Add support of CloudFront delivery policy #359

@ajax-mykhailo-oleksiuk

Description

Is your request related to a problem? Please describe.

The current module contains very useful inputs that attach all required policies to start delivering access logs from different AWS services, like:

  • attach_elb_log_delivery_policy
  • attach_lb_log_delivery_policy
  • attach_access_log_delivery_policy

But it doesn't support attaching a policy to start delivering CloudFront logs to it.
I mean this policy from this doc:

{
    "Sid": "AWSLogsDeliveryWrite",
    "Effect": "Allow",
    "Principal": {"Service": "delivery.logs.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket-cloudfront-logs/*",
    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control",
            "aws:SourceAccount": "111111111111"
        },
        "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111111111111:delivery-source:*"}
    }
}

Describe the solution you'd like.

As I see from the source code, there is a policy for log delivery, but it's about S3 delivery.

So, probably it would be great to introduce a similar input - attach_cloudfront_log_delivery_policy that will add a required policy.

Describe alternatives you've considered.

I plan to use the policy variable to pass it by myself.
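
Added example, not part of the original issue or the module's code: when the statement is passed in by hand through the policy variable, a small check like this can confirm that the grant to delivery.logs.amazonaws.com still carries the aws:SourceAccount, aws:SourceArn and s3:x-amz-acl conditions from the quoted statement. The function names and the `account_id` parameter are hypothetical, and the weakened statements are constructed for illustration.

```python
LOG_DELIVERY = "delivery.logs.amazonaws.com"

def _values(stmt, operators, key):
    """Values of a condition key (key names are case-insensitive) under any given operator."""
    out = []
    for op, block in stmt.get("Condition", {}).items():
        if op in operators:
            for k, v in block.items():
                if k.lower() == key.lower():
                    out += v if isinstance(v, list) else [v]
    return out

def check_log_delivery_statement(stmt, account_id):
    """Return findings for an Allow statement granted to the log delivery service."""
    principal = stmt.get("Principal")
    service = principal.get("Service", []) if isinstance(principal, dict) else []
    services = service if isinstance(service, list) else [service]
    if stmt.get("Effect") != "Allow" or LOG_DELIVERY not in services:
        return []  # not a log-delivery grant, nothing to check here
    findings = []
    if _values(stmt, ("StringEquals",), "aws:SourceAccount") != [account_id]:
        findings.append("aws:SourceAccount is not pinned to the expected account")
    arns = _values(stmt, ("ArnLike", "ArnEquals"), "aws:SourceArn")
    for arn in arns:
        parts = arn.split(":")
        if len(parts) < 6 or parts[2] != "logs" or parts[4] != account_id or parts[5] != "delivery-source":
            findings.append(f"aws:SourceArn {arn!r} is not a delivery source in the expected account")
    if not arns:
        findings.append("aws:SourceArn is missing")
    if _values(stmt, ("StringEquals",), "s3:x-amz-acl") != ["bucket-owner-full-control"]:
        findings.append("s3:x-amz-acl is not bucket-owner-full-control")
    return findings

# Constructed inputs: the statement quoted in the issue, then two weakened copies.
ISSUE_STATEMENT = {
    "Sid": "AWSLogsDeliveryWrite",
    "Effect": "Allow",
    "Principal": {"Service": LOG_DELIVERY},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket-cloudfront-logs/*",
    "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "111111111111"},
        "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111111111111:delivery-source:*"},
    },
}
UNSCOPED = {k: v for k, v in ISSUE_STATEMENT.items() if k != "Condition"}
WRONG_ARN = {**ISSUE_STATEMENT, "Condition": {**ISSUE_STATEMENT["Condition"],
             "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:222222222222:delivery-source:*"}}}
print(check_log_delivery_statement(UNSCOPED, "111111111111"))
```
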
