chore: Updated S3 bucket policy for OAC in the complete example (#105)

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

Author: remiflament

examples/complete/main.tf

@@ -290,10 +290,8 @@ module "records" {
   ]
 }
 
-###########################
-# Origin Access Identities
-###########################
 data "aws_iam_policy_document" "s3_policy" {
+  # Origin Access Identities
   statement {
     actions   = ["s3:GetObject"]
     resources = ["${module.s3_one.s3_bucket_arn}/static/*"]
@@ -303,6 +301,23 @@ data "aws_iam_policy_document" "s3_policy" {
       identifiers = module.cloudfront.cloudfront_origin_access_identity_iam_arns
     }
   }
+
+  # Origin Access Controls
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${module.s3_one.s3_bucket_arn}/static/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [module.cloudfront.cloudfront_distribution_arn]
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "bucket_policy" {