Add origin-access-control module

.github/labeler.yaml

@@ -3,6 +3,8 @@
 - modules/distribution/**/*
 ":floppy_disk: cache-policy":
 - modules/cache-policy/**/*
+":floppy_disk: origin-access-control":
+- modules/origin-access-control/**/*
 ":floppy_disk: origin-request-policy":
 - modules/origin-request-policy/**/*
 ":floppy_disk: response-headers-policy":

.github/labels.yaml

@@ -46,6 +46,9 @@
 - color: "fbca04"
   description: "This issue or pull request is related to cache-policy module."
   name: ":floppy_disk: cache-policy"
+- color: "fbca04"
+  description: "This issue or pull request is related to origin-access-control module."
+  name: ":floppy_disk: origin-access-control"
 - color: "fbca04"
   description: "This issue or pull request is related to origin-request-policy module."
   name: ":floppy_disk: origin-request-policy"

README.md

@@ -8,6 +8,7 @@ Terraform module which creates CloudFront related resources on AWS.
 
 - [cache-policy](./modules/cache-policy)
 - [distribution](./modules/distribution)
+- [origin-access-control](./modules/origin-access-control)
 - [origin-request-policy](./modules/origin-request-policy)
 - [response-headers-policy](./modules/response-headers-policy)
 
@@ -19,6 +20,8 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
 - **AWS CloudFront**
   - Distribution
   - Real-time Log Configuration (Comming soon!)
+  - Origin Access
+    - Origin Access Control
   - Policies
     - Cache Policy
     - Origin Request Policy

modules/origin-access-control/README.md

@@ -0,0 +1,51 @@
+# origin-access-control
+
+This module creates following resources.
+
+- `aws_cloudfront_origin_access_control`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.19 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.26.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | (Required) A name to identify the origin access control. | `string` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | (Optional) A description of the origin access control. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_origin_type"></a> [origin\_type](#input\_origin\_type) | (Optional) The type of origin that this origin access control is for. Valid values are `S3` and `MEDIASTORE`. Defaults to `S3`. | `string` | `"S3"` | no |
+| <a name="input_signing_behavior"></a> [signing\_behavior](#input\_signing\_behavior) | (Optional) Specify which requests CloudFront signs (adds authentication information to). Valid values are `ALWAYS`, `NEVER`, `NO_OVERRIDE`. Defaults to `ALWAYS`.<br>    `ALWAYS` - CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.<br>    `NEVER` - CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.<br>    `NO_OVERRIDE` - If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. If the viewer request contains the Authorization header, then CloudFront doesn't sign the origin request and instead passes along the Authorization header from the viewer request. | `string` | `"ALWAYS"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_description"></a> [description](#output\_description) | The description of the origin access control. |
+| <a name="output_etag"></a> [etag](#output\_etag) | The current version of the origin access control. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the origin access control. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the CloudFront origin access control. |
+| <a name="output_origin_type"></a> [origin\_type](#output\_origin\_type) | The type of origin that this origin access control is for. |
+| <a name="output_signing_behavior"></a> [signing\_behavior](#output\_signing\_behavior) | Specify which requests CloudFront signs (adds authentication information to). |
+| <a name="output_signing_protocol"></a> [signing\_protocol](#output\_signing\_protocol) | The signing protocol of the origin access control. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/origin-access-control/main.tf

@@ -0,0 +1,30 @@
+locals {
+  metadata = {
+    package = "terraform-aws-cloudfront"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+}
+
+locals {
+  signing_behaviors = {
+    "ALWAYS"      = "always"
+    "NEVER"       = "never"
+    "NO_OVERRIDE" = "no-override"
+  }
+}
+
+
+###################################################
+# Origin Access Control for CloudFront Distribution
+###################################################
+
+resource "aws_cloudfront_origin_access_control" "this" {
+  name        = var.name
+  description = var.description
+
+  origin_access_control_origin_type = lower(var.origin_type)
+  signing_behavior                  = local.signing_behaviors[var.signing_behavior]
+  signing_protocol                  = "sigv4"
+}

modules/origin-access-control/outputs.tf

@@ -0,0 +1,37 @@
+output "id" {
+  description = "The ID of the origin access control."
+  value       = aws_cloudfront_origin_access_control.this.id
+}
+
+output "etag" {
+  description = "The current version of the origin access control."
+  value       = aws_cloudfront_origin_access_control.this.etag
+}
+
+output "name" {
+  description = "The name of the CloudFront origin access control."
+  value       = aws_cloudfront_origin_access_control.this.name
+}
+
+output "description" {
+  description = "The description of the origin access control."
+  value       = aws_cloudfront_origin_access_control.this.description
+}
+
+output "origin_type" {
+  description = "The type of origin that this origin access control is for."
+  value       = upper(aws_cloudfront_origin_access_control.this.origin_access_control_origin_type)
+}
+
+output "signing_behavior" {
+  description = "Specify which requests CloudFront signs (adds authentication information to)."
+  value = {
+    for k, v in local.signing_behaviors :
+    v => k
+  }[aws_cloudfront_origin_access_control.this.signing_behavior]
+}
+
+output "signing_protocol" {
+  description = "The signing protocol of the origin access control."
+  value       = upper(aws_cloudfront_origin_access_control.this.signing_protocol)
+}

modules/origin-access-control/variables.tf

@@ -0,0 +1,41 @@
+variable "name" {
+  description = "(Required) A name to identify the origin access control."
+  type        = string
+  nullable    = false
+}
+
+variable "description" {
+  description = "(Optional) A description of the origin access control."
+  type        = string
+  default     = "Managed by Terraform."
+  nullable    = false
+}
+
+variable "origin_type" {
+  description = "(Optional) The type of origin that this origin access control is for. Valid values are `S3` and `MEDIASTORE`. Defaults to `S3`."
+  type        = string
+  default     = "S3"
+  nullable    = false
+
+  validation {
+    condition     = contains(["S3", "MEDIASTORE"], var.origin_type)
+    error_message = "Valid values for `origin_type` are `S3` and `MEDIASTORE`."
+  }
+}
+
+variable "signing_behavior" {
+  description = <<EOF
+  (Optional) Specify which requests CloudFront signs (adds authentication information to). Valid values are `ALWAYS`, `NEVER`, `NO_OVERRIDE`. Defaults to `ALWAYS`.
+    `ALWAYS` - CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.
+    `NEVER` - CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.
+    `NO_OVERRIDE` - If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. If the viewer request contains the Authorization header, then CloudFront doesn't sign the origin request and instead passes along the Authorization header from the viewer request.
+  EOF
+  type        = string
+  default     = "ALWAYS"
+  nullable    = false
+
+  validation {
+    condition     = contains(["ALWAYS", "NEVER", "NO_OVERRIDE"], var.signing_behavior)
+    error_message = "Valid values for `signing_behavior` are `ALWAYS`, `NEVER` and `NO_OVERRIDE`."
+  }
+}

modules/origin-access-control/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.19"
+    }
+  }
+}