feat: Added Origin Access Control (OAC) (#97)

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

Author: glavk

README.md

@@ -105,6 +105,7 @@ No modules.
 |------|------|
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource |
+| [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
 
 ## Inputs
@@ -115,6 +116,7 @@ No modules.
 | <a name="input_comment"></a> [comment](#input\_comment) | Any comments you want to include about the distribution. | `string` | `null` | no |
 | <a name="input_create_distribution"></a> [create\_distribution](#input\_create\_distribution) | Controls if CloudFront distribution should be created | `bool` | `true` | no |
 | <a name="input_create_monitoring_subscription"></a> [create\_monitoring\_subscription](#input\_create\_monitoring\_subscription) | If enabled, the resource for monitoring subscription will created. | `bool` | `false` | no |
+| <a name="input_create_origin_access_control"></a> [create\_origin\_access\_control](#input\_create\_origin\_access\_control) | Controls if CloudFront origin access control should be created | `bool` | `false` | no |
 | <a name="input_create_origin_access_identity"></a> [create\_origin\_access\_identity](#input\_create\_origin\_access\_identity) | Controls if CloudFront origin access identity should be created | `bool` | `false` | no |
 | <a name="input_custom_error_response"></a> [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | `any` | `{}` | no |
 | <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | `any` | `null` | no |
@@ -126,6 +128,7 @@ No modules.
 | <a name="input_logging_config"></a> [logging\_config](#input\_logging\_config) | The logging configuration that controls how logs are written to your distribution (maximum one). | `any` | `{}` | no |
 | <a name="input_ordered_cache_behavior"></a> [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | `any` | `[]` | no |
 | <a name="input_origin"></a> [origin](#input\_origin) | One or more origins for this distribution (multiples allowed). | `any` | `null` | no |
+| <a name="input_origin_access_control"></a> [origin\_access\_control](#input\_origin\_access\_control) | Map of CloudFront origin access control | <pre>map(object({<br>    description      = string<br>    origin_type      = string<br>    signing_behavior = string<br>    signing_protocol = string<br>  }))</pre> | <pre>{<br>  "s3": {<br>    "description": "",<br>    "origin_type": "s3",<br>    "signing_behavior": "always",<br>    "signing_protocol": "sigv4"<br>  }<br>}</pre> | no |
 | <a name="input_origin_access_identities"></a> [origin\_access\_identities](#input\_origin\_access\_identities) | Map of CloudFront origin access identities (value as a comment) | `map(string)` | `{}` | no |
 | <a name="input_origin_group"></a> [origin\_group](#input\_origin\_group) | One or more origin\_group for this distribution (multiples allowed). | `any` | `{}` | no |
 | <a name="input_price_class"></a> [price\_class](#input\_price\_class) | The price class for this distribution. One of PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `null` | no |
@@ -152,6 +155,8 @@ No modules.
 | <a name="output_cloudfront_distribution_tags"></a> [cloudfront\_distribution\_tags](#output\_cloudfront\_distribution\_tags) | Tags of the distribution's |
 | <a name="output_cloudfront_distribution_trusted_signers"></a> [cloudfront\_distribution\_trusted\_signers](#output\_cloudfront\_distribution\_trusted\_signers) | List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs |
 | <a name="output_cloudfront_monitoring_subscription_id"></a> [cloudfront\_monitoring\_subscription\_id](#output\_cloudfront\_monitoring\_subscription\_id) | The ID of the CloudFront monitoring subscription, which corresponds to the `distribution_id`. |
+| <a name="output_cloudfront_origin_access_controls"></a> [cloudfront\_origin\_access\_controls](#output\_cloudfront\_origin\_access\_controls) | The origin access controls created |
+| <a name="output_cloudfront_origin_access_controls_ids"></a> [cloudfront\_origin\_access\_controls\_ids](#output\_cloudfront\_origin\_access\_controls\_ids) | The IDS of the origin access identities created |
 | <a name="output_cloudfront_origin_access_identities"></a> [cloudfront\_origin\_access\_identities](#output\_cloudfront\_origin\_access\_identities) | The origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_iam_arns"></a> [cloudfront\_origin\_access\_identity\_iam\_arns](#output\_cloudfront\_origin\_access\_identity\_iam\_arns) | The IAM arns of the origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_ids"></a> [cloudfront\_origin\_access\_identity\_ids](#output\_cloudfront\_origin\_access\_identity\_ids) | The IDS of the origin access identities created |

examples/complete/README.md

@@ -61,6 +61,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
+| [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 

examples/complete/main.tf

@@ -2,7 +2,6 @@ provider "aws" {
   region = "us-east-1" # CloudFront expects ACM resources in us-east-1 region only
 
