From b31cf7d2bc55079699086091301298882635f66b Mon Sep 17 00:00:00 2001
From: jjchiw
Date: Fri, 1 Nov 2024 19:02:25 +0100
Subject: [PATCH 1/2] Adding origin_access_control_id to custom_origins fix specification fix specification 2
---
 docs/terraform.md | 2 +-
 examples/complete/custom-origins.tf | 9 +++++----
 main.tf | 7 ++++---
 variables.tf | 7 ++++---
 4 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/docs/terraform.md b/docs/terraform.md
index 4e9c4cbe..b699fe52 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -88,7 +88,7 @@
 | [cors\_max\_age\_seconds](#input\_cors\_max\_age\_seconds) | Time in seconds that browser can cache the response for S3 bucket | `number` | `3600` | no |
 | [custom\_error\_response](#input\_custom\_error\_response) | List of one or more custom error response element maps |
list(object({
error_caching_min_ttl = string
error_code = string
response_code = string
response_page_path = string
}))
| `[]` | no | | [custom\_origin\_headers](#input\_custom\_origin\_headers) | A list of origin header parameters that will be sent to origin | `list(object({ name = string, value = string }))` | `[]` | no | -| [custom\_origins](#input\_custom\_origins) | A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution. |
list(object({
domain_name = string
origin_id = string
origin_path = string
custom_headers = list(object({
name = string
value = string
}))
custom_origin_config = object({
http_port = number
https_port = number
origin_protocol_policy = string
origin_ssl_protocols = list(string)
origin_keepalive_timeout = number
origin_read_timeout = number
})
}))
| `[]` | no | +| [custom\_origins](#input\_custom\_origins) | A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution. |
list(object({
domain_name = string
origin_id = string
origin_path = string
origin_access_control_id = string
custom_headers = list(object({
name = string
value = string
}))
custom_origin_config = object({
http_port = number
https_port = number
origin_protocol_policy = string
origin_ssl_protocols = list(string)
origin_keepalive_timeout = number
origin_read_timeout = number
})
}))
| `[]` | no | | [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no | | [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
diff --git a/examples/complete/custom-origins.tf b/examples/complete/custom-origins.tf
index 2bbeb5d5..2a961dd5 100644
--- a/examples/complete/custom-origins.tf
+++ b/examples/complete/custom-origins.tf
@@ -1,10 +1,11 @@
 locals {
 additional_custom_origins_enabled = local.enabled && var.additional_custom_origins_enabled
 default_custom_origin_configuration = {
- domain_name = null
- origin_id = null
- origin_path = null
- custom_headers = []
+ domain_name = null
+ origin_id = null
+ origin_path = null
+ origin_access_control_id = null
+ custom_headers = []
 custom_origin_config = {
 http_port = 80
 https_port = 443
diff --git a/main.tf b/main.tf
index 6a7cee4a..12d80708 100644
--- a/main.tf
+++ b/main.tf
@@ -551,9 +551,10 @@ resource "aws_cloudfront_distribution" "default" {
 dynamic "origin" {
 for_each = var.custom_origins
 content {
- domain_name = origin.value.domain_name
- origin_id = origin.value.origin_id
- origin_path = lookup(origin.value, "origin_path", "")
+ domain_name = origin.value.domain_name
+ origin_id = origin.value.origin_id
+ origin_path = lookup(origin.value, "origin_path", "")
+ origin_access_control_id = lookup(origin.value, "origin_access_control_id", null)
 dynamic "custom_header" {
 for_each = lookup(origin.value, "custom_headers", [])
 content {
diff --git a/variables.tf b/variables.tf
index 0e5bf1a5..13a75770 100644
--- a/variables.tf
+++ b/variables.tf
@@ -446,9 +446,10 @@ variable "ordered_cache" {
 variable "custom_origins" {
 type = list(object({
- domain_name = string
- origin_id = string
- origin_path = string
+ domain_name = string
+ origin_id = string
+ origin_path = string
+ origin_access_control_id = string
 custom_headers = list(object({
 name = string
 value = string
From ea81dad1c935b5017bec755465d0b17cb6afa4e3 Mon Sep 17 00:00:00 2001
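Review bot: In main.tf's `dynamic "origin"` block for `var.custom_origins`, the new `origin_access_control_id` argument only attaches an Origin Access Control to the origin. Nothing visible in this change makes the origin itself refuse direct or unsigned requests. As far as I know an OAC controls whether CloudFront signs its origin requests, so the path is only restricted when the origin's own auth mode and resource policy require that signature and limit access to this distribution. I would state that next to the argument, e.g. `# OAC only signs CloudFront's requests; the origin's own policy must require the signature and restrict access to this distribution`, and repeat it in the `custom_origins` description added to variables.tf in PATCH 2/2, which currently reads as if the field alone secures the connection. The `origin` block and the enclosing resource continue outside the hunk.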
From: jjchiw
Date: Fri, 1 Nov 2024 19:32:04 +0100
Subject: [PATCH 2/2] Setting origin_access_control_id to empty string instead of null coderabbitai suggestions
---
 examples/complete/custom-origins.tf | 8 +++++---
 variables.tf | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/examples/complete/custom-origins.tf b/examples/complete/custom-origins.tf
index 2a961dd5..f4bfe032 100644
--- a/examples/complete/custom-origins.tf
+++ b/examples/complete/custom-origins.tf
@@ -1,9 +1,11 @@
 locals {
 additional_custom_origins_enabled = local.enabled && var.additional_custom_origins_enabled
 default_custom_origin_configuration = {
- domain_name = null
- origin_id = null
- origin_path = null
+ domain_name = null
+ origin_id = null
+ origin_path = null
+ # Example configuration with Origin Access Control for Lambda@Edge:
+ # origin_access_control_id = aws_cloudfront_origin_access_control.example.id
 origin_access_control_id = null
 custom_headers = []
 custom_origin_config = {
diff --git a/variables.tf b/variables.tf
index 13a75770..f0380952 100644
--- a/variables.tf
+++ b/variables.tf
@@ -449,7 +449,7 @@ variable "custom_origins" {
 domain_name = string
 origin_id = string
 origin_path = string
- origin_access_control_id = string
+ origin_access_control_id = optional(string)
 custom_headers = list(object({
 name = string
 value = string
@@ -466,6 +466,8 @@ variable "custom_origins" {
 default = []
 description = <<-EOT
 A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution.
+ The `origin_access_control_id` field specifies the Origin Access Control configuration to use for this origin.
+ This is used to configure secure access between CloudFront and the origin.
 EOT
 }
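Review bot: The comment added in examples/complete/custom-origins.tf describes the setting as Origin Access Control "for Lambda@Edge", which is misleading. Lambda@Edge functions are attached to cache behaviors and are not origins. An OAC applies to an origin, for example an S3 bucket or a Lambda function URL. For a custom origin the intent is presumably a function URL, so I would reword the line to `# Example: Origin Access Control for a Lambda function URL origin:`. The commented example also refers to `aws_cloudfront_origin_access_control.example`, which is not declared anywhere in the visible hunk, so anyone copying it must add that resource with an origin type matching the origin.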
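Review bot: `origin_access_control_id = optional(string)` in the first variables.tf hunk relies on optional object attributes, which to my knowledge need Terraform 1.3 or later. The module's `required_version` is not visible in this patch, so confirm it is at least that; otherwise older Terraform versions will reject the type constraint. With the attribute optional and defaulting to null, the `lookup(origin.value, "origin_access_control_id", null)` added to main.tf in PATCH 1/2 can be written as `origin.value.origin_access_control_id`. The commit subject says the value is set to an empty string, while both hunks still use `null`, so the subject should be corrected to match.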