SRE-12 - Migrate CF to S3 access from OAI to OAC and update S3 module version

Jiří Oláh · jindrichskupa · commit 0d7de2d44e3b · 2024-05-17T16:07:07.000+02:00
diff --git a/main.tf b/main.tf
@@ -28,12 +28,17 @@ module "certificate" {
   tags = local.tags
 }
 
-resource "aws_cloudfront_origin_access_identity" "this" {
-  comment = "Access from CF to S3 - ${local.main_domain}"
+resource "aws_cloudfront_origin_access_control" "this" {
+  name                              = "Access from CF to S3 - ${local.main_domain}"
+  description                       = "Access from CF to S3 - ${local.main_domain}"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
 }
 
 data "aws_iam_policy_document" "bucket_policy" {
   statement {
+    sid = "AllowCloudFrontServicePrincipalReadOnly"
     actions = [
       "s3:GetObject",
     ]
@@ -43,18 +48,25 @@ data "aws_iam_policy_document" "bucket_policy" {
     ]
 
     principals {
-      type = "AWS"
+      type = "Service"
 
       identifiers = [
-        aws_cloudfront_origin_access_identity.this.iam_arn,
+        "cloudfront.amazonaws.com",
       ]
     }
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+      values   = [aws_cloudfront_distribution.this.arn]
+    }
+
   }
 }
 
 module "s3_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.15.1"
+  version = "4.1.2"
 
   bucket = var.s3_bucket_name
 
@@ -92,12 +104,9 @@ resource "aws_cloudfront_distribution" "this" {
   comment = local.main_domain
 
   origin {
-    domain_name = module.s3_bucket.s3_bucket_bucket_regional_domain_name
-    origin_id   = var.s3_bucket_name
-
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
-    }
+    domain_name              = module.s3_bucket.s3_bucket_bucket_regional_domain_name
+    origin_id                = var.s3_bucket_name
+    origin_access_control_id = aws_cloudfront_origin_access_control.this.id
   }
 
   dynamic "origin" {
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = "~> 5.0"
+      version               = "~> 5.27"
       configuration_aliases = [aws.us_east_1]
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = "~> 5.0"`
	`7`	`+ version = "~> 5.27"`
`8`	`8`	`configuration_aliases = [aws.us_east_1]`
`9`	`9`	`}`
`10`	`10`	`}`