   # Make it faster by skipping something
-  skip_get_ec2_platforms      = true
   skip_metadata_api_check     = true
   skip_region_validation      = true
   skip_credentials_validation = true
@@ -37,6 +36,16 @@ module "cloudfront" {
     s3_bucket_one = "My awesome CloudFront can access"
   }
 
+  create_origin_access_control = true
+  origin_access_control = {
+    s3_oac = {
+      description      = "CloudFront access to S3"
+      origin_type      = "s3"
+      signing_behavior = "always"
+      signing_protocol = "sigv4"
+    }
+  }
+
   logging_config = {
     bucket = module.log_bucket.s3_bucket_bucket_domain_name
     prefix = "cloudfront"
@@ -69,13 +78,19 @@ module "cloudfront" {
       }
     }
 
-    s3_one = {
+    s3_one = { # with origin access identity (legacy)
       domain_name = module.s3_one.s3_bucket_bucket_regional_domain_name
       s3_origin_config = {
         origin_access_identity = "s3_bucket_one" # key in `origin_access_identities`
         # cloudfront_access_identity_path = "origin-access-identity/cloudfront/E5IGQAA1QO48Z" # external OAI resource
       }
     }
+
+    s3_oac = { # with origin access control settings (recommended)
+      domain_name           = module.s3_one.s3_bucket_bucket_regional_domain_name
+      origin_access_control = "s3_oac" # key in `origin_access_control`
+      #      origin_access_control_id = "E345SXM82MIOSU" # external OAС resource
+    }
   }
 
   origin_group = {
@@ -142,9 +157,11 @@ module "cloudfront" {
 
   custom_error_response = [{
     error_code         = 404
+    response_code      = 404
     response_page_path = "/errors/404.html"
     }, {
     error_code         = 403
+    response_code      = 403
     response_page_path = "/errors/403.html"
   }]
 

main.tf

@@ -1,5 +1,6 @@
 locals {
   create_origin_access_identity = var.create_origin_access_identity && length(keys(var.origin_access_identities)) > 0
+  create_origin_access_control  = var.create_origin_access_control && length(keys(var.origin_access_control)) > 0
 }
 
 resource "aws_cloudfront_origin_access_identity" "this" {
@@ -12,6 +13,17 @@ resource "aws_cloudfront_origin_access_identity" "this" {
   }
 }
 
+resource "aws_cloudfront_origin_access_control" "this" {
+  for_each = local.create_origin_access_control ? var.origin_access_control : {}
+
+  name = each.key
+
+  description                       = each.value["description"]
+  origin_access_control_origin_type = each.value["origin_type"]
+  signing_behavior                  = each.value["signing_behavior"]
+  signing_protocol                  = each.value["signing_protocol"]
+}
+
 resource "aws_cloudfront_distribution" "this" {
   count = var.create_distribution ? 1 : 0
 
@@ -46,7 +58,7 @@ resource "aws_cloudfront_distribution" "this" {
       origin_path              = lookup(origin.value, "origin_path", "")
       connection_attempts      = lookup(origin.value, "connection_attempts", null)
       connection_timeout       = lookup(origin.value, "connection_timeout", null)
-      origin_access_control_id = lookup(origin.value, "origin_access_control_id", null)
+      origin_access_control_id = lookup(origin.value, "origin_access_control_id", lookup(lookup(aws_cloudfront_origin_access_control.this, lookup(origin.value, "origin_access_control", ""), {}), "id", null))
 
       dynamic "s3_origin_config" {
         for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})]

outputs.tf

@@ -72,3 +72,13 @@ output "cloudfront_distribution_tags" {
   description = "Tags of the distribution's"
   value       = try(aws_cloudfront_distribution.this[0].tags_all, "")
 }
+
+output "cloudfront_origin_access_controls" {
+  description = "The origin access controls created"
+  value       = local.create_origin_access_control ? { for k, v in aws_cloudfront_origin_access_control.this : k => v } : {}
+}
+
+output "cloudfront_origin_access_controls_ids" {
+  description = "The IDS of the origin access identities created"
+  value       = local.create_origin_access_control ? [for v in aws_cloudfront_origin_access_control.this : v.id] : []
+}

