Add var.create_cloudfront_origin_access_identity

In some circumstances, it wasn't possible to automatically determine if an Origin Access Identity should be created. Because of this, Terraform requires us to always explicitly specify if the OAI should be created.
cloudposse · Aug 29, 2022 · 36035c2 · 36035c2
1 parent 2802ae3
commit 36035c2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/main.tf b/main.tf
@@ -9,7 +9,7 @@ locals {
   s3_access_logging_enabled = local.enabled && (var.s3_access_logging_enabled == null ? length(var.s3_access_log_bucket_name) > 0 : var.s3_access_logging_enabled)
   create_cf_log_bucket      = local.cloudfront_access_logging_enabled && local.cloudfront_access_log_create_bucket
 
-  create_cloudfront_origin_access_identity = local.enabled && length(compact([var.cloudfront_origin_access_identity_iam_arn])) == 0 # "" or null
+  create_cloudfront_origin_access_identity = local.enabled && var.create_cloudfront_origin_access_identity
 
   origin_id   = module.this.id
   origin_path = coalesce(var.origin_path, "/")

diff --git a/variables.tf b/variables.tf
@@ -492,13 +492,13 @@ variable "deployment_actions" {
 variable "cloudfront_origin_access_identity_iam_arn" {
   type        = string
   default     = ""
-  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy"
+  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy. If you set this, you must also set `cloudfront_origin_access_identity_path` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "cloudfront_origin_access_identity_path" {
   type        = string
   default     = ""
-  description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content"
+  description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content. If you set this, you must also set `cloudfront_origin_access_identity_iam_arn` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "custom_origin_headers" {
@@ -662,3 +662,9 @@ variable "allow_ssl_requests_only" {
   default     = true
   description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
+
+variable "create_cloudfront_origin_access_identity" {
+  type = bool
+  default = true
+  description = "Set to `true` to create a CloudFront Origin Access Identity. You should disable this if you set `cloudfront_origin_access_identity_iam_arn` and `cloudfront_origin_access_identity_path`"
+}