Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for origin-access-control to replace origin-access-identity #244

Open
brilong opened this issue Sep 26, 2022 · 2 comments
Open

Add support for origin-access-control to replace origin-access-identity #244

brilong opened this issue Sep 26, 2022 · 2 comments

Comments

@brilong
Copy link

brilong commented Sep 26, 2022

Have a question? Please checkout our Slack Community or visit our Slack Archive.

Slack Community

Describe the Feature

Add the capability of enabling origin access control as described in https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/, https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cloudfront-origin-access-control/, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html and https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control.

Expected Behavior

Origin access control is used between Cloudfront and the S3 origin instead of origin access identity. This

Use Case

Allows the use of SSE aws:kms and customer-managed KMS keys that can be shared across accounts that, in turn, allows for cross-account deployments with KMS-encrypted S3 buckets.

Describe Ideal Solution

The S3 bucket that is configured as S3 origin has the proper policy assigned to allow Cloudfront to access it via OAC instead of OAI.

Alternatives Considered

None.

Additional Context

Once I used your module to create a Cloudfront distribution with OAI, I then followed the instructions in the Cloudfront developer guide to update the distribution with the OAC I created using Terraform cloudfront_origin_access_control.
cloudfront get-distribution-config --id dist-id --output yaml > dist-config.yaml
Edit as specified in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html section labeled To attach an OAC to an S3 bucket origin in an existing distribution (CLI with input file)
cloudfront update-distribution --id dist-id --cli-input-yaml file://dist-config.yaml
@joshuabalduff
Copy link
Sponsor

Are they going to deprecate origin-access-identity any time soon?

@sherifkayad
Copy link

I can happily work on that one if required. Let me know .. we do need that at the moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@brilong @sherifkayad @joshuabalduff