Batch update all CloudFront distributions using a specified certificate ID to a new one

cloudfront-batch-certificates.sh

old_certificate="A..."
new_certificate="A..."

distributions=($(aws cloudfront list-distributions | jq --arg certificate $old_certificate -r '.DistributionList.Items[] | select(.ViewerCertificate.IAMCertificateId == $certificate) | .Id'))

echo "Distributions"
echo "============="
printf "%s\n" "${distributions[@]}"

echo "\n"
echo "Results"
echo "======="

for i in "${distributions[@]}"
do
  previous=$(aws cloudfront get-distribution-config --id $i)
  update=$(echo "$previous" | sed "s/$old_certificate/$new_certificate/" | jq '.DistributionConfig')
  result=$(aws cloudfront update-distribution --id $i --distribution-config "$update" --if-match $(echo "$previous" | jq -r '.ETag'))
  echo "$(echo $result | jq -r '.Distribution.Id + ": " + .Distribution.Status')"
done