feat: Add support for CloudFront standard logging v2 (#192)

bryantbiggs · clark42 · web-flow · commit 5f12dd4fef79 · 2026-01-05T14:48:48.000-06:00
Co-authored-by: Jean 'clark' EYMERT &lt;jean@kamorion.com&gt;
diff --git a/README.md b/README.md
@@ -178,6 +178,9 @@ No modules.
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_cloudfront_vpc_origin.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_vpc_origin) | resource |
+| [aws_cloudwatch_log_delivery.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery) | resource |
+| [aws_cloudwatch_log_delivery_destination.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_destination) | resource |
+| [aws_cloudwatch_log_delivery_source.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_source) | resource |
 | [aws_cloudfront_cache_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source |
 | [aws_cloudfront_origin_request_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source |
 | [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_response_headers_policy) | data source |
@@ -196,6 +199,7 @@ No modules.
 | <a name="input_custom_error_response"></a> [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | <pre>list(object({<br/>    error_caching_min_ttl = optional(number)<br/>    error_code            = number<br/>    response_code         = optional(number)<br/>    response_page_path    = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | <pre>object({<br/>    allowed_methods           = optional(list(string), ["GET", "HEAD", "OPTIONS"])<br/>    cache_policy_id           = optional(string)<br/>    cache_policy_name         = optional(string)<br/>    cached_methods            = optional(list(string), ["GET", "HEAD"])<br/>    compress                  = optional(bool, true)<br/>    default_ttl               = optional(number)<br/>    field_level_encryption_id = optional(string)<br/>    forwarded_values = optional(object({<br/>      cookies = object({<br/>        forward           = optional(string, "none")<br/>        whitelisted_names = optional(list(string))<br/>      })<br/>      headers                 = optional(list(string))<br/>      query_string            = optional(bool, false)<br/>      query_string_cache_keys = optional(list(string))<br/>      }),<br/>      {<br/>        cookies = {<br/>          forward = "none"<br/>        }<br/>        query_string = false<br/>      }<br/>    )<br/>    function_association = optional(map(object({<br/>      event_type   = optional(string)<br/>      function_arn = optional(string)<br/>      function_key = optional(string)<br/>    })))<br/>    grpc_config = optional(object({<br/>      enabled = optional(bool)<br/>    }))<br/>    lambda_function_association = optional(map(object({<br/>      event_type   = optional(string)<br/>      include_body = optional(bool)<br/>      lambda_arn   = string<br/>    })))<br/>    max_ttl                      = optional(number)<br/>    min_ttl                      = optional(number)<br/>    origin_request_policy_id     = optional(string)<br/>    origin_request_policy_name   = optional(string)<br/>    realtime_log_config_arn      = optional(string)<br/>    response_headers_policy_id   = optional(string)<br/>    response_headers_policy_key  = optional(string)<br/>    response_headers_policy_name = optional(string)<br/>    smooth_streaming             = optional(bool)<br/>    target_origin_id             = string<br/>    trusted_key_groups           = optional(list(string))<br/>    trusted_signers              = optional(list(string))<br/>    viewer_protocol_policy       = optional(string, "https-only")<br/>  })</pre> | n/a | yes |
 | <a name="input_default_root_object"></a> [default\_root\_object](#input\_default\_root\_object) | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL | `string` | `null` | no |
+| <a name="input_enable_v2_logging"></a> [enable\_v2\_logging](#input\_enable\_v2\_logging) | Whether to enable v2 logging for the CloudFront distribution | `bool` | `false` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Whether the distribution is enabled to accept end user requests for content | `bool` | `true` | no |
 | <a name="input_http_version"></a> [http\_version](#input\_http\_version) | The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3, and http3. The default is http2 | `string` | `"http2"` | no |
 | <a name="input_is_ipv6_enabled"></a> [is\_ipv6\_enabled](#input\_is\_ipv6\_enabled) | Whether the IPv6 is enabled for the distribution | `bool` | `true` | no |
@@ -211,6 +215,7 @@ No modules.
 | <a name="input_retain_on_delete"></a> [retain\_on\_delete](#input\_retain\_on\_delete) | Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards | `bool` | `null` | no |
 | <a name="input_staging"></a> [staging](#input\_staging) | Whether the distribution is a staging distribution | `bool` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_v2_logging"></a> [v2\_logging](#input\_v2\_logging) | Configuration block for v2 logging destination | <pre>object({<br/>    # Destination<br/>    delivery_destination_configuration = optional(object({<br/>      destination_resource_arn = optional(string)<br/>    }))<br/>    delivery_destination_type = optional(string)<br/>    name                      = string<br/>    output_format             = optional(string)<br/>    # Delivery<br/>    field_delimiter = optional(string)<br/>    record_fields   = optional(list(string))<br/>    s3_delivery_configuration = optional(object({<br/>      enable_hive_compatible_path = optional(bool)<br/>      suffix_path                 = optional(string)<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_viewer_certificate"></a> [viewer\_certificate](#input\_viewer\_certificate) | The SSL configuration for this distribution | <pre>object({<br/>    acm_certificate_arn            = optional(string)<br/>    cloudfront_default_certificate = optional(bool)<br/>    iam_certificate_id             = optional(string)<br/>    minimum_protocol_version       = optional(string, "TLSv1.2_2025")<br/>    ssl_support_method             = optional(string)<br/>  })</pre> | `{}` | no |
 | <a name="input_vpc_origin"></a> [vpc\_origin](#input\_vpc\_origin) | Map of CloudFront VPC origins | <pre>map(object({<br/>    arn                    = string<br/>    http_port              = number<br/>    https_port             = number<br/>    name                   = optional(string)<br/>    origin_protocol_policy = string<br/>    origin_ssl_protocols = object({<br/>      items    = optional(list(string), ["TLSv1.2"])<br/>      quantity = optional(number, 1)<br/>    })<br/>    timeouts = optional(object({<br/>      create = optional(string)<br/>      update = optional(string)<br/>      delete = optional(string)<br/>    }))<br/>    tags = optional(map(string), {})<br/>  }))</pre> | `null` | no |
 | <a name="input_wait_for_deployment"></a> [wait\_for\_deployment](#input\_wait\_for\_deployment) | If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this to false will skip the process | `bool` | `null` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -50,8 +50,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_cloudfront_function.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
-| [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -10,6 +10,8 @@ data "aws_availability_zones" "available" {
   }
 }
 
