
+	// behavior. If Quantity is 0, omit Items.
+	Items []*string `locationNameList:"Name" type:"list"`
+
+	// The number of different headers that you want CloudFront to forward to the
+	// origin and to vary on for this cache behavior. The maximum number of headers
+	// that you can specify by name is 10. If you want CloudFront to forward all
+	// headers to the origin and vary on all of them, specify 1 for Quantity and
+	// * for Name. If you don't want CloudFront to forward any additional headers
+	// to the origin or to vary on any headers, specify 0 for Quantity and omit
+	// Items.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s Headers) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Headers) GoString() string {
+	return s.String()
+}
+
+// An invalidation.
+type Invalidation struct {
+	_ struct{} `type:"structure"`
+
+	// The date and time the invalidation request was first made.
+	CreateTime *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
+
+	// The identifier for the invalidation request. For example: IDFDVBD632BHDS5.
+	Id *string `type:"string" required:"true"`
+
+	// The current invalidation information for the batch request.
+	InvalidationBatch *InvalidationBatch `type:"structure" required:"true"`
+
+	// The status of the invalidation request. When the invalidation batch is finished,
+	// the status is Completed.
+	Status *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s Invalidation) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Invalidation) GoString() string {
+	return s.String()
+}
+
+// An invalidation batch.
+type InvalidationBatch struct {
+	_ struct{} `type:"structure"`
+
+	// A unique name that ensures the request can't be replayed. If the CallerReference
+	// is new (no matter the content of the Path object), a new distribution is
+	// created. If the CallerReference is a value you already sent in a previous
+	// request to create an invalidation batch, and the content of each Path element
+	// is identical to the original request, the response includes the same information
+	// returned to the original request. If the CallerReference is a value you already
+	// sent in a previous request to create a distribution but the content of any
+	// Path is different from the original request, CloudFront returns an InvalidationBatchAlreadyExists
+	// error.
+	CallerReference *string `type:"string" required:"true"`
+
+	// The path of the object to invalidate. The path is relative to the distribution
+	// and must begin with a slash (/). You must enclose each invalidation object
+	// with the Path element tags. If the path includes non-ASCII characters or
+	// unsafe characters as defined in RFC 1783 (http://www.ietf.org/rfc/rfc1738.txt),
+	// URL encode those characters. Do not URL encode any other characters in the
+	// path, or CloudFront will not invalidate the old version of the updated object.
+	Paths *Paths `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s InvalidationBatch) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s InvalidationBatch) GoString() string {
+	return s.String()
+}
+
+// An invalidation list.
+type InvalidationList struct {
+	_ struct{} `type:"structure"`
+
+	// A flag that indicates whether more invalidation batch requests remain to
+	// be listed. If your results were truncated, you can make a follow-up pagination
+	// request using the Marker request parameter to retrieve more invalidation
+	// batches in the list.
+	IsTruncated *bool `type:"boolean" required:"true"`
+
+	// A complex type that contains one InvalidationSummary element for each invalidation
+	// batch that was created by the current AWS account.
+	Items []*InvalidationSummary `locationNameList:"InvalidationSummary" type:"list"`
+
+	// The value you provided for the Marker request parameter.
+	Marker *string `type:"string" required:"true"`
+
+	// The value you provided for the MaxItems request parameter.
+	MaxItems *int64 `type:"integer" required:"true"`
+
+	// If IsTruncated is true, this element is present and contains the value you
+	// can use for the Marker request parameter to continue listing your invalidation
+	// batches where they left off.
+	NextMarker *string `type:"string"`
+
+	// The number of invalidation batches that were created by the current AWS account.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s InvalidationList) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s InvalidationList) GoString() string {
+	return s.String()
+}
+
+// Summary of an invalidation request.
+type InvalidationSummary struct {
+	_ struct{} `type:"structure"`
+
+	CreateTime *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
+
+	// The unique ID for an invalidation request.
+	Id *string `type:"string" required:"true"`
+
+	// The status of an invalidation request.
+	Status *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s InvalidationSummary) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s InvalidationSummary) GoString() string {
+	return s.String()
+}
+
+// A complex type that lists the active CloudFront key pairs, if any, that are
+// associated with AwsAccountNumber.
+type KeyPairIds struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that lists the active CloudFront key pairs, if any, that are
+	// associated with AwsAccountNumber.
+	Items []*string `locationNameList:"KeyPairId" type:"list"`
+
+	// The number of active CloudFront key pairs for AwsAccountNumber.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s KeyPairIds) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s KeyPairIds) GoString() string {
+	return s.String()
+}
+
+// The request to list origin access identities.
+type ListCloudFrontOriginAccessIdentitiesInput struct {
+	_ struct{} `type:"structure"`
+
+	// Use this when paginating results to indicate where to begin in your list
+	// of origin access identities. The results include identities in the list that
+	// occur after the marker. To get the next page of results, set the Marker to
+	// the value of the NextMarker from the current page's response (which is also
+	// the ID of the last identity on that page).
+	Marker *string `location:"querystring" locationName:"Marker" type:"string"`
+
+	// The maximum number of origin access identities you want in the response body.
+	MaxItems *int64 `location:"querystring" locationName:"MaxItems" type:"integer"`
+}
+
+// String returns the string representation
+func (s ListCloudFrontOriginAccessIdentitiesInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListCloudFrontOriginAccessIdentitiesInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type ListCloudFrontOriginAccessIdentitiesOutput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentityList"`
+
+	// The CloudFrontOriginAccessIdentityList type.
+	CloudFrontOriginAccessIdentityList *OriginAccessIdentityList `type:"structure"`
+}
+
+// String returns the string representation
+func (s ListCloudFrontOriginAccessIdentitiesOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListCloudFrontOriginAccessIdentitiesOutput) GoString() string {
+	return s.String()
+}
+
+// The request to list distributions that are associated with a specified AWS
+// WAF web ACL.
+type ListDistributionsByWebACLIdInput struct {
+	_ struct{} `type:"structure"`
+
+	// Use Marker and MaxItems to control pagination of results. If you have more
+	// than MaxItems distributions that satisfy the request, the response includes
+	// a NextMarker element. To get the next page of results, submit another request.
+	// For the value of Marker, specify the value of NextMarker from the last response.
+	// (For the first request, omit Marker.)
+	Marker *string `location:"querystring" locationName:"Marker" type:"string"`
+
+	// The maximum number of distributions that you want CloudFront to return in
+	// the response body. The maximum and default values are both 100.
+	MaxItems *int64 `location:"querystring" locationName:"MaxItems" type:"integer"`
+
+	// The Id of the AWS WAF web ACL for which you want to list the associated distributions.
+	// If you specify "null" for the Id, the request returns a list of the distributions
+	// that aren't associated with a web ACL.
+	WebACLId *string `location:"uri" locationName:"WebACLId" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ListDistributionsByWebACLIdInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListDistributionsByWebACLIdInput) GoString() string {
+	return s.String()
+}
+
+// The response to a request to list the distributions that are associated with
+// a specified AWS WAF web ACL.
+type ListDistributionsByWebACLIdOutput struct {
+	_ struct{} `type:"structure" payload:"DistributionList"`
+
+	// The DistributionList type.
+	DistributionList *DistributionList `type:"structure"`
+}
+
+// String returns the string representation
+func (s ListDistributionsByWebACLIdOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListDistributionsByWebACLIdOutput) GoString() string {
+	return s.String()
+}
+
+// The request to list your distributions.
