Use Origin Access Control (#65)

Use Origin Access Control * Swap from Origin Access Identity to Origin Access Control * Bump version Issue #63
aws-samples · Aug 10, 2023 · 40e0877 · 40e0877
1 parent 2f5fe54
commit 40e0877
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 11 deletions.
diff --git a/templates/cloudfront-site.yaml b/templates/cloudfront-site.yaml
@@ -43,12 +43,14 @@ Resources:
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
-          - Action:
-              - s3:GetObject
+          - Action: s3:GetObject
+            Principal:
+              Service: 'cloudfront.amazonaws.com'
             Effect: Allow
             Resource: !Sub '${S3BucketRootArn}/*'
-            Principal:
-              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
+            Condition:
+              StringEquals:
+                'AWS:SourceArn': !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}'
 
   CloudFrontDistribution:
     Type: AWS::CloudFront::Distribution
@@ -86,8 +88,8 @@ Resources:
         Origins:
           - DomainName: !Ref 'S3BucketRootName'
             Id: !Sub 'S3-${AWS::StackName}-root'
-            S3OriginConfig:
-              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
+            OriginAccessControlId: !Ref OriginAccessControl
+            S3OriginConfig: {}
         PriceClass: 'PriceClass_All'
         ViewerCertificate:
           AcmCertificateArn: !Ref 'CertificateArn'
@@ -97,11 +99,14 @@ Resources:
         - Key: Solution
           Value: ACFS3
 
-  CloudFrontOriginAccessIdentity:
-    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
+  OriginAccessControl:
+    Type: AWS::CloudFront::OriginAccessControl
     Properties:
-      CloudFrontOriginAccessIdentityConfig:
-        Comment: !Sub 'CloudFront OAI for ${SubDomain}.${DomainName}'
+      OriginAccessControlConfig:
+        Name: !Sub 'oac-${AWS::StackName}-${AWS::Region}'
+        OriginAccessControlOriginType: s3
+        SigningBehavior: always
+        SigningProtocol: sigv4
 
   Route53RecordSetGroup:
     Type: AWS::Route53::RecordSetGroup

diff --git a/templates/main.yaml b/templates/main.yaml
@@ -13,7 +13,7 @@ Metadata:
 Mappings:
   Solution:
     Constants:
-      Version: 'v0.9'
+      Version: 'v0.10'
 
 Rules:
   OnlyUsEast1: