Merge pull request #6955 from paybyphone/paybyphone_cloudfront_origin…
…_access_identity_arn

provider/aws: Add iam_arn to aws_cloudfront_origin_access_identity
catsby committed Jun 1, 2016
2 parents 0075bd7 + 65824c7 commit d723e1c
Showing 3 changed files with 60 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
Type: schema.TypeString,
Computed: true,
},
"iam_arn": &schema.Schema{
Type: schema.TypeString,
Computed: true,
},
"s3_canonical_user_id": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -74,6 +78,7 @@ func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta
d.Set("etag", resp.ETag)
d.Set("s3_canonical_user_id", resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
return nil
}
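Review bot: The `iam_arn` computed on the `d.Set("iam_arn", ...)` line hard-codes the `aws` partition in the format string, so the exported value is only correct for the commercial partition; in other partitions (presumably aws-cn / aws-us-gov, which use a different ARN prefix) a bucket policy built from this attribute would name a principal S3 does not recognise. If the provider's client carries the current partition, derive it from there rather than from a literal, e.g. `fmt.Sprintf("arn:%s:iam::cloudfront:user/CloudFront Origin Access Identity %s", partition, *resp.CloudFrontOriginAccessIdentity.Id)`, and document on the schema field that the value is meant to be used as an `AWS` principal in S3 bucket policies. The unchecked pointer dereference of `resp.CloudFrontOriginAccessIdentity.Id` is not new (the preceding `cloudfront_access_identity_path` line does the same), so it is out of scope here. The enclosing resourceAwsCloudFrontOriginAccessIdentityRead starts outside the hunk.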

Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"cloudfront_access_identity_path",
regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"iam_arn",
regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
),
},
},
Expand All @@ -56,6 +59,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"cloudfront_access_identity_path",
regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"iam_arn",
regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
),
},
},
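Review bot: The `iam_arn` regex added to both test cases is unanchored at the end, so a value with trailing junk after the identity ID would still pass, even though this attribute is later pasted verbatim into bucket policies where the exact shape matters. It is also compiled inline twice; hoisting it to a package-level `var oaiIAMArnRegexp = regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$")` and referencing it from both `TestMatchResourceAttr` calls keeps the two tests in step. Note the pattern also pins the test to the `aws` partition, matching the literal in the resource. Both test functions start outside the hunk.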
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,18 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
The following attributes are exported:

* `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
* `caller_reference` - Internal value used by CloudFront to allow future
updates to the origin access identity.
* `cloudfront_access_identity_path` - A shortcut to the full path for the
origin access identity to use in CloudFront, see below.
* `etag` - The current version of the origin access identity's information.
For example: `E2QWRUHAPOMQZL`.
* `iam_arn` - A pre-generated ARN for use in S3 bucket policies (see below).
Example: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
E2QWRUHAPOMQZL`.
* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin
access identity, which you use when giving the origin access identity read
permission to an object in Amazon S3.

## Using With CloudFront

Expand All @@ -53,6 +61,43 @@ s3_origin_config {
}
```

### Updating your bucket policy

Note that the AWS API may translate the `s3_canonical_user_id` `CanonicalUser`
principal into an `AWS` IAM ARN principal when supplied in an
[`aws_s3_bucket`][4] bucket policy, causing spurious diffs in Terraform. If
you see this behaviour, use the `iam_arn` instead:

```
data "aws_iam_policy_document" "s3_policy" {
statement {
actions = ["s3:GetObject"]
resources = ["${module.names.s3_endpoint_arn_base}/*"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
statement {
actions = ["s3:ListBucket"]
resources = ["${module.names.s3_endpoint_arn_base}"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
}
aws_s3_bucket "bucket" {
...
policy = "${data.aws_iam_policy_document.s3_policy}"
}
```

[1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
[2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
[3]: /docs/providers/aws/r/cloudfront_distribution.html
[4]: /docs/providers/aws/r/s3_bucket.html