+data "aws_caller_identity" "current" {}
+
 locals {
   subdomain = "cdn"
 
@@ -42,9 +44,17 @@ module "cloudfront" {
 
   create_monitoring_subscription = true
 
-  logging_config = {
-    bucket = module.log_bucket.s3_bucket_bucket_domain_name
-    prefix = "cloudfront"
+  # v2 Logging - logs to S3 with CloudWatch Log Delivery
+  # Note: This supersedes the legacy logging_config which used S3 ACLs
+  v2_logging = {
+    name            = "example-v2-logs"
+    destination_arn = "${module.log_bucket.s3_bucket_arn}/cloudfront"
+    output_format   = "parquet"
+
+    s3_delivery_configuration = {
+      enable_hive_compatible_path = true
+      suffix_path                 = "{DistributionId}/{yyyy}/{MM}/{dd}/{HH}"
+    }
   }
 
   origin_access_control = {
@@ -435,9 +445,6 @@ data "aws_iam_policy_document" "s3_policy" {
   }
 }
 
-data "aws_canonical_user_id" "current" {}
-data "aws_cloudfront_log_delivery_canonical_user_id" "cloudfront" {}
-
 module "log_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "~> 5.0"
@@ -447,25 +454,56 @@ module "log_bucket" {
   # For example only
   force_destroy = true
 
-  control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.log_bucket_policy.json
 
-  grant = [
-    {
-      type       = "CanonicalUser"
-      permission = "FULL_CONTROL"
-      id         = data.aws_canonical_user_id.current.id
-    },
-    {
-      type       = "CanonicalUser"
-      permission = "FULL_CONTROL"
-      id         = data.aws_cloudfront_log_delivery_canonical_user_id.cloudfront.id
-      # Ref. https://github.com/terraform-providers/terraform-provider-aws/issues/12512
-      # Ref. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
+  tags = local.tags
+}
+
+data "aws_iam_policy_document" "log_bucket_policy" {
+  statement {
+    sid     = "AWSLogDeliveryWrite"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${module.log_bucket.s3_bucket_arn}/*"
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
     }
-  ]
 
-  tags = local.tags
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+
+  statement {
+    sid     = "AWSLogDeliveryAclCheck"
+    actions = ["s3:GetBucketAcl"]
+    resources = [
+      module.log_bucket.s3_bucket_arn
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
 }
 
 ################################################################################
diff --git a/main.tf b/main.tf
@@ -529,6 +529,63 @@ resource "aws_cloudfront_monitoring_subscription" "this" {
   }
 }
 