+type ListDistributionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Use Marker and MaxItems to control pagination of results. If you have more
+	// than MaxItems distributions that satisfy the request, the response includes
+	// a NextMarker element. To get the next page of results, submit another request.
+	// For the value of Marker, specify the value of NextMarker from the last response.
+	// (For the first request, omit Marker.)
+	Marker *string `location:"querystring" locationName:"Marker" type:"string"`
+
+	// The maximum number of distributions that you want CloudFront to return in
+	// the response body. The maximum and default values are both 100.
+	MaxItems *int64 `location:"querystring" locationName:"MaxItems" type:"integer"`
+}
+
+// String returns the string representation
+func (s ListDistributionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListDistributionsInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type ListDistributionsOutput struct {
+	_ struct{} `type:"structure" payload:"DistributionList"`
+
+	// The DistributionList type.
+	DistributionList *DistributionList `type:"structure"`
+}
+
+// String returns the string representation
+func (s ListDistributionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListDistributionsOutput) GoString() string {
+	return s.String()
+}
+
+// The request to list invalidations.
+type ListInvalidationsInput struct {
+	_ struct{} `type:"structure"`
+
+	// The distribution's id.
+	DistributionId *string `location:"uri" locationName:"DistributionId" type:"string" required:"true"`
+
+	// Use this parameter when paginating results to indicate where to begin in
+	// your list of invalidation batches. Because the results are returned in decreasing
+	// order from most recent to oldest, the most recent results are on the first
+	// page, the second page will contain earlier results, and so on. To get the
+	// next page of results, set the Marker to the value of the NextMarker from
+	// the current page's response. This value is the same as the ID of the last
+	// invalidation batch on that page.
+	Marker *string `location:"querystring" locationName:"Marker" type:"string"`
+
+	// The maximum number of invalidation batches you want in the response body.
+	MaxItems *int64 `location:"querystring" locationName:"MaxItems" type:"integer"`
+}
+
+// String returns the string representation
+func (s ListInvalidationsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListInvalidationsInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type ListInvalidationsOutput struct {
+	_ struct{} `type:"structure" payload:"InvalidationList"`
+
+	// Information about invalidation batches.
+	InvalidationList *InvalidationList `type:"structure"`
+}
+
+// String returns the string representation
+func (s ListInvalidationsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListInvalidationsOutput) GoString() string {
+	return s.String()
+}
+
+// The request to list your streaming distributions.
+type ListStreamingDistributionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Use this when paginating results to indicate where to begin in your list
+	// of streaming distributions. The results include distributions in the list
+	// that occur after the marker. To get the next page of results, set the Marker
+	// to the value of the NextMarker from the current page's response (which is
+	// also the ID of the last distribution on that page).
+	Marker *string `location:"querystring" locationName:"Marker" type:"string"`
+
+	// The maximum number of streaming distributions you want in the response body.
+	MaxItems *int64 `location:"querystring" locationName:"MaxItems" type:"integer"`
+}
+
+// String returns the string representation
+func (s ListStreamingDistributionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListStreamingDistributionsInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type ListStreamingDistributionsOutput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistributionList"`
+
+	// The StreamingDistributionList type.
+	StreamingDistributionList *StreamingDistributionList `type:"structure"`
+}
+
+// String returns the string representation
+func (s ListStreamingDistributionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListStreamingDistributionsOutput) GoString() string {
+	return s.String()
+}
+
+// A complex type that controls whether access logs are written for the distribution.
+type LoggingConfig struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon S3 bucket to store the access logs in, for example, myawslogbucket.s3.amazonaws.com.
+	Bucket *string `type:"string" required:"true"`
+
+	// Specifies whether you want CloudFront to save access logs to an Amazon S3
+	// bucket. If you do not want to enable logging when you create a distribution
+	// or if you want to disable logging for an existing distribution, specify false
+	// for Enabled, and specify empty Bucket and Prefix elements. If you specify
+	// false for Enabled but you specify values for Bucket, prefix and IncludeCookies,
+	// the values are automatically deleted.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// Specifies whether you want CloudFront to include cookies in access logs,
+	// specify true for IncludeCookies. If you choose to include cookies in logs,
+	// CloudFront logs all cookies regardless of how you configure the cache behaviors
+	// for this distribution. If you do not want to include cookies when you create
+	// a distribution or if you want to disable include cookies for an existing
+	// distribution, specify false for IncludeCookies.
+	IncludeCookies *bool `type:"boolean" required:"true"`
+
+	// An optional string that you want CloudFront to prefix to the access log filenames
+	// for this distribution, for example, myprefix/. If you want to enable logging,
+	// but you do not want to specify a prefix, you still must include an empty
+	// Prefix element in the Logging element.
+	Prefix *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s LoggingConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s LoggingConfig) GoString() string {
+	return s.String()
+}
+
+// A complex type that describes the Amazon S3 bucket or the HTTP server (for
+// example, a web server) from which CloudFront gets your files.You must create
+// at least one origin.
+type Origin struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains information about the custom headers associated
+	// with this Origin.
+	CustomHeaders *CustomHeaders `type:"structure"`
+
+	// A complex type that contains information about a custom origin. If the origin
+	// is an Amazon S3 bucket, use the S3OriginConfig element instead.
+	CustomOriginConfig *CustomOriginConfig `type:"structure"`
+
+	// Amazon S3 origins: The DNS name of the Amazon S3 bucket from which you want
+	// CloudFront to get objects for this origin, for example, myawsbucket.s3.amazonaws.com.
+	// Custom origins: The DNS domain name for the HTTP server from which you want
+	// CloudFront to get objects for this origin, for example, www.example.com.
+	DomainName *string `type:"string" required:"true"`
+
+	// A unique identifier for the origin. The value of Id must be unique within
+	// the distribution. You use the value of Id when you create a cache behavior.
+	// The Id identifies the origin that CloudFront routes a request to when the
+	// request matches the path pattern for that cache behavior.
+	Id *string `type:"string" required:"true"`
+
+	// An optional element that causes CloudFront to request your content from a
+	// directory in your Amazon S3 bucket or your custom origin. When you include
+	// the OriginPath element, specify the directory name, beginning with a /. CloudFront
+	// appends the directory name to the value of DomainName.
+	OriginPath *string `type:"string"`
+
+	// A complex type that contains information about the Amazon S3 origin. If the
+	// origin is a custom origin, use the CustomOriginConfig element instead.
+	S3OriginConfig *S3OriginConfig `type:"structure"`
+}
+
+// String returns the string representation
+func (s Origin) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Origin) GoString() string {
+	return s.String()
+}
+
+// CloudFront origin access identity.
+type OriginAccessIdentity struct {
+	_ struct{} `type:"structure"`
+
+	// The current configuration information for the identity.
+	CloudFrontOriginAccessIdentityConfig *OriginAccessIdentityConfig `type:"structure"`
+
+	// The ID for the origin access identity. For example: E74FTE3AJFJ256A.
+	Id *string `type:"string" required:"true"`
+
+	// The Amazon S3 canonical user ID for the origin access identity, which you
+	// use when giving the origin access identity read permission to an object in
+	// Amazon S3.
