Add var.create_cloudfront_origin_access_identity

alexjurkiewicz · alexjurkiewicz · commit 36035c24e736 · 2022-08-29T15:36:41.000+10:00
In some circumstances, it wasn't possible to automatically determine if
an Origin Access Identity should be created. Because of this, Terraform
requires us to always explicitly specify if the OAI should be created.
diff --git a/main.tf b/main.tf
@@ -9,7 +9,7 @@ locals {
   s3_access_logging_enabled = local.enabled && (var.s3_access_logging_enabled == null ? length(var.s3_access_log_bucket_name) > 0 : var.s3_access_logging_enabled)
   create_cf_log_bucket      = local.cloudfront_access_logging_enabled && local.cloudfront_access_log_create_bucket
 
-  create_cloudfront_origin_access_identity = local.enabled && length(compact([var.cloudfront_origin_access_identity_iam_arn])) == 0 # "" or null
+  create_cloudfront_origin_access_identity = local.enabled && var.create_cloudfront_origin_access_identity
 
   origin_id   = module.this.id
   origin_path = coalesce(var.origin_path, "/")
diff --git a/variables.tf b/variables.tf
@@ -492,13 +492,13 @@ variable "deployment_actions" {
 variable "cloudfront_origin_access_identity_iam_arn" {
   type        = string
   default     = ""
-  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy"
+  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy. If you set this, you must also set `cloudfront_origin_access_identity_path` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "cloudfront_origin_access_identity_path" {
   type        = string
   default     = ""
-  description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content"
+  description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content. If you set this, you must also set `cloudfront_origin_access_identity_iam_arn` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "custom_origin_headers" {
@@ -662,3 +662,9 @@ variable "allow_ssl_requests_only" {
   default     = true
   description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
+
+variable "create_cloudfront_origin_access_identity" {
+  type = bool
+  default = true
+  description = "Set to `true` to create a CloudFront Origin Access Identity. You should disable this if you set `cloudfront_origin_access_identity_iam_arn` and `cloudfront_origin_access_identity_path`"
+}
