Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for origin-access-control to replace origin-access-identity #244

Closed
brilong opened this issue Sep 26, 2022 · 3 comments · Fixed by #319
Closed

Add support for origin-access-control to replace origin-access-identity #244

brilong opened this issue Sep 26, 2022 · 3 comments · Fixed by #319

Comments

@brilong
Copy link

brilong commented Sep 26, 2022

Have a question? Please checkout our Slack Community or visit our Slack Archive.

Slack Community

Describe the Feature

Add the capability of enabling origin access control as described in https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/, https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cloudfront-origin-access-control/, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html and https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control.

Expected Behavior

Origin access control is used between Cloudfront and the S3 origin instead of origin access identity. This

Use Case

Allows the use of SSE aws:kms and customer-managed KMS keys that can be shared across accounts that, in turn, allows for cross-account deployments with KMS-encrypted S3 buckets.

Describe Ideal Solution

The S3 bucket that is configured as S3 origin has the proper policy assigned to allow Cloudfront to access it via OAC instead of OAI.

Alternatives Considered

None.

Additional Context

Once I used your module to create a Cloudfront distribution with OAI, I then followed the instructions in the Cloudfront developer guide to update the distribution with the OAC I created using Terraform cloudfront_origin_access_control.
cloudfront get-distribution-config --id dist-id --output yaml > dist-config.yaml
Edit as specified in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html section labeled To attach an OAC to an S3 bucket origin in an existing distribution (CLI with input file)
cloudfront update-distribution --id dist-id --cli-input-yaml file://dist-config.yaml
@joshuabalduff
Copy link

Are they going to deprecate origin-access-identity any time soon?

@sherifkayad
Copy link

I can happily work on that one if required. Let me know .. we do need that at the moment.

@PeterBurner
Copy link

AWS Security Hub also flags this: https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-13

@rankin-tr rankin-tr mentioned this issue Aug 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for origin-access-control rankin-tr/terraform-aws-cloudfront-s3-cdn
4 participants
@brilong @sherifkayad @joshuabalduff @PeterBurner