+	S3CanonicalUserId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginAccessIdentity) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginAccessIdentity) GoString() string {
+	return s.String()
+}
+
+// Origin access identity configuration.
+type OriginAccessIdentityConfig struct {
+	_ struct{} `type:"structure"`
+
+	// A unique number that ensures the request can't be replayed. If the CallerReference
+	// is new (no matter the content of the CloudFrontOriginAccessIdentityConfig
+	// object), a new origin access identity is created. If the CallerReference
+	// is a value you already sent in a previous request to create an identity,
+	// and the content of the CloudFrontOriginAccessIdentityConfig is identical
+	// to the original request (ignoring white space), the response includes the
+	// same information returned to the original request. If the CallerReference
+	// is a value you already sent in a previous request to create an identity but
+	// the content of the CloudFrontOriginAccessIdentityConfig is different from
+	// the original request, CloudFront returns a CloudFrontOriginAccessIdentityAlreadyExists
+	// error.
+	CallerReference *string `type:"string" required:"true"`
+
+	// Any comments you want to include about the origin access identity.
+	Comment *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginAccessIdentityConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginAccessIdentityConfig) GoString() string {
+	return s.String()
+}
+
+// The CloudFrontOriginAccessIdentityList type.
+type OriginAccessIdentityList struct {
+	_ struct{} `type:"structure"`
+
+	// A flag that indicates whether more origin access identities remain to be
+	// listed. If your results were truncated, you can make a follow-up pagination
+	// request using the Marker request parameter to retrieve more items in the
+	// list.
+	IsTruncated *bool `type:"boolean" required:"true"`
+
+	// A complex type that contains one CloudFrontOriginAccessIdentitySummary element
+	// for each origin access identity that was created by the current AWS account.
+	Items []*OriginAccessIdentitySummary `locationNameList:"CloudFrontOriginAccessIdentitySummary" type:"list"`
+
+	// The value you provided for the Marker request parameter.
+	Marker *string `type:"string" required:"true"`
+
+	// The value you provided for the MaxItems request parameter.
+	MaxItems *int64 `type:"integer" required:"true"`
+
+	// If IsTruncated is true, this element is present and contains the value you
+	// can use for the Marker request parameter to continue listing your origin
+	// access identities where they left off.
+	NextMarker *string `type:"string"`
+
+	// The number of CloudFront origin access identities that were created by the
+	// current AWS account.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginAccessIdentityList) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginAccessIdentityList) GoString() string {
+	return s.String()
+}
+
+// Summary of the information about a CloudFront origin access identity.
+type OriginAccessIdentitySummary struct {
+	_ struct{} `type:"structure"`
+
+	// The comment for this origin access identity, as originally specified when
+	// created.
+	Comment *string `type:"string" required:"true"`
+
+	// The ID for the origin access identity. For example: E74FTE3AJFJ256A.
+	Id *string `type:"string" required:"true"`
+
+	// The Amazon S3 canonical user ID for the origin access identity, which you
+	// use when giving the origin access identity read permission to an object in
+	// Amazon S3.
+	S3CanonicalUserId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginAccessIdentitySummary) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginAccessIdentitySummary) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information related to a Header
+type OriginCustomHeader struct {
+	_ struct{} `type:"structure"`
+
+	// The header's name.
+	HeaderName *string `type:"string" required:"true"`
+
+	// The header's value.
+	HeaderValue *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginCustomHeader) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginCustomHeader) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains the list of SSL/TLS protocols that you want
+// CloudFront to use when communicating with your origin over HTTPS.
+type OriginSslProtocols struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains one SslProtocol element for each SSL/TLS protocol
+	// that you want to allow CloudFront to use when establishing an HTTPS connection
+	// with this origin.
+	Items []*string `locationNameList:"SslProtocol" type:"list" required:"true"`
+
+	// The number of SSL/TLS protocols that you want to allow CloudFront to use
+	// when establishing an HTTPS connection with this origin.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s OriginSslProtocols) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s OriginSslProtocols) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about origins for this distribution.
+type Origins struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains origins for this distribution.
+	Items []*Origin `locationNameList:"Origin" min:"1" type:"list"`
+
+	// The number of origins for this distribution.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s Origins) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Origins) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about the objects that you want
+// to invalidate.
+type Paths struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains a list of the objects that you want to invalidate.
+	Items []*string `locationNameList:"Path" type:"list"`
+
+	// The number of objects that you want to invalidate.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s Paths) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Paths) GoString() string {
+	return s.String()
+}
+
+// A complex type that identifies ways in which you want to restrict distribution
+// of your content.
+type Restrictions struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that controls the countries in which your content is distributed.
+	// For more information about geo restriction, go to Customizing Error Responses
+	// in the Amazon CloudFront Developer Guide. CloudFront determines the location
+	// of your users using MaxMind GeoIP databases. For information about the accuracy
+	// of these databases, see How accurate are your GeoIP databases? on the MaxMind
+	// website.
+	GeoRestriction *GeoRestriction `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s Restrictions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Restrictions) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about the Amazon S3 bucket from
+// which you want CloudFront to get your media files for distribution.
+type S3Origin struct {
+	_ struct{} `type:"structure"`
+
+	// The DNS name of the S3 origin.
+	DomainName *string `type:"string" required:"true"`
+
+	// Your S3 origin's origin access identity.
+	OriginAccessIdentity *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s S3Origin) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s S3Origin) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about the Amazon S3 origin. If the
+// origin is a custom origin, use the CustomOriginConfig element instead.
+type S3OriginConfig struct {
+	_ struct{} `type:"structure"`
+
+	// The CloudFront origin access identity to associate with the origin. Use an
+	// origin access identity to configure the origin so that end users can only
+	// access objects in an Amazon S3 bucket through CloudFront. If you want end
+	// users to be able to access objects using either the CloudFront URL or the
+	// Amazon S3 URL, specify an empty OriginAccessIdentity element. To delete the
+	// origin access identity from an existing distribution, update the distribution
+	// configuration and include an empty OriginAccessIdentity element. To replace
+	// the origin access identity, update the distribution configuration and specify
+	// the new origin access identity. Use the format origin-access-identity/cloudfront/Id
+	// where Id is the value that CloudFront returned in the Id element when you
+	// created the origin access identity.
+	OriginAccessIdentity *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s S3OriginConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s S3OriginConfig) GoString() string {
+	return s.String()
+}
+
+// A complex type that lists the AWS accounts that were included in the TrustedSigners
+// complex type, as well as their active CloudFront key pair IDs, if any.
+type Signer struct {
+	_ struct{} `type:"structure"`
+
+	// Specifies an AWS account that can create signed URLs. Values: self, which
+	// indicates that the AWS account that was used to create the distribution can
+	// created signed URLs, or an AWS account number. Omit the dashes in the account
+	// number.
+	AwsAccountNumber *string `type:"string"`
+
+	// A complex type that lists the active CloudFront key pairs, if any, that are
+	// associated with AwsAccountNumber.
+	KeyPairIds *KeyPairIds `type:"structure"`
+}
+
+// String returns the string representation
+func (s Signer) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Signer) GoString() string {
+	return s.String()
+}
+
+// A streaming distribution.
+type StreamingDistribution struct {
+	_ struct{} `type:"structure"`
+
+	// CloudFront automatically adds this element to the response only if you've
+	// set up the distribution to serve private content with signed URLs. The element
+	// lists the key pair IDs that CloudFront is aware of for each trusted signer.
