diff --git a/.github/labeler.yaml b/.github/labeler.yaml
index f6a9376..2628d4d 100644
--- a/.github/labeler.yaml
+++ b/.github/labeler.yaml
@@ -3,6 +3,8 @@
 - modules/distribution/**/*
 ":floppy_disk: cache-policy":
 - modules/cache-policy/**/*
+":floppy_disk: origin-access-control":
+- modules/origin-access-control/**/*
 ":floppy_disk: origin-request-policy":
 - modules/origin-request-policy/**/*
 ":floppy_disk: response-headers-policy":
diff --git a/.github/labels.yaml b/.github/labels.yaml
index 13428e8..7ea5502 100644
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -46,6 +46,9 @@
 - color: "fbca04"
   description: "This issue or pull request is related to cache-policy module."
   name: ":floppy_disk: cache-policy"
+- color: "fbca04"
+  description: "This issue or pull request is related to origin-access-control module."
+  name: ":floppy_disk: origin-access-control"
 - color: "fbca04"
   description: "This issue or pull request is related to origin-request-policy module."
   name: ":floppy_disk: origin-request-policy"
diff --git a/README.md b/README.md
index eb25ce9..527b028 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ Terraform module which creates CloudFront related resources on AWS.
 - [cache-policy](./modules/cache-policy)
 - [distribution](./modules/distribution)
+- [origin-access-control](./modules/origin-access-control)
 - [origin-request-policy](./modules/origin-request-policy)
 - [response-headers-policy](./modules/response-headers-policy)
@@ -19,6 +20,8 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
 - **AWS CloudFront**
   - Distribution
   - Real-time Log Configuration (Comming soon!)
+  - Origin Access
+    - Origin Access Control
   - Policies
     - Cache Policy
     - Origin Request Policy
diff --git a/modules/origin-access-control/README.md b/modules/origin-access-control/README.md
new file mode 100644
index 0000000..5568ae9
--- /dev/null
+++ b/modules/origin-access-control/README.md
@@ -0,0 +1,51 @@
+# origin-access-control
+
+This module creates following resources.
+
+- `aws_cloudfront_origin_access_control`
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.6 |
+| [aws](#requirement\_aws) | >= 5.19 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 5.26.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [name](#input\_name) | (Required) A name to identify the origin access control. | `string` | n/a | yes |
+| [description](#input\_description) | (Optional) A description of the origin access control. | `string` | `"Managed by Terraform."` | no |
+| [origin\_type](#input\_origin\_type) | (Optional) The type of origin that this origin access control is for. Valid values are `S3` and `MEDIASTORE`. Defaults to `S3`. | `string` | `"S3"` | no |
+| [signing\_behavior](#input\_signing\_behavior) | (Optional) Specify which requests CloudFront signs (adds authentication information to). Valid values are `ALWAYS`, `NEVER`, `NO_OVERRIDE`. Defaults to `ALWAYS`.
`ALWAYS` - CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.
`NEVER` - CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.
`NO_OVERRIDE` - If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. If the viewer request contains the Authorization header, then CloudFront doesn't sign the origin request and instead passes along the Authorization header from the viewer request. | `string` | `"ALWAYS"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [description](#output\_description) | The description of the origin access control. |
+| [etag](#output\_etag) | The current version of the origin access control. |
+| [id](#output\_id) | The ID of the origin access control. |
+| [name](#output\_name) | The name of the CloudFront origin access control. |
+| [origin\_type](#output\_origin\_type) | The type of origin that this origin access control is for. |
+| [signing\_behavior](#output\_signing\_behavior) | Specify which requests CloudFront signs (adds authentication information to). |
+| [signing\_protocol](#output\_signing\_protocol) | The signing protocol of the origin access control. |
+
diff --git a/modules/origin-access-control/main.tf b/modules/origin-access-control/main.tf
new file mode 100644
index 0000000..cb4f56b
--- /dev/null
+++ b/modules/origin-access-control/main.tf
@@ -0,0 +1,30 @@
+locals {
+  metadata = {
+    package = "terraform-aws-cloudfront"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module = basename(path.module)
+    name = var.name
+  }
+}
+
+locals {
+  signing_behaviors = {
+    "ALWAYS" = "always"
+    "NEVER" = "never"
+    "NO_OVERRIDE" = "no-override"
+  }
+}
+
+
+###################################################
+# Origin Access Control for CloudFront Distribution
+###################################################
+
+resource "aws_cloudfront_origin_access_control" "this" {
+  name = var.name
+  description = var.description
+
+  origin_access_control_origin_type = lower(var.origin_type)
+  signing_behavior = local.signing_behaviors[var.signing_behavior]
+  signing_protocol = "sigv4"
+}
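Review bot: `signing_behavior = local.signing_behaviors[var.signing_behavior]` in the resource block lets a caller pass `NEVER`, which — as the module's own README in this diff states — switches signing off for every distribution that references this OAC, so the origin is then protected only by whatever its own bucket policy allows; that consequence deserves a comment on the line, e.g. `# "never" disables origin access control for every distribution using this OAC; the origin must then rely on its own access policy.` Likewise `NO_OVERRIDE` forwards a viewer-supplied `Authorization` header to the origin instead of CloudFront's own SigV4 signature, so it is only appropriate when the origin is meant to authenticate viewers itself, and a one-line note saying so would keep a reader from treating it as a safe default. As far as I can tell the OAC resource alone does not restrict access to the origin — the S3 bucket policy still has to grant the CloudFront service principal scoped to the distribution — so a short header comment noting that this module does not manage the bucket policy would help users. `local.metadata` is defined at the top of the file but never referenced by the resource (the OAC resource carries no tags), so it looks like boilerplate carried over from sibling modules and could be dropped or explained.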
diff --git a/modules/origin-access-control/outputs.tf b/modules/origin-access-control/outputs.tf
new file mode 100644
index 0000000..90075ad
--- /dev/null
+++ b/modules/origin-access-control/outputs.tf
@@ -0,0 +1,37 @@
+output "id" {
+  description = "The ID of the origin access control."
+  value = aws_cloudfront_origin_access_control.this.id
+}
+
+output "etag" {
+  description = "The current version of the origin access control."
+  value = aws_cloudfront_origin_access_control.this.etag
+}
+
+output "name" {
+  description = "The name of the CloudFront origin access control."
+  value = aws_cloudfront_origin_access_control.this.name
+}
+
+output "description" {
+  description = "The description of the origin access control."
+  value = aws_cloudfront_origin_access_control.this.description
+}
+
+output "origin_type" {
+  description = "The type of origin that this origin access control is for."
+  value = upper(aws_cloudfront_origin_access_control.this.origin_access_control_origin_type)
+}
+
+output "signing_behavior" {
+  description = "Specify which requests CloudFront signs (adds authentication information to)."
+  value = {
+    for k, v in local.signing_behaviors :
+    v => k
+  }[aws_cloudfront_origin_access_control.this.signing_behavior]
+}
+
+output "signing_protocol" {
+  description = "The signing protocol of the origin access control."
+  value = upper(aws_cloudfront_origin_access_control.this.signing_protocol)
+}
diff --git a/modules/origin-access-control/variables.tf b/modules/origin-access-control/variables.tf
new file mode 100644
index 0000000..00138b7
--- /dev/null
+++ b/modules/origin-access-control/variables.tf
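Review bot: The `signing_behavior` output rebuilds the inverse of `local.signing_behaviors` as an inline `for` comprehension and indexes it, which fails with an invalid-index error should the provider ever report a value outside the three mapped keys, whereas the sibling `origin_type` and `signing_protocol` outputs simply `upper()` whatever the provider returns. For symmetry and resilience, `value = upper(replace(aws_cloudfront_origin_access_control.this.signing_behavior, "-", "_"))` yields the same `ALWAYS`/`NEVER`/`NO_OVERRIDE` strings without the lookup. The output's description `"Specify which requests CloudFront signs ..."` is copied from the input and reads as an instruction; `"Which requests CloudFront signs (adds authentication information to)."` fits an output better.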
@@ -0,0 +1,41 @@
+variable "name" {
+  description = "(Required) A name to identify the origin access control."
+  type = string
+  nullable = false
+}
+
+variable "description" {
+  description = "(Optional) A description of the origin access control."
+  type = string
+  default = "Managed by Terraform."
+  nullable = false
+}
+
+variable "origin_type" {
+  description = "(Optional) The type of origin that this origin access control is for. Valid values are `S3` and `MEDIASTORE`. Defaults to `S3`."
+  type = string
+  default = "S3"
+  nullable = false
+
+  validation {
+    condition = contains(["S3", "MEDIASTORE"], var.origin_type)
+    error_message = "Valid values for `origin_type` are `S3` and `MEDIASTORE`."
+  }
+}
+
+variable "signing_behavior" {
+  description = <