+################################################################################
+# v2 Logging
+# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logging.html
+################################################################################
+
+locals {
+  enable_v2_logging = var.create && var.enable_v2_logging
+}
+
+resource "aws_cloudwatch_log_delivery_source" "this" {
+  count = local.enable_v2_logging ? 1 : 0
+
+  log_type     = "ACCESS_LOGS"
+  name         = "cloudfront-${aws_cloudfront_distribution.this[0].id}"
+  resource_arn = aws_cloudfront_distribution.this[0].arn
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_log_delivery_destination" "this" {
+  count = local.enable_v2_logging ? 1 : 0
+
+  dynamic "delivery_destination_configuration" {
+    for_each = var.v2_logging.delivery_destination_configuration != null ? [var.v2_logging.delivery_destination_configuration] : []
+
+    content {
+      destination_resource_arn = delivery_destination_configuration.value.destination_resource_arn
+    }
+  }
+
+  delivery_destination_type = var.v2_logging.delivery_destination_type
+  name                      = var.v2_logging.name
+  output_format             = var.v2_logging.output_format
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_log_delivery" "this" {
+  count = local.enable_v2_logging ? 1 : 0
+
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.this[0].arn
+  delivery_source_name     = aws_cloudwatch_log_delivery_source.this[0].name
+  field_delimiter          = var.v2_logging.field_delimiter
+  record_fields            = var.v2_logging.record_fields
+
+  dynamic "s3_delivery_configuration" {
+    for_each = var.v2_logging.s3_delivery_configuration != null ? [var.v2_logging.s3_delivery_configuration] : []
+
+    content {
+      enable_hive_compatible_path = s3_delivery_configuration.value.enable_hive_compatible_path
+      suffix_path                 = s3_delivery_configuration.value.suffix_path
+    }
+  }
+
+  tags = var.tags
+}
+
 ################################################################################
 # Data source reverse lookup by name
 # These are used to refer to resources by name instead of ID
diff --git a/variables.tf b/variables.tf
@@ -461,3 +461,35 @@ variable "realtime_metrics_subscription_status" {
   type        = string
   default     = "Enabled"
 }
+
+################################################################################
+# v2 Logging
+# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logging.html
+################################################################################
+
+variable "enable_v2_logging" {
+  description = "Whether to enable v2 logging for the CloudFront distribution"
+  type        = bool
+  default     = false
+}
+
+variable "v2_logging" {
+  description = "Configuration block for v2 logging destination"
+  type = object({
+    # Destination
+    delivery_destination_configuration = optional(object({
+      destination_resource_arn = optional(string)
+    }))
+    delivery_destination_type = optional(string)
+    name                      = string
+    output_format             = optional(string)
+    # Delivery
+    field_delimiter = optional(string)
+    record_fields   = optional(list(string))
+    s3_delivery_configuration = optional(object({
+      enable_hive_compatible_path = optional(bool)
+      suffix_path                 = optional(string)
+    }))
+  })
+  default = null
+}
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -13,6 +13,7 @@ module "wrapper" {
   custom_error_response           = try(each.value.custom_error_response, var.defaults.custom_error_response, null)
   default_cache_behavior          = try(each.value.default_cache_behavior, var.defaults.default_cache_behavior)
   default_root_object             = try(each.value.default_root_object, var.defaults.default_root_object, null)
+  enable_v2_logging               = try(each.value.enable_v2_logging, var.defaults.enable_v2_logging, false)
   enabled                         = try(each.value.enabled, var.defaults.enabled, true)
   http_version                    = try(each.value.http_version, var.defaults.http_version, "http2")
   is_ipv6_enabled                 = try(each.value.is_ipv6_enabled, var.defaults.is_ipv6_enabled, true)
@@ -38,6 +39,7 @@ module "wrapper" {
   retain_on_delete    = try(each.value.retain_on_delete, var.defaults.retain_on_delete, null)
   staging             = try(each.value.staging, var.defaults.staging, null)
   tags                = try(each.value.tags, var.defaults.tags, {})
+  v2_logging          = try(each.value.v2_logging, var.defaults.v2_logging, null)
   viewer_certificate  = try(each.value.viewer_certificate, var.defaults.viewer_certificate, {})
   vpc_origin          = try(each.value.vpc_origin, var.defaults.vpc_origin, null)
   wait_for_deployment = try(each.value.wait_for_deployment, var.defaults.wait_for_deployment, null)