+	// The Signer child element lists the AWS account number of the trusted signer
+	// (or an empty Self element if the signer is you). The Signer element also
+	// includes the IDs of any active key pairs associated with the trusted signer's
+	// AWS account. If no KeyPairId element appears for a Signer, that signer can't
+	// create working signed URLs.
+	ActiveTrustedSigners *ActiveTrustedSigners `type:"structure" required:"true"`
+
+	// The domain name corresponding to the streaming distribution. For example:
+	// s5c39gqb8ow64r.cloudfront.net.
+	DomainName *string `type:"string" required:"true"`
+
+	// The identifier for the streaming distribution. For example: EGTXBD79H29TRA8.
+	Id *string `type:"string" required:"true"`
+
+	// The date and time the distribution was last modified.
+	LastModifiedTime *time.Time `type:"timestamp" timestampFormat:"iso8601"`
+
+	// The current status of the streaming distribution. When the status is Deployed,
+	// the distribution's information is fully propagated throughout the Amazon
+	// CloudFront system.
+	Status *string `type:"string" required:"true"`
+
+	// The current configuration information for the streaming distribution.
+	StreamingDistributionConfig *StreamingDistributionConfig `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s StreamingDistribution) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s StreamingDistribution) GoString() string {
+	return s.String()
+}
+
+// The configuration for the streaming distribution.
+type StreamingDistributionConfig struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains information about CNAMEs (alternate domain names),
+	// if any, for this streaming distribution.
+	Aliases *Aliases `type:"structure"`
+
+	// A unique number that ensures the request can't be replayed. If the CallerReference
+	// is new (no matter the content of the StreamingDistributionConfig object),
+	// a new streaming distribution is created. If the CallerReference is a value
+	// you already sent in a previous request to create a streaming distribution,
+	// and the content of the StreamingDistributionConfig is identical to the original
+	// request (ignoring white space), the response includes the same information
+	// returned to the original request. If the CallerReference is a value you already
+	// sent in a previous request to create a streaming distribution but the content
+	// of the StreamingDistributionConfig is different from the original request,
+	// CloudFront returns a DistributionAlreadyExists error.
+	CallerReference *string `type:"string" required:"true"`
+
+	// Any comments you want to include about the streaming distribution.
+	Comment *string `type:"string" required:"true"`
+
+	// Whether the streaming distribution is enabled to accept end user requests
+	// for content.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// A complex type that controls whether access logs are written for the streaming
+	// distribution.
+	Logging *StreamingLoggingConfig `type:"structure"`
+
+	// A complex type that contains information about price class for this streaming
+	// distribution.
+	PriceClass *string `type:"string" enum:"PriceClass"`
+
+	// A complex type that contains information about the Amazon S3 bucket from
+	// which you want CloudFront to get your media files for distribution.
+	S3Origin *S3Origin `type:"structure" required:"true"`
+
+	// A complex type that specifies the AWS accounts, if any, that you want to
+	// allow to create signed URLs for private content. If you want to require signed
+	// URLs in requests for objects in the target origin that match the PathPattern
+	// for this cache behavior, specify true for Enabled, and specify the applicable
+	// values for Quantity and Items. For more information, go to Using a Signed
+	// URL to Serve Private Content in the Amazon CloudFront Developer Guide. If
+	// you don't want to require signed URLs in requests for objects that match
+	// PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To
+	// add, change, or remove one or more trusted signers, change Enabled to true
+	// (if it's currently false), change Quantity as applicable, and specify all
+	// of the trusted signers that you want to include in the updated distribution.
+	TrustedSigners *TrustedSigners `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s StreamingDistributionConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s StreamingDistributionConfig) GoString() string {
+	return s.String()
+}
+
+// A streaming distribution list.
+type StreamingDistributionList struct {
+	_ struct{} `type:"structure"`
+
+	// A flag that indicates whether more streaming distributions remain to be listed.
+	// If your results were truncated, you can make a follow-up pagination request
+	// using the Marker request parameter to retrieve more distributions in the
+	// list.
+	IsTruncated *bool `type:"boolean" required:"true"`
+
+	// A complex type that contains one StreamingDistributionSummary element for
+	// each distribution that was created by the current AWS account.
+	Items []*StreamingDistributionSummary `locationNameList:"StreamingDistributionSummary" type:"list"`
+
+	// The value you provided for the Marker request parameter.
+	Marker *string `type:"string" required:"true"`
+
+	// The value you provided for the MaxItems request parameter.
+	MaxItems *int64 `type:"integer" required:"true"`
+
+	// If IsTruncated is true, this element is present and contains the value you
+	// can use for the Marker request parameter to continue listing your streaming
+	// distributions where they left off.
+	NextMarker *string `type:"string"`
+
+	// The number of streaming distributions that were created by the current AWS
+	// account.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s StreamingDistributionList) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s StreamingDistributionList) GoString() string {
+	return s.String()
+}
+
+// A summary of the information for an Amazon CloudFront streaming distribution.
+type StreamingDistributionSummary struct {
+	_ struct{} `type:"structure"`
+
+	// A complex type that contains information about CNAMEs (alternate domain names),
+	// if any, for this streaming distribution.
+	Aliases *Aliases `type:"structure" required:"true"`
+
+	// The comment originally specified when this distribution was created.
+	Comment *string `type:"string" required:"true"`
+
+	// The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net.
+	DomainName *string `type:"string" required:"true"`
+
+	// Whether the distribution is enabled to accept end user requests for content.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// The identifier for the distribution. For example: EDFDVBD632BHDS5.
+	Id *string `type:"string" required:"true"`
+
+	// The date and time the distribution was last modified.
+	LastModifiedTime *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
+
+	PriceClass *string `type:"string" required:"true" enum:"PriceClass"`
+
+	// A complex type that contains information about the Amazon S3 bucket from
+	// which you want CloudFront to get your media files for distribution.
+	S3Origin *S3Origin `type:"structure" required:"true"`
+
+	// Indicates the current status of the distribution. When the status is Deployed,
+	// the distribution's information is fully propagated throughout the Amazon
+	// CloudFront system.
+	Status *string `type:"string" required:"true"`
+
+	// A complex type that specifies the AWS accounts, if any, that you want to
+	// allow to create signed URLs for private content. If you want to require signed
+	// URLs in requests for objects in the target origin that match the PathPattern
+	// for this cache behavior, specify true for Enabled, and specify the applicable
+	// values for Quantity and Items. For more information, go to Using a Signed
+	// URL to Serve Private Content in the Amazon CloudFront Developer Guide. If
+	// you don't want to require signed URLs in requests for objects that match
+	// PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To
+	// add, change, or remove one or more trusted signers, change Enabled to true
+	// (if it's currently false), change Quantity as applicable, and specify all
+	// of the trusted signers that you want to include in the updated distribution.
+	TrustedSigners *TrustedSigners `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s StreamingDistributionSummary) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s StreamingDistributionSummary) GoString() string {
+	return s.String()
+}
+
+// A complex type that controls whether access logs are written for this streaming
+// distribution.
+type StreamingLoggingConfig struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon S3 bucket to store the access logs in, for example, myawslogbucket.s3.amazonaws.com.
