AWS Cloudfront

[djgrant]

WIP.

Some challenges:

• A distribution has to be disabled before it is deleted
• It takes 4 minutes to deploy a change to a distribution
• Cloudfront itself has its own mechanism using etags to prevent concurrent writes

This opens up some interesting requirements for the provisioner:

• How should resources be structured to enable multi-stage operations?
• How should the provisioner manage long waits, and how should they be surfaced to the user?
• What should happen if the etag managed in state is out of date – presumably IaC is always source of truth?