From 075f5752f9902a1cfb02338dedcf4f119caa2579 Mon Sep 17 00:00:00 2001 From: Mitchell Valine Date: Tue, 25 Apr 2023 15:39:59 -0700 Subject: [PATCH 1/5] fix: log buckets don't have acls enabled Adds `objectOwnership` to s3 server access log delivery buckets that are created in cdk applications with the `@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy` feature flag disabled. This will allow users to keep creating new buckets within those apps for storing logs. This is only set if the user has not configured `objectOwnership` manually on the log bucket. `ObjectWriter` was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement. --- packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 10 +++++++-- .../aws-cdk-lib/aws-s3/test/bucket.test.ts | 22 +++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts index 493e90652a12c..0bc3584c05d54 100644 --- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts +++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts @@ -540,6 +540,8 @@ export abstract class BucketBase extends Resource implements IBucket { protected notificationsHandlerRole?: iam.IRole; + protected objectOwnership?: ObjectOwnership; + constructor(scope: Construct, id: string, props: ResourceProps = {}) { super(scope, id, props); @@ -1834,6 +1836,7 @@ export class Bucket extends BucketBase { const objectLockConfiguration = this.parseObjectLockConfig(props); + this.objectOwnership = props.objectOwnership; const resource = new CfnBucket(this, 'Resource', { bucketName: this.physicalName, bucketEncryption, 
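Review bot: The new `protected objectOwnership?: ObjectOwnership;` in hunk @@ -540 lands on the exported abstract `BucketBase`, but the only reads and writes of it in this series are inside `Bucket` (the constructor assignment in @@ -1834 and the `parseOwnershipControls` hunks in patches 2 and 3), so it widens the subclass-facing surface of `BucketBase` with no visible consumer. Declaring it on `Bucket` as `private objectOwnership?: ObjectOwnership;` keeps the state next to the code that uses it; if `accessControl` is likewise a `Bucket`-level field, the two belong together since `parseOwnershipControls` now reads both. The declaration is carried unchanged through patches 2 and 3, so the same applies there.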
@@ -1846,7 +1849,7 @@ export class Bucket extends BucketBase { accessControl: Lazy.string({ produce: () => this.accessControl }), loggingConfiguration: this.parseServerAccessLogs(props), inventoryConfigurations: Lazy.any({ produce: () => this.parseInventoryConfiguration() }), - ownershipControls: this.parseOwnershipControls(props), + ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls(this.objectOwnership) }), accelerateConfiguration: props.transferAcceleration ? { accelerationStatus: 'Enabled' } : undefined, intelligentTieringConfigurations: this.parseTieringConfig(props), objectLockEnabled: objectLockConfiguration ? true : props.objectLockEnabled, @@ -2190,7 +2193,7 @@ export class Bucket extends BucketBase { })); } - private parseOwnershipControls({ objectOwnership }: BucketProps): CfnBucket.OwnershipControlsProperty | undefined { + private parseOwnershipControls(objectOwnership?: ObjectOwnership): CfnBucket.OwnershipControlsProperty | undefined { if (!objectOwnership) { return undefined; } @@ -2325,6 +2328,9 @@ export class Bucket extends BucketBase { throw new Error("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed"); } else { this.accessControl = BucketAccessControl.LOG_DELIVERY_WRITE; + // Enabling an ACL explicitly is required for all new buckets. + // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ + this.objectOwnership = this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER; } } diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index 3008700f87ec2..ac070e37085f2 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts 
@@ -2738,6 +2738,28 @@ describe('bucket', () => { }); }); + test('Log bucket has ACL enabled when feature flag is disabled', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + const accessLogBucket = new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + }); + + new s3.Bucket(stack, 'MyBucket', { + serverAccessLogsBucket: accessLogBucket, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + OwnershipControls: { + Rules: [{ ObjectOwnership: 'ObjectWriter' }], + }, + }); + }); + test('Defaults for an inventory bucket', () => { // Given const stack = new cdk.Stack(); From 7932d972bd8c9fafab17a7844ce7a469cc40f2f1 Mon Sep 17 00:00:00 2001 From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Wed, 26 Apr 2023 12:39:00 +0000 Subject: [PATCH 2/5] updating based on comments --- packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 38 +++++++----- .../aws-cdk-lib/aws-s3/test/bucket.test.ts | 58 ++++++++++++++++++- 2 files changed, 80 insertions(+), 16 deletions(-) diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts index 0bc3584c05d54..942c1613e4712 100644 --- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts +++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts @@ -1,5 +1,13 @@ import { EOL } from 'os'; import * as path from 'path'; +import { Construct } from 'constructs'; +import { BucketPolicy } from './bucket-policy'; +import { IBucketNotificationDestination } from './destination'; +import { BucketNotifications } from './notifications-resource'; +import * as perms from './perms'; +import { LifecycleRule } from './rule'; +import { CfnBucket } from './s3.generated'; +import { parseBucketArn, parseBucketName } from './util'; import * as events from '../../aws-events'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; 
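Review bot: The test titled 'Log bucket has ACL enabled when feature flag is disabled' builds its stack with a bare `new cdk.Stack()` and never sets `@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy`, so it only exercises whatever the flag's current default happens to be; if that default flips, the test silently stops covering the ACL path the commit message describes. Pin the flag in the test setup, e.g. `const app = new cdk.App({ context: { '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': false } });` followed by `const stack = new cdk.Stack(app);`, and consider the mirror case with the flag `true` asserting `OwnershipControls: Match.absent()` so the bucket-policy path is shown not to re-enable ACLs. The three tests added in patch 2 (@@ -2760) share the `new cdk.Stack()` setup but drive `accessControl` directly and so are not flag-dependent.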
@@ -24,14 +32,6 @@ import { import { CfnReference } from '../../core/lib/private/cfn-reference'; import * as cxapi from '../../cx-api'; import * as regionInformation from '../../region-info'; -import { Construct } from 'constructs'; -import { BucketPolicy } from './bucket-policy'; -import { IBucketNotificationDestination } from './destination'; -import { BucketNotifications } from './notifications-resource'; -import * as perms from './perms'; -import { LifecycleRule } from './rule'; -import { CfnBucket } from './s3.generated'; -import { parseBucketArn, parseBucketName } from './util'; const AUTO_DELETE_OBJECTS_RESOURCE_TYPE = 'Custom::S3AutoDeleteObjects'; const AUTO_DELETE_OBJECTS_TAG = 'aws-cdk:auto-delete-objects'; @@ -1849,7 +1849,7 @@ export class Bucket extends BucketBase { accessControl: Lazy.string({ produce: () => this.accessControl }), loggingConfiguration: this.parseServerAccessLogs(props), inventoryConfigurations: Lazy.any({ produce: () => this.parseInventoryConfiguration() }), - ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls(this.objectOwnership) }), + ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls(this.objectOwnership, this.accessControl) }), accelerateConfiguration: props.transferAcceleration ? { accelerationStatus: 'Enabled' } : undefined, intelligentTieringConfigurations: this.parseTieringConfig(props), objectLockEnabled: objectLockConfiguration ? true : props.objectLockEnabled, 
@@ -2193,13 +2193,24 @@ export class Bucket extends BucketBase { })); } - private parseOwnershipControls(objectOwnership?: ObjectOwnership): CfnBucket.OwnershipControlsProperty | undefined { - if (!objectOwnership) { + private parseOwnershipControls( + objectOwnership?: ObjectOwnership, + accessControl?: BucketAccessControl, + ): CfnBucket.OwnershipControlsProperty | undefined { + // Enabling an ACL explicitly is required for all new buckets. + // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ + const accessControlRequiresObjectOwnership = (accessControl && accessControl !== BucketAccessControl.PRIVATE); + if (!objectOwnership && !accessControlRequiresObjectOwnership) { return undefined; } + + if (accessControlRequiresObjectOwnership && objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) { + throw new Error (`objectOwnership cannot be set to "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${accessControl}"`); + } + return { rules: [{ - objectOwnership, + objectOwnership: objectOwnership ?? ObjectOwnership.OBJECT_WRITER, }], }; } @@ -2328,9 +2339,6 @@ export class Bucket extends BucketBase { throw new Error("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed"); } else { this.accessControl = BucketAccessControl.LOG_DELIVERY_WRITE; - // Enabling an ACL explicitly is required for all new buckets. - // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ - this.objectOwnership = this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER; } } diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index ac070e37085f2..1c7c8b91eb903 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts 
@@ -1,8 +1,8 @@ import { EOL } from 'os'; +import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Annotations, Match, Template } from '../../assertions'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import * as cdk from '../../core'; import * as s3 from '../lib'; 
@@ -2760,6 +2760,62 @@ describe('bucket', () => { }); }); + test('ObjectOwnership is configured when AccessControl is set', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + AccessControl: 'LogDeliveryWrite', + OwnershipControls: { + Rules: [{ ObjectOwnership: 'ObjectWriter' }], + }, + }); + }); + + test('ObjectOwnership is not configured when AccessControl="Private"', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.PRIVATE, + }); + + // Logging bucket has ACL enabled when feature flag is not set + Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', { + BucketName: 'mylogbucket', + AccessControl: 'Private', + OwnershipControls: Match.absent(), + }); + }); + + test('Throws if ObjectOwnership and AccessControl do not match', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app); + + // WHEN + new s3.Bucket(stack, 'AccessLogs', { + bucketName: 'mylogbucket', + accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE, + objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, + }); + + // THEN + expect(() => { + app.synth(); + }).toThrow(/objectOwnership cannot be set to \"BucketOwnerEnforced\" when accessControl is \"LogDeliveryWrite\"/); + }); + test('Defaults for an inventory bucket', () => { // Given const stack = new cdk.Stack(); From 47420f6a2201daf7d6294bce565f72bdc8faffcd Mon Sep 17 00:00:00 2001 
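Review bot: The inline comment `// Logging bucket has ACL enabled when feature flag is not set` was copied into all three new tests at @@ -2760, and it is wrong for the second one, which asserts `OwnershipControls: Match.absent()` for `AccessControl: 'Private'`; none of the three involves a logging bucket or the feature flag, since each sets `accessControl` on the bucket directly. Replace each with a comment that matches the assertion, e.g. `// A non-private canned ACL forces ObjectWriter ownership` for the first and `// 'Private' is compatible with ACLs disabled, so no OwnershipControls is emitted` for the second. In the third test, `new s3.Bucket(...)` sits under `// WHEN` but cannot throw by itself because `ownershipControls` is produced lazily; a one-line comment above `app.synth()` saying the validation runs at synth time would save the next reader from wondering why the assertion is not on the constructor call.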
From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Wed, 26 Apr 2023 12:47:12 +0000 Subject: [PATCH 3/5] update --- packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 17 +++++++---------- packages/aws-cdk-lib/aws-s3/test/bucket.test.ts | 2 +- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts index 942c1613e4712..d78d54759d6a3 100644 --- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts +++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts @@ -1849,7 +1849,7 @@ export class Bucket extends BucketBase { accessControl: Lazy.string({ produce: () => this.accessControl }), loggingConfiguration: this.parseServerAccessLogs(props), inventoryConfigurations: Lazy.any({ produce: () => this.parseInventoryConfiguration() }), - ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls(this.objectOwnership, this.accessControl) }), + ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls() }), accelerateConfiguration: props.transferAcceleration ? { accelerationStatus: 'Enabled' } : undefined, intelligentTieringConfigurations: this.parseTieringConfig(props), objectLockEnabled: objectLockConfiguration ? true : props.objectLockEnabled, 
@@ -2193,24 +2193,21 @@ export class Bucket extends BucketBase { })); } - private parseOwnershipControls( - objectOwnership?: ObjectOwnership, - accessControl?: BucketAccessControl, - ): CfnBucket.OwnershipControlsProperty | undefined { + private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined { // Enabling an ACL explicitly is required for all new buckets. // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ - const accessControlRequiresObjectOwnership = (accessControl && accessControl !== BucketAccessControl.PRIVATE); - if (!objectOwnership && !accessControlRequiresObjectOwnership) { + const accessControlRequiresObjectOwnership = (this.accessControl && this.accessControl !== BucketAccessControl.PRIVATE); + if (!this.objectOwnership && !accessControlRequiresObjectOwnership) { return undefined; } - if (accessControlRequiresObjectOwnership && objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) { - throw new Error (`objectOwnership cannot be set to "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${accessControl}"`); + if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) { + throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`); } return { rules: [{ - objectOwnership: objectOwnership ?? ObjectOwnership.OBJECT_WRITER, + objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER, }], }; } diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index 1c7c8b91eb903..c186ccc89a3ea 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts 
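Review bot: The thrown message `objectOwnership must be set to "ObjectWriter" when accessControl is ...` disagrees with the check two lines above it, which rejects only `ObjectOwnership.BUCKET_OWNER_ENFORCED`; `BUCKET_OWNER_PREFERRED` passes and is emitted as-is, so the message states a stricter rule than the code enforces (patch 2's wording, `cannot be set to "BucketOwnerEnforced"`, was accurate). Suggest `throw new Error(\`objectOwnership cannot be "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${this.accessControl}"; use "${ObjectOwnership.OBJECT_WRITER}" or "${ObjectOwnership.BUCKET_OWNER_PREFERRED}"\`);`, which also drops the stray space in `throw new Error (`, and update the regex in the test hunk @@ -2813 to match. Because any non-private `accessControl` now silently adds `OwnershipControls` with `ObjectWriter` — re-enabling ACLs on that bucket — the `objectOwnership` property documentation in `BucketProps` (outside this hunk) should state that default, so the effect is visible to users reading the API and not only in the synthesized template. The leading comment `// Enabling an ACL explicitly is required for all new buckets.` would also be clearer as `// New buckets disable ACLs by default; a canned ACL other than Private can only be applied when ObjectOwnership permits ACLs (ObjectWriter or BucketOwnerPreferred).`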
@@ -2813,7 +2813,7 @@ describe('bucket', () => { // THEN expect(() => { app.synth(); - }).toThrow(/objectOwnership cannot be set to \"BucketOwnerEnforced\" when accessControl is \"LogDeliveryWrite\"/); + }).toThrow(/objectOwnership must be set to \"ObjectWriter\" when accessControl is \"LogDeliveryWrite\"/); }); test('Defaults for an inventory bucket', () => { From 57676680fc8d546aca4e7b327f52b593afb8e049 Mon Sep 17 00:00:00 2001 
From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Wed, 26 Apr 2023 13:37:14 +0000 Subject: [PATCH 4/5] updating allowed acls and adding integ test --- .../BucketOwnerFullControl.assets.json | 19 ++ .../BucketOwnerFullControl.template.json | 53 ++++ .../BucketOwnerRead.assets.json | 19 ++ .../BucketOwnerRead.template.json | 53 ++++ .../Private.assets.json | 19 ++ .../Private.template.json | 53 ++++ .../integ.bucket-acls.js.snapshot/cdk.out | 1 + .../integ.bucket-acls.js.snapshot/integ.json | 14 + ...efaultTestDeployAssert24D5C536.assets.json | 19 ++ ...aultTestDeployAssert24D5C536.template.json | 36 +++ .../manifest.json | 217 +++++++++++++++ .../integ.bucket-acls.js.snapshot/tree.json | 246 ++++++++++++++++++ .../test/aws-s3/test/integ.bucket-acls.ts | 25 ++ packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 7 +- 14 files changed, 780 insertions(+), 1 deletion(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json create mode 100644 
packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json new file mode 100644 index 0000000000000..8a9292c452e57 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json @@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df": { + "source": { + "path": "BucketOwnerFullControl.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json new file mode 100644 index 0000000000000..3bb0781403679 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json @@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "BucketOwnerFullControl", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json new file mode 100644 index 0000000000000..1c59c453a5b9a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e": { + "source": { + "path": "BucketOwnerRead.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json new file mode 100644 index 0000000000000..403dad48ff052 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json 
@@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "BucketOwnerRead", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json new file mode 100644 index 0000000000000..9445a7fd59f38 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292": { + "source": { + "path": "Private.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json new file mode 100644 index 0000000000000..cb180ae32528a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json 
@@ -0,0 +1,53 @@ +{ + "Resources": { + "IntegBucketD47DF7CA": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "Private", + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerEnforced" + } + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out new file mode 100644 index 0000000000000..7925065efbcc4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"31.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json new file mode 100644 index 0000000000000..6052f3d6110c4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json 
@@ -0,0 +1,14 @@ +{ + "version": "31.0.0", + "testCases": { + "integ-test/DefaultTest": { + "stacks": [ + "Private", + "BucketOwnerRead", + "BucketOwnerFullControl" + ], + "assertionStack": "integ-test/DefaultTest/DeployAssert", + "assertionStackName": "integtestDefaultTestDeployAssert24D5C536" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json new file mode 100644 index 0000000000000..ecd9f6bd2a455 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json @@ -0,0 +1,19 @@ +{ + "version": "31.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestDefaultTestDeployAssert24D5C536.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json new file mode 100644 index 0000000000000..ea2f0d0fa88d9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/manifest.json 
@@ -0,0 +1,217 @@ +{ + "version": "31.0.0", + "artifacts": { + "Private.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "Private.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "Private": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "Private.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "Private.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "Private.assets" + ], + "metadata": { + "/Private/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/Private/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/Private/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "Private" + }, + "BucketOwnerRead.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BucketOwnerRead.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": 
"/cdk-bootstrap/hnb659fds/version" + } + }, + "BucketOwnerRead": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "BucketOwnerRead.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BucketOwnerRead.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BucketOwnerRead.assets" + ], + "metadata": { + "/BucketOwnerRead/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/BucketOwnerRead/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/BucketOwnerRead/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BucketOwnerRead" + }, + "BucketOwnerFullControl.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BucketOwnerFullControl.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "BucketOwnerFullControl": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + 
"properties": { + "templateFile": "BucketOwnerFullControl.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BucketOwnerFullControl.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BucketOwnerFullControl.assets" + ], + "metadata": { + "/BucketOwnerFullControl/IntegBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "IntegBucketD47DF7CA" + } + ], + "/BucketOwnerFullControl/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/BucketOwnerFullControl/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BucketOwnerFullControl" + }, + "integtestDefaultTestDeployAssert24D5C536.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestDefaultTestDeployAssert24D5C536.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestDefaultTestDeployAssert24D5C536": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": 
"integtestDefaultTestDeployAssert24D5C536.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "metadata": { + "/integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json new file mode 100644 index 0000000000000..d6501454fd3f3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/tree.json 
@@ -0,0 +1,246 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "Private": { + "id": "Private", + "path": "Private", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "Private/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "Private/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "Private", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "Private/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "Private/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BucketOwnerRead": { + "id": "BucketOwnerRead", + "path": "BucketOwnerRead", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "BucketOwnerRead/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "BucketOwnerRead/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "BucketOwnerRead", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": 
"BucketOwnerRead/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "BucketOwnerRead/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BucketOwnerFullControl": { + "id": "BucketOwnerFullControl", + "path": "BucketOwnerFullControl", + "children": { + "IntegBucket": { + "id": "IntegBucket", + "path": "BucketOwnerFullControl/IntegBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "BucketOwnerFullControl/IntegBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "accessControl": "BucketOwnerFullControl", + "ownershipControls": { + "rules": [ + { + "objectOwnership": "BucketOwnerEnforced" + } + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "BucketOwnerFullControl/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "BucketOwnerFullControl/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "integ-test": { + "id": "integ-test", + "path": "integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + 
"DeployAssert": { + "id": "DeployAssert", + "path": "integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.270" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts new file mode 100644 index 0000000000000..b0d09720c1af0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts 
@@ -0,0 +1,25 @@
+import { Construct } from 'constructs';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new cdk.App();
+
+class TestCase extends cdk.Stack {
+ constructor(scope: Construct, id: s3.BucketAccessControl, props?: cdk.StackProps) {
+ super(scope, id, props);
+ new s3.Bucket(this, 'IntegBucket', {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ accessControl: id,
+ objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+ });
+ }
+}
+
+new integ.IntegTest(app, 'integ-test', {
+ testCases: [
+ new TestCase(app, s3.BucketAccessControl.PRIVATE),
+ new TestCase(app, s3.BucketAccessControl.BUCKET_OWNER_READ),
+ new TestCase(app, s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL),
+ ],
+});
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
index d78d54759d6a3..7879ce7795b2f 100644
--- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
+++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -2196,7 +2196,12 @@ export class Bucket extends BucketBase {
 private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
 // Enabling an ACL explicitly is required for all new buckets.
 // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
- const accessControlRequiresObjectOwnership = (this.accessControl && this.accessControl !== BucketAccessControl.PRIVATE);
+ const allowedAcls = [
+ BucketAccessControl.PRIVATE,
+ BucketAccessControl.BUCKET_OWNER_READ,
+ BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
+ ];
+ const accessControlRequiresObjectOwnership = (this.accessControl && !allowedAcls.includes(this.accessControl));
 if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
 return undefined;
 }
From 29e0a82932d386f78d721435051a1b7e5290560a Mon Sep 17 00:00:00 2001
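Review bot: integ.bucket-acls.ts gives no hint why PRIVATE, BUCKET_OWNER_READ and BUCKET_OWNER_FULL_CONTROL are the three ACLs deployed together with `BUCKET_OWNER_ENFORCED`, and the same three values form the exemption list in `parseOwnershipControls` elsewhere in this PR, so a reader cannot tell whether the set is meant to be exhaustive or just a sample. A header comment above `class TestCase` such as `// Canned ACLs that must deploy with ObjectOwnership = BucketOwnerEnforced (ACLs disabled); keep in sync with the exemption list in aws-s3/lib/bucket.ts parseOwnershipControls()` would tie the two together. Using the stack `id` parameter as the ACL under test (`id: s3.BucketAccessControl`) is compact but surprising; a one-line comment on the constructor, `// the stack id doubles as the ACL under test`, would spare the next reader a double take.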
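Review bot: The `allowedAcls` array in `parseOwnershipControls` is rebuilt on every call and carries no explanation of why exactly these three ACLs are exempt, while the comment above it still only states the general rule; the rename to `aclsThatDoNotRequireObjectOwnership` in the following patch keeps the same shape, so this applies there too. Hoisting the list to a module-level `ReadonlySet` with a short comment fixes both and reduces the method body to a single `has` check (sketch below); an explicit `!== undefined` guard also makes `accessControlRequiresObjectOwnership` a plain `boolean` instead of `boolean | undefined`. The method continues past the hunk, so I can only infer that a non-exempt ACL without an explicit `objectOwnership` falls through to a default ownership setting that permits ACLs; if that is the case, the comment should say so, because a user who sets e.g. `LOG_DELIVERY_WRITE` on a bucket otherwise created with ACLs disabled gets ACLs turned back on without any visible signal.
```typescript
// Canned ACLs that can be set without forcing an ObjectOwnership (exercised by
// integ.bucket-acls.ts together with BucketOwnerEnforced); any other explicit ACL
// makes parseOwnershipControls() pick an ObjectOwnership for the bucket.
const ACLS_NOT_REQUIRING_OBJECT_OWNERSHIP: ReadonlySet<BucketAccessControl> = new Set([
  BucketAccessControl.PRIVATE,
  BucketAccessControl.BUCKET_OWNER_READ,
  BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
]);

// … unchanged: class Bucket up to parseOwnershipControls …
  private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
    // … unchanged: explanatory comment and link …
    const accessControlRequiresObjectOwnership =
      this.accessControl !== undefined && !ACLS_NOT_REQUIRING_OBJECT_OWNERSHIP.has(this.accessControl);
    // … unchanged: early return and the remainder of the method …
```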
From: corymhall <43035978+corymhall@users.noreply.github.com>
Date: Wed, 26 Apr 2023 13:44:41 +0000
Subject: [PATCH 5/5] updating variable name
---
 packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
index 7879ce7795b2f..761b18be57b82 100644
--- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
+++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -2196,12 +2196,12 @@ export class Bucket extends BucketBase {
 private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
 // Enabling an ACL explicitly is required for all new buckets.
 // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
- const allowedAcls = [
+ const aclsThatDoNotRequireObjectOwnership = [
+ BucketAccessControl.PRIVATE,
+ BucketAccessControl.BUCKET_OWNER_READ,
+ BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
+ ];
- const accessControlRequiresObjectOwnership = (this.accessControl && !allowedAcls.includes(this.accessControl));
+ const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl));
 if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
 return undefined;
 }