+	Bucket *string `type:"string" required:"true"`
+
+	// Specifies whether you want CloudFront to save access logs to an Amazon S3
+	// bucket. If you do not want to enable logging when you create a streaming
+	// distribution or if you want to disable logging for an existing streaming
+	// distribution, specify false for Enabled, and specify empty Bucket and Prefix
+	// elements. If you specify false for Enabled but you specify values for Bucket
+	// and Prefix, the values are automatically deleted.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// An optional string that you want CloudFront to prefix to the access log filenames
+	// for this streaming distribution, for example, myprefix/. If you want to enable
+	// logging, but you do not want to specify a prefix, you still must include
+	// an empty Prefix element in the Logging element.
+	Prefix *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s StreamingLoggingConfig) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s StreamingLoggingConfig) GoString() string {
+	return s.String()
+}
+
+// A complex type that specifies the AWS accounts, if any, that you want to
+// allow to create signed URLs for private content. If you want to require signed
+// URLs in requests for objects in the target origin that match the PathPattern
+// for this cache behavior, specify true for Enabled, and specify the applicable
+// values for Quantity and Items. For more information, go to Using a Signed
+// URL to Serve Private Content in the Amazon CloudFront Developer Guide. If
+// you don't want to require signed URLs in requests for objects that match
+// PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To
+// add, change, or remove one or more trusted signers, change Enabled to true
+// (if it's currently false), change Quantity as applicable, and specify all
+// of the trusted signers that you want to include in the updated distribution.
+type TrustedSigners struct {
+	_ struct{} `type:"structure"`
+
+	// Specifies whether you want to require end users to use signed URLs to access
+	// the files specified by PathPattern and TargetOriginId.
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// Optional: A complex type that contains trusted signers for this cache behavior.
+	// If Quantity is 0, you can omit Items.
+	Items []*string `locationNameList:"AwsAccountNumber" type:"list"`
+
+	// The number of trusted signers for this cache behavior.
+	Quantity *int64 `type:"integer" required:"true"`
+}
+
+// String returns the string representation
+func (s TrustedSigners) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s TrustedSigners) GoString() string {
+	return s.String()
+}
+
+// The request to update an origin access identity.
+type UpdateCloudFrontOriginAccessIdentityInput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentityConfig"`
+
+	// The identity's configuration information.
+	CloudFrontOriginAccessIdentityConfig *OriginAccessIdentityConfig `locationName:"CloudFrontOriginAccessIdentityConfig" type:"structure" required:"true"`
+
+	// The identity's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received when retrieving the identity's
+	// configuration. For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+}
+
+// String returns the string representation
+func (s UpdateCloudFrontOriginAccessIdentityInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateCloudFrontOriginAccessIdentityInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type UpdateCloudFrontOriginAccessIdentityOutput struct {
+	_ struct{} `type:"structure" payload:"CloudFrontOriginAccessIdentity"`
+
+	// The origin access identity's information.
+	CloudFrontOriginAccessIdentity *OriginAccessIdentity `type:"structure"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s UpdateCloudFrontOriginAccessIdentityOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateCloudFrontOriginAccessIdentityOutput) GoString() string {
+	return s.String()
+}
+
+// The request to update a distribution.
+type UpdateDistributionInput struct {
+	_ struct{} `type:"structure" payload:"DistributionConfig"`
+
+	// The distribution's configuration information.
+	DistributionConfig *DistributionConfig `locationName:"DistributionConfig" type:"structure" required:"true"`
+
+	// The distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received when retrieving the distribution's
+	// configuration. For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+}
+
+// String returns the string representation
+func (s UpdateDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type UpdateDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"Distribution"`
+
+	// The distribution's information.
+	Distribution *Distribution `type:"structure"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+}
+
+// String returns the string representation
+func (s UpdateDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// The request to update a streaming distribution.
+type UpdateStreamingDistributionInput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistributionConfig"`
+
+	// The streaming distribution's id.
+	Id *string `location:"uri" locationName:"Id" type:"string" required:"true"`
+
+	// The value of the ETag header you received when retrieving the streaming distribution's
+	// configuration. For example: E2QWRUHAPOMQZL.
+	IfMatch *string `location:"header" locationName:"If-Match" type:"string"`
+
+	// The streaming distribution's configuration information.
+	StreamingDistributionConfig *StreamingDistributionConfig `locationName:"StreamingDistributionConfig" type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s UpdateStreamingDistributionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateStreamingDistributionInput) GoString() string {
+	return s.String()
+}
+
+// The returned result of the corresponding request.
+type UpdateStreamingDistributionOutput struct {
+	_ struct{} `type:"structure" payload:"StreamingDistribution"`
+
+	// The current version of the configuration. For example: E2QWRUHAPOMQZL.
+	ETag *string `location:"header" locationName:"ETag" type:"string"`
+
+	// The streaming distribution's information.
+	StreamingDistribution *StreamingDistribution `type:"structure"`
+}
+
+// String returns the string representation
+func (s UpdateStreamingDistributionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateStreamingDistributionOutput) GoString() string {
+	return s.String()
+}
+
+// A complex type that contains information about viewer certificates for this
+// distribution.
+type ViewerCertificate struct {
+	_ struct{} `type:"structure"`
+
+	// If you want viewers to use HTTPS to request your objects and you're using
+	// an alternate domain name in your object URLs (for example, https://example.com/logo.jpg),
+	// specify the ACM certificate ARN of the custom viewer certificate for this
+	// distribution. Specify either this value, IAMCertificateId, or CloudFrontDefaultCertificate.
+	ACMCertificateArn *string `type:"string"`
+
+	// Note: this field is deprecated. Please use one of [ACMCertificateArn, IAMCertificateId,
+	// CloudFrontDefaultCertificate].
+	Certificate *string `deprecated:"true" type:"string"`
+
+	// Note: this field is deprecated. Please use one of [ACMCertificateArn, IAMCertificateId,
+	// CloudFrontDefaultCertificate].
+	CertificateSource *string `deprecated:"true" type:"string" enum:"CertificateSource"`
+
+	// If you want viewers to use HTTPS to request your objects and you're using
+	// the CloudFront domain name of your distribution in your object URLs (for
+	// example, https://d111111abcdef8.cloudfront.net/logo.jpg), set to true. Omit
+	// this value if you are setting an ACMCertificateArn or IAMCertificateId.
+	CloudFrontDefaultCertificate *bool `type:"boolean"`
+
+	// If you want viewers to use HTTPS to request your objects and you're using
+	// an alternate domain name in your object URLs (for example, https://example.com/logo.jpg),
+	// specify the IAM certificate identifier of the custom viewer certificate for
+	// this distribution. Specify either this value, ACMCertificateArn, or CloudFrontDefaultCertificate.
+	IAMCertificateId *string `type:"string"`
+
+	// Specify the minimum version of the SSL protocol that you want CloudFront
+	// to use, SSLv3 or TLSv1, for HTTPS connections. CloudFront will serve your
+	// objects only to browsers or devices that support at least the SSL version
+	// that you specify. The TLSv1 protocol is more secure, so we recommend that
+	// you specify SSLv3 only if your users are using browsers or devices that don't
+	// support TLSv1. If you're using a custom certificate (if you specify a value
+	// for IAMCertificateId) and if you're using dedicated IP (if you specify vip
+	// for SSLSupportMethod), you can choose SSLv3 or TLSv1 as the MinimumProtocolVersion.
