diff --git a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
index 3895ad1d91ff..cd6f8d73beba 100644
--- a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
@@ -34,6 +34,10 @@ func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
 				Type: schema.TypeString,
 				Computed: true,
 			},
+			"iam_arn": &schema.Schema{
+				Type: schema.TypeString,
+				Computed: true,
+			},
 			"s3_canonical_user_id": &schema.Schema{
 				Type: schema.TypeString,
 				Computed: true,
@@ -74,6 +78,7 @@ func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta
 	d.Set("etag", resp.ETag)
 	d.Set("s3_canonical_user_id", resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
 	d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
+	d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
 
 	return nil
 }
diff --git a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
index d73b8e033242..518dda977e14 100644
--- a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
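Review bot: The added `d.Set("iam_arn", ...)` line in the Read hunk hard-codes the `aws` partition in the ARN prefix, so in any other partition the exported value names a principal that does not exist there and a bucket policy built from it would be rejected or grant nothing. If the provider's client configuration exposes the partition, build the prefix from it instead of the literal `arn:aws:`; if it does not, the schema entry for `iam_arn` and the docs should state that the value is only valid in the standard partition. The `d.Set` error return is dropped here as on the neighbouring lines, which is the file's existing style but still hides a type mismatch until apply time. The body of `resourceAwsCloudFrontOriginAccessIdentityRead` starts outside the hunk.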
@@ -31,6 +31,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},
@@ -56,6 +59,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},
diff --git a/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown b/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
index df74f9d89828..ebc54775ae14 100644
--- a/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
+++ b/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
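Review bot: The new `iam_arn` regexp is anchored only at the start, so a value with anything appended after the identity ID still passes, even though the Read code formats the ID as the final token of the string. Tighten the check to `regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$")`; the same pattern is repeated in the `TestAccAWSCloudFrontOriginAccessIdentity_noComment` hunk. The pre-existing `cloudfront_access_identity_path` check has the same open end, which this commit does not touch. Both test functions start outside their hunks.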
@@ -34,10 +34,18 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
 The following attributes are exported:
 
 * `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
-* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
-* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
-* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
-* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
+* `caller_reference` - Internal value used by CloudFront to allow future
+  updates to the origin access identity.
+* `cloudfront_access_identity_path` - A shortcut to the full path for the
+  origin access identity to use in CloudFront, see below.
+* `etag` - The current version of the origin access identity's information.
+  For example: `E2QWRUHAPOMQZL`.
+* `iam_arn` - A pre-generated ARN for use in S3 bucket policies (see below).
+  Example: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
+  E2QWRUHAPOMQZL`.
+* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin
+  access identity, which you use when giving the origin access identity read
+  permission to an object in Amazon S3.
 
 ## Using With CloudFront
 
@@ -53,6 +61,43 @@ s3_origin_config {
 }
 ```
 
+### Updating your bucket policy
+
+Note that the AWS API may translate the `s3_canonical_user_id` `CanonicalUser`
+principal into an `AWS` IAM ARN principal when supplied in an
+[`aws_s3_bucket`][4] bucket policy, causing spurious diffs in Terraform. If
+you see this behaviour, use the `iam_arn` instead:
+
+```
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    actions = ["s3:GetObject"]
+    resources = ["${module.names.s3_endpoint_arn_base}/*"]
+
+    principals {
+      type = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+
+  statement {
+    actions = ["s3:ListBucket"]
+    resources = ["${module.names.s3_endpoint_arn_base}"]
+
+    principals {
+      type = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+}
+
+aws_s3_bucket "bucket" {
+  ...
+  policy = "${data.aws_iam_policy_document.s3_policy}"
+}
+```
+
 [1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
 [2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
 [3]: /docs/providers/aws/r/cloudfront_distribution.html
+[4]: /docs/providers/aws/r/s3_bucket.html