From 40e08772fbcb0d60af662ffc12582dbc0dbabe94 Mon Sep 17 00:00:00 2001
From: Connor Kirkpatrick
Date: Thu, 10 Aug 2023 12:43:08 +0100
Subject: [PATCH] Use Origin Access Control (#65)

Use Origin Access Control

* Swap from Origin Access Identity to Origin Access Control
* Bump version

Issue #63
---
 templates/cloudfront-site.yaml | 25 +++++++++++++++----------
 templates/main.yaml | 2 +-
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/templates/cloudfront-site.yaml b/templates/cloudfront-site.yaml
index 8c225d8..867ed29 100644
--- a/templates/cloudfront-site.yaml
+++ b/templates/cloudfront-site.yaml
@@ -43,12 +43,14 @@ Resources:
 PolicyDocument:
 Version: '2012-10-17'
 Statement:
- - Action:
- - s3:GetObject
+ - Action: s3:GetObject
+ Principal:
+ Service: 'cloudfront.amazonaws.com'
 Effect: Allow
 Resource: !Sub '${S3BucketRootArn}/*'
- Principal:
- CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
+ Condition:
+ StringEquals:
+ 'AWS:SourceArn': !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}'
 
 CloudFrontDistribution:
 Type: AWS::CloudFront::Distribution
@@ -86,8 +88,8 @@ Resources:
 Origins:
 - DomainName: !Ref 'S3BucketRootName'
 Id: !Sub 'S3-${AWS::StackName}-root'
- S3OriginConfig:
- OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
+ OriginAccessControlId: !Ref OriginAccessControl
+ S3OriginConfig: {}
 PriceClass: 'PriceClass_All'
 ViewerCertificate:
 AcmCertificateArn: !Ref 'CertificateArn'
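Review bot: The `Condition` on `AWS:SourceArn` is the only thing that narrows the `cloudfront.amazonaws.com` service principal to this one distribution — without it any CloudFront distribution in any AWS account could read the bucket — so it deserves a comment in the policy statement so a later edit does not drop it as noise: `# Restrict the CloudFront service principal to this distribution only; removing this Condition would let any distribution in any account read the bucket.` Two smaller points on the same statement: the partition is hard-coded where the rest of the template uses pseudo-parameters, so `arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}` would be the consistent form; and because only `s3:GetObject` is granted (no `s3:ListBucket`), requests for keys that do not exist presumably surface as 403 rather than 404 — that is the safer choice and worth stating in the same comment so nobody "fixes" it by adding ListBucket.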
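Review bot: `S3OriginConfig: {}` reads like leftover dead config next to the new `OriginAccessControlId`, and a future cleanup is likely to delete it; a trailing comment would prevent that: `S3OriginConfig: {}  # intentionally empty: OAC replaces the OAI that used to live here, but the key must still be present for an S3 origin`. Separately, OAC signs origin requests with SigV4, which only works against the bucket's REST endpoint, so the `S3BucketRootName` parameter (declared outside this hunk) has to remain a bucket REST endpoint rather than an S3 static-website endpoint — I cannot see its definition, so worth confirming and documenting on the parameter.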
@@ -97,11 +99,14 @@ Resources:
 - Key: Solution
 Value: ACFS3
 
- CloudFrontOriginAccessIdentity:
- Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
+ OriginAccessControl:
+ Type: AWS::CloudFront::OriginAccessControl
 Properties:
- CloudFrontOriginAccessIdentityConfig:
- Comment: !Sub 'CloudFront OAI for ${SubDomain}.${DomainName}'
+ OriginAccessControlConfig:
+ Name: !Sub 'oac-${AWS::StackName}-${AWS::Region}'
+ OriginAccessControlOriginType: s3
+ SigningBehavior: always
+ SigningProtocol: sigv4
 
 Route53RecordSetGroup:
 Type: AWS::Route53::RecordSetGroup
diff --git a/templates/main.yaml b/templates/main.yaml
index 713a29b..d158fe1 100644
--- a/templates/main.yaml
+++ b/templates/main.yaml
@@ -13,7 +13,7 @@ Metadata:
 Mappings:
 Solution:
 Constants:
- Version: 'v0.9'
+ Version: 'v0.10'
 
 Rules:
 OnlyUsEast1:
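Review bot: The new OAC drops the human-readable text the old OAI carried in `Comment`; `OriginAccessControlConfig` has a `Description` property, so keeping `Description: !Sub 'CloudFront OAC for ${SubDomain}.${DomainName}'` preserves that operator-facing context in the console. The generated `Name` concatenates stack name and region, and OAC names are, as far as I recall, limited to 64 characters and must be unique within the account, so a long stack name would fail at deploy time — worth a comment on the `Name` line or a shorter scheme. `SigningBehavior: always` is the right choice (CloudFront signs every origin request, overwriting any viewer-supplied Authorization header), and a one-line comment saying so would stop it being relaxed to `no-override` later.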