Fix S3 permissions to allow CloudFront logging

[colekettler]

Overview

Creates grants to prevent Terraform removing implicit grants that are usually created by AWS when creating a CloudFront distribution through the console. These grants have recently become necessary for CloudFront to persist access logs to S3.

The AWS canonical user grant replicates the permissions granted by the private canned ACL, and the CloudFront canonical user ID replicates the permissions granted when creating a distribution through the console.

Testing Instructions

• Disable CloudFront logging for the staging distribution via the AWS console
• Execute a Terraform plan/apply cycle using the changes on this branch and ensure that logging is reconfigured for the distribution

bash-5.0# GIT_COMMIT="4090799" ./scripts/infra plan
bash-5.0# GIT_COMMIT="4090799" ./scripts/infra apply

• Interact with the staging website; ensure new log entries exist in the S3 bucket

Checklist

• fixup! commits have been squashed
• CI passes after rebase
• CHANGELOG.md updated with summary of features or fixes, following Keep a Changelog guidelines

[colekettler]

These two create no diff in the plan, but using bucket_domain_name requires less manual stringiness.

[colekettler]

We need to hardcode this magic ID until hashicorp/terraform-provider-aws#12512 is merged.

[jwalgran]

👍
We should consider opening an issue in the backlog so we have something to remind us to clean this up.

[colekettler]

Tracked in #1209!

[hectcastro]

Changes working as expected. 👍🏼 Shame, because I thought we had an issue that mirrored the one in other CA projects to confirm that this relationship wasn't severed, but after looking, I wasn't able to find one in the OAR repo.