chore(cloudfront): reference interfaces (#36420)

Reference interfaces for L2s, like #35271.

"chore" because I plan to make a lot of these PRs and they're not adding value to the changelog.

(Generated with AI)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/aws-cdk-lib/aws-cloudfront-origins/lib/function-url-origin.ts

@@ -55,7 +55,7 @@ export interface FunctionUrlOriginWithOACProps extends FunctionUrlOriginProps {
    *
    * @default - an Origin Access Control will be created.
    */
-  readonly originAccessControl?: cloudfront.IOriginAccessControl;
+  readonly originAccessControl?: cloudfront.IOriginAccessControlRef;
 
 }
 
@@ -96,7 +96,7 @@ export class FunctionUrlOrigin extends cloudfront.OriginBase {
  * An Origin for a Lambda Function URL with OAC.
  */
 class FunctionUrlOriginWithOAC extends cloudfront.OriginBase {
-  private originAccessControl?: cloudfront.IOriginAccessControl;
+  private originAccessControl?: cloudfront.IOriginAccessControlRef;
   private functionUrl: lambda.IFunctionUrl;
   private readonly props: FunctionUrlOriginWithOACProps;
 
@@ -136,7 +136,7 @@ class FunctionUrlOriginWithOAC extends cloudfront.OriginBase {
       ...originBindConfig,
       originProperty: {
         ...originBindConfig.originProperty!,
-        originAccessControlId: this.originAccessControl?.originAccessControlId,
+        originAccessControlId: this.originAccessControl?.originAccessControlRef.originAccessControlId,
       },
     };
   }

packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts

@@ -5,6 +5,7 @@ import * as iam from '../../aws-iam';
 import { IKey } from '../../aws-kms';
 import { IBucket } from '../../aws-s3';
 import { Annotations, Aws, Names, Stack, UnscopedValidationError } from '../../core';
+import { IOriginAccessControlRef } from '../../interfaces/generated/aws-cloudfront-interfaces.generated';
 
 interface BucketPolicyAction {
   readonly action: string;
@@ -38,7 +39,7 @@ export interface S3BucketOriginWithOACProps extends S3BucketOriginBaseProps {
    *
    * @default - an Origin Access Control will be created.
    */
-  readonly originAccessControl?: cloudfront.IOriginAccessControl;
+  readonly originAccessControl?: IOriginAccessControlRef;
 
   /**
    * The level of permissions granted in the bucket policy and key policy (if applicable)
@@ -58,7 +59,7 @@ export interface S3BucketOriginWithOAIProps extends S3BucketOriginBaseProps {
    *
    * @default - an Origin Access Identity will be created.
    */
-  readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
+  readonly originAccessIdentity?: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
 }
 
 /**
@@ -108,7 +109,7 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
 
 class S3BucketOriginWithOAC extends S3BucketOrigin {
   private readonly bucket: IBucket;
-  private originAccessControl?: cloudfront.IOriginAccessControl;
+  private originAccessControl?: IOriginAccessControlRef;
   private originAccessLevels?: cloudfront.AccessLevel[];
 
   constructor(bucket: IBucket, props?: S3BucketOriginWithOACProps) {
@@ -160,7 +161,7 @@ class S3BucketOriginWithOAC extends S3BucketOrigin {
       ...originBindConfig,
       originProperty: {
         ...originBindConfig.originProperty!,
-        originAccessControlId: this.originAccessControl.originAccessControlId,
+        originAccessControlId: this.originAccessControl.originAccessControlRef.originAccessControlId,
       },
     };
   }
@@ -221,7 +222,7 @@ class S3BucketOriginWithOAC extends S3BucketOrigin {
 
 class S3BucketOriginWithOAI extends S3BucketOrigin {
   private readonly bucket: IBucket;
-  private originAccessIdentity?: cloudfront.IOriginAccessIdentity;
+  private originAccessIdentity?: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
 
   constructor(bucket: IBucket, props?: S3BucketOriginWithOAIProps) {
     super(bucket, { ...props });
@@ -265,6 +266,6 @@ class S3BucketOriginWithOAI extends S3BucketOrigin {
     if (!this.originAccessIdentity) {
       throw new UnscopedValidationError('Origin access identity cannot be undefined');
     }
-    return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
+    return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.cloudFrontOriginAccessIdentityRef.cloudFrontOriginAccessIdentityId}` };
   }
 }

packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-origin.ts

@@ -14,7 +14,7 @@ export interface S3OriginProps extends cloudfront.OriginProps {
    *
    * @default - An Origin Access Identity will be created.
    */
-  readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
+  readonly originAccessIdentity?: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
 }
 
 /**
@@ -49,7 +49,7 @@ export class S3Origin implements cloudfront.IOrigin {
  * Contains additional logic around bucket permissions and origin access identities.
  */
 class S3BucketOrigin extends cloudfront.OriginBase {
-  private originAccessIdentity!: cloudfront.IOriginAccessIdentity;
+  private originAccessIdentity!: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
 
   constructor(private readonly bucket: s3.IBucket, { originAccessIdentity, ...props }: S3OriginProps) {
     super(bucket.bucketRegionalDomainName, props);
@@ -86,6 +86,6 @@ class S3BucketOrigin extends cloudfront.OriginBase {
   }
 
   protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined {
-    return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
+    return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.cloudFrontOriginAccessIdentityRef.cloudFrontOriginAccessIdentityId}` };
   }
 }

packages/aws-cdk-lib/aws-cloudfront/lib/origin-access-control.ts

@@ -3,11 +3,12 @@ import { CfnOriginAccessControl } from './cloudfront.generated';
 import { IResource, Resource, Names } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
+import { IOriginAccessControlRef, OriginAccessControlReference } from '../../interfaces/generated/aws-cloudfront-interfaces.generated';
 
