(cloudfront): Cannot set Origin Access Control on Object Lambda Access Point origin #26405

Closed
joseph-m-smith opened this issue Jul 18, 2023 · 2 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.


@joseph-m-smith

Describe the bug

I have a CloudFront distribution with an Object Lambda Access Point (OLAP) origin to serve S3 objects. The distribution construct uses an HttpOrigin with the OLAP's domain name (from its alias). Origin Access Control is set up using CfnOriginAccessControl. The origin access control ID is set on the underlying CfnDistribution. Attempting to deploy results in a CloudFront API 400 response. But I can set origin access control on the origin via the AWS console and the origin's type is S3 in the console.

Expected Behavior

The origin access control policy is applied to the distribution's default origin.

Current Behavior

The stack named [redacted] failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Illegal configuration: The origin type and OAC origin type differ. (Service: CloudFront, Status Code: 400, Request ID: [redacted])" (RequestToken: [redacted], HandlerErrorCode: InvalidRequest)

Reproduction Steps

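    import { CfnDistribution, CfnOriginAccessControl, Distribution } from 'aws-cdk-lib/aws-cloudfront';
    import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';

    // scope, id and accessPoint come from the surrounding construct (not shown).
    const distribution = new Distribution(scope, id, {
      defaultBehavior: {
        // accessPoint is a custom construct with the OLAP and supporting access point
        // HttpOrigin renders the origin with a CustomOriginConfig
        origin: new HttpOrigin(accessPoint.accessPointDomainName),
      },
    });

    // Origin Access Control declared with origin type 's3', signing every request with SigV4
    const originAccessControl = new CfnOriginAccessControl(
      scope,
      'OriginAccessControl',
      {
        originAccessControlConfig: {
          name: 'originAccessControlPolicy',
          originAccessControlOriginType: 's3',
          signingBehavior: 'always',
          signingProtocol: 'sigv4',
        },
      },
    );

    // Attach the OAC to the first origin through the L1 escape hatch
    (distribution.node.defaultChild as CfnDistribution).addPropertyOverride(
      'DistributionConfig.Origins.0.OriginAccessControlId',
      originAccessControl.getAtt('Id'),
    );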

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.86.0

Framework Version

No response

Node.js Version

18.14.0

OS

linux

Language

TypeScript

Language Version

No response

Other information

No response

@joseph-m-smith

This appears to be related to the CloudFront API. I discovered using an origin with an empty S3 origin configuration works.

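    import { CfnDistribution, OriginBase, OriginProps } from 'aws-cdk-lib/aws-cloudfront';

    class CustomOrigin extends OriginBase {
      // OriginBase's constructor is protected, so expose a public one
      public constructor(domainName: string, props: OriginProps = {}) {
        super(domainName, props);
      }

      // Render an empty S3OriginConfig instead of a CustomOriginConfig
      protected renderS3OriginConfig(): CfnDistribution.S3OriginConfigProperty {
        return {};
      }
    }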

I'm closing the issue as no further work is needed.
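
Added example, not from the issue or the aws-cdk project: a pre-deploy check over a synthesized CloudFormation template that flags an origin referencing an `s3`-type Origin Access Control without an `S3OriginConfig`, the combination reported above. The template contents, logical IDs and domain name are constructed, and the rule that an `s3` OAC needs `S3OriginConfig` is an assumption inferred from the workaround in this thread.

```typescript
// Added example: pre-deploy lint over a synthesized CloudFormation template.
// Assumption: an OAC of origin type "s3" needs the origin rendered with
// S3OriginConfig (the workaround above); HttpOrigin renders CustomOriginConfig.
type Json = Record<string, any>;
interface Finding { distribution: string; originIndex: number; oac: string }

// getAtt('Id') synthesizes to {"Fn::GetAtt": [logicalId, "Id"]}.
function oacLogicalId(value: any): string | undefined {
  const getAtt = value?.['Fn::GetAtt'];
  if (Array.isArray(getAtt)) return String(getAtt[0]);
  if (typeof getAtt === 'string') return getAtt.split('.')[0];
  return undefined; // literal IDs cannot be resolved inside the template
}

function findOacTypeMismatches(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const [name, res] of Object.entries(resources)) {
    if (res?.Type !== 'AWS::CloudFront::Distribution') continue;
    const origins: Json[] = res.Properties?.DistributionConfig?.Origins ?? [];
    origins.forEach((origin, originIndex) => {
      const oac = oacLogicalId(origin.OriginAccessControlId);
      if (oac === undefined) return;
      const oacType = resources[oac]?.Properties?.OriginAccessControlConfig
        ?.OriginAccessControlOriginType;
      // An empty S3OriginConfig ({}) still marks the origin as S3-typed.
      if (oacType === 's3' && origin.S3OriginConfig === undefined) {
        findings.push({ distribution: name, originIndex, oac });
      }
    });
  }
  return findings;
}

// Constructed sample: one distribution, one OAC; only the origin config varies.
function sampleTemplate(originConfig: Json): Json {
  return { Resources: {
    OriginAccessControl: { Type: 'AWS::CloudFront::OriginAccessControl', Properties: {
      OriginAccessControlConfig: { Name: 'originAccessControlPolicy',
        OriginAccessControlOriginType: 's3', SigningBehavior: 'always', SigningProtocol: 'sigv4' } } },
    Distribution: { Type: 'AWS::CloudFront::Distribution', Properties: { DistributionConfig: {
      Origins: [{ DomainName: 'olap-alias.example.invalid', Id: 'origin1',
        OriginAccessControlId: { 'Fn::GetAtt': ['OriginAccessControl', 'Id'] }, ...originConfig }] } } },
  } };
}

const asReported = findOacTypeMismatches(
  sampleTemplate({ CustomOriginConfig: { OriginProtocolPolicy: 'https-only' } }));
const workaround = findOacTypeMismatches(sampleTemplate({ S3OriginConfig: {} }));
console.log({ asReported, workaround });
```
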
