provider/aws: Add iam_arn to aws_cloudfront_origin_access_identity

Add the iam_arn attribute to aws_cloudfront_origin_access_identity,
which computes the IAM ARN for a certain CloudFront origin access
identity.

This is necessary because S3 modifies the bucket policy if CanonicalUser
is sent, causing spurious diffs with aws_s3_bucket resources.

builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go

@@ -34,6 +34,10 @@ func resourceAwsCloudFrontOriginAccessIdentity() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"iam_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"s3_canonical_user_id": &schema.Schema{
 				Type:     schema.TypeString,
 				Computed: true,
@@ -74,6 +78,7 @@ func resourceAwsCloudFrontOriginAccessIdentityRead(d *schema.ResourceData, meta
 	d.Set("etag", resp.ETag)
 	d.Set("s3_canonical_user_id", resp.CloudFrontOriginAccessIdentity.S3CanonicalUserId)
 	d.Set("cloudfront_access_identity_path", fmt.Sprintf("origin-access-identity/cloudfront/%s", *resp.CloudFrontOriginAccessIdentity.Id))
+	d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
 	return nil
 }
 

builtin/providers/aws/resource_aws_cloudfront_origin_access_identity_test.go

@@ -31,6 +31,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_basic(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},
@@ -56,6 +59,9 @@ func TestAccAWSCloudFrontOriginAccessIdentity_noComment(t *testing.T) {
 					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
 						"cloudfront_access_identity_path",
 						regexp.MustCompile("^origin-access-identity/cloudfront/[A-Z0-9]+")),
+					resource.TestMatchResourceAttr("aws_cloudfront_origin_access_identity.origin_access_identity",
+						"iam_arn",
+						regexp.MustCompile("^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+")),
 				),
 			},
 		},

website/source/docs/providers/aws/r/cloudfront_origin_access_identity.html.markdown

@@ -34,10 +34,18 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
 The following attributes are exported:
 
 * `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
-* `caller_reference` - Internal value used by CloudFront to allow future updates to the origin access identity.
+* `caller_reference` - Internal value used by CloudFront to allow future
-* `cloudfront_access_identity_path` - A shortcut to the full path for the origin access identity to use in CloudFront, see below.
+   updates to the origin access identity.
-* `etag` - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL.
+* `cloudfront_access_identity_path` - A shortcut to the full path for the
-* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
+   origin access identity to use in CloudFront, see below.
+* `etag` - The current version of the origin access identity's information.
+   For example: `E2QWRUHAPOMQZL`.
+* `iam_arn` - A pre-generated ARN for use in S3 bucket policies (see below).
+   Example: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
+   E2QWRUHAPOMQZL`.
+* `s3_canonical_user_id` - The Amazon S3 canonical user ID for the origin
+   access identity, which you use when giving the origin access identity read
+   permission to an object in Amazon S3.
 
 ## Using With CloudFront
 
@@ -53,6 +61,43 @@ s3_origin_config {
 }
 ```
 
+### Updating your bucket policy
+
+Note that the AWS API may translate the `s3_canonical_user_id` `CanonicalUser`
+principal into an `AWS` IAM ARN principal when supplied in an
+[`aws_s3_bucket`][4] bucket policy, causing spurious diffs in Terraform. If
+you see this behaviour, use the `iam_arn` instead:
+
+```
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${module.names.s3_endpoint_arn_base}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+
+  statement {
+    actions   = ["s3:ListBucket"]
+    resources = ["${module.names.s3_endpoint_arn_base}"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+    }
+  }
+}
+
+aws_s3_bucket "bucket" {
+  ...
+  policy = "${data.aws_iam_policy_document.s3_policy}"
+}
+```
+
 [1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
 [2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
 [3]: /docs/providers/aws/r/cloudfront_distribution.html
+[4]: /docs/providers/aws/r/s3_bucket.html