Add support for origin-access-control (#319)

* add `origin_access_control` feature

* update docs

* update example

* fix terratest resource creation

* fix: tf lint formatting

* add version constraint to local TF provider

---------

Co-authored-by: Matt Gowie <[email protected]>
Co-authored-by: Jeremy White <[email protected]>

Author: 3 people

README.md

@@ -425,6 +425,7 @@ Available targets:
 | Name | Type |
 |------|------|
 | [aws_cloudfront_distribution.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
+| [aws_cloudfront_origin_access_control.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
 | [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
@@ -436,9 +437,11 @@ Available targets:
 | [aws_s3_bucket_versioning.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [random_password.referer](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.s3_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3_origin_access_control](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3_origin_access_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_ssl_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_website_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -467,6 +470,7 @@ Available targets:
 | <a name="input_cloudfront_access_log_include_cookies"></a> [cloudfront\_access\_log\_include\_cookies](#input\_cloudfront\_access\_log\_include\_cookies) | Set true to include cookies in Cloudfront Access Logs | `bool` | `false` | no |
 | <a name="input_cloudfront_access_log_prefix"></a> [cloudfront\_access\_log\_prefix](#input\_cloudfront\_access\_log\_prefix) | Prefix to use for Cloudfront Access Log object keys. Defaults to no prefix. | `string` | `""` | no |
 | <a name="input_cloudfront_access_logging_enabled"></a> [cloudfront\_access\_logging\_enabled](#input\_cloudfront\_access\_logging\_enabled) | Set true to enable delivery of Cloudfront Access Logs to an S3 bucket | `bool` | `true` | no |
+| <a name="input_cloudfront_origin_access_control_id"></a> [cloudfront\_origin\_access\_control\_id](#input\_cloudfront\_origin\_access\_control\_id) | CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: origin access control (OAC) and origin access identity (OAI). OAC helps you secure your origins, such as for Amazon S3. | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_iam_arn"></a> [cloudfront\_origin\_access\_identity\_iam\_arn](#input\_cloudfront\_origin\_access\_identity\_iam\_arn) | Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_path"></a> [cloudfront\_origin\_access\_identity\_path](#input\_cloudfront\_origin\_access\_identity\_path) | Existing cloudfront origin access identity path used in the cloudfront distribution's s3\_origin\_config content | `string` | `""` | no |
 | <a name="input_comment"></a> [comment](#input\_comment) | Comment for the CloudFront distribution | `string` | `"Managed by Terraform"` | no |
@@ -524,6 +528,8 @@ Available targets:
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br/>This is the only ID element not also included as a `tag`.<br/>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br/>List in order of precedence (first match wins). This is in addition to the default cache policy.<br/>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. | <pre>list(object({<br/>    target_origin_id = string<br/>    path_pattern     = string<br/><br/>    allowed_methods    = list(string)<br/>    cached_methods     = list(string)<br/>    compress           = bool<br/>    trusted_signers    = list(string)<br/>    trusted_key_groups = list(string)<br/><br/>    cache_policy_id          = string<br/>    origin_request_policy_id = string<br/>    realtime_log_config_arn  = optional(string)<br/><br/>    viewer_protocol_policy     = string<br/>    min_ttl                    = number<br/>    default_ttl                = number<br/>    max_ttl                    = number<br/>    response_headers_policy_id = string<br/><br/>    forward_query_string              = bool<br/>    forward_header_values             = list(string)<br/>    forward_cookies                   = string<br/>    forward_cookies_whitelisted_names = list(string)<br/><br/>    lambda_function_association = list(object({<br/>      event_type   = string<br/>      include_body = bool<br/>      lambda_arn   = string<br/>    }))<br/><br/>    function_association = list(object({<br/>      event_type   = string<br/>      function_arn = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_origin_access_control_signing_behavior"></a> [origin\_access\_control\_signing\_behavior](#input\_origin\_access\_control\_signing\_behavior) | Specifies which requests CloudFront signs. Specify always for the most common use case. Allowed values: always, never, and no-override. | `string` | `"always"` | no |
