I am working through the well known Cloud Resume Challenge and have a lot of my AWS setup automated with Terraform now, but I am stuck on the OAC portion of the CloudFront distribution setup and haven't found much online/in documentation. Here's my current Terraform script:
locals {
  # Regional S3 endpoint, reused as the origin domain name, origin ID and OAC name
  s3_origin_id = aws_s3_bucket.gjd_crc_prod_bucket.bucket_regional_domain_name
}

resource "aws_cloudfront_origin_access_control" "crc_cf_oac" {
  name                              = local.s3_origin_id
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "crc_prod_cfdist" {
  origin {
    # s3_origin_config.origin_access_identity expects a legacy OAI; passing an
    # OAC ID here is what produces the InvalidOriginAccessIdentity error below
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_control.crc_cf_oac.id
    }
    domain_name = local.s3_origin_id
    origin_id   = local.s3_origin_id
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  default_cache_behavior {
    # AWS managed CachingOptimized cache policy
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = local.s3_origin_id
    viewer_protocol_policy = "https-only"
    compress               = true
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }
}
The error I am getting when I go to apply via Terraform:
aws_cloudfront_distribution.crc_prod_cfdist: Modifying... [id=E2F87SH1SP8PTO]
╷
│ Error: updating CloudFront Distribution (E2F87SH1SP8PTO): InvalidOriginAccessIdentity: The specified origin access identity does not exist or is not valid.
│ status code: 400, request id: 927f5e89-4ee0-4fa0-99c6-776547f41e03
│
│ with aws_cloudfront_distribution.crc_prod_cfdist,
│ on cloudfront.tf line 12, in resource "aws_cloudfront_distribution" "crc_prod_cfdist":
│ 12: resource "aws_cloudfront_distribution" "crc_prod_cfdist" {
│
╵
All of the documentation I can find (which is not much tbh) says that OAC should be as simple as establishing an OAC resource and then referencing the ID of said resource in the distribution, but it's acting like it doesn't exist/hasn't been created yet.
Any thoughts? I hate to have to resort to legacy/deprecated options.
Edit: wanted to add that this is just the CloudFront.tf script. I'm not sure what proper protocol is but I like keeping the services in separate scripts for readability. Happy to share any others if it seems necessary (such as the S3 bucket script which is fully functional)
Edit: SOLVED. Here's the updated code that uses an OAC resource but referenced using OAI:
resource "aws_cloudfront_distribution" "crc_prod_cfdist" {
  origin {
    # OAC is attached at the origin level; the s3_origin_config block is gone
    origin_access_control_id = aws_cloudfront_origin_access_control.crc_cf_oac.id
    domain_name              = local.s3_origin_id
    origin_id                = local.s3_origin_id
  }
  # remaining blocks (default_cache_behavior, viewer_certificate, restrictions) unchanged
}
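As an added example, not code from the original question or the answer: the full OAC wiring for a private S3 origin, including the piece the question's cloudfront.tf does not show, the bucket policy that lets the CloudFront service principal read objects only when the request is signed on behalf of this one distribution. The `InvalidOriginAccessIdentity` error comes from putting an OAC ID into `s3_origin_config.origin_access_identity`, which expects a legacy OAI; with OAC the reference belongs at the origin level as `origin_access_control_id`. Resource names `gjd_crc_prod_bucket`, `crc_cf_oac` and `crc_prod_cfdist` follow the question's script; the policy, public-access-block and data-source names, the OAC name and the origin ID are assumptions, as is an AWS provider version that supports `origin_access_control_id`.

```hcl
# Added example (not the question's or answer's code). Names for the bucket
# policy, public access block and IAM policy document are assumptions.

resource "aws_cloudfront_origin_access_control" "crc_cf_oac" {
  name                              = "crc-prod-s3-oac"   # assumed name
  description                       = "OAC for the CRC production bucket"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"            # sign every origin request
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "crc_prod_cfdist" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.gjd_crc_prod_bucket.bucket_regional_domain_name
    origin_id   = "crc-prod-s3"                           # assumed origin ID
    # OAC attaches here; no s3_origin_config block for an OAC-protected origin
    origin_access_control_id = aws_cloudfront_origin_access_control.crc_cf_oac.id
  }

  default_cache_behavior {
    target_origin_id       = "crc-prod-s3"
    viewer_protocol_policy = "https-only"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    # AWS managed CachingOptimized policy (same ID the question uses)
    cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

# Keep the bucket private so the policy below is the only grant that applies.
resource "aws_s3_bucket_public_access_block" "crc_prod_bucket_pab" {
  bucket                  = aws_s3_bucket.gjd_crc_prod_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Allow only the CloudFront service principal, and only for requests made on
# behalf of this distribution. Without the AWS:SourceArn condition, any
# CloudFront distribution in any account could read the bucket.
data "aws_iam_policy_document" "crc_prod_bucket_oac" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.gjd_crc_prod_bucket.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.crc_prod_cfdist.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "crc_prod_bucket_policy" {
  bucket = aws_s3_bucket.gjd_crc_prod_bucket.id
  policy = data.aws_iam_policy_document.crc_prod_bucket_oac.json
}
```

There is no dependency cycle: the distribution references only the bucket, while the bucket policy references both the bucket and the distribution, so Terraform creates the distribution first and then attaches the policy carrying its ARN. A policy that grants a service principal under an `AWS:SourceArn` condition does not count as public, so it is accepted even with `block_public_policy = true`. After `terraform apply`, a direct request to the bucket's S3 URL should return 403 while the same object is served through the distribution's domain; if the CloudFront URL also returns 403, the bucket policy is the first thing to check.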
Instead of aws_cloudfront_origin_access_control, you should be using aws_cloudfront_origin_access_identity.