+	// If you're using a custom certificate (if you specify a value for IAMCertificateId)
+	// and if you're using SNI (if you specify sni-only for SSLSupportMethod), you
+	// must specify TLSv1 for MinimumProtocolVersion.
+	MinimumProtocolVersion *string `type:"string" enum:"MinimumProtocolVersion"`
+
+	// If you specify a value for IAMCertificateId, you must also specify how you
+	// want CloudFront to serve HTTPS requests. Valid values are vip and sni-only.
+	// If you specify vip, CloudFront uses dedicated IP addresses for your content
+	// and can respond to HTTPS requests from any viewer. However, you must request
+	// permission to use this feature, and you incur additional monthly charges.
+	// If you specify sni-only, CloudFront can only respond to HTTPS requests from
+	// viewers that support Server Name Indication (SNI). All modern browsers support
+	// SNI, but some browsers still in use don't support SNI. Do not specify a value
+	// for SSLSupportMethod if you specified true for CloudFrontDefaultCertificate.
+	SSLSupportMethod *string `type:"string" enum:"SSLSupportMethod"`
+}
+
+// String returns the string representation
+func (s ViewerCertificate) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ViewerCertificate) GoString() string {
+	return s.String()
+}
+
+const (
+	// @enum CertificateSource
+	CertificateSourceCloudfront = "cloudfront"
+	// @enum CertificateSource
+	CertificateSourceIam = "iam"
+	// @enum CertificateSource
+	CertificateSourceAcm = "acm"
+)
+
+const (
+	// @enum GeoRestrictionType
+	GeoRestrictionTypeBlacklist = "blacklist"
+	// @enum GeoRestrictionType
+	GeoRestrictionTypeWhitelist = "whitelist"
+	// @enum GeoRestrictionType
+	GeoRestrictionTypeNone = "none"
+)
+
+const (
+	// @enum ItemSelection
+	ItemSelectionNone = "none"
+	// @enum ItemSelection
+	ItemSelectionWhitelist = "whitelist"
+	// @enum ItemSelection
+	ItemSelectionAll = "all"
+)
+
+const (
+	// @enum Method
+	MethodGet = "GET"
+	// @enum Method
+	MethodHead = "HEAD"
+	// @enum Method
+	MethodPost = "POST"
+	// @enum Method
+	MethodPut = "PUT"
+	// @enum Method
+	MethodPatch = "PATCH"
+	// @enum Method
+	MethodOptions = "OPTIONS"
+	// @enum Method
+	MethodDelete = "DELETE"
+)
+
+const (
+	// @enum MinimumProtocolVersion
+	MinimumProtocolVersionSslv3 = "SSLv3"
+	// @enum MinimumProtocolVersion
+	MinimumProtocolVersionTlsv1 = "TLSv1"
+)
+
+const (
+	// @enum OriginProtocolPolicy
+	OriginProtocolPolicyHttpOnly = "http-only"
+	// @enum OriginProtocolPolicy
+	OriginProtocolPolicyMatchViewer = "match-viewer"
+	// @enum OriginProtocolPolicy
+	OriginProtocolPolicyHttpsOnly = "https-only"
+)
+
+const (
+	// @enum PriceClass
+	PriceClassPriceClass100 = "PriceClass_100"
+	// @enum PriceClass
+	PriceClassPriceClass200 = "PriceClass_200"
+	// @enum PriceClass
+	PriceClassPriceClassAll = "PriceClass_All"
+)
+
+const (
+	// @enum SSLSupportMethod
+	SSLSupportMethodSniOnly = "sni-only"
+	// @enum SSLSupportMethod
+	SSLSupportMethodVip = "vip"
+)
+
+const (
+	// @enum SslProtocol
+	SslProtocolSslv3 = "SSLv3"
+	// @enum SslProtocol
+	SslProtocolTlsv1 = "TLSv1"
+	// @enum SslProtocol
+	SslProtocolTlsv11 = "TLSv1.1"
+	// @enum SslProtocol
+	SslProtocolTlsv12 = "TLSv1.2"
+)
+
+const (
+	// @enum ViewerProtocolPolicy
+	ViewerProtocolPolicyAllowAll = "allow-all"
+	// @enum ViewerProtocolPolicy
+	ViewerProtocolPolicyHttpsOnly = "https-only"
+	// @enum ViewerProtocolPolicy
+	ViewerProtocolPolicyRedirectToHttps = "redirect-to-https"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudfront/service.go b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/service.go
new file mode 100644
index 000000000000..51b73c6efef8
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/service.go
@@ -0,0 +1,86 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package cloudfront
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/private/protocol/restxml"
+	"github.com/aws/aws-sdk-go/private/signer/v4"
+)
+
+// CloudFront is a client for CloudFront.
+//The service client's operations are safe to be used concurrently.
+// It is not safe to mutate any of the client's properties though.
+type CloudFront struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// A ServiceName is the name of the service the client will make API calls to.
+const ServiceName = "cloudfront"
+
+// New creates a new instance of the CloudFront client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     // Create a CloudFront client from just a session.
+//     svc := cloudfront.New(mySession)
+//
+//     // Create a CloudFront client with additional configuration
+//     svc := cloudfront.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *CloudFront {
+	c := p.ClientConfig(ServiceName, cfgs...)
+	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion string) *CloudFront {
+	svc := &CloudFront{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				SigningRegion: signingRegion,
+				Endpoint:      endpoint,
+				APIVersion:    "2016-01-28",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBack(v4.Sign)
+	svc.Handlers.Build.PushBackNamed(restxml.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(restxml.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(restxml.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(restxml.UnmarshalErrorHandler)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a CloudFront operation and runs any
+// custom request initialization.
+func (c *CloudFront) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudfront/waiters.go b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/waiters.go
new file mode 100644
index 000000000000..7a0525d1770b
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudfront/waiters.go
@@ -0,0 +1,76 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package cloudfront
+
+import (
+	"github.com/aws/aws-sdk-go/private/waiter"
+)
+
+func (c *CloudFront) WaitUntilDistributionDeployed(input *GetDistributionInput) error {
+	waiterCfg := waiter.Config{
+		Operation:   "GetDistribution",
+		Delay:       60,
+		MaxAttempts: 25,
+		Acceptors: []waiter.WaitAcceptor{
+			{
+				State:    "success",
+				Matcher:  "path",
+				Argument: "Distribution.Status",
+				Expected: "Deployed",
+			},
+		},
+	}
+
+	w := waiter.Waiter{
+		Client: c,
+		Input:  input,
+		Config: waiterCfg,
+	}
+	return w.Wait()
+}
+
+func (c *CloudFront) WaitUntilInvalidationCompleted(input *GetInvalidationInput) error {
+	waiterCfg := waiter.Config{
+		Operation:   "GetInvalidation",
+		Delay:       20,
+		MaxAttempts: 30,
+		Acceptors: []waiter.WaitAcceptor{
+			{
+				State:    "success",
+				Matcher:  "path",
+				Argument: "Invalidation.Status",
+				Expected: "Completed",
+			},
+		},
+	}
+
+	w := waiter.Waiter{
+		Client: c,
+		Input:  input,
+		Config: waiterCfg,
+	}
+	return w.Wait()
+}
+
+func (c *CloudFront) WaitUntilStreamingDistributionDeployed(input *GetStreamingDistributionInput) error {
+	waiterCfg := waiter.Config{
+		Operation:   "GetStreamingDistribution",
+		Delay:       60,
+		MaxAttempts: 25,
+		Acceptors: []waiter.WaitAcceptor{
+			{
+				State:    "success",
+				Matcher:  "path",
+				Argument: "StreamingDistribution.Status",
+				Expected: "Deployed",
+			},
+		},
+	}
+
+	w := waiter.Waiter{
+		Client: c,
+		Input:  input,
+		Config: waiterCfg,
+	}
+	return w.Wait()
+}
diff --git a/website/source/docs/providers/aws/r/cloudfront_distribution.html.markdown b/website/source/docs/providers/aws/r/cloudfront_distribution.html.markdown
new file mode 100644
index 000000000000..6c9f10a099a7
--- /dev/null
+++ b/website/source/docs/providers/aws/r/cloudfront_distribution.html.markdown
@@ -0,0 +1,197 @@
+---
+layout: "aws"
+page_title: "AWS: cloudfront_distribution"
+sidebar_current: "docs-aws-resource-cloudfront-distribution"
+description: |-
+  Provides a CloudFront web distribution resource.
+---
+
+# aws\_cloudfront\_distribution
+
+Creates an Amazon CloudFront web distribution.
+
+For information about CloudFront distributions, see the
+[Amazon CloudFront Developer Guide][1]. For specific information about creating
+CloudFront web distributions, see the [POST Distribution][2] page in the Amazon
+CloudFront API Reference.
+
+~> **NOTE:** CloudFront distributions take about 15 minutes to a deployed state
+after creation or modification. During this time, deletes to resources will be
+blocked. If you need to delete a distribution that is enabled and you do not
+want to wait, you need to use the `retain_on_delete` flag.
+
+## Example Usage
+
+The following example below creates a CloudFront distribution with an S3 origin.
+
+```
+resource "aws_cloudfront_distribution" "s3_distribution" {
+	origin {
+		domain_name = "mybucket.s3.amazonaws.com"
+		origin_id = "myS3Origin"
+		s3_origin_config {
+      origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
+    }
+	}
+	enabled = true
+	comment = "Some comment"
+	default_root_object = "index.html"
+	logging_config {
+		include_cookies = false
+		bucket = "mylogs.s3.amazonaws.com"
+		prefix = "myprefix"
+	}
+	aliases = [ "mysite.example.com", "yoursite.example.com" ]
+	default_cache_behavior {
+		allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+		cached_methods = [ "GET", "HEAD" ]
+		target_origin_id = "myS3Origin"
+		forwarded_values {
+			query_string = false
+			cookies {
+				forward = "none"
+			}
+		}
+		viewer_protocol_policy = "allow-all"
+		min_ttl = 0
+		default_ttl = 3600
+		max_ttl = 86400
+	}
+	price_class = "PriceClass_200"
+	restrictions {
+		geo_restriction {
+			restriction_type = "whitelist"
+			locations = [ "US", "CA", "GB", "DE" ]
+		}
+	}
+	viewer_certificate {
+		cloudfront_default_certificate = true
+	}
+}
+```
+
+## Argument Reference
+
+The CloudFront distribution argument layout is a complex structure composed
+of several sub-resources - these resources are laid out below.
+
+### Top-Level Arguments
+
+* `aliases` (Optional) - Extra CNAMEs (alternate domain names), if any, for this distribution.
+* `cache_behavior` (Optional) - A [cache behavior](#cache_behavior) resource for this distribution (multiples allowed).
+* `comment` (Optional) - Any comments you want to include about the distribution.
+* `custom_error_response` (Optional) - One or more [custom error response](#custom_error_response) elements (multiples allowed).
+* `default_cache_behavior` (Required) - The [default cache behavior](#default_cache_behavior) for this distribution (maximum one).
+* `default_root_object` (Optional) - The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL.
+* `enabled` (Required) - Whether the distribution is enabled to accept end user requests for content.
+* `logging_config` (Optional) - The [logging configuration](#logging_config) that controls how logs are written to your distribution (maximum one).
+* `origin` (Required) - One or more [origins](#origin) for this distribution (multiples allowed).
+* `price_class` (Optional) - The price class for this distribution.
+* `restrictions` (Required) - The [restriction configuration](#restrictions) for this distribution (maximum one).
+* `viewer_certificate` (Required) - The [SSL configuration](#viewer_certificate) for this distribution (maximum one).
+* `web_acl_id` (Optional) - If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution.
+* `retain_on_delete` (Optional) - Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. Default: `false`.
+
+#### <a name="cache_behavior"> `cache_behavior` Arguments
+
+* `allowed_methods` (Required) - Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin.
+* `cached_methods` (Required) - Controls whether CloudFront caches the response to requests using the specified HTTP methods.
+* `compress` (Optional) - Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header (default: `false`).
+* `default_ttl` (Required) - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an `Cache-Control max-age` or `Expires` header.
+* `forwarded_values` (Required) - The [forwarded values configuration](#forwarded_values) that specifies how CloudFront handles query strings, cookies and headers (maximum one).
+* `max_ttl` (Required) - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of `Cache-Control max-age`, `Cache-Control s-maxage`, and `Expires` headers.
+* `min_ttl` (Required) - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
+* `path_pattern` (Required) - The pattern (for example, `images/*.jpg)` that specifies which requests you want this cache behavior to apply to.
+* `smooth_streaming` (Optional) - Indicates whether you want to distribute media files in Microsoft Smooth Streaming format using the origin that is associated with this cache behavior.
+* `target_origin_id` (Required) - The value of ID for the origin that you want CloudFront to route requests to when a request matches the path pattern either for a cache behavior or for the default cache behavior.
+* `trusted_signers` (Optional) - The AWS accounts, if any, that you want to allow to create signed URLs for private content.
+* `viewer_protocol_policy` (Required) - Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of `allow-all`, `https-only`, or `redirect-to-https`.
+
+##### <a name="forwarded_values"> `forwarded_values` Arguments
+
+* `cookies` (Optional) - The [forwarded values cookies](#cookies) that specifies how CloudFront handles cookies (maximum one).
+* `headers` (Optional) - Specifies the Headers, if any, that you want CloudFront to vary upon for this cache behavior. Specify `*` to include all headers.
+* `query_string` (Required) - Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior.
+
+##### <a name="cookies"> `cookies` Arguments
+
+* `forward` (Required) - Specifies whether you want CloudFront to forward cookies to the origin that is associated with this cache behavior. You can specify `all`, `none` or `whitelist`.
+* `whitelisted_names` (Optional) - If you have specified `whitelist` to `forward`, the whitelisted cookies that you want CloudFront to forward to your origin.
+
+#### <a name="custom_error_response"> `custom_error_response` Arguments
+
+* `error_caching_min_ttl` (Optional) - The minimum amount of time you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
+* `error_code` (Required) - The 4xx or 5xx HTTP status code that you want to customize.
+* `response_code` (Optional) - The HTTP status code that you want CloudFront to return with the custom error page to the viewer.
+* `response_page_path` (Optional) - The path of the custom error page (for example, `/custom_404.html`).
+
+#### <a name="default_cache_behavior"> `default_cache_behavior` Arguments
+
+The arguments for `default_cache_behavior` are the same as for
+[`cache_behavior`](#cache_behavior), except for the `path_pattern` argument is
+not required.