+| <a name="input_origin_access_type"></a> [origin\_access\_type](#input\_origin\_access\_type) | Choose to use `origin_access_control` or `orgin_access_identity` | `string` | `"origin_access_identity"` | no |
 | <a name="input_origin_bucket"></a> [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, it will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no |
 | <a name="input_origin_force_destroy"></a> [origin\_force\_destroy](#input\_origin\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no |
 | <a name="input_origin_groups"></a> [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.<br/>The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.<br/><br/>If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.<br/>This is to allow for the use case of making the origin created by this module the primary origin in an origin group. | <pre>list(object({<br/>    primary_origin_id  = string<br/>    failover_origin_id = string<br/>    failover_criteria  = list(string)<br/>  }))</pre> | `[]` | no |
@@ -545,7 +551,7 @@ Available targets:
 | <a name="input_s3_access_log_prefix"></a> [s3\_access\_log\_prefix](#input\_s3\_access\_log\_prefix) | Prefix to use for S3 Access Log object keys. Defaults to `logs/${module.this.id}` | `string` | `""` | no |
 | <a name="input_s3_access_logging_enabled"></a> [s3\_access\_logging\_enabled](#input\_s3\_access\_logging\_enabled) | Set `true` to deliver S3 Access Logs to the `s3_access_log_bucket_name` bucket.<br/>Defaults to `false` if `s3_access_log_bucket_name` is empty (the default), `true` otherwise.<br/>Must be set explicitly if the access log bucket is being created at the same time as this module is being invoked. | `bool` | `null` | no |
 | <a name="input_s3_object_ownership"></a> [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control on the origin bucket. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'. | `string` | `"ObjectWriter"` | no |
-| <a name="input_s3_origins"></a> [s3\_origins](#input\_s3\_origins) | A list of S3 [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) (in addition to the one created by this module) for this distribution.<br/>S3 buckets configured as websites are `custom_origins`, not `s3_origins`.<br/>Specifying `s3_origin_config.origin_access_identity` as `null` or `""` will have it translated to the `origin_access_identity` used by the origin created by the module. | <pre>list(object({<br/>    domain_name = string<br/>    origin_id   = string<br/>    origin_path = string<br/>    s3_origin_config = object({<br/>      origin_access_identity = string<br/>    })<br/>  }))</pre> | `[]` | no |
+| <a name="input_s3_origins"></a> [s3\_origins](#input\_s3\_origins) | A list of S3 [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) (in addition to the one created by this module) for this distribution.<br/>S3 buckets configured as websites are `custom_origins`, not `s3_origins`.<br/>Specifying `s3_origin_config.origin_access_identity` as `null` or `""` will have it translated to the `origin_access_identity` used by the origin created by the module. | <pre>list(object({<br/>    domain_name = string<br/>    origin_id   = string<br/>    origin_path = string<br>    origin_access_control_id = string<br/>    s3_origin_config = object({<br/>      origin_access_identity = string<br/>    })<br/>  }))</pre> | `[]` | no |
 | <a name="input_s3_website_password_enabled"></a> [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `website_enabled` is also true, a password will be required in the `Referrer` field of the<br/>HTTP request in order to access the website, and Cloudfront will be configured to pass this password in its requests.<br/>This will make it much harder for people to bypass Cloudfront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br/>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
@@ -563,6 +569,7 @@ Available targets:
 | Name | Description |
 |------|-------------|
 | <a name="output_aliases"></a> [aliases](#output\_aliases) | Aliases of the CloudFront distribution. |
+| <a name="output_cf_access_control_id"></a> [cf\_access\_control\_id](#output\_cf\_access\_control\_id) | CloudFront Origin Access Control ID |
 | <a name="output_cf_arn"></a> [cf\_arn](#output\_cf\_arn) | ARN of AWS CloudFront distribution |
 | <a name="output_cf_domain_name"></a> [cf\_domain\_name](#output\_cf\_domain\_name) | Domain name corresponding to the distribution |
 | <a name="output_cf_etag"></a> [cf\_etag](#output\_cf\_etag) | Current version of the distribution's information |