Merge pull request #5 from cullancarey/cforigin

updating cf origin config to use new origin access control
cullancarey · Nov 4, 2022 · 5e4f130 · 5e4f130
2 parents 138692b + e44f591
commit 5e4f130
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 39 deletions.
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -1,24 +1,22 @@
-resource "aws_cloudfront_origin_access_identity" "website_OAI" {
-  comment = "The OAI used to access our website buckets."
+resource "aws_cloudfront_origin_access_control" "website_origin_access_control" {
+  name                              = "${var.root_domain_name} Access Control Policy"
+  description                       = "Cloudfront access control policy for the ${var.root_domain_name} distribution."
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
 }
 
 resource "aws_cloudfront_distribution" "website_distribution" {
   origin {
-    domain_name = aws_s3_bucket.website.bucket_regional_domain_name
-    origin_id   = local.primary_s3_origin
-
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.website_OAI.cloudfront_access_identity_path
-    }
+    domain_name              = aws_s3_bucket.website.bucket_regional_domain_name
+    origin_id                = local.primary_s3_origin
+    origin_access_control_id = aws_cloudfront_origin_access_control.website_origin_access_control.id
   }
 
   origin {
-    domain_name = aws_s3_bucket.backup-website.bucket_regional_domain_name
-    origin_id   = local.backup_s3_origin
-
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.website_OAI.cloudfront_access_identity_path
-    }
+    domain_name              = aws_s3_bucket.backup-website.bucket_regional_domain_name
+    origin_id                = local.backup_s3_origin
+    origin_access_control_id = aws_cloudfront_origin_access_control.website_origin_access_control.id
   }
 
   origin_group {

diff --git a/s3.tf b/s3.tf
@@ -61,21 +61,28 @@ resource "aws_s3_bucket_lifecycle_configuration" "website-bucket-lifecycle-rule"
   }
 }
 
-data "aws_iam_policy_document" "primary_s3_policy" {
-  statement {
-    actions   = ["s3:GetObject"]
-    resources = ["${aws_s3_bucket.website.arn}/*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = [aws_cloudfront_origin_access_identity.website_OAI.iam_arn]
+resource "aws_s3_bucket_policy" "website-bucket-policy" {
+  bucket = aws_s3_bucket.website.id
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudfront.amazonaws.com"
+        },
+        "Action": "s3:GetObject",
+        "Resource": "${aws_s3_bucket.website.arn}/*",
+        "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "${aws_cloudfront_distribution.website_distribution.arn}"
+            }
+        }
     }
-  }
 }
 
-resource "aws_s3_bucket_policy" "website-bucket-policy" {
-  bucket = aws_s3_bucket.website.id
-  policy = data.aws_iam_policy_document.primary_s3_policy.json
+POLICY
 }
 
 ################################################################################################################################################
@@ -137,22 +144,29 @@ resource "aws_s3_bucket_lifecycle_configuration" "website-backup-bucket-lifecycl
   }
 }
 
-data "aws_iam_policy_document" "backup_s3_policy" {
-  statement {
-    actions   = ["s3:GetObject"]
-    resources = ["${aws_s3_bucket.backup-website.arn}/*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = [aws_cloudfront_origin_access_identity.website_OAI.iam_arn]
-    }
-  }
-}
-
 resource "aws_s3_bucket_policy" "backup-website-bucket-policy" {
   bucket   = aws_s3_bucket.backup-website.id
   provider = aws.backup-website-region
-  policy   = data.aws_iam_policy_document.backup_s3_policy.json
+  policy   = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudfront.amazonaws.com"
+        },
+        "Action": "s3:GetObject",
+        "Resource": "${aws_s3_bucket.backup-website.arn}/*",
+        "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "${aws_cloudfront_distribution.website_distribution.arn}"
+            }
+        }
+    }
+}
+
+POLICY
 }