feat(web-ui): switch CloudFront origin access from OAI to OAC (#369)

Author: rstrahan

CHANGELOG.md

@@ -15,6 +15,10 @@ SPDX-License-Identifier: MIT-0
 
 - **Global split panel ("documents selected")** — Removed the persistent bottom split panel from the global Web UI layout and deleted the related split-panel components and `use-split-panel` hook. The split-panel was noisy on non-document-list pages and only provided full details for single-document selection; reintroduce as an opt-in, per-page component if needed (recommendation: enable only on `DocumentList`).
 
+### Changed
+
+- **Web UI CloudFront origin access: OAI → OAC (#369)** — The CloudFront-hosted Web UI now reads its S3 origin (`WebUIBucket`) using **Origin Access Control (OAC)** instead of the legacy **Origin Access Identity (OAI)**. The distribution origin references a new `AWS::CloudFront::OriginAccessControl` resource (SigV4, `SigningBehavior: always`), and the `WebUIBucketPolicy` now grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal scoped by an `AWS:SourceArn` condition matching this distribution — strictly tighter than the previous shared canonical-user grant. This fixes a **403 / Access Denied** loading the Web UI in accounts whose org-level SCP or data-perimeter guardrails silently deny legacy OAI requests to S3 (OAI requests carry no `aws:SourceAccount`/`aws:SourceArn` and are blocked). OAC is the AWS-recommended successor to OAI. **Upgrade is in-place and non-disruptive:** the CloudFront distribution keeps the same domain name (existing Web UI URLs and the welcome-email link continue to work), and `WebUIBucket` is unaffected. GovCloud and ALB-hosted deployments are unchanged — the resource is gated on `WebUIHosting=CloudFront`.
+
 ## [0.5.15]
 
 ### Added

docs/alb-hosting.md

@@ -160,15 +160,15 @@ You can switch an existing CloudFront-hosted stack to ALB hosting (or vice versa
 
 When `WebUIHosting=ALB`:
 
-- CloudFront distribution, Origin Access Identity, and security headers policy are **not created**
+- CloudFront distribution, Origin Access Control (OAC), and security headers policy are **not created**
 - ALB nested stack is created with all ALB infrastructure
 - S3 WebUI bucket omits `WebsiteConfiguration` (ALB handles routing)
-- S3 bucket policy grants access via `aws:sourceVpce` condition instead of CloudFront OAI
+- S3 bucket policy grants access via `aws:sourceVpce` condition instead of CloudFront OAC
 
 When `WebUIHosting=CloudFront` (default):
 
 - ALB nested stack is **not created**
-- Standard CloudFront distribution with OAI is created
+- Standard CloudFront distribution with Origin Access Control (OAC) is created
 
 ### Request Flow (ALB Mode)
 

lib/idp_feature_sdk/idp_feature_sdk/cli.py

@@ -268,9 +268,7 @@ def publish_pack_cmd(
     """
     from .pack import PackPublisher
 
-    artifacts_bucket = _resolve_bucket(
-        bucket_basename, region, make_public=make_public
-    )
+    artifacts_bucket = _resolve_bucket(bucket_basename, region, make_public=make_public)
     try:
         publisher = PackPublisher(project_dir, console=console)
         result = publisher.publish(

template.yaml

@@ -4614,7 +4614,7 @@ Resources:
             - UseCloudFrontHosting
             - Effect: Allow
               Principal:
-                Service: cloudfront.amazonaws.com
+                Service: !Sub "cloudfront.${AWS::URLSuffix}"
               Action: s3:GetObject
               Resource: !Sub "${WebUIBucket.Arn}/*"
               Condition: