Merge pull request #24382 from Aegon95/d_cloudfront_list_origin_acces…

…s_identities

Added new Datasource to list cloudfront origin access identities #24023

.changelog/24382.txt

@@ -0,0 +1,3 @@
+```release-note:new-data-source
+aws_cloudfront_origin_access_identities
+```

internal/provider/provider.go

@@ -454,6 +454,7 @@ func Provider() *schema.Provider {
 			"aws_cloudfront_distribution":                   cloudfront.DataSourceDistribution(),
 			"aws_cloudfront_function":                       cloudfront.DataSourceFunction(),
 			"aws_cloudfront_log_delivery_canonical_user_id": cloudfront.DataSourceLogDeliveryCanonicalUserID(),
+			"aws_cloudfront_origin_access_identities":       cloudfront.DataSourceOriginAccessIdentities(),
 			"aws_cloudfront_origin_access_identity":         cloudfront.DataSourceOriginAccessIdentity(),
 			"aws_cloudfront_origin_request_policy":          cloudfront.DataSourceOriginRequestPolicy(),
 			"aws_cloudfront_realtime_log_config":            cloudfront.DataSourceRealtimeLogConfig(),

internal/service/cloudfront/origin_access_identities_data_source.go

@@ -0,0 +1,101 @@
+package cloudfront
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+func DataSourceOriginAccessIdentities() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceOriginAccessIdentitiesRead,
+
+		Schema: map[string]*schema.Schema{
+			"comments": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"iam_arns": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"ids": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"s3_canonical_user_ids": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+		},
+	}
+}
+
+func dataSourceOriginAccessIdentitiesRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).CloudFrontConn
+
+	var comments []interface{}
+
+	if v, ok := d.GetOk("comments"); ok && v.(*schema.Set).Len() > 0 {
+		comments = v.(*schema.Set).List()
+	}
+
+	var output []*cloudfront.OriginAccessIdentitySummary
+
+	err := conn.ListCloudFrontOriginAccessIdentitiesPages(&cloudfront.ListCloudFrontOriginAccessIdentitiesInput{}, func(page *cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, lastPage bool) bool {
+		if page == nil {
+			return !lastPage
+		}
+
+		for _, v := range page.CloudFrontOriginAccessIdentityList.Items {
+			if v == nil {
+				continue
+			}
+
+			if len(comments) > 0 {
+				if _, ok := verify.SliceContainsString(comments, aws.StringValue(v.Comment)); !ok {
+					continue
+				}
+			}
+
+			output = append(output, v)
+		}
+
+		return !lastPage
+	})
+
+	if err != nil {
+		return fmt.Errorf("listing CloudFront origin access identities: %w", err)
+	}
+
+	var iamARNs, ids, s3CanonicalUserIDs []string
+
+	for _, v := range output {
+		// See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-updating-s3-bucket-policies-principal.
+		iamARN := arn.ARN{
+			Partition: meta.(*conns.AWSClient).Partition,
+			Service:   "iam",
+			AccountID: "cloudfront",
+			Resource:  fmt.Sprintf("user/CloudFront Origin Access Identity %s", *v.Id),
+		}.String()
+		iamARNs = append(iamARNs, iamARN)
+		ids = append(ids, aws.StringValue(v.Id))
+		s3CanonicalUserIDs = append(s3CanonicalUserIDs, aws.StringValue(v.S3CanonicalUserId))
+	}
+
+	d.SetId(meta.(*conns.AWSClient).AccountID)
+	d.Set("iam_arns", iamARNs)
+	d.Set("ids", ids)
+	d.Set("s3_canonical_user_ids", s3CanonicalUserIDs)
+
+	return nil
+}

internal/service/cloudfront/origin_access_identities_data_source_test.go

@@ -0,0 +1,93 @@
+package cloudfront_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+	sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func TestAccCloudFrontOriginAccessIdentitiesDataSource_comments(t *testing.T) {
+	dataSourceName := "data.aws_cloudfront_origin_access_identities.test"
+	resourceName := "aws_cloudfront_origin_access_identity.test1"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(cloudfront.EndpointsID, t) },
+		ErrorCheck:   acctest.ErrorCheck(t, cloudfront.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckCloudFrontOriginAccessIdentityDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOriginAccessIdentitiesDataSourceCommentsConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataSourceName, "iam_arns.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "ids.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "s3_canonical_user_ids.#", "1"),
+					resource.TestCheckTypeSetElemAttrPair(dataSourceName, "iam_arns.*", resourceName, "iam_arn"),
+					resource.TestCheckTypeSetElemAttrPair(dataSourceName, "ids.*", resourceName, "id"),
+					resource.TestCheckTypeSetElemAttrPair(dataSourceName, "s3_canonical_user_ids.*", resourceName, "s3_canonical_user_id"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccCloudFrontOriginAccessIdentitiesDataSource_all(t *testing.T) {
+	dataSourceName := "data.aws_cloudfront_origin_access_identities.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(cloudfront.EndpointsID, t) },
+		ErrorCheck:   acctest.ErrorCheck(t, cloudfront.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckCloudFrontOriginAccessIdentityDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOriginAccessIdentitiesDataSourceNoCommentsConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					acctest.CheckResourceAttrGreaterThanValue(dataSourceName, "iam_arns.#", "1"),
+					acctest.CheckResourceAttrGreaterThanValue(dataSourceName, "ids.#", "1"),
+					acctest.CheckResourceAttrGreaterThanValue(dataSourceName, "s3_canonical_user_ids.#", "1"),
+				),
+			},
+		},
+	})
+}
+
+func testAccOriginAccessIdentitiesDataSourceCommentsConfig(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_cloudfront_origin_access_identity" "test1" {
+  comment = "%[1]s-1-comment"
+}
+
+resource "aws_cloudfront_origin_access_identity" "test2" {
+  comment = "%[1]s-2-comment"
+}
+
+data "aws_cloudfront_origin_access_identities" "test" {
+  comments = ["%[1]s-1-comment"]
+
+  depends_on = [aws_cloudfront_origin_access_identity.test1, aws_cloudfront_origin_access_identity.test2]
+}
+`, rName)
+}
+
+func testAccOriginAccessIdentitiesDataSourceNoCommentsConfig(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_cloudfront_origin_access_identity" "test1" {
+  comment = "%[1]s-1-comment"
+}
+
+resource "aws_cloudfront_origin_access_identity" "test2" {
+  comment = "%[1]s-2-comment"
+}
+
+data "aws_cloudfront_origin_access_identities" "test" {
+  depends_on = [aws_cloudfront_origin_access_identity.test1, aws_cloudfront_origin_access_identity.test2]
+}
+`, rName)
+}

website/docs/d/cloudfront_origin_access_identities.html.markdown

@@ -0,0 +1,42 @@
+---
+subcategory: "CloudFront"
+layout: "aws"
+page_title: "AWS: aws_cloudfront_origin_access_identities"
+description: |-
+  Use this data source to retrieve information about a set of Amazon CloudFront origin access identities.
+---
+
+# Data Source: aws_cloudfront_origin_access_identities
+
+Use this data source to get ARNs, ids and S3 canonical user IDs of Amazon CloudFront origin access identities.
+
+## Example Usage
+
+### All origin access identities in the account
+
+```terraform
+data "aws_cloudfront_origin_access_identities" "example" {}
+```
+
+### Origin access identities filtered by comment/name
+
+Origin access identities whose comments are `example-comment1`, `example-comment2`
+
+```terraform
+data "aws_cloudfront_origin_access_identities" "example" {
+  comments = ["example-comment1", "example-comment2"]
+}
+```
+
+## Argument Reference
+
+* `comments` (Optional) - Filter origin access identities by comment.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+
+* `iam_arns` - Set of ARNs of the matched origin access identities.
+* `ids` - Set of ids of the matched origin access identities.
+* `s3_canonical_user_ids` - Set of S3 canonical user IDs of the matched origin access identities.