
aws_cloudfront_origin_access_identity

Creates an Amazon CloudFront origin access identity.

For information about CloudFront distributions, see the Amazon CloudFront Developer Guide. For more information on generating origin access identities, see Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content.

Example Usage

The following example creates a CloudFront origin access identity.

resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
  comment = "Some comment"
}

Argument Reference

Attribute Reference

The following attributes are exported:

Using With CloudFront

Normally, when referencing an origin access identity in CloudFront, you need to prefix the ID with the origin-access-identity/cloudfront/ special path. The cloudfront_access_identity_path attribute already includes this prefix, so it can be referenced directly. The snippet below demonstrates its use with the s3_origin_config block of the aws_cloudfront_web_distribution resource:

s3_origin_config {
  origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
}

Updating your bucket policy

Note that the AWS API may translate the s3_canonical_user_id CanonicalUser principal into an AWS IAM ARN principal when supplied in an aws_s3_bucket bucket policy, causing spurious diffs in Terraform. If you see this behaviour, use the iam_arn instead:

data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${module.names.s3_endpoint_arn_base}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = ["${module.names.s3_endpoint_arn_base}"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  ...
  policy = "${data.aws_iam_policy_document.s3_policy.json}"
}

Import

CloudFront Origin Access Identities can be imported using the id, e.g.

$ terraform import aws_cloudfront_origin_access_identity.origin_access E74FTE3AEXAMPLE

See the source of this document at Terraform.io