How to disable OAI(origin access identity) of cloudfront-origin in CDK v2?

[cckn]

I'm using KMS to encrypt objects in my S3 bucket and serving them from cloudfront.

I need to disable OAI in cloudfront-origin to use KMS.

I'm using CDK 2.4.0 and I couldn't find how to disable OAI in the CDK documentation.

If originAccessIdentity is not entered, the default for OAI in CDK v1 is OAI is not used.
cdk v1 originaccessidentity

On the other hand, in CDK v2, if you do not input OAI, CDK creates and uses OAI.
cdk v2 originaccessidentity

I can change that setting in the console, but I have to change it every time the CDK is finished deploying.
It is not easy to use only that stack as CDK v1 because all of the existing infrastructure is using CDK v2.

Is there any way to disable OAI in CDK v2?

 const origin = new cloudfrontOrigins.S3Origin(bucket)

 const cloudfrontDistributionBehaviorOptions: cdk.aws_cloudfront.BehaviorOptions = {
    origin,
    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    trustedKeyGroups: [keyGroup],
    edgeLambdas: [
        {
            functionVersion,
                eventType: cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
        },
    ],
 }

 this.cloudfrontDistribution = new cloudfront.Distribution(this, `cloudfront-distribution`, {
    defaultBehavior: {
        ...cloudfrontDistributionBehaviorOptions,
    },
    additionalBehaviors: {
        "*.m3u8": {
            ...cloudfrontDistributionBehaviorOptions,
            cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
        },
    },
 })

[peterwoodworth]

You can remove the OAI config on your distribution with escape hatches. Here's an example:

        const dist = new Distribution(this, 'Dist', {
            defaultBehavior: {
                origin,
            }
        })

        const cfdist = dist.node.defaultChild as CfnDistribution;
        cfdist.addPropertyDeletionOverride('DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity')

But also, nothing about using cdk v2 should prevent you from using the CloudFrontWebDistribution construct if that's easier. You can create both CloudFrontWebDistribution and Distribution in both v1 and v2

Hope this helps

[danielbayerlein]

Does not work:

cfdist.addPropertyDeletionOverride('DistributionConfig.Origins.0.S3OriginConfig')

Works for me:

cfdist.addPropertyOverride('DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity', '');

[peterwoodworth]

Thanks, I had the wrong path. I've updated my comment and it should be good now.

[belinde]

I too had to use addPropertyOverride with an empty string, and it works OK. But the OriginAccessIdentity is still created, even if it's not attached to the distribution. Is there a way to remove it from the stack?