aws.cloudfront-origin-access-control resource

Description

OriginAccessControl manages a CloudFront origin access control (OAC): the signed identity a distribution uses to reach a private origin, such as an S3 bucket that blocks public access. All five settings live in one config struct and reconcile in place, so no field forces a replace. CloudFront guards each update and delete with the config's current version, an ETag, which the API returns only from a read, not from the create. The create therefore routes through a read to learn the ETag, and the ETag is exposed as an output that the update and delete pass back as the IfMatch concurrency token. A stale ETag is rejected by CloudFront, so a reconciler cannot silently overwrite a change another writer made in the meantime; it must read again and decide whether that change should stand.

Source: internal/service/cloudfront/origin_access_control_rsrc.go:23
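The create-then-read and IfMatch flow described above, as an added worked example in Go. This is not the project's code: it uses a constructed in-memory stand-in for the four CloudFront OAC calls (with a create response that carries no ETag, as the description notes), and the Config, Outputs and function names are assumptions. The scenario it exercises is the security-relevant one: a second writer weakens signing-behavior to never, and the first writer's update with its now-stale ETag is rejected instead of quietly restoring its own view of the config.

```go
package main

import (
	"errors"
	"fmt"
)

// Config holds the five OAC settings (field names are assumptions).
type Config struct {
	Name, Description, OriginType, SigningBehavior, SigningProtocol string
}

// Outputs mirrors the resource's two outputs: the OAC id and the ETag
// that later update and delete calls pass back as IfMatch.
type Outputs struct {
	ID, ETag string
}

// Stand-ins for the errors CloudFront returns for a mismatched IfMatch
// and for an unknown id.
var (
	ErrPreconditionFailed = errors.New("PreconditionFailed: IfMatch does not match the current ETag")
	ErrNotFound           = errors.New("NoSuchOriginAccessControl")
)

// fakeCloudFront is a constructed in-memory model of the OAC API. Every
// successful write assigns a fresh ETag; create returns only an id.
type fakeCloudFront struct {
	configs map[string]Config
	etags   map[string]string
	seq     int
}

func newFakeCloudFront() *fakeCloudFront {
	return &fakeCloudFront{configs: map[string]Config{}, etags: map[string]string{}}
}

func (f *fakeCloudFront) bump(id string) string {
	f.seq++
	f.etags[id] = fmt.Sprintf("ETAG%04d", f.seq)
	return f.etags[id]
}

// CreateOriginAccessControl answers with an id and, as in the description,
// no ETag; the caller has to read the config back to learn it.
func (f *fakeCloudFront) CreateOriginAccessControl(c Config) string {
	id := fmt.Sprintf("E%06d", len(f.configs)+1)
	f.configs[id] = c
	f.bump(id)
	return id
}

func (f *fakeCloudFront) GetOriginAccessControl(id string) (Config, string, error) {
	c, ok := f.configs[id]
	if !ok {
		return Config{}, "", ErrNotFound
	}
	return c, f.etags[id], nil
}

func (f *fakeCloudFront) UpdateOriginAccessControl(id string, c Config, ifMatch string) (string, error) {
	if _, ok := f.configs[id]; !ok {
		return "", ErrNotFound
	}
	if ifMatch != f.etags[id] {
		return "", ErrPreconditionFailed // stale token: refuse, do not overwrite
	}
	f.configs[id] = c
	return f.bump(id), nil
}

func (f *fakeCloudFront) DeleteOriginAccessControl(id, ifMatch string) error {
	if _, ok := f.configs[id]; !ok {
		return ErrNotFound
	}
	if ifMatch != f.etags[id] {
		return ErrPreconditionFailed
	}
	delete(f.configs, id)
	delete(f.etags, id)
	return nil
}

// Create provisions the OAC and immediately reads it back, because the
// ETag that update and delete need is only available from a read.
func Create(api *fakeCloudFront, c Config) (Outputs, error) {
	id := api.CreateOriginAccessControl(c)
	_, etag, err := api.GetOriginAccessControl(id)
	if err != nil {
		return Outputs{}, err
	}
	return Outputs{ID: id, ETag: etag}, nil
}

// Update sends the full config with the last-seen ETag as IfMatch and
// returns the new ETag. A stale ETag is surfaced to the caller, who must
// re-read before retrying rather than blindly forcing the write.
func Update(api *fakeCloudFront, out Outputs, c Config) (Outputs, error) {
	etag, err := api.UpdateOriginAccessControl(out.ID, c, out.ETag)
	if err != nil {
		return out, err
	}
	return Outputs{ID: out.ID, ETag: etag}, nil
}

func Delete(api *fakeCloudFront, out Outputs) error {
	return api.DeleteOriginAccessControl(out.ID, out.ETag)
}

func main() {
	api := newFakeCloudFront()
	cfg := Config{Name: "private-s3-origin", OriginType: "s3", SigningBehavior: "always", SigningProtocol: "sigv4"}
	out, _ := Create(api, cfg)
	fmt.Println("created", out.ID, "with etag", out.ETag)

	// Another writer reads the current ETag and turns signing off.
	_, theirETag, _ := api.GetOriginAccessControl(out.ID)
	weak := cfg
	weak.SigningBehavior = "never"
	api.UpdateOriginAccessControl(out.ID, weak, theirETag)

	// Our reconciler still holds the original ETag: its write is refused,
	// which is what exposes the drift instead of hiding it.
	cfg.Description = "assets bucket"
	if _, err := Update(api, out, cfg); errors.Is(err, ErrPreconditionFailed) {
		cur, fresh, _ := api.GetOriginAccessControl(out.ID)
		fmt.Println("stale etag rejected; current signing-behavior is", cur.SigningBehavior)
		out.ETag = fresh // re-read, then retry with the current token
		out, _ = Update(api, out, cfg)
		fmt.Println("retry succeeded, new etag", out.ETag)
	}
	fmt.Println("delete:", Delete(api, out))
}
```

The point of surfacing ErrPreconditionFailed rather than looping until the write lands is that the rejected write is the only signal that someone else changed the signing settings; a reconciler that re-reads and retries automatically should at least log the drift it observed.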

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.cloudfront-origin-access-control {
    # All inputs shown; the three enumerated fields accept only the values
    # listed under Input Constraints. Signing every request with SigV4 is the
    # usual choice for an S3 origin that blocks public access.
    name: 'private-s3-origin'
    description: 'OAC for the private assets bucket'
    origin-access-control-origin-type: 's3'
    signing-behavior: 'always'
    signing-protocol: 'sigv4'
  }
}

Inputs

name

string

required

Name identifies the origin access control. CloudFront limits it to 64 characters. The bound is checked in validate rather than in the constraint layer, because the constraint layer counts bytes while CloudFront counts characters; a name of multi-byte characters that CloudFront accepts would otherwise be refused before it was ever sent.

description

optional(string)

Description is optional but always sent, defaulting to the empty string, because CloudFront expects the field to be present in the config. It is at most 256 characters, checked in validate for the same byte-versus-character reason as the name.

origin-access-control-origin-type

string

required

The kind of origin the control signs requests to: s3, mediastore, mediapackagev2, or lambda (a Lambda function URL). See Input Constraints.

signing-behavior

string

required

When CloudFront signs origin requests: always signs every request and replaces any Authorization header the viewer sent; never disables signing, which leaves the origin reachable only if it is itself public; no-override signs unless the viewer request already carries an Authorization header, in which case that header is passed through unsigned. See Input Constraints.

signing-protocol

string

required

The signing protocol. Only sigv4 is accepted. See Input Constraints.

Input Constraints

Origin access control origin type rules

origin-access-control-origin-type must be one of s3, mediastore, mediapackagev2, lambda.

Rule logic
Require
input.origin-access-control-origin-type == 's3'
|| input.origin-access-control-origin-type == 'mediastore'
|| input.origin-access-control-origin-type == 'mediapackagev2'
|| input.origin-access-control-origin-type == 'lambda'

Signing behavior rules

signing-behavior must be one of never, always, no-override.

Rule logic
Require
input.signing-behavior == 'never'
|| input.signing-behavior == 'always'
|| input.signing-behavior == 'no-override'

Signing protocol rules

signing-protocol must be sigv4.

Rule logic
Require
input.signing-protocol == 'sigv4'
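The validate step the inputs above describe (character-counted length limits for name and description, plus the three enumerations), as an added example in Go. It is not the project's validate function; the struct and function names are assumptions. It uses utf8.RuneCountInString so that the limits are applied to characters, and the sample name is constructed to be exactly 64 characters but 128 bytes, the case a byte-counting check would wrongly reject.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// OriginAccessControlConfig mirrors the resource's five inputs. The field
// names are assumptions for this example, not the project's own struct.
type OriginAccessControlConfig struct {
	Name            string // name
	Description     string // description
	OriginType      string // origin-access-control-origin-type
	SigningBehavior string // signing-behavior
	SigningProtocol string // signing-protocol
}

// CloudFront's limits, counted in characters rather than bytes.
const (
	maxNameChars        = 64
	maxDescriptionChars = 256
)

var (
	originTypes      = []string{"s3", "mediastore", "mediapackagev2", "lambda"}
	signingBehaviors = []string{"never", "always", "no-override"}
	signingProtocols = []string{"sigv4"}
)

func oneOf(value string, allowed []string) bool {
	for _, a := range allowed {
		if value == a {
			return true
		}
	}
	return false
}

// Validate returns every rule the config breaks, or nil when it is clean.
// Lengths use utf8.RuneCountInString, so a name of multi-byte characters
// is judged by the characters CloudFront counts; a len()-based check would
// count bytes and refuse names CloudFront accepts.
func Validate(c OriginAccessControlConfig) []string {
	var problems []string
	if c.Name == "" {
		problems = append(problems, "name is required")
	} else if n := utf8.RuneCountInString(c.Name); n > maxNameChars {
		problems = append(problems, fmt.Sprintf("name is %d characters; CloudFront allows at most %d", n, maxNameChars))
	}
	if n := utf8.RuneCountInString(c.Description); n > maxDescriptionChars {
		problems = append(problems, fmt.Sprintf("description is %d characters; CloudFront allows at most %d", n, maxDescriptionChars))
	}
	if !oneOf(c.OriginType, originTypes) {
		problems = append(problems, fmt.Sprintf("origin-access-control-origin-type %q must be one of %s", c.OriginType, strings.Join(originTypes, ", ")))
	}
	if !oneOf(c.SigningBehavior, signingBehaviors) {
		problems = append(problems, fmt.Sprintf("signing-behavior %q must be one of %s", c.SigningBehavior, strings.Join(signingBehaviors, ", ")))
	}
	if !oneOf(c.SigningProtocol, signingProtocols) {
		problems = append(problems, fmt.Sprintf("signing-protocol %q must be %s", c.SigningProtocol, strings.Join(signingProtocols, ", ")))
	}
	return problems
}

// ByteAndCharCount shows why the two counts differ for non-ASCII input.
func ByteAndCharCount(s string) (bytes, chars int) {
	return len(s), utf8.RuneCountInString(s)
}

func main() {
	// Constructed sample: 64 copies of a two-byte character is 128 bytes
	// but exactly 64 characters, so CloudFront accepts it as a name.
	cfg := OriginAccessControlConfig{
		Name:            strings.Repeat("é", maxNameChars),
		OriginType:      "s3",
		SigningBehavior: "always",
		SigningProtocol: "sigv4",
	}
	b, ch := ByteAndCharCount(cfg.Name)
	fmt.Printf("name: %d bytes, %d characters, problems: %v\n", b, ch, Validate(cfg))

	cfg.Name += "é" // 65 characters: now over the limit
	cfg.SigningBehavior = "sometimes"
	for _, p := range Validate(cfg) {
		fmt.Println("rejected:", p)
	}
}
```

Returning the whole list rather than the first failure lets a caller report every bad field in one round instead of discovering them one CloudFront error at a time.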

Outputs

id

string

The identifier CloudFront assigned to the origin access control.

etag

string

The ETag of the current config, learned by the read that follows the create and refreshed after each update; update and delete pass it back as IfMatch.