 /**
  * Represents a CloudFront Origin Access Control
  */
-export interface IOriginAccessControl extends IResource {
+export interface IOriginAccessControl extends IResource, IOriginAccessControlRef {
   /**
    * The unique identifier of the origin access control.
    * @attribute
@@ -178,6 +179,12 @@ export abstract class OriginAccessControlBase extends Resource implements IOrigi
    * @attribute
    */
   public abstract readonly originAccessControlId: string;
+
+  public get originAccessControlRef(): OriginAccessControlReference {
+    return {
+      originAccessControlId: this.originAccessControlId,
+    };
+  }
 }
 
 /**
@@ -197,6 +204,12 @@ export class S3OriginAccessControl extends OriginAccessControlBase {
     class Import extends Resource implements IOriginAccessControl {
       public readonly originAccessControlId = originAccessControlId;
       public readonly originAccessControlOriginType = OriginAccessControlOriginType.S3;
+
+      public get originAccessControlRef(): OriginAccessControlReference {
+        return {
+          originAccessControlId: this.originAccessControlId,
+        };
+      }
     }
     return new Import(scope, id);
   }
@@ -245,6 +258,12 @@ export class FunctionUrlOriginAccessControl extends OriginAccessControlBase {
     class Import extends Resource implements IOriginAccessControl {
       public readonly originAccessControlId = originAccessControlId;
       public readonly originAccessControlOriginType = OriginAccessControlOriginType.LAMBDA;
+
+      public get originAccessControlRef(): OriginAccessControlReference {
+        return {
+          originAccessControlId: this.originAccessControlId,
+        };
+      }
     }
     return new Import(scope, id);
   }

packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts

@@ -13,8 +13,6 @@ import {
 } from './distribution';
 import { FunctionAssociation } from './function';
 import { GeoRestriction } from './geo-restriction';
-import { IKeyGroup } from './key-group';
-import { IOriginAccessIdentity } from './origin-access-identity';
 import { formatDistributionArn } from './private/utils';
 import * as certificatemanager from '../../aws-certificatemanager';
 import * as iam from '../../aws-iam';
@@ -23,6 +21,7 @@ import * as s3 from '../../aws-s3';
 import * as cdk from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
+import { ICloudFrontOriginAccessIdentityRef, IKeyGroupRef } from '../../interfaces/generated/aws-cloudfront-interfaces.generated';
 
 /**
  * HTTP status code to failover to second origin
@@ -321,7 +320,7 @@ export interface S3OriginConfig {
    *
    * @default No Origin Access Identity which requires the S3 bucket to be public accessible
    */
-  readonly originAccessIdentity?: IOriginAccessIdentity;
+  readonly originAccessIdentity?: ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
 
   /**
    * The relative path to the origin root to use for sources.
@@ -397,7 +396,7 @@ export interface Behavior {
    * @default - no KeyGroups are associated with cache behavior
    * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
    */
-  readonly trustedKeyGroups?: IKeyGroup[];
+  readonly trustedKeyGroups?: IKeyGroupRef[];
 
   /**
    *
@@ -1062,7 +1061,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       forwardedValues: input.forwardedValues || { queryString: false, cookies: { forward: 'none' } },
       maxTtl: input.maxTtl && input.maxTtl.toSeconds(),
       minTtl: input.minTtl && input.minTtl.toSeconds(),
-      trustedKeyGroups: input.trustedKeyGroups?.map(key => key.keyGroupId),
+      trustedKeyGroups: input.trustedKeyGroups?.map(key => key.keyGroupRef.keyGroupId),
       trustedSigners: input.trustedSigners,
       targetOriginId: input.targetOriginId,
       viewerProtocolPolicy: input.viewerProtocolPolicy || protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
@@ -1176,7 +1175,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
         }));
 
         s3OriginConfig = {
-          originAccessIdentity: `origin-access-identity/cloudfront/${originConfig.s3OriginSource.originAccessIdentity.originAccessIdentityId}`,
+          originAccessIdentity: `origin-access-identity/cloudfront/${originConfig.s3OriginSource.originAccessIdentity.cloudFrontOriginAccessIdentityRef.cloudFrontOriginAccessIdentityId}`,
         };
       } else {
         s3OriginConfig = {};

packages/awslint/lib/rules/api.ts

@@ -108,6 +108,13 @@ apiLinter.add({
         return;
       }
 
+      if (type.intersectionOfTypes) {
+        for (const t of type.intersectionOfTypes) {
+          assertType(t, docs, scope);
+        }
+        return;
+      }
+
       // interfaces are okay
       if (type.type && type.type.isInterfaceType()) {
         return assertInterface(type.type);