From 0d7de2d44e3b35a71a9b9b727933d3f2f99fd337 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Ol=C3=A1h?=
Date: Thu, 16 May 2024 18:37:34 +0200
Subject: [PATCH] SRE-12 - Migrate CF to S3 access from OAI to OAC and update S3 module version

---
 main.tf | 31 ++++++++++++++++++++-----------
 versions.tf | 2 +-
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/main.tf b/main.tf
index b387db4..804755a 100644
--- a/main.tf
+++ b/main.tf
@@ -28,12 +28,17 @@ module "certificate" {
 tags = local.tags
 }
 
-resource "aws_cloudfront_origin_access_identity" "this" {
- comment = "Access from CF to S3 - ${local.main_domain}"
+resource "aws_cloudfront_origin_access_control" "this" {
+ name = "Access from CF to S3 - ${local.main_domain}"
+ description = "Access from CF to S3 - ${local.main_domain}"
+ origin_access_control_origin_type = "s3"
+ signing_behavior = "always"
+ signing_protocol = "sigv4"
 }
 
 data "aws_iam_policy_document" "bucket_policy" {
 statement {
+ sid = "AllowCloudFrontServicePrincipalReadOnly"
 actions = [
 "s3:GetObject",
 ]
@@ -43,18 +48,25 @@ data "aws_iam_policy_document" "bucket_policy" {
 ]
 
 principals {
- type = "AWS"
+ type = "Service"
 identifiers = [
- aws_cloudfront_origin_access_identity.this.iam_arn,
+ "cloudfront.amazonaws.com",
 ]
 }
+
+ condition {
+ test = "StringEquals"
+ variable = "AWS:SourceArn"
+ values = [aws_cloudfront_distribution.this.arn]
+ }
+
+
 }
 }
 
 module "s3_bucket" {
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.15.1"
+ version = "4.1.2"
 
 bucket = var.s3_bucket_name
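Review bot: The new `condition` block in the second hunk makes the bucket policy depend on `aws_cloudfront_distribution.this.arn`, while the distribution's origin (third hunk of this file) depends on `module.s3_bucket.s3_bucket_bucket_regional_domain_name`; if the rendered policy document is passed into `module.s3_bucket` (the attachment is not visible in these hunks) that is a dependency cycle Terraform will refuse to plan, and the policy should instead be attached through a separate `aws_s3_bucket_policy` resource that references both. The cutover is also not staged: the OAI grant is dropped from the policy in the same apply that switches the distribution to OAC, and CloudFront propagation takes minutes, so edges still serving the OAI-backed config will get 403s from S3 until the update completes; keeping the OAI statement next to the new `AllowCloudFrontServicePrincipalReadOnly` statement for the first apply and removing it in a follow-up avoids that window. Minor: the OAC `name` was copied from the OAI `comment`, but the OAC name has a tighter length limit (64 characters, if I recall the API correctly), so a long `local.main_domain` would fail at apply time. The `module "s3_bucket"` block continues past the end of the second hunk.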
@@ -92,12 +104,9 @@ resource "aws_cloudfront_distribution" "this" {
 comment = local.main_domain
 
 origin {
- domain_name = module.s3_bucket.s3_bucket_bucket_regional_domain_name
- origin_id = var.s3_bucket_name
-
- s3_origin_config {
- origin_access_identity = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
- }
+ domain_name = module.s3_bucket.s3_bucket_bucket_regional_domain_name
+ origin_id = var.s3_bucket_name
+ origin_access_control_id = aws_cloudfront_origin_access_control.this.id
 }
 
 dynamic "origin" {
diff --git a/versions.tf b/versions.tf
index 66024cf..5138f14 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 5.27"
 configuration_aliases = [aws.us_east_1]
 }
 }
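Review bot: `origin_access_control_id` only gives CloudFront a SigV4 identity; if the bucket objects are SSE-KMS encrypted (not visible in this hunk), the KMS key policy must also allow `kms:Decrypt` to `cloudfront.amazonaws.com` under the same `AWS:SourceArn` condition the bucket policy uses, or reads will fail with 403 as soon as the distribution update propagates. That coupling is easy to lose track of, so a comment on the origin block would help, e.g. `# OAC: CloudFront signs S3 requests with SigV4; the bucket policy (and KMS key policy, if any) must trust cloudfront.amazonaws.com scoped to this distribution's ARN`. The `aws_cloudfront_distribution.this` resource starts before and ends after this hunk.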