diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json new file mode 100644 index 0000000000000..8a9292c452e57 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json @@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df": { + "source": { + "path": "BucketOwnerFullControl.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json new file mode 100644 index 0000000000000..3bb0781403679 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json 
@@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "BucketOwnerFullControl", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json new file mode 100644 index 0000000000000..1c59c453a5b9a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e": { + "source": { + "path": "BucketOwnerRead.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json new file mode 100644 index 0000000000000..403dad48ff052 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json 
@@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "BucketOwnerRead", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json new file mode 100644 index 0000000000000..9445a7fd59f38 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292": { + "source": { + "path": "Private.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json new file mode 100644 index 0000000000000..cb180ae32528a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json 
@@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "Private", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out new file mode 100644 index 0000000000000..7925065efbcc4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"31.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json new file mode 100644 index 0000000000000..6052f3d6110c4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json 
@@ -0,0 +1,14 @@ +{ + "version": "31.0.0", + "testCases": { + "integ-test/DefaultTest": { + "stacks": [ + "Private", + "BucketOwnerRead", + "BucketOwnerFullControl" + ], + "assertionStack": "integ-test/DefaultTest/DeployAssert", + "assertionStackName": "integtestDefaultTestDeployAssert24D5C536" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json new file mode 100644 index 0000000000000..ecd9f6bd2a455 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json @@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestDefaultTestDeployAssert24D5C536.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json new file mode 100644 index 0000000000000..ea2f0d0fa88d9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json 
@@ -0,0 +1,217 @@ +{ + "version": "31.0.0", + "artifacts": { + "Private.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "Private.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "Private": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "Private.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "Private.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "Private.assets" + ], + "metadata": { + "/Private/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/Private/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/Private/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "Private" + }, + "BucketOwnerRead.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BucketOwnerRead.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": 
"/cdk-bootstrap/hnb659fds/version" + } + }, + "BucketOwnerRead": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "BucketOwnerRead.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BucketOwnerRead.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BucketOwnerRead.assets" + ], + "metadata": { + "/BucketOwnerRead/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/BucketOwnerRead/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/BucketOwnerRead/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BucketOwnerRead" + }, + "BucketOwnerFullControl.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BucketOwnerFullControl.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "BucketOwnerFullControl": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + 
"properties": { + "templateFile": "BucketOwnerFullControl.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BucketOwnerFullControl.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BucketOwnerFullControl.assets" + ], + "metadata": { + "/BucketOwnerFullControl/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/BucketOwnerFullControl/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/BucketOwnerFullControl/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BucketOwnerFullControl" + }, + "integtestDefaultTestDeployAssert24D5C536.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestDefaultTestDeployAssert24D5C536.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestDefaultTestDeployAssert24D5C536": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": 
"integtestDefaultTestDeployAssert24D5C536.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "metadata": { + "/integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json new file mode 100644 index 0000000000000..d6501454fd3f3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json 
@@ -0,0 +1,246 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "Private": { + "id": "Private", + "path": "Private", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "Private/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "Private/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "Private", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "Private/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "Private/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BucketOwnerRead": { + "id": "BucketOwnerRead", + "path": "BucketOwnerRead", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "BucketOwnerRead/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "BucketOwnerRead/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "BucketOwnerRead", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": 
"BucketOwnerRead/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "BucketOwnerRead/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BucketOwnerFullControl": { + "id": "BucketOwnerFullControl", + "path": "BucketOwnerFullControl", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "BucketOwnerFullControl/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "BucketOwnerFullControl/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "BucketOwnerFullControl", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "BucketOwnerFullControl/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "BucketOwnerFullControl/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "integ-test": { + "id": "integ-test", + "path": "integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + 
"DeployAssert": { + "id": "DeployAssert", + "path": "integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts new file mode 100644 index 0000000000000..b0d09720c1af0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts 
@@ -0,0 +1,25 @@
+import { Construct } from 'constructs';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new cdk.App();
+
+class TestCase extends cdk.Stack {
+ constructor(scope: Construct, id: s3.BucketAccessControl, props?: cdk.StackProps) {
+ super(scope, id, props);
+ new s3.Bucket(this, 'IntegBucket', {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ accessControl: id,
+ objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+ });
+ }
+}
+
+new integ.IntegTest(app, 'integ-test', {
+ testCases: [
+ new TestCase(app, s3.BucketAccessControl.PRIVATE),
+ new TestCase(app, s3.BucketAccessControl.BUCKET_OWNER_READ),
+ new TestCase(app, s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL),
+ ],
+});
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
index 493e90652a12c..761b18be57b82 100644
--- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
+++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -1,5 +1,13 @@
 import { EOL } from 'os';
 import * as path from 'path';
+import { Construct } from 'constructs';
+import { BucketPolicy } from './bucket-policy';
+import { IBucketNotificationDestination } from './destination';
+import { BucketNotifications } from './notifications-resource';
+import * as perms from './perms';
+import { LifecycleRule } from './rule';
+import { CfnBucket } from './s3.generated';
+import { parseBucketArn, parseBucketName } from './util';
 import * as events from '../../aws-events';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
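Review bot: The three cases in integ.bucket-acls.ts deploy only PRIVATE, BUCKET_OWNER_READ and BUCKET_OWNER_FULL_CONTROL, each with `objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED`, so the behaviour this commit adds in bucket.ts is never deployed against S3: an ACL that needs ACLs enabled falling back to ObjectWriter. That path is only checked at template level in bucket.test.ts. A fourth stack that sets `accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE` and leaves `objectOwnership` unset would cover it. Separately, `TestCase` takes `id: s3.BucketAccessControl` and uses it as both the stack id and the ACL; a separate `accessControl` parameter would make that coupling explicit.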
@@ -24,14 +32,6 @@ import { import { CfnReference } from '../../core/lib/private/cfn-reference'; import * as cxapi from '../../cx-api'; import * as regionInformation from '../../region-info'; -import { Construct } from 'constructs'; -import { BucketPolicy } from './bucket-policy'; -import { IBucketNotificationDestination } from './destination'; -import { BucketNotifications } from './notifications-resource'; -import * as perms from './perms'; -import { LifecycleRule } from './rule'; -import { CfnBucket } from './s3.generated'; -import { parseBucketArn, parseBucketName } from './util'; const AUTO_DELETE_OBJECTS_RESOURCE_TYPE = 'Custom::S3AutoDeleteObjects'; const AUTO_DELETE_OBJECTS_TAG = 'aws-cdk:auto-delete-objects'; @@ -540,6 +540,8 @@ export abstract class BucketBase extends Resource implements IBucket { protected notificationsHandlerRole?: iam.IRole; + protected objectOwnership?: ObjectOwnership; + constructor(scope: Construct, id: string, props: ResourceProps = {}) { super(scope, id, props); @@ -1834,6 +1836,7 @@ export class Bucket extends BucketBase { const objectLockConfiguration = this.parseObjectLockConfig(props); + this.objectOwnership = props.objectOwnership; const resource = new CfnBucket(this, 'Resource', { bucketName: this.physicalName, bucketEncryption, @@ -1846,7 +1849,7 @@ export class Bucket extends BucketBase { accessControl: Lazy.string({ produce: () => this.accessControl }), loggingConfiguration: this.parseServerAccessLogs(props), inventoryConfigurations: Lazy.any({ produce: () => this.parseInventoryConfiguration() }), - ownershipControls: this.parseOwnershipControls(props), + ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls() }), accelerateConfiguration: props.transferAcceleration ? { accelerationStatus: 'Enabled' } : undefined, intelligentTieringConfigurations: this.parseTieringConfig(props), objectLockEnabled: objectLockConfiguration ? true : props.objectLockEnabled, 
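Review bot: The new `protected objectOwnership?: ObjectOwnership;` member on `BucketBase` (hunk at -540) has no doc comment, although a protected field on an exported abstract class is visible to every subclass. In this diff only the `Bucket` constructor assigns it, so other subclasses presumably leave it undefined. I would add `/** Object ownership requested through BucketProps; only set by Bucket, undefined otherwise. */` above it. The class body continues outside the hunk.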
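Review bot: Wrapping `ownershipControls` in `Lazy.any` (hunk at -1846) moves the validation in `parseOwnershipControls` from construction to synthesis, so the new error is thrown from inside token resolution rather than at the `new s3.Bucket(...)` call that caused it. The "Throws if ObjectOwnership and AccessControl do not match" test confirms this by needing `app.synth()`. A comment on this line should say why the value is lazy, e.g. `// Lazy: accessControl can still be assigned after construction, so ownership is decided at synth time.` (presumably the reason, given that `accessControl` is produced lazily two lines up). Including `this.node.path` in the error message would let the user find the offending bucket.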
@@ -2190,13 +2193,26 @@ export class Bucket extends BucketBase { })); } - private parseOwnershipControls({ objectOwnership }: BucketProps): CfnBucket.OwnershipControlsProperty | undefined { - if (!objectOwnership) { + private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined { + // Enabling an ACL explicitly is required for all new buckets. + // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ + const aclsThatDoNotRequireObjectOwnership = [ + BucketAccessControl.PRIVATE, + BucketAccessControl.BUCKET_OWNER_READ, + BucketAccessControl.BUCKET_OWNER_FULL_CONTROL, + ]; + const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl)); + if (!this.objectOwnership && !accessControlRequiresObjectOwnership) { return undefined; } + + if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) { + throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`); + } + return { rules: [{ - objectOwnership, + objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER, }], }; } diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index 3008700f87ec2..c186ccc89a3ea 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts @@ -1,8 +1,8 @@ import { EOL } from 'os'; +import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Annotations, Match, Template } from '../../assertions'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import * as cdk from '../../core'; import * as s3 from '../lib'; 
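Review bot: The error thrown in `parseOwnershipControls` says objectOwnership "must be set to" ObjectWriter, but the condition rejects only `ObjectOwnership.BUCKET_OWNER_ENFORCED`, so `ObjectOwnership.BUCKET_OWNER_PREFERRED` passes the check while the message tells the user it is not allowed. Wording the message after the condition keeps the two in step: `` throw new Error(`objectOwnership must not be "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${this.accessControl}"`); ``. The regex in the matching test in bucket.test.ts would need the same change. The fallback `this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER` also turns ACLs on for a bucket whose author never chose an ownership setting, so it deserves a why-comment above it such as `// No ownership given but this ACL needs ACLs enabled: opt in to ObjectWriter instead of the S3 default (ACLs disabled).`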
@@ -2738,6 +2738,84 @@ describe('bucket', () => { }); }); + test('Log bucket has ACL enabled when feature flag is disabled', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + const accessLogBucket = new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + }); + + new s3.Bucket(stack, 'MyBucket', { + serverAccessLogsBucket: accessLogBucket, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + OwnershipControls: { + Rules: [{ ObjectOwnership: 'ObjectWriter' }], + }, + }); + }); + + test('ObjectOwnership is configured when AccessControl is set', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + AccessControl: 'LogDeliveryWrite', + OwnershipControls: { + Rules: [{ ObjectOwnership: 'ObjectWriter' }], + }, + }); + }); + + test('ObjectOwnership is not configured when AccessControl="Private"', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.PRIVATE, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + AccessControl: 'Private', + OwnershipControls: Match.absent(), + }); + }); + + test('Throws if ObjectOwnership and AccessControl do not match', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE, + 
objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, + }); + + // THEN + expect(() => { + app.synth(); + }).toThrow(/objectOwnership must be set to \"ObjectWriter\" when accessControl is \"LogDeliveryWrite\"/); + }); + test('Defaults for an inventory bucket', () => { // Given const stack = new cdk.Stack();
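Review bot: The comment `// Logging bucket has ACL enabled when feature flag is not set` is copied into 'ObjectOwnership is configured when AccessControl is set' and 'ObjectOwnership is not configured when AccessControl="Private"', where no feature flag or logging relationship is involved. The latter test asserts `OwnershipControls: Match.absent()`, so there the comment contradicts the assertion. Replace it with `// THEN` in both. The first test's title also mentions a feature flag that the test body never sets or reads, so it should state what is actually being exercised. There is no case for an ACL-requiring `accessControl` combined with `s3.ObjectOwnership.BUCKET_OWNER_PREFERRED`, which the new check in bucket.ts lets through and which should be pinned by a test.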