+
+#### <a name="logging_config"> `logging_config` Arguments
+
+* `bucket` (Required) - The Amazon S3 bucket to store the access logs in, for example, `myawslogbucket.s3.amazonaws.com`.
+* `include_cookies` (Optional) - Specifies whether you want CloudFront to include cookies in access logs (default: `false`).
+* `prefix` (Optional) - An optional string that you want CloudFront to prefix to the access log filenames for this distribution, for example, `myprefix/`.
+
+#### <a name="origin"> `origin` Arguments
+
+* `custom_origin_config` - The [CloudFront custom origin](#custom_origin_config) configuration information. If an S3 origin is required, use `s3_origin_config` instead.
+* `domain_name` (Required) - The DNS domain name of either the S3 bucket, or web site of your custom origin.
+* `custom_header` (Optional) - One or more sub-resources with `name` and `value` parameters that specify header data that will be sent to the origin (multiples allowed).
+* `origin_id` (Required) - A unique identifier for the origin.
+* `origin_path` (Optional) - An optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin.
+* `s3_origin_config` - The [CloudFront S3 origin](#s3_origin_config) configuration information. If a custom origin is required, use `s3_origin_config` instead.
+
+##### <a name="custom_origin_config"> `custom_origin_config` Arguments
+
+* `http_port` (Required) - The HTTP port the custom origin listens on.
+* `https_port` (Required) - The HTTPS port the custom origin listens on.
+* `origin_protocol_policy` (Required) - The origin protocol policy to apply to your origin. One of `http-only`, `https-only`, or `match-viewer`.
+* `origin_ssl_protocols` (Required) - The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. A list of one or more of `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`.
+
+##### <a name="s3_origin_config"> `s3_origin_config` Arguments
+
+* `origin_access_identity` (Optional) - The [CloudFront origin access identity][5] to associate with the origin.
+
+#### <a name="restrictions"> `restrictions` Arguments
+
+The `restrictions` sub-resource takes another single sub-resource named
+`geo_restriction` (see the example for usage).
+
+The arguments of `geo_restriction` are:
+
+* `locations` (Optional) - The [ISO 3166-1-alpha-2 codes][4] for which you want CloudFront either to distribute your content (`whitelist`) or not distribute your content (`blacklist`).
+* `restriction_type` (Required) - The method that you want to use to restrict distribution of your content by country: `none`, `whitelist`, or `blacklist`.
+
+#### <a name="viewer_certificate"> `viewer_certificate` Arguments
+
+* `acm_certificate_arn` - The ARN of the [AWS Certificate Manager][6] certificate that you wish to use with this distribution. Specify this, `cloudfront_default_certificate`, or `iam_certificate_id`.
+* `cloudfront_default_certificate` - `true` if you want viewers to use HTTPS to request your objects and you're using the CloudFront domain name for your distribution. Specify this, `acm_certificate_arn`, or `iam_certificate_id`.
+* `iam_certificate_id` - The IAM certificate identifier of the custom viewer certificate for this distribution if you are using a custom domain. Specify this, `acm_certificate_arn`, or `cloudfront_default_certificate`.
+* `minimum_protocol_version` - The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. One of `SSLv3` or `TLSv1`. Default: `SSLv3`. **NOTE**: If you are using a custom certificate (specified with `acm_certificate_arn` or `iam_certificate_id`), and have specified `sni-only` in `ssl_support_method`, `TLSv1` must be specified.
+* `ssl_support_method`: Specifies how you want CloudFront to serve HTTPS requests. One of `vip` or `sni-only`. Required if you specify `acm_certificate_arn` or `iam_certificate_id`. **NOTE:** `vip` causes CloudFront to use a dedicated IP address and may incur extra charges.
+
+## Attribute Reference
+
+The following attributes are exported:
+
+* `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
+* `caller_reference` - Internal value used by CloudFront to allow future updates to the distribution configuration.
+* `status` - The current status of the distribution. `Deployed` if the distribution's information is fully propagated throughout the Amazon CloudFront system.
+* `active_trusted_signers` - The key pair IDs that CloudFront is aware of for each trusted signer, if the distribution is set up to serve private content with signed URLs.
+* `domain_name` - The domain name corresponding to the distribution. For example: `d604721fxaaqy9.cloudfront.net`.
+* `last_modified_time` - The date and time the distribution was last modified.
+* `in_progress_validation_batches` - The number of invalidation batches currently in progress.
+* `etag` - The current version of the distribution's information. For example: `E2QWRUHAPOMQZL`.
+
+
+[1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
+[2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/CreateDistribution.html
+[3]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
+[4]: http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
+[5]: /docs/providers/aws/r/cloudfront_origin_access_identity.html
+[6]: https://aws.amazon.com/certificate-manager/
diff --git a/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown b/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
new file mode 100644
index 000000000000..0587aa533245
--- /dev/null
+++ b/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
@@ -0,0 +1,58 @@
+---
+layout: "aws"
+page_title: "AWS: cloudfront_origin_access_identity"
+sidebar_current: "docs-aws-resource-cloudfront-origin-access-identity"
+description: |-
+  Provides a CloudFront origin access identity.
+---
+
+# aws\_cloudfront\_origin\_access\_identity
+
+Creates an Amazon CloudFront origin access identity.
+
+For information about CloudFront distributions, see the
+[Amazon CloudFront Developer Guide][1]. For more information on generating
+origin access identities, see
+[Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content][2].
+
+## Example Usage
+
+The following example below creates a CloudFront origin access identity.
+
+```
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+	comment = "Some comment"
+}
+```
+
+## Argument Reference
+
+* `comment` (Optional) - An optional comment for the origin access identity.
+
+## Attribute Reference
+
+The following attributes are exported:
+
+* `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
+* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
+* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
+* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
+* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
+
+## Using With CloudFront
+
+Normally, when referencing an origin access identity in CloudFront, you need to
+prefix the ID with the `origin-access-identity/cloudfront/` special path.
+The `cloudfront_access_identity_path` allows this to be circumvented.
+The below snippet demonstrates use with the `s3_origin_config` structure for the
+[`aws_cloudfront_web_distribution`][3] resource:
+
+```
+s3_origin_config {
+  origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
+}
+```
+
+[1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
+[2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
+[3]: /docs/providers/aws/r/cloudfront_distribution.html
diff --git a/website/source/layouts/aws.erb b/website/source/layouts/aws.erb
index aba5778c92f1..aac78dcdc3ce 100644
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@@ -52,6 +52,18 @@
                     </ul>
                 </li>
 
+                <li<%= sidebar_current(/^docs-aws-resource-cloudfront/) %>>
+                    <a href="#">CloudFront Resources</a>
+                    <ul class="nav nav-visible">
+                        <li<%= sidebar_current("docs-aws-resource-cloudfront-distribution") %>>
+                            <a href="/docs/providers/aws/r/cloudfront_distribution.html">aws_cloudfront_distribution</a>
+                        </li>
+                        <li<%= sidebar_current("docs-aws-resource-cloudfront-origin-access-identity") %>>
+                            <a href="/docs/providers/aws/r/cloudfront_origin_access_identity.html">aws_cloudfront_origin_access_identity</a>
+                        </li>
+                    </ul>
+                </li>
+
                 <li<%= sidebar_current(/^docs-aws-resource-cloudtrail/) %>>
                     <a href="#">CloudTrail Resources</a>
                     <ul class="nav nav-visible">