provider/aws: Add iam_arn to aws_cloudfront_origin_access_identity

Add the iam_arn attribute to aws_cloudfront_origin_access_identity, which computes the IAM ARN for a certain CloudFront origin access identity. This is necessary because S3 modifies the bucket policy if CanonicalUser is sent, causing spurious diffs with aws_s3_bucket resources.
2016-05-31 11:23:28 -07:00 · 2016-05-31 11:23:28 -07:00 · 65824c7725
parent de0c6c89d3
commit 65824c7725
3 changed files with 60 additions and 4 deletions
--- a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go
@ -34,6 +34,10 @@ func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"iam_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"s3_canonical_user_id": &schema.Schema{
 				Type:     schema.TypeString,
 				Computed: true,
@ -74,6 +78,7 @@ func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta
 	d.Set("etag", resp.ETag)
 	d.Set("s3_canonical_user_id", resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
 	d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
+	d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
 	return nil
 }

--- a/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
+++ b/builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go
@ -31,6 +31,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},
@ -56,6 +59,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},
--- a/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
+++ b/website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown
@ -34,10 +34,18 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
 The following attributes are exported:

 * `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
-* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
-* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
-* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
-* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
+* `caller_reference` - Internal value used by CloudFront to allow future
+   updates to the origin access identity.
+* `cloudfront_access_identity_path` - A shortcut to the full path for the
+   origin access identity to use in CloudFront, see below.
+* `etag` - The current version of the origin access identity's information.
+   For example: `E2QWRUHAPOMQZL`.
+* `iam_arn` - A pre-generated ARN for use in S3 bucket policies (see below).
+   Example: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
+   E2QWRUHAPOMQZL`.
+* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin
+   access identity, which you use when giving the origin access identity read
+   permission to an object in Amazon S3.

 ## Using With CloudFront

@ -53,6 +61,43 @@ s3_origin_config {
 }
 ```

+### Updating your bucket policy
+
+Note that the AWS API may translate the `s3_canonical_user_id` `CanonicalUser`
+principal into an `AWS` IAM ARN principal when supplied in an
+[`aws_s3_bucket`][4] bucket policy, causing spurious diffs in Terraform. If
+you see this behaviour, use the `iam_arn` instead:
+
+```
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${module.names.s3_endpoint_arn_base}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+
+  statement {
+    actions   = ["s3:ListBucket"]
+    resources = ["${module.names.s3_endpoint_arn_base}"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+}
+
+aws_s3_bucket "bucket" {
+  ...
+  policy = "${data.aws_iam_policy_document.s3_policy}"
+}
+```
+
 [1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
 [2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
 [3]: /docs/providers/aws/r/cloudfront_distribution.html
+[4]: /docs/providers/aws/r/s3_bucket.html