provider/aws: Add iam_arn to aws_cloudfront_origin_access_identity

Add the iam_arn attribute to aws_cloudfront_origin_access_identity,
which computes the IAM ARN for a given CloudFront origin access
identity.

This is necessary because S3 modifies the bucket policy if CanonicalUser
is sent, causing spurious diffs with aws_s3_bucket resources.
This commit is contained in:
Chris Marchesi 2016-05-31 11:23:28 -07:00
parent de0c6c89d3
commit 65824c7725
3 changed files with 60 additions and 4 deletions


@ -34,6 +34,10 @@ func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
Type: schema.TypeString,
Computed: true,
},
"iam_arn": &schema.Schema{
Type: schema.TypeString,
Computed: true,
},
"s3_canonical_user_id": &schema.Schema{
Type: schema.TypeString,
Computed: true,
@ -74,6 +78,7 @@ func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta
d.Set("etag", resp.ETag)
d.Set("s3_canonical_user_id", resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
return nil
}
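Review bot: The new `d.Set("iam_arn", ...)` line hard-codes the `arn:aws:` partition prefix, so the derived ARN would be wrong if this provider were ever used against a non-standard partition (e.g. `aws-cn`); a wrong principal ARN is most likely rejected by S3 at policy-put time rather than granting access, but the assumption should be stated. Because the value is computed locally instead of being returned by the CloudFront API, I'd add above the line: `// iam_arn is not returned by the API; it is derived from the OAI ID using AWS's documented format, so a format change on the AWS side would not be detected here.` The line also dereferences `*resp.CloudFrontOriginAccessIdentity.Id` a second time after the `cloudfront_access_identity_path` line; hoisting `id := *resp.CloudFrontOriginAccessIdentity.Id` once would keep the two derived attributes in sync. The enclosing resourceAwsCloudFrontOriginAccessIdentityRead starts outside the hunk.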


@ -31,6 +31,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"cloudfront_access_identity_path",
regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"iam_arn",
regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
),
},
},
@ -56,6 +59,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"cloudfront_access_identity_path",
regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
"iam_arn",
regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
),
},
},
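Review bot: The new `iam_arn` regexp in TestAccAWSCloudFrontOriginAccessIdentity_basic is anchored only at the start, so an ARN with trailing text after the ID would still pass; since this is the only check that the computed principal ARN is well-formed, I'd end it with `[A-Z0-9]+$")),`. The same applies to the identical regexp added in TestAccAWSCloudFrontOriginAccessIdentity_noComment. The surrounding `cloudfront_access_identity_path` pattern has the same gap, but that predates this change. Both test functions begin and end outside the hunks.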


@ -34,10 +34,18 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
The following attributes are exported:
* `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
* `caller_reference` - Internal value used by CloudFront to allow future
updates to the origin access identity.
* `cloudfront_access_identity_path` - A shortcut to the full path for the
origin access identity to use in CloudFront, see below.
* `etag` - The current version of the origin access identity's information.
For example: `E2QWRUHAPOMQZL`.
* `iam_arn` - A pre-generated ARN for use in S3 bucket policies (see below).
Example: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
E2QWRUHAPOMQZL`.
* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin
access identity, which you use when giving the origin access identity read
permission to an object in Amazon S3.
## Using With CloudFront
@ -53,6 +61,43 @@ s3_origin_config {
}
```
### Updating your bucket policy
Note that the AWS API may translate the `s3_canonical_user_id` `CanonicalUser`
principal into an `AWS` IAM ARN principal when supplied in an
[`aws_s3_bucket`][4] bucket policy, causing spurious diffs in Terraform. If
you see this behaviour, use the `iam_arn` instead:
```
data "aws_iam_policy_document" "s3_policy" {
statement {
actions = ["s3:GetObject"]
resources = ["${module.names.s3_endpoint_arn_base}/*"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
statement {
actions = ["s3:ListBucket"]
resources = ["${module.names.s3_endpoint_arn_base}"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
}
aws_s3_bucket "bucket" {
...
policy = "${data.aws_iam_policy_document.s3_policy}"
}
```
[1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
[2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
[3]: /docs/providers/aws/r/cloudfront_distribution.html
[4]: /docs/providers/aws/r/s3_bucket.html