Hi
I need to select the option ‘Yes, update the bucket policy’ in the Legacy access identities for s3 origin in the AWS CloudFront.
Could you please provide the terraform code to check the option ‘Yes, update the bucket policy’.
Hi @Venkat1505,
I’m not very familiar with this feature of CloudFront, but based on the CloudFront API docs – CreateCloudFrontOriginAccessIdentity in particular – it seems that the option to “update the bucket policy” is something built into the CloudFront UI that is not available in the API itself, and is therefore not directly available in the Terraform AWS provider either.
Presumably what that option does is automate calling s3:PutBucketPolicy to add a policy statement that allows access to the S3 bucket from the origin access identity’s principal ARN. If that’s true, then the Terraform equivalent would be what’s described in the Using With CloudFront section of the aws_cloudfront_origin_access_identity documentation.
The three main parts are:
Each one of those corresponds with an AWS provider resource type. For example:
```hcl
# 1. Declare the origin access identity itself
resource "aws_cloudfront_origin_access_identity" "example" {
  comment = "example"
}

resource "aws_cloudfront_distribution" "example" {
  # ... other configuration ...

  origin {
    # domain_name and origin_id are required by the provider; the bucket's
    # regional domain name is the usual choice for an S3 origin.
    domain_name = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id   = "s3-example"

    s3_origin_config {
      # 2. Associate the origin access identity with the CloudFront distribution's origin.
      origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
    }
  }

  # The distribution won't actually work correctly
  # until the S3 policy has been configured, but
  # Terraform can't infer that automatically.
  depends_on = [aws_s3_bucket_policy.example]
}

# 3. Create an S3 bucket resource policy which allows the origin access identity to retrieve objects from the bucket.
resource "aws_s3_bucket_policy" "example" {
  # (this assumes you declared a resource "aws_s3_bucket" "example"
  # somewhere else in your module, not shown here.)
  bucket = aws_s3_bucket.example.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "s3:GetObject"
        # s3:GetObject is an object-level action, so the resource must be the
        # objects inside the bucket (bucket ARN followed by /*), not the bucket ARN itself.
        Resource = "${aws_s3_bucket.example.arn}/*"
        Principal = {
          AWS = aws_cloudfront_origin_access_identity.example.iam_arn
        }
      },
    ]
  })
}
```
The aws_cloudfront_origin_access_identity.example.iam_arn reference will produce the principal ARN to use when granting access to that origin access identity, so that the policy will allow that identity to access the bucket.
The AWS Console UI is able to “cheat” and make cross-service requests, such as here where the CloudFront UI seems to be secretly making requests to the S3 API. I suspect that the option you wanted to activate is, behind the scenes, declaring an S3 bucket resource policy just like the aws_s3_bucket_object resource above. Terraform’s AWS provider can only expose what the API exposes, so to implement the same effect with Terraform requires manually configuring the bucket policy, as I’ve shown above.
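A small check to run against the policy Terraform actually puts on the bucket (for example the output of `aws s3api get-bucket-policy`), added here as an example and not part of the thread: it confirms the only Allow principal is the origin access identity, that nothing beyond s3:GetObject is granted, and that the resource is object-level, which is the detail that is easy to get wrong. The ARNs and the three sample policies are constructed placeholders.

```python
import json

# Constructed placeholder values; real ARNs come from the Terraform attributes above.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID"


def _as_list(value):
    """Normalise a policy field that may be a string, a list, or absent."""
    return [value] if isinstance(value, str) else list(value or [])


def check_oai_policy(policy_json, bucket_arn, oai_arn):
    """Return findings for a bucket policy that should grant only the OAI read access."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if principal == "*" or "*" in aws:
            findings.append(f"statement {i}: principal '*' makes the bucket publicly readable")
        elif aws != [oai_arn]:
            findings.append(f"statement {i}: principal is not the origin access identity")
        extra = [a for a in actions if a != "s3:GetObject"]
        if extra:
            findings.append(f"statement {i}: grants more than s3:GetObject: {extra}")
        if "s3:GetObject" in actions and f"{bucket_arn}/*" not in resources:
            findings.append(f"statement {i}: s3:GetObject needs {bucket_arn}/* as the resource; "
                            "the bare bucket ARN grants no object access")
    return findings


def _policy(resource, principal):
    """Build a constructed one-statement policy JSON for the samples below."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": resource, "Principal": principal}]})


# Constructed sample: bucket ARN instead of the objects inside it (grants nothing to GetObject).
POLICY_BUCKET_ARN = _policy(BUCKET_ARN, {"AWS": OAI_ARN})
# Constructed sample: object-level resource with the OAI as the only principal.
POLICY_CORRECT = _policy(f"{BUCKET_ARN}/*", {"AWS": OAI_ARN})
# Constructed sample: a public-read policy, which using an OAI is meant to avoid.
POLICY_PUBLIC = _policy(f"{BUCKET_ARN}/*", "*")

if __name__ == "__main__":
    for name, pol in [("bucket-arn", POLICY_BUCKET_ARN), ("correct", POLICY_CORRECT), ("public", POLICY_PUBLIC)]:
        print(name, check_oai_policy(pol, BUCKET_ARN, OAI_ARN) or ["ok"])
```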