From 2291e3af8b02ff64949c0e758905f073c0bba5f0 Mon Sep 17 00:00:00 2001
From: Daniel Bartholomae
Date: Fri, 17 Jun 2022 10:45:29 +0200
Subject: [PATCH 1/4] fix(cloudfront): add from OriginAccessIdentityId
---
 .../aws-cloudfront/lib/origin-access-identity.ts | 14 ++++++++++++--
 packages/@aws-cdk/aws-cloudfront/test/oai.test.ts | 10 +++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
index a6323d27a452f..52c0c74cd30fb 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
@@ -66,12 +66,22 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
 scope: Construct,
 id: string,
 originAccessIdentityName: string): IOriginAccessIdentity {
+ return OriginAccessIdentity.fromOriginAccessIdentityId(scope, id, originAccessIdentityName);
+ }
+
+ /**
+ * Creates a OriginAccessIdentity by providing the OriginAccessIdentityId.
+ */
+ public static fromOriginAccessIdentityId(
+ scope: Construct,
+ id: string,
+ originAccessIdentityId: string): IOriginAccessIdentity {
 class Import extends OriginAccessIdentityBase {
- public readonly originAccessIdentityName = originAccessIdentityName;
+ public readonly originAccessIdentityName = originAccessIdentityId;
 public readonly grantPrincipal = new iam.ArnPrincipal(this.arn());
 constructor(s: Construct, i: string) {
- super(s, i, { physicalName: originAccessIdentityName });
+ super(s, i, { physicalName: originAccessIdentityId });
 }
 }
diff --git a/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts b/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
index ad579cca681b0..82e190d015c35 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
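Review bot: `fromOriginAccessIdentityId` passes `originAccessIdentityId` unchecked into `physicalName` and, through `this.arn()`, into the `iam.ArnPrincipal` that grants are issued to. The series itself calls the old parameter misnamed, so callers may well hand in the wrong kind of value; an empty string or a display name would still synthesize cleanly and presumably only surface later as a rejected policy or denied access. A minimal guard for concrete values would be `if (!cdk.Token.isUnresolved(originAccessIdentityId) && originAccessIdentityId.trim() === '') { throw new Error('originAccessIdentityId must not be empty'); }`. The doc comment could also say that the method imports an existing identity by its ID rather than "Creates" one, and describe the parameter with `@param`. The method body continues past the end of the hunk.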
@@ -61,11 +61,19 @@ describe('Origin Access Identity', () => {
 });
 });
- test('Builds ARN of CloudFront user', () => {
+ test('Builds ARN of CloudFront user for fromOriginAccessIdentityName', () => {
 const stack = new cdk.Stack();
 const oai = OriginAccessIdentity.fromOriginAccessIdentityName(stack, 'OAI', 'OAITest');
 expect(oai.grantPrincipal.policyFragment.principalJson.AWS[0]).toMatch(/:iam::cloudfront:user\/CloudFront Origin Access Identity OAITest$/);
 });
+
+ test('Builds ARN of CloudFront user for fromOriginAccessIdentityId', () => {
+ const stack = new cdk.Stack();
+
+ const oai = OriginAccessIdentity.fromOriginAccessIdentityId(stack, 'OAI', 'OAITest');
+
+ expect(oai.grantPrincipal.policyFragment.principalJson.AWS[0]).toMatch(/:iam::cloudfront:user\/CloudFront Origin Access Identity OAITest$/);
+ });
 });
From 74f34a1d1d969bbc8a6342017e4144170ac783fa Mon Sep 17 00:00:00 2001
From: Daniel Bartholomae
Date: Fri, 17 Jun 2022 10:46:16 +0200
Subject: [PATCH 2/4] docs(cloudfront): deprecate fromOriginAccessIdentityName
---
 .../@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts | 5 ++++-
 packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts | 2 +-
 packages/@aws-cdk/aws-cloudfront/test/oai.test.ts | 3 ++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
index 52c0c74cd30fb..ad6fa6abbc0e6 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
@@ -60,7 +60,10 @@ abstract class OriginAccessIdentityBase extends cdk.Resource {
 */
 export class OriginAccessIdentity extends OriginAccessIdentityBase implements IOriginAccessIdentity {
 /**
- * Creates a OriginAccessIdentity by providing the OriginAccessIdentityName
+ * Creates a OriginAccessIdentity by providing the OriginAccessIdentityId.
+ * It is misnamed and superseded by the correctly named fromOriginAccessIdentityId.
+ *
+ * @deprecated use `fromOriginAccessIdentityId`
 */
 public static fromOriginAccessIdentityName(
 scope: Construct,
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts
index 3880cadd7921f..b4f482ff2e90b 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts
@@ -12,7 +12,7 @@ const oai = new cloudfront.CfnCloudFrontOriginAccessIdentity(stack, 'OAI', {
 },
 });
-const oaiImported = cloudfront.OriginAccessIdentity.fromOriginAccessIdentityName(
+const oaiImported = cloudfront.OriginAccessIdentity.fromOriginAccessIdentityId(
 stack,
 'OAIImported',
 oai.ref,
diff --git a/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts b/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
index 82e190d015c35..63bb07be21a1d 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
@@ -1,5 +1,6 @@
 import { Template } from '@aws-cdk/assertions';
 import * as cdk from '@aws-cdk/core';
+import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { OriginAccessIdentity } from '../lib';
 describe('Origin Access Identity', () => {
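Review bot: The added `import { testDeprecated } from '@aws-cdk/cdk-build-tools';` in the `@@ -1,5 +1,6 @@` hunk sits after the `@aws-cdk/core` import, which breaks the alphabetical order the two existing package imports follow. If the repository's lint enforces sorted imports this will fail the build. Moving the line between the `@aws-cdk/assertions` and `@aws-cdk/core` imports keeps the block sorted.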
@@ -61,7 +62,7 @@ describe('Origin Access Identity', () => {
 });
 });
- test('Builds ARN of CloudFront user for fromOriginAccessIdentityName', () => {
+ testDeprecated('Builds ARN of CloudFront user for fromOriginAccessIdentityName', () => {
 const stack = new cdk.Stack();
 const oai = OriginAccessIdentity.fromOriginAccessIdentityName(stack, 'OAI', 'OAITest');
From b2e7bf1fde01233a7fcb8a0eeddd827eb4a0993a Mon Sep 17 00:00:00 2001
From: Daniel Bartholomae
Date: Fri, 17 Jun 2022 11:11:27 +0200
Subject: [PATCH 3/4] fix(cloudfront): add originAccessIdentityId property
---
 .../lib/origin-access-identity.ts | 32 ++++++++++++++++---
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
index ad6fa6abbc0e6..5cef00c1c1d8c 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
@@ -23,6 +23,12 @@ export interface IOriginAccessIdentity extends cdk.IResource, iam.IGrantable {
 * The Origin Access Identity Name
 */
 readonly originAccessIdentityName: string;
+
+ /**
+ * The Origin Access Identity Id (physical id)
+ * This was called originAccessIdentityName before
+ */
+ readonly originAccessIdentityId: string;
 }
 abstract class OriginAccessIdentityBase extends cdk.Resource {
@@ -30,6 +36,13 @@ abstract class OriginAccessIdentityBase extends cdk.Resource {
 * The Origin Access Identity Name (physical id)
 */
 public abstract readonly originAccessIdentityName: string;
+
+ /**
+ * The Origin Access Identity Id (physical id)
+ * This was called originAccessIdentityName before
+ */
+ public abstract readonly originAccessIdentityId: string;
+
 /**
 * Derived principal value for bucket access
 */
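Review bot: `readonly originAccessIdentityId: string` is added to the exported `IOriginAccessIdentity` (hunk `@@ -23,6 +23,12 @@`) as a required member, so any implementation of the interface outside this package stops compiling, and an untyped implementation keeps loading but yields `undefined` for it. That matters because the later hunks in `s3-origin.ts` and `web-distribution.ts` switch to reading `originAccessIdentityId`, which for such an object would render `origin-access-identity/cloudfront/undefined` into the distribution's origin config. If external implementations are possible, either keep those two call sites tolerant, for example `oai.originAccessIdentityId ?? oai.originAccessIdentityName`, or record the interface addition as an intentional breaking change. The interface body starts above the hunk.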
@@ -45,7 +58,7 @@ abstract class OriginAccessIdentityBase extends cdk.Resource {
 region: '', // global
 account: 'cloudfront',
 resource: 'user',
- resourceName: `CloudFront Origin Access Identity ${this.originAccessIdentityName}`,
+ resourceName: `CloudFront Origin Access Identity ${this.originAccessIdentityId}`,
 },
 );
 }
@@ -81,6 +94,7 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
 originAccessIdentityId: string): IOriginAccessIdentity {
 class Import extends OriginAccessIdentityBase {
+ public readonly originAccessIdentityId = originAccessIdentityId;
 public readonly originAccessIdentityName = originAccessIdentityId;
 public readonly grantPrincipal = new iam.ArnPrincipal(this.arn());
 constructor(s: Construct, i: string) {
@@ -110,7 +124,17 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
 *
 * @attribute
 */
- public readonly originAccessIdentityName: string;
+ public get originAccessIdentityName() {
+ return this.originAccessIdentityId;
+ }
+
+ /**
+ * The Origin Access Identity Id (physical id)
+ * This was called originAccessIdentityName before
+ *
+ * @attribute
+ */
+ public readonly originAccessIdentityId: string;
 /**
 * CDK L1 resource
@@ -125,8 +149,8 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
 this.resource = new CfnCloudFrontOriginAccessIdentity(this, 'Resource', {
 cloudFrontOriginAccessIdentityConfig: { comment },
 });
- // physical id - OAI name
- this.originAccessIdentityName = this.getResourceNameAttribute(this.resource.ref);
+ // physical id - OAI Id
+ this.originAccessIdentityId = this.getResourceNameAttribute(this.resource.ref);
 // Canonical user to grant access to in the S3 Bucket Policy
 this.cloudFrontOriginAccessIdentityS3CanonicalUserId = this.resource.attrS3CanonicalUserId;
From d9a9f71321eb83f005a04c02b2e6d36de1097042 Mon Sep 17 00:00:00 2001
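Review bot: In the `@@ -81,6 +94,7 @@` hunk the new `originAccessIdentityId` field has to stay above `grantPrincipal` inside `Import`, and nothing in the class says so. `grantPrincipal` is initialised with `new iam.ArnPrincipal(this.arn())`, and after the `@@ -45,7 +58,7 @@` hunk `arn()` reads `this.originAccessIdentityId`; class field initialisers run in declaration order, so moving the field below would put `CloudFront Origin Access Identity undefined` into the principal used for grants. I would add a comment on the field such as `// must be initialised before grantPrincipal: arn() reads it`. The class body continues past the hunk.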
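Review bot: The new `originAccessIdentityName` getter in the `@@ -110,7 +124,17 @@` hunk relies on an inferred return type, while the property it replaces and the new `originAccessIdentityId` are both annotated; on an exported class the signature reads better as `public get originAccessIdentityName(): string {`. The `@attribute` tag now sits on both the alias (kept from the old doc block) and on `originAccessIdentityId`; if only one of them is meant to be the resource attribute, drop the tag from the alias.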
From: Daniel Bartholomae
Date: Fri, 17 Jun 2022 11:14:29 +0200
Subject: [PATCH 4/4] docs(cloudfront): deprecate originAccessIdentityName property
---
 .../aws-cloudfront-origins/lib/s3-origin.ts | 2 +-
 .../aws-cloudfront/lib/origin-access-identity.ts | 14 +++++++++++---
 .../aws-cloudfront/lib/web-distribution.ts | 2 +-
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
index 6f82b5afcf73c..d2003c9285571 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
+++ b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
@@ -84,6 +84,6 @@ class S3BucketOrigin extends cloudfront.OriginBase {
 }
 protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined {
- return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityName}` };
+ return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
 }
 }
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
index 5cef00c1c1d8c..449f801b1089d 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-access-identity.ts
@@ -20,7 +20,10 @@ export interface OriginAccessIdentityProps {
 */
 export interface IOriginAccessIdentity extends cdk.IResource, iam.IGrantable {
 /**
- * The Origin Access Identity Name
+ * The Origin Access Identity Id (physical id)
+ * It is misnamed and superseded by the correctly named originAccessIdentityId
+ *
+ * @deprecated use originAccessIdentityId instead
 */
 readonly originAccessIdentityName: string;
@@ -33,7 +36,10 @@ export interface IOriginAccessIdentity extends cdk.IResource, iam.IGrantable {
 abstract class OriginAccessIdentityBase extends cdk.Resource {
 /**
- * The Origin Access Identity Name (physical id)
+ * The Origin Access Identity Id (physical id)
+ * It is misnamed and superseded by the correctly named originAccessIdentityId
+ *
+ * @deprecated use originAccessIdentityId instead
 */
 public abstract readonly originAccessIdentityName: string;
@@ -120,9 +126,11 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
 public readonly grantPrincipal: iam.IPrincipal;
 /**
- * The Origin Access Identity Name (physical id)
+ * The Origin Access Identity Id (physical id)
+ * It is misnamed and superseded by the correctly named originAccessIdentityId
 *
 * @attribute
+ * @deprecated use originAccessIdentityId instead
 */
 public get originAccessIdentityName() {
 return this.originAccessIdentityId;
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
index 2fb0d5d958dc0..1dc5e570c264a 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
@@ -1107,7 +1107,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
 }));
 s3OriginConfig = {
- originAccessIdentity: `origin-access-identity/cloudfront/${originConfig.s3OriginSource.originAccessIdentity.originAccessIdentityName}`,
+ originAccessIdentity: `origin-access-identity/cloudfront/${originConfig.s3OriginSource.originAccessIdentity.originAccessIdentityId}`,
 };
 } else {
 s3OriginConfig = {};