Hi. I just successfully created an OAC using the CDKTF via Typescript.
I started working with OAC from this tutorial:
To add an origin access control to an S3 origin in a distribution
Open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home.
Choose a distribution with an S3 origin that you want to add the OAC to, then choose the Origins tab.
Select the S3 origin that you want to add the OAC to, then choose Edit.
In the Origin access section, choose Origin access control settings (recommended).
In the Origin access control dropdown menu, choose the OAC that you want to use.
Choose Save changes.
I discovered the originAccessControlId field on the distribution config is used to associate the OAC with the CloudFront distribution.
When simply trying to migrate from OAI to OAC, like in the following,
{
  // one entry of the distribution's origin list
  domainName: bucket.bucketRegionalDomainName,
  originId: config.params.bucketName,
  originAccessControlId: OAC.id,
  // s3OriginConfig: {
  //   originAccessIdentity: `origin-access-identity/cloudfront/${originAccessIdentity.id}`,
  // },
}
I get this error:
│ Error: CloudFrontOriginAccessIdentityInUse: The CloudFront origin access identity is still being used.
│ status code: 409, request id: <redacted>
I did discover a workaround. If I do a deploy with only creating the OAC, but not using it, then I can do a follow-up deploy swapping the OAI for the OAC as shown above. Unfortunately this makes for fragile work when promoting my infra to higher environments.
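One part of an OAI-to-OAC migration that the origin config above does not show is the S3 bucket policy. With an OAI the bucket trusts a specific IAM principal; with an OAC CloudFront reads the bucket as the service principal cloudfront.amazonaws.com, so the policy must grant that principal and pin it to one distribution ARN with an AWS:SourceArn condition, otherwise any distribution in any AWS account could serve the bucket's objects. The block below is an added example, not code from the original post or from CDKTF: plain TypeScript with no provider imports, producing the policy document (with the legacy OAI statement optionally kept for a transition window) plus a small check that flags a CloudFront service-principal grant with no SourceArn pin. The function names, the bucket name, the distribution ARN and the OAI id are all made up for the example.

```typescript
// Added example (not from the original post): bucket policy for an OAC origin.
// With OAC, CloudFront signs requests as the service principal
// cloudfront.amazonaws.com, so the bucket policy must (a) allow that principal
// and (b) restrict it to one distribution via the AWS:SourceArn condition key.
// During an OAI -> OAC migration the old OAI principal can be kept in a second
// statement so objects stay reachable whichever origin config is live.

export interface BucketPolicyInput {
  bucketName: string;      // S3 bucket name, e.g. "example-assets" (made up)
  distributionArn: string; // arn:aws:cloudfront::<account>:distribution/<id>
  legacyOaiId?: string;    // optional OAI id to keep during migration
}

export interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { Service?: string; AWS?: string };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}

export interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

export function buildOacBucketPolicy(input: BucketPolicyInput): PolicyDocument {
  const objects = `arn:aws:s3:::${input.bucketName}/*`;
  const statements: PolicyStatement[] = [
    {
      Sid: "AllowCloudFrontServicePrincipalReadOnly",
      Effect: "Allow",
      Principal: { Service: "cloudfront.amazonaws.com" },
      Action: "s3:GetObject",
      Resource: objects,
      // The SourceArn pin is what stops other distributions from using
      // the same service principal to read this bucket.
      Condition: { StringEquals: { "AWS:SourceArn": input.distributionArn } },
    },
  ];
  if (input.legacyOaiId) {
    statements.push({
      Sid: "AllowLegacyOriginAccessIdentityDuringMigration",
      Effect: "Allow",
      Principal: {
        AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${input.legacyOaiId}`,
      },
      Action: "s3:GetObject",
      Resource: objects,
    });
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Check: every Allow statement for the CloudFront service principal must carry
// an AWS:SourceArn condition. Returns the Sids (or indexes) of unpinned ones.
export function findUnpinnedCloudFrontStatements(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow" || s.Principal.Service !== "cloudfront.amazonaws.com") return;
    const eq = s.Condition?.StringEquals ?? {};
    const pinned = Object.keys(eq).some((k) => k.toLowerCase() === "aws:sourcearn");
    if (!pinned) findings.push(s.Sid ?? `statement[${i}]`);
  });
  return findings;
}

// Serialised form suitable for a bucket-policy resource's policy string.
export function toPolicyJson(doc: PolicyDocument): string {
  return JSON.stringify(doc);
}
```

Once the distribution is fully on the OAC and the OAI resource is gone, drop the legacy statement (omit legacyOaiId) so the bucket trusts only the pinned service principal.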