Adding origin_access_control_id to custom_origins

[jjchiw]

Adding Origin Access Control Id to Custom Origins

what

Custom Origins didn't have Origin Access Control

Implements this infrastructure

https://aws.amazon.com/blogs/networking-and-content-delivery/image-optimization-using-amazon-cloudfront-and-aws-lambda/

why

Custom Origins didn't have Origin Access Control if we wanted to invoke a lambda we were not able to do it

references

Summary by CodeRabbit

• New Features

  • Enhanced configuration options for custom origins in CloudFront with the addition of origin_access_control_id.
  • Updated variable definitions for custom_origins and s3_origins to include access control ID.

• Bug Fixes

  • Deprecated certain variables to streamline configuration and encourage best practices.

• Documentation

  • Updated documentation to reflect changes in variable structures and configurations.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The changes in this pull request primarily enhance the configuration options for custom origins in Terraform, particularly for AWS CloudFront distributions. A new field, origin_access_control_id, has been added to the custom_origins and s3_origins variable definitions, allowing for more detailed access control settings. Additionally, several variables have been marked as deprecated, prompting users to transition to alternative configurations. The modifications span multiple files, including documentation, example configurations, and main resource definitions, while maintaining the overall logic and structure of the Terraform scripts.

Changes

File Path	Change Summary
docs/terraform.md	Updated custom_origins variable to include origin_access_control_id. Marked access_log_bucket_name, log_include_cookies, and log_prefix as deprecated.
examples/complete/custom-origins.tf	Added origin_access_control_id to default_custom_origin_configuration. Updated locals to reference the new field.
main.tf	Updated multiple resources including CloudFront and S3 configurations to incorporate origin_access_control_id and refined logic for resource creation.
variables.tf	Modified custom_origins and s3_origins variable definitions to include origin_access_control_id. Added comments for clarity.

Poem

In the fields where origins play,
A new ID joins the fray! 🐇
With access controls now in sight,
Configurations feel just right.
Deprecated paths, we wave goodbye,
For clearer skies, let’s hop and fly! 🌈

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range comments (1)

examples/complete/custom-origins.tf (1)

Line range hint 20-34: Consider demonstrating Origin Access Control usage in the example.

While the configuration structure supports Origin Access Control, this example could better demonstrate its practical application with Lambda@Edge. Consider adding a complete example showing:

1. Creation of Origin Access Control resource
2. Assignment to custom origins
3. Required IAM permissions

Here's a suggested addition to demonstrate the setup:

resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "example"
  description                       = "Example Origin Access Control for Lambda@Edge"
  origin_access_control_config {
    name                            = "example"
    origin_access_control_origin_type = "custom"
    signing_behavior                = "always"
    signing_protocol               = "sigv4"
  }
}

# Then in your origin configuration:
local.additional_custom_origin_primary = local.additional_custom_origins_enabled ? merge(
  local.default_custom_origin_configuration, {
    domain_name = module.additional_custom_origin.bucket_website_endpoint
    origin_id   = module.additional_custom_origin.bucket_id
    origin_access_control_id = aws_cloudfront_origin_access_control.example.id
  }
) : null

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 7a49fac and b31cf7d.

📒 Files selected for processing (4)

• docs/terraform.md (1 hunks)
• examples/complete/custom-origins.tf (1 hunks)
• main.tf (1 hunks)
• variables.tf (1 hunks)

🔇 Additional comments (4)

examples/complete/custom-origins.tf (1)

Line range hint 89-102: Verify security configuration with Origin Access Control.

The current configuration disables all public access blocks on the S3 buckets. With Origin Access Control in place, you might want to:

1. Review if public access is still needed
2. Update bucket policies to work with Origin Access Control
3. Consider enabling public access blocks if direct bucket access isn't required

Let's verify the current security settings in the module:

Also applies to: 126-139

✅ Verification successful

Let me gather more information about the Origin Access Control configuration and related security settings.

---

Based on the gathered information, I can now provide the final response:

Public access blocks should remain disabled for this custom origin bucket

The current configuration with disabled public access blocks is correct because:

1. This is a custom origin bucket configured as a website endpoint (as indicated by the comments in the code)
2. The bucket has proper security controls in place:
   • BucketOwnerEnforced ownership control is set
   • The module supports Origin Access Control (OAC) as evidenced by origin_access_type = "origin_access_control" in the configuration
   • Appropriate IAM policies are implemented through aws_iam_policy_document.s3_origin_access_control

The security configuration aligns with AWS best practices for S3 buckets used as website endpoints with CloudFront distributions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any existing bucket policies or security configurations
rg -A 5 "aws_s3_bucket_policy|block_public_acls.*true|restrict_public_buckets.*true" 

# Check for any existing Origin Access Control configurations
ast-grep --pattern 'resource "aws_cloudfront_origin_access_control"'

Length of output: 3065

---

Script:

#!/bin/bash
# Check for Origin Access Control configurations and usage
rg -A 10 "origin_access_control|aws_cloudfront_origin_access_control" 

# Check for S3 bucket configurations in the custom origins file
rg -A 10 "aws_s3_bucket" examples/complete/custom-origins.tf

# Check for any IAM policies that might be related
rg -A 5 "aws_iam_policy_document" 

Length of output: 57905

docs/terraform.md (2)

Line range hint 1-999: Documentation is complete and well-structured.

The Terraform module documentation:

• Properly documents all variables, outputs, and dependencies
• Follows standard Terraform documentation practices
• Clearly describes the new Origin Access Control feature

---

91-91: LGTM: The custom_origins variable documentation is correctly updated.

The addition of origin_access_control_id to the custom_origins variable type definition aligns with AWS CloudFront requirements and the PR objectives.

Let's verify the implementation matches the documentation:

✅ Verification successful

The variable definition in the implementation matches the documentation perfectly

The verification confirms that the custom_origins variable definition in variables.tf exactly matches the documentation in docs/terraform.md, including:

• All fields and their types are identical
• The origin_access_control_id field is present as a string type
• The default value is set to []
• The nested object structures for custom_headers and custom_origin_config match

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the variable definition in the Terraform code matches the documentation
# Test: Search for the custom_origins variable definition
rg -A 20 'variable "custom_origins"'

Length of output: 936

main.tf (1)

554-556: Proper inclusion of origin_access_control_id in custom origins

The addition of origin_access_control_id to the origin block allows for specifying access control settings for individual custom origins. This enhances the flexibility of the module by enabling fine-grained access control configurations for each custom origin in the CloudFront distribution.

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between b31cf7d and ea81dad.

📒 Files selected for processing (2)

• examples/complete/custom-origins.tf (1 hunks)
• variables.tf (2 hunks)

[gberenice]

/terratest

[gberenice]

LGTM, thanks @jjchiw!

[github-actions]

These changes were released in v0.96.0.