CloudFront "Public" / "Don't use OAI" option in S3 origin

[JackPriceBurns]

I'm using the Go CDK and when I omit the OriginAccessIdentity when creating an S3 origin on a CloudFront distribution, it seems to create one anyway instead of not setting it which is what I actually wanted.

An issue was raised about this however it was closed.

When I run this

	jacksBucket := awss3.Bucket_FromBucketName(stack, jsii.String("JacksBucket"), jsii.String(bucketName))

	// Create new origin
	jacksOrigin := awscloudfrontorigins.NewS3Origin(jacksBucket, &awscloudfrontorigins.S3OriginProps{
		// Get content from the / directory in the bucket.
		OriginPath: jsii.String("/"),
		// OriginAccessIdentity: would normally be set here, I've omitted it
	})

	// Create new behaviour
	cf.AddBehavior(jsii.String("/bucket*"), jacksOrigin, &awscloudfront.AddBehaviorOptions{
		AllowedMethods:       awscloudfront.AllowedMethods_ALLOW_GET_HEAD_OPTIONS(),
		CachedMethods:        awscloudfront.CachedMethods_CACHE_GET_HEAD(),
		CachePolicy:          awscloudfront.CachePolicy_CACHING_DISABLED(),
		Compress:             jsii.Bool(true),
		OriginRequestPolicy:  awscloudfront.OriginRequestPolicy_ALL_VIEWER(),
		ViewerProtocolPolicy: awscloudfront.ViewerProtocolPolicy_REDIRECT_TO_HTTPS,
	})

Since I have not specified an OriginAccessIdentity in the S3Origin I would expect to see this

However, I see this

The AWS Management Console makes it easy to just select "Public" which removes the OAI and in CloudFormation it also states that leaving this empty means that it doesn't use an OAI, so this feels like an issue with the CDK.

The reason I put this as a discussion is that I'm unsure if this is a bug or if I'm using the CDK wrong? Should I be explicitly setting the origin access to Public some other way? I've looked through all the properties for creating an S3 origin and access identity but can't see anything obvious that would indicate this.

[JackPriceBurns]

I've found a way around this issue by using cfn override... However, this is not ideal. This references the origin by an index which could change if anyone adds more origins. I can't seem to find any other way to solve this, I'm open to any suggestions.

	// Delete the S3OriginConfig as CDK generates it when we don't want it.
	cfnDistribution := cf.Node().DefaultChild().(awscloudfront.CfnDistribution)
	cfnDistribution.AddPropertyOverride(jsii.String("DistributionConfig.Origins.1.S3OriginConfig.OriginAccessIdentity"), "")

I think this warrants an issue being created as this is functionality provided by both the management console and CloudFormation that isn't possible without a hacky override.

[peterwoodworth]

Thanks for creating this discussion @JackPriceBurns, there doesn't seem to be a clear way to do this without overrides.

I've reopened the original issue, let's keep the discussion there 🙂