provider/aws: Require CloudFront S3 origin origin_access_identity

This fixes an issue where an empty s3_origin_config could be supplied to
aws_cloudfront_distribution, "correctly" setting an empty default value.
Unfortunately the rest of the CloudFront structure helper functions are
not equipped to deal with this kind of scenario, and TF produces
spurious diffs upon future runs.

This removes the default and makes origin_access_identity required when
specifying s3_origin_config.

Note that it has always been intended behaviour that if someone does not
want to use an origin access identity, that s3_origin_config should not
be specified at all. This behaviour still works, as should be evident by
the (still) passing tests.

Fixes hashicorp/terraform#7930.

builtin/providers/aws/resource_aws_cloudfront_distribution.go

@@ -355,8 +355,7 @@ func resourceAwsCloudFrontDistribution() *schema.Resource {
 								Schema: map[string]*schema.Schema{
 									"origin_access_identity": &schema.Schema{
 										Type:     schema.TypeString,
-										Optional: true,
-										Default:  "",
+										Required: true,
 									},
 								},
 							},