From dbb7e34eeb9f396003522fbee52f63f985826f70 Mon Sep 17 00:00:00 2001
From: wtho <thomas@wtho.de>
Date: Wed, 7 Oct 2020 14:09:55 +0200
Subject: [PATCH] feat(cloudfront-origins): customize origin access identity in
 s3origin (#10491)

Adds support for passing in a identity as it is possible in the CloudFrontWebDistribution

closes #9859


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../@aws-cdk/aws-cloudfront-origins/README.md |  2 +-
 .../aws-cloudfront-origins/lib/s3-origin.ts   | 13 ++++-
 .../test/integ.s3-origin-oai.expected.json    | 58 +++++++++++++++++++
 .../test/integ.s3-origin-oai.ts               | 18 ++++++
 .../test/s3-origin.test.ts                    | 19 +++++-
 5 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
 create mode 100644 packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts

diff --git a/packages/@aws-cdk/aws-cloudfront-origins/README.md b/packages/@aws-cdk/aws-cloudfront-origins/README.md
index 614a089247459..1fe19e77ebf1b 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/README.md
+++ b/packages/@aws-cdk/aws-cloudfront-origins/README.md
@@ -32,7 +32,7 @@ The above will treat the bucket differently based on if `IBucket.isWebsite` is s
 treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
 CloudFront's redirect and error handling will be used. In the latter case, the Origin wil create an origin access identity and grant it access to the
 underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly.
+URLs and not S3 URLs directly. Alternatively, a custom origin access identity can be passed to the S3 origin in the properties.
 
 ## ELBv2 Load Balancer
 
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
index 9159bc1f545ed..c6e0f83d0c15a 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
+++ b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
@@ -16,6 +16,12 @@ export interface S3OriginProps {
    * @default '/'
    */
   readonly originPath?: string;
+  /**
+   * An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+   *
+   * @default - An Origin Access Identity will be created.
+   */
+  readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
 }
 
 /**
@@ -50,10 +56,13 @@ export class S3Origin implements cloudfront.IOrigin {
  * Contains additional logic around bucket permissions and origin access identities.
  */
 class S3BucketOrigin extends cloudfront.OriginBase {
-  private originAccessIdentity!: cloudfront.OriginAccessIdentity;
+  private originAccessIdentity!: cloudfront.IOriginAccessIdentity;
 
-  constructor(private readonly bucket: s3.IBucket, props: S3OriginProps) {
+  constructor(private readonly bucket: s3.IBucket, { originAccessIdentity, ...props }: S3OriginProps) {
     super(bucket.bucketRegionalDomainName, props);
+    if (originAccessIdentity) {
+      this.originAccessIdentity = originAccessIdentity;
+    }
   }
 
   public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
new file mode 100644
index 0000000000000..7783c6d9da969
--- /dev/null
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
@@ -0,0 +1,58 @@
+{
+  "Resources": {
+    "Bucket83908E77": {
+      "Type": "AWS::S3::Bucket",
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
+    "OriginAccessIdentityDF1E3CAC": {
+      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+      "Properties": {
+        "CloudFrontOriginAccessIdentityConfig": {
+          "Comment": "Identity for bucket provided by test"
+        }
+      }
+    },
+    "Distribution830FAC52": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "DefaultCacheBehavior": {
+            "ForwardedValues": {
+              "QueryString": false
+            },
+            "TargetOriginId": "cloudfronts3originoaiDistributionOrigin1516C5A91",
+            "ViewerProtocolPolicy": "allow-all"
+          },
+          "Enabled": true,
+          "HttpVersion": "http2",
+          "IPV6Enabled": true,
+          "Origins": [
+            {
+              "DomainName": {
+                "Fn::GetAtt": [
+                  "Bucket83908E77",
+                  "RegionalDomainName"
+                ]
+              },
+              "Id": "cloudfronts3originoaiDistributionOrigin1516C5A91",
+              "S3OriginConfig": {
+                "OriginAccessIdentity": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "origin-access-identity/cloudfront/",
+                      {
+                        "Ref": "OriginAccessIdentityDF1E3CAC"
+                      }
+                    ]
+                  ]
+                }
+              }
+            }
+          ]
+        }
+      }
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts
new file mode 100644
index 0000000000000..d7331a160abcd
--- /dev/null
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts
@@ -0,0 +1,18 @@
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as s3 from '@aws-cdk/aws-s3';
+import * as cdk from '@aws-cdk/core';
+import * as origins from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oai');
+
+const bucket = new s3.Bucket(stack, 'Bucket');
+const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+  comment: 'Identity for bucket provided by test',
+});
+new cloudfront.Distribution(stack, 'Distribution', {
+  defaultBehavior: { origin: new origins.S3Origin(bucket, { originAccessIdentity }) },
+});
+
+app.synth();
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
index 7545135e4fb0e..75770ce250ce1 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
@@ -34,7 +34,7 @@ describe('With bucket', () => {
     });
   });
 
-  test('can customize properties', () => {
+  test('can customize originPath property', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');
 
     const origin = new S3Origin(bucket, { originPath: '/assets' });
@@ -56,6 +56,23 @@ describe('With bucket', () => {
     });
   });
 
+  test('can customize OriginAccessIdentity property', () => {
+    const bucket = new s3.Bucket(stack, 'Bucket');
+
+    const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+      comment: 'Identity for bucket provided by test',
+    });
+
+    const origin = new S3Origin(bucket, { originAccessIdentity });
+    new cloudfront.Distribution(stack, 'Dist', { defaultBehavior: { origin } });
+
+    expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
+      CloudFrontOriginAccessIdentityConfig: {
+        Comment: 'Identity for bucket provided by test',
+      },
+    });
+  });
+
   test('creates an OriginAccessIdentity and grants read permissions on the bucket', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');