feat(cloudfront): s3 origin access control L2 construct

[gracelu0]

Issue # (if applicable)

Closes #21771 .

Reason for this change

See RFC

Description of changes

See RFC

Description of how you validated changes

Unit tests and integration tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 5e5ffd5
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[GavinZZ]

Reviewed half of the changes. Left some questions.

[GavinZZ]

Suggested change

	If the feature flag is not enabled (i.e. set to `false`), an origin access identity will be created by default.
	If the feature flag is not enabled (`undefined` or set to `false`), an origin access identity will be created by default.

Or something along the line.

[GavinZZ]

Should we update the @default docstring?

[gracelu0]

Yes, will specify the feature flag behaviour for creating OAI by default

[GavinZZ]

nit: maybe mention that OAC will be created when FF is enabeld.

[GavinZZ]

This nested class looks weird to me. Can you instead split them out?

abstract class S3BucketOrigin extends cloudfront.OriginBase {
   ...
}

class OriginAccessIdentity extends S3BucketOrigin {
   ...
}

class OriginAccessControl extends S3BucketOrigin {
  ...
}

And on line 90~100, you can do

    else if (props.originAccessControl) {
      this.origin = new OriginAccessControl(bucket, props);
    } else if (props.originAccessIdentity) {
      this.origin = new OriginAccessIdentity(bucket, props);
    } else {
      this.origin = FeatureFlags.of(bucket.stack)
        .isEnabled(cxapi.CLOUDFRONT_USE_ORIGIN_ACCESS_CONTROL_BY_DEFAULT) ?
        OriginAccessControl(bucket, props) :
        new OriginAccessIdentity(bucket, props);
    }

[gracelu0]

This was one of the suggested changes from the RFC (see feedback). I agree the structure looks a bit unconventional, but what I like is that the API is very clear on lines 90-100:

else if (props.originAccessControl) {
      this.origin = S3BucketOrigin.withAccessControl(bucket, props);
    } else if (props.originAccessIdentity) {
      this.origin = S3BucketOrigin.withAccessIdentity(bucket, props);
    } else {
      this.origin = FeatureFlags.of(bucket.stack)
        .isEnabled(cxapi.CLOUDFRONT_USE_ORIGIN_ACCESS_CONTROL_BY_DEFAULT) ?
        S3BucketOrigin.withAccessControl(bucket, props) :
        S3BucketOrigin.withAccessIdentity(bucket, props);
    }

since it is a S3 origin with either OAI or OAC configured

[GavinZZ]

Should you check current stack or bucket stack for cross stack usage? IMO ideally it doesn't make a difference since the Feature flag is app-level not stack-level. Just want to confirm.

[GavinZZ]

Curious if the same bucket can be used by two differnt CloudFront distributions?

[gracelu0]

Yes, the same S3 origin can be used by multiple CloudFront distributions. Hmm might be tricky then to only remove the OAI associated with the distribution in the current stack if we don't have the OAI ID, is that your concern?

[watany-dev]

@gracelu0 @GavinZZ
I am one of the developers eagerly awaiting the implementation of this Construct. If you are too busy to continue, I would be delighted to fork this and take over the work.

[gracelu0]

@gracelu0 @GavinZZ I am one of the developers eagerly awaiting the implementation of this Construct. If you are too busy to continue, I would be delighted to fork this and take over the work.

Hi @watany-dev , we are continuing to work on this feature! There was some additional feedback on the RFC, so we will open a new PR for this once the RFC is approved.