feat(cloudfront-origins): customize origin access identity in s3origin

packages/@aws-cdk/aws-cloudfront-origins/README.md

@@ -32,7 +32,7 @@ The above will treat the bucket differently based on if `IBucket.isWebsite` is s
 treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
 CloudFront's redirect and error handling will be used. In the latter case, the Origin wil create an origin access identity and grant it access to the
 underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly.
+URLs and not S3 URLs directly. Alternatively, a custom origin access identity can be passed to the S3 origin in the properties.
 
 ## ELBv2 Load Balancer
 

packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts

@@ -16,6 +16,12 @@ export interface S3OriginProps {
    * @default '/'
    */
   readonly originPath?: string;
+  /**
+   * An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+   *
+   * @default - An Origin Access Identity will be created.
+   */
+  readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
 }
 
 /**
@@ -50,10 +56,13 @@ export class S3Origin implements cloudfront.IOrigin {
  * Contains additional logic around bucket permissions and origin access identities.
  */
 class S3BucketOrigin extends cloudfront.OriginBase {
-  private originAccessIdentity!: cloudfront.OriginAccessIdentity;
+  private originAccessIdentity!: cloudfront.IOriginAccessIdentity;
 
-  constructor(private readonly bucket: s3.IBucket, props: S3OriginProps) {
+  constructor(private readonly bucket: s3.IBucket, { originAccessIdentity, ...props }: S3OriginProps) {
     super(bucket.bucketRegionalDomainName, props);
+    if (originAccessIdentity) {
+      this.originAccessIdentity = originAccessIdentity;
+    }
   }
 
   public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {

packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json

@@ -0,0 +1,58 @@
+{
+  "Resources": {
+    "Bucket83908E77": {
+      "Type": "AWS::S3::Bucket",
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
+    "OriginAccessIdentityDF1E3CAC": {
+      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+      "Properties": {
+        "CloudFrontOriginAccessIdentityConfig": {
+          "Comment": "Identity for bucket provided by test"
+        }
+      }
+    },
+    "Distribution830FAC52": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "DefaultCacheBehavior": {
+            "ForwardedValues": {
+              "QueryString": false
+            },
+            "TargetOriginId": "cloudfronts3originoaiDistributionOrigin1516C5A91",
+            "ViewerProtocolPolicy": "allow-all"
+          },
+          "Enabled": true,
+          "HttpVersion": "http2",
+          "IPV6Enabled": true,
+          "Origins": [
+            {
+              "DomainName": {
+                "Fn::GetAtt": [
+                  "Bucket83908E77",
+                  "RegionalDomainName"
+                ]
+              },
+              "Id": "cloudfronts3originoaiDistributionOrigin1516C5A91",
+              "S3OriginConfig": {
+                "OriginAccessIdentity": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "origin-access-identity/cloudfront/",
+                      {
+                        "Ref": "OriginAccessIdentityDF1E3CAC"
+                      }
+                    ]
+                  ]
+                }
+              }
+            }
+          ]
+        }
+      }
+    }
+  }
+}

packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts

@@ -0,0 +1,18 @@
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as s3 from '@aws-cdk/aws-s3';
+import * as cdk from '@aws-cdk/core';
+import * as origins from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oai');
+
+const bucket = new s3.Bucket(stack, 'Bucket');
+const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+  comment: 'Identity for bucket provided by test',
+});
+new cloudfront.Distribution(stack, 'Distribution', {
+  defaultBehavior: { origin: new origins.S3Origin(bucket, { originAccessIdentity }) },
+});
+
+app.synth();

packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts

@@ -34,7 +34,7 @@ describe('With bucket', () => {
     });
   });
 
-  test('can customize properties', () => {
+  test('can customize originPath property', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');
 
     const origin = new S3Origin(bucket, { originPath: '/assets' });
@@ -56,6 +56,23 @@ describe('With bucket', () => {
     });
   });
 
+  test('can customize OriginAccessIdentity property', () => {
+    const bucket = new s3.Bucket(stack, 'Bucket');
+
+    const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+      comment: 'Identity for bucket provided by test',
+    });
+
+    const origin = new S3Origin(bucket, { originAccessIdentity });
+    new cloudfront.Distribution(stack, 'Dist', { defaultBehavior: { origin } });
+
+    expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
+      CloudFrontOriginAccessIdentityConfig: {
+        Comment: 'Identity for bucket provided by test',
+      },
+    });
+  });
+
   test('creates an OriginAccessIdentity and grants read permissions on the bucket', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');