Add var.create_cloudfront_origin_access_identity

In some circumstances, it wasn't possible to automatically determine if
an Origin Access Identity should be created. Because of this, Terraform
requires us to always explicitly specify if the OAI should be created.

Author: alexjurkiewicz

main.tf

@@ -9,7 +9,7 @@ locals {
   s3_access_logging_enabled = local.enabled && (var.s3_access_logging_enabled == null ? length(var.s3_access_log_bucket_name) > 0 : var.s3_access_logging_enabled)
   create_cf_log_bucket      = local.cloudfront_access_logging_enabled && local.cloudfront_access_log_create_bucket
 
-  create_cloudfront_origin_access_identity = local.enabled && length(compact([var.cloudfront_origin_access_identity_iam_arn])) == 0 # "" or null
+  create_cloudfront_origin_access_identity = local.enabled && var.create_cloudfront_origin_access_identity
 
   origin_id   = module.this.id
   origin_path = coalesce(var.origin_path, "/")

variables.tf

@@ -492,7 +492,7 @@ variable "deployment_actions" {
 variable "cloudfront_origin_access_identity_iam_arn" {
   type        = string
   default     = ""
-  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy"
+  description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy. If you set this, disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "cloudfront_origin_access_identity_path" {
@@ -662,3 +662,9 @@ variable "allow_ssl_requests_only" {
   default     = true
   description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
+
+variable "create_cloudfront_origin_access_identity" {
+  type = bool
+  default = true
+  description = "Set to `true` to create a CloudFront Origin Access Identity. You should disable this if you set `cloudfront_origin_access_identity_iam_arn`"
+}