(cloudfront): Add L2 level construct for CfnOriginAccessControl #22493

Closed
kornicameister opened this issue Oct 13, 2022 · 6 comments

Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@kornicameister
Contributor

kornicameister commented Oct 13, 2022

Describe the feature

https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/


Configuring OAC is really cumbersome in CDK at the moment, mainly because no origin contains a reference to a node, which makes using escape hatches impossible.

Use Case

  • being able to use SSE-KMS in S3 bucket
  • not being forced to deploy Lambda@Edge via experimental package
  • having consistent experience when building origins that can use OAC

Proposed Solution

Add a boolean property to S3Origin like origin_access_control_enabled: bool. If set to True, an Origin Access Control is created and linked to the origin via this property.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.45.0

Environment details (OS name and version, etc.)

MacOS

@kornicameister kornicameister added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 13, 2022
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Oct 13, 2022
@kornicameister
Contributor Author

Changed to incurring breaking changes based on https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac

Seems like it is either OAC or OAI. However, if we stick to the property as an opt-in, or do that via cdk.json, it will not be a breaking change.

Also there are points around modifying bucket resource policy.

@kornicameister
Contributor Author

I am worried though that modifying the resource policy of a bucket will be tricky for a use case like mine, where I have a stack describing the storage and another stack describing the CDN. The CDN stack essentially imports the S3 buckets and the OAI.
However, here we need to know the distribution id to change the bucket's policy, but that policy lives in the bucket's stack.

Circular dependency 101.
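To make the bucket-policy dependency described above concrete, here is an added Python example (not CDK code and not from this issue) that builds the OAC-style bucket statement from the AWS migration guide linked earlier and strips any lingering OAI grant, since an origin cannot use both. The bucket name, account id, OAI id and distribution id are constructed placeholders.

```python
import json
from copy import deepcopy

# Constructed sample: a bucket policy that still grants the legacy OAI read access.
OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

def oac_statement(bucket: str, account_id: str, distribution_id: str) -> dict:
    """OAC-style grant: the CloudFront service principal may read objects, but only
    when the request comes from this one distribution (AWS:SourceArn condition).
    That condition is what forces the bucket policy to know the distribution id."""
    return {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
    }

def grants_oai(stmt: dict) -> bool:
    """True if a statement's principal is a CloudFront Origin Access Identity."""
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    aws = [aws] if isinstance(aws, str) else aws
    return any("CloudFront Origin Access Identity" in p for p in aws)

def migrate_to_oac(policy: dict, bucket: str, account_id: str, distribution_id: str) -> dict:
    """Return a copy of the policy with OAI grants removed and the OAC grant added.
    Dropping the OAI grant matters because an origin cannot use both OAC and OAI."""
    new = deepcopy(policy)
    new["Statement"] = [s for s in new["Statement"] if not grants_oai(s)]
    new["Statement"].append(oac_statement(bucket, account_id, distribution_id))
    return new

if __name__ == "__main__":
    migrated = migrate_to_oac(OAI_POLICY, "example-bucket", "111122223333", "EXAMPLEDIST")
    print(json.dumps(migrated, indent=2))
```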

@kornicameister
Contributor Author

Also, if you already have the bucket linked to the origin and try to add the OAC, you will get an error:

Resource handler returned message: "Invalid request provided: Cannot use both Origin Access Control and Origin Access Identity on an origin (Service: CloudFront, Status Code: 400

@laurelmay
Contributor

There is a little bit of discussion on this at #21771 as well, including the issues with implementing this at the moment.

@kornicameister
Contributor Author

I am closing down my issue in that case.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

3 participants