Tags: amazon-web-services, amazon-s3, terraform, amazon-iam, amazon-cloudfront

Terraform plan shows changes for CanonicalUser that are already applied


I have an IAM policy that allows my CloudFront distribution to read and list objects in my S3 bucket, specified as follows:

[...]

    Effect = "Allow"
    Principal = {
      "CanonicalUser" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
    Action = [
      "s3:GetObject",
      "s3:ListBucket"
    ]

[...]

With this already applied, any time I run terraform plan again, changes appear with regard to that Principal / CanonicalUser, which is pretty inconvenient as it blurs the rest of the output.

Any solution to that?


Solution

  • I managed to solve it by replacing the CanonicalUser in the Terraform configuration with an AWS type identifier:

    So my policy above becomes instead:

    Principal = {
      "AWS" : "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
    }


    With this, the plan shows no changes when nothing has changed.
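The reason the answer works is that S3 stores an Origin Access Identity principal in the ARN form (arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>), so a bucket policy written with the CanonicalUser form never matches what is read back, and every plan shows a diff. Rather than paste the ARN by hand, the idiomatic fix is to let Terraform derive it from the OAI resource's iam_arn attribute. The configuration below is an added example, not the poster's code; the bucket name "example-private-origin", the resource labels, and the omitted provider block are assumptions.

```hcl
# Added example, not from the original question or answer.
# Assumed: bucket name "example-private-origin", labels "origin" and "oai",
# and a configured AWS provider (omitted here).

resource "aws_s3_bucket" "origin" {
  bucket = "example-private-origin"
}

# The origin is reached only through CloudFront, so lock out public access entirely.
resource "aws_s3_bucket_public_access_block" "origin" {
  bucket                  = aws_s3_bucket.origin.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_cloudfront_origin_access_identity" "oai" {
  comment = "OAI for example-private-origin"
}

data "aws_iam_policy_document" "origin" {
  # Object reads: the resource is the object path, not the bucket itself.
  statement {
    sid    = "AllowCloudFrontGetObject"
    effect = "Allow"
    principals {
      type = "AWS"
      # iam_arn renders the ARN form AWS stores, so plan stays clean after apply.
      identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.origin.arn}/*"]
  }

  # Listing: s3:ListBucket must be granted on the bucket ARN (no trailing /*),
  # otherwise the statement is silently ineffective.
  statement {
    sid    = "AllowCloudFrontListBucket"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.origin.arn]
  }
}

resource "aws_s3_bucket_policy" "origin" {
  bucket = aws_s3_bucket.origin.id
  policy = data.aws_iam_policy_document.origin.json
}
```

On the CloudFront side, the distribution's S3 origin references the same identity through aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path in its s3_origin_config block. Two caveats worth knowing: granting s3:ListBucket to the OAI is optional and only changes what a viewer sees for a missing key (a 404 instead of a 403), so drop the second statement if enumerating keys behind CloudFront is not wanted; and OAI is the legacy mechanism, with AWS now recommending Origin Access Control, whose bucket policy uses the cloudfront.amazonaws.com service principal restricted by an AWS:SourceArn condition on the distribution ARN rather than a per-identity user ARN.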