Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
- The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.
Terraform CLI and Terraform AWS Cloud Control Provider Version
awscc v0.52.0
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
```hcl
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

# S3 Bucket
resource "aws_s3_bucket" "s3_origin" {
  bucket = "sampleawsccbucket345"
}

# Block public access to S3 bucket
resource "aws_s3_bucket_public_access_block" "s3_block_public_access" {
  bucket                  = aws_s3_bucket.s3_origin.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Attach bucket policy with object access to cloudfront origin
resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
  bucket = aws_s3_bucket.s3_origin.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

# Cloudfront origin access identity
resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" {
  cloudfront_origin_access_identity_config = {
    comment = "SampleCloudFrontOAI"
  }
}

# IAM policy document to allow S3 bucket read access to cloudfront origin access identity
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    principals {
      type        = "CanonicalUser"
      identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id]
    }
    effect = "Allow"
    actions = [
      "s3:GetObject",
    ]
    resources = [
      "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*"
    ]
  }
}

# Cloudfront distribution with S3 origin config using OAI
resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {
  distribution_config = {
    enabled             = true
    compress            = true
    default_root_object = "index.html"
    comment             = "Sample Cloudfront Distribution using AWSCC provider"
    default_cache_behavior = {
      target_origin_id       = aws_s3_bucket.s3_origin.id
      viewer_protocol_policy = "redirect-to-https"
      allowed_methods        = ["GET", "HEAD", "OPTIONS"]
      cached_methods         = ["GET", "HEAD", "OPTIONS"]
      min_ttl                = 0
      default_ttl            = 5 * 60
      max_ttl                = 60 * 60
    }
    restrictions = {
      geo_restriction = {
        restriction_type = "none"
      }
    }
    viewer_certificate = {
      cloudfront_default_certificate = true
      minimum_protocol_version       = "TLSv1.2_2018"
    }
    s3_origin = {
      dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
    }
    origins = [{
      domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
      id          = "SampleCloudfrontOrigin"
      s3_origin_config = {
        origin_access_identity = awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id
      }
    }]
  }
  tags = [{
    key   = "Name"
    value = "Cloudfront Distribution with S3 Origin"
  }]
}
```
Debug Output
Terraform resources are created without errors.
Panic Output
Expected Behavior
Origin access settings on the CloudFront distribution should have used the Origin Access Identity (OAI) option, selected with the OAI resource that was created as part of the Terraform resource configuration.
Actual Behavior
Origin access settings on the CloudFront distribution use the default setting (i.e., they expect S3 public access) and do not use the OAI option with the OAI resource that was created.
Steps to Reproduce
terraform apply
Important Factoids
References
- #0000
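The configuration below is an added example and is not part of the issue above or of the provider's own code. It declares the same OAI-protected S3 origin as the report, but differs from the posted configuration in four places, each marked in a comment: the legacy top-level `s3_origin` block is dropped so the origin is declared only in `origins`; `s3_origin_config.origin_access_identity` is given in the `origin-access-identity/cloudfront/<OAI ID>` form that the CloudFormation `S3OriginConfig` documentation specifies, rather than the bare OAI ID; `default_cache_behavior.target_origin_id` uses the same string as `origins[].id` (the posted config uses the bucket id in one place and a literal in the other); and `compress` moves into `default_cache_behavior`, with the TTL attributes replaced by the AWS managed CachingOptimized cache policy. Which, if any, of these differences accounts for the behaviour reported above is not established on this page; they are changes I chose. Resource names, the bucket name and the `local.origin_id` value are assumptions.

```hcl
# Added example, not from the issue or the provider: OAI-protected S3 origin
# for awscc_cloudfront_distribution. Names and bucket name are assumptions.

resource "aws_s3_bucket" "s3_origin" {
  bucket = "sampleawsccbucket345"
}

resource "aws_s3_bucket_public_access_block" "s3_block_public_access" {
  bucket                  = aws_s3_bucket.s3_origin.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" {
  cloudfront_origin_access_identity_config = {
    comment = "SampleCloudFrontOAI"
  }
}

# Only the OAI's canonical user may read objects; nothing grants ListBucket
# or any access to anonymous principals, so the public access block stays
# in force and a distribution without the OAI gets 403 rather than content.
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "CanonicalUser"
      identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.s3_origin.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
  bucket = aws_s3_bucket.s3_origin.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

locals {
  # Assumed origin id; must be identical in origins[].id and target_origin_id.
  origin_id = "SampleCloudfrontOrigin"
}

resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {
  distribution_config = {
    enabled             = true
    default_root_object = "index.html"
    comment             = "Sample Cloudfront Distribution using AWSCC provider"

    # Difference 1: no legacy top-level s3_origin block; the S3 origin is
    # declared only once, here in origins.
    origins = [{
      id          = local.origin_id
      domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
      s3_origin_config = {
        # Difference 2: CloudFormation documents this value as
        # origin-access-identity/cloudfront/<OAI ID>, not the bare ID.
        origin_access_identity = "origin-access-identity/cloudfront/${awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id}"
      }
    }]

    default_cache_behavior = {
      # Difference 3: same string as origins[].id above.
      target_origin_id       = local.origin_id
      viewer_protocol_policy = "redirect-to-https"
      allowed_methods        = ["GET", "HEAD", "OPTIONS"]
      cached_methods         = ["GET", "HEAD", "OPTIONS"]
      # Difference 4: compress belongs to the cache behavior, and the
      # min/default/max TTLs are replaced by the AWS managed
      # "CachingOptimized" cache policy.
      compress        = true
      cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"
    }

    restrictions = {
      geo_restriction = {
        restriction_type = "none"
      }
    }

    viewer_certificate = {
      # CloudFormation documents that with the default certificate the
      # security policy is set to TLSv1 regardless of minimum_protocol_version,
      # so a custom ACM certificate is needed to actually enforce TLS 1.2.
      cloudfront_default_certificate = true
      minimum_protocol_version       = "TLSv1.2_2018"
    }
  }

  tags = [{
    key   = "Name"
    value = "Cloudfront Distribution with S3 Origin"
  }]
}

output "distribution_id" {
  value = awscc_cloudfront_distribution.cloudfront_s3_origin.id
}
```

To check what was actually deployed rather than what the plan showed, run `aws cloudfront get-distribution-config --id <distribution_id> --query 'DistributionConfig.Origins.Items[].S3OriginConfig.OriginAccessIdentity'` after `terraform apply`. Each S3 origin should return the `origin-access-identity/cloudfront/...` string; an empty string means CloudFront is fetching objects anonymously, which with the public access block above fails closed with a 403 and should be fixed in the distribution, not by opening the bucket.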