feat: enabling support for S3 access (#3670)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: czi-github-helper[bot] <czi-github-helper[bot]@users.noreply.github.com>
chanzuckerberg · Nov 22, 2024 · f435f63 · f435f63
1 parent f65e6df
commit f435f63
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/terraform/modules/happy-cloudfront/README.md b/terraform/modules/happy-cloudfront/README.md
@@ -38,7 +38,7 @@
 | <a name="input_frontend"></a> [frontend](#input\_frontend) | The domain name and zone ID the user will see. | <pre>object({<br>    domain_name = string<br>    zone_id     = string<br>  })</pre> | n/a | yes |
 | <a name="input_geo_restriction_locations"></a> [geo\_restriction\_locations](#input\_geo\_restriction\_locations) | The countries to whitelist for the CloudFront distribution. | `set(string)` | <pre>[<br>  "US"<br>]</pre> | no |
 | <a name="input_origin_request_policy_id"></a> [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | The origin request policy ID for the CloudFront distribution. | `string` | `"b689b0a8-53d0-40ab-baf2-68738e2966ac"` | no |
-| <a name="input_origins"></a> [origins](#input\_origins) | The domain names and the path used for the origin. | <pre>list(object({<br>    domain_name  = string<br>    path_pattern = string<br>  }))</pre> | n/a | yes |
+| <a name="input_origins"></a> [origins](#input\_origins) | The domain names and the path used for the origin. | <pre>list(object({<br>    domain_name      = string<br>    path_pattern     = string<br>    s3_origin_config = optional(object({ origin_access_identity = string }))<br>  }))</pre> | n/a | yes |
 | <a name="input_price_class"></a> [price\_class](#input\_price\_class) | The price class for the CloudFront distribution. | `string` | `"PriceClass_100"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to associate with env resources | `map(string)` | n/a | yes |
 

diff --git a/terraform/modules/happy-cloudfront/main.tf b/terraform/modules/happy-cloudfront/main.tf
@@ -28,11 +28,20 @@ resource "aws_cloudfront_distribution" "this" {
     content {
       domain_name = origin.value.domain_name
       origin_id   = origin.value.domain_name
-      custom_origin_config {
-        http_port              = "80"
-        https_port             = "443"
-        origin_protocol_policy = "https-only"
-        origin_ssl_protocols   = ["TLSv1.2"]
+      dynamic "s3_origin_config" {
+        for_each = origin.value.s3_origin_config != null ? [origin.value.s3_origin_config] : []
+        content {
+          origin_access_identity = s3_origin_config.value.origin_access_identity
+        }
+      }
+      dynamic "custom_origin_config" {
+        for_each = origin.value.s3_origin_config == null ? [1] : []
+        content {
+          http_port              = "80"
+          https_port             = "443"
+          origin_protocol_policy = "https-only"
+          origin_ssl_protocols   = ["TLSv1.2"]
+        }
       }
     }
   }

diff --git a/terraform/modules/happy-cloudfront/variables.tf b/terraform/modules/happy-cloudfront/variables.tf
@@ -8,8 +8,9 @@ variable "frontend" {
 
 variable "origins" {
   type = list(object({
-    domain_name  = string
-    path_pattern = string
+    domain_name      = string
+    path_pattern     = string
+    s3_origin_config = optional(object({ origin_access_identity = string }))
   }))
   description = "The domain names and the path used for the origin."
   validation {