variables.tf

@@ -16,6 +16,31 @@ variable "origin_access_identities" {
   default     = {}
 }
 
+variable "create_origin_access_control" {
+  description = "Controls if CloudFront origin access control should be created"
+  type        = bool
+  default     = false
+}
+
+variable "origin_access_control" {
+  description = "Map of CloudFront origin access control"
+  type = map(object({
+    description      = string
+    origin_type      = string
+    signing_behavior = string
+    signing_protocol = string
+  }))
+
+  default = {
+    s3 = {
+      description      = "",
+      origin_type      = "s3",
+      signing_behavior = "always",
+      signing_protocol = "sigv4"
+    }
+  }
+}
+
 variable "aliases" {
   description = "Extra CNAMEs (alternate domain names), if any, for this distribution."
   type        = list(string)

wrappers/main.tf

@@ -6,19 +6,28 @@ module "wrapper" {
   create_distribution           = try(each.value.create_distribution, var.defaults.create_distribution, true)
   create_origin_access_identity = try(each.value.create_origin_access_identity, var.defaults.create_origin_access_identity, false)
   origin_access_identities      = try(each.value.origin_access_identities, var.defaults.origin_access_identities, {})
-  aliases                       = try(each.value.aliases, var.defaults.aliases, null)
-  comment                       = try(each.value.comment, var.defaults.comment, null)
-  default_root_object           = try(each.value.default_root_object, var.defaults.default_root_object, null)
-  enabled                       = try(each.value.enabled, var.defaults.enabled, true)
-  http_version                  = try(each.value.http_version, var.defaults.http_version, "http2")
-  is_ipv6_enabled               = try(each.value.is_ipv6_enabled, var.defaults.is_ipv6_enabled, null)
-  price_class                   = try(each.value.price_class, var.defaults.price_class, null)
-  retain_on_delete              = try(each.value.retain_on_delete, var.defaults.retain_on_delete, false)
-  wait_for_deployment           = try(each.value.wait_for_deployment, var.defaults.wait_for_deployment, true)
-  web_acl_id                    = try(each.value.web_acl_id, var.defaults.web_acl_id, null)
-  tags                          = try(each.value.tags, var.defaults.tags, null)
-  origin                        = try(each.value.origin, var.defaults.origin, null)
-  origin_group                  = try(each.value.origin_group, var.defaults.origin_group, {})
+  create_origin_access_control  = try(each.value.create_origin_access_control, var.defaults.create_origin_access_control, false)
+  origin_access_control = try(each.value.origin_access_control, var.defaults.origin_access_control, {
+    s3 = {
+      description      = "",
+      origin_type      = "s3",
+      signing_behavior = "always",
+      signing_protocol = "sigv4"
+    }
+  })
+  aliases             = try(each.value.aliases, var.defaults.aliases, null)
+  comment             = try(each.value.comment, var.defaults.comment, null)
+  default_root_object = try(each.value.default_root_object, var.defaults.default_root_object, null)
+  enabled             = try(each.value.enabled, var.defaults.enabled, true)
+  http_version        = try(each.value.http_version, var.defaults.http_version, "http2")
+  is_ipv6_enabled     = try(each.value.is_ipv6_enabled, var.defaults.is_ipv6_enabled, null)
+  price_class         = try(each.value.price_class, var.defaults.price_class, null)
+  retain_on_delete    = try(each.value.retain_on_delete, var.defaults.retain_on_delete, false)
+  wait_for_deployment = try(each.value.wait_for_deployment, var.defaults.wait_for_deployment, true)
+  web_acl_id          = try(each.value.web_acl_id, var.defaults.web_acl_id, null)
+  tags                = try(each.value.tags, var.defaults.tags, null)
+  origin              = try(each.value.origin, var.defaults.origin, null)
+  origin_group        = try(each.value.origin_group, var.defaults.origin_group, {})
   viewer_certificate = try(each.value.viewer_certificate, var.defaults.viewer_certificate, {
     cloudfront_default_certificate = true
     minimum_protocol_version       = "TLSv1"