fix(cloudfront): can't create the default log bucket (#25298)

Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the `ObjectOwnership` property to `ObjectWriter` that allows the default log bucket to be successfully created. Reference - https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket Closes #25288 #25291 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Apr 26, 2023 · f98c428 · f98c428
1 parent bec04d3
commit f98c428
Show file tree

Hide file tree

Showing 18 changed files with 590 additions and 33 deletions.
diff --git a/...framework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/cdk.out b/...framework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"31.0.0"}
diff --git a/...nt/test/integ.distribution-extensive.js.snapshot/integ-distribution-extensive.assets.json b/...nt/test/integ.distribution-extensive.js.snapshot/integ-distribution-extensive.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "31.0.0",
   "files": {
-    "9dc2b1d91bf8dc7a564007d2b8c42cfbe1048645014b8bcda1610f778f32d174": {
+    "d07498b95e3a0a153a16e1cc45cdd588cc73020e9f653aecbaf1cfa16a99f262": {
       "source": {
         "path": "integ-distribution-extensive.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "9dc2b1d91bf8dc7a564007d2b8c42cfbe1048645014b8bcda1610f778f32d174.json",
+          "objectKey": "d07498b95e3a0a153a16e1cc45cdd588cc73020e9f653aecbaf1cfa16a99f262.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/.../test/integ.distribution-extensive.js.snapshot/integ-distribution-extensive.template.json b/.../test/integ.distribution-extensive.js.snapshot/integ-distribution-extensive.template.json
@@ -11,6 +11,13 @@
        }
       }
      ]
+    },
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "ObjectWriter"
+      }
+     ]
     }
    },
    "UpdateReplacePolicy": "Retain",

diff --git a/...mework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/integ.json b/...mework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "31.0.0",
   "testCases": {
     "integ.distribution-extensive": {
       "stacks": [

diff --git a/...ork-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/manifest.json b/...ork-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "31.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-distribution-extensive.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9dc2b1d91bf8dc7a564007d2b8c42cfbe1048645014b8bcda1610f778f32d174.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d07498b95e3a0a153a16e1cc45cdd588cc73020e9f653aecbaf1cfa16a99f262.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -65,6 +59,12 @@
         ]
       },
       "displayName": "integ-distribution-extensive"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/...amework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/tree.json b/...amework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "integ-distribution-extensive": {
         "id": "integ-distribution-extensive",
         "path": "integ-distribution-extensive",
@@ -25,7 +17,7 @@
                 "path": "integ-distribution-extensive/MyDist/Origin1",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.85"
+                  "version": "10.1.270"
                 }
               },
               "LoggingBucket": {
@@ -46,18 +38,25 @@
                               }
                             }
                           ]
+                        },
+                        "ownershipControls": {
+                          "rules": [
+                            {
+                              "objectOwnership": "ObjectWriter"
+                            }
+                          ]
                         }
                       }
                     },
                     "constructInfo": {
-                      "fqn": "@aws-cdk/aws-s3.CfnBucket",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.1.270"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "@aws-cdk/aws-s3.Bucket",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.1.270"
                 }
               },
               "Resource": {
@@ -116,26 +115,50 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "@aws-cdk/aws-cloudfront.CfnDistribution",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.1.270"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "@aws-cdk/aws-cloudfront.Distribution",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.1.270"
+            }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "integ-distribution-extensive/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "constructs.Construct",
+              "version": "10.1.270"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "integ-distribution-extensive/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "constructs.Construct",
+              "version": "10.1.270"
             }
           }
         },
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.270"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
+        "constructInfo": {
+          "fqn": "constructs.Construct",
+          "version": "10.1.270"
         }
       }
     },
     "constructInfo": {
       "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "version": "10.1.270"
     }
   }
 }
diff --git a/....distribution-logbucket.js.snapshot/LambdaTestDefaultTestDeployAssert1AF2B360.assets.json b/....distribution-logbucket.js.snapshot/LambdaTestDefaultTestDeployAssert1AF2B360.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "LambdaTestDefaultTestDeployAssert1AF2B360.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...istribution-logbucket.js.snapshot/LambdaTestDefaultTestDeployAssert1AF2B360.template.json b/...istribution-logbucket.js.snapshot/LambdaTestDefaultTestDeployAssert1AF2B360.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/cdk.out b/...framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"31.0.0"}
diff --git a/...nt/test/integ.distribution-logbucket.js.snapshot/integ-distribution-logbucket.assets.json b/...nt/test/integ.distribution-logbucket.js.snapshot/integ-distribution-logbucket.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "048a9217333f79d9daa080118ffb36e6564d692917b8083547f37690586c037d": {
+      "source": {
+        "path": "integ-distribution-logbucket.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "048a9217333f79d9daa080118ffb36e6564d692917b8083547f37690586c037d.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/.../test/integ.distribution-logbucket.js.snapshot/integ-distribution-logbucket.template.json b/.../test/integ.distribution-logbucket.js.snapshot/integ-distribution-logbucket.template.json
@@ -0,0 +1,89 @@
+{
+ "Resources": {
+  "LogBucketCC3B17E8": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "ObjectWriter"
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "MyDistDB88FD9A": {
+   "Type": "AWS::CloudFront::Distribution",
+   "Properties": {
+    "DistributionConfig": {
+     "DefaultCacheBehavior": {
+      "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
+      "Compress": true,
+      "TargetOriginId": "integdistributionlogbucketMyDistOrigin16148F85F",
+      "ViewerProtocolPolicy": "allow-all"
+     },
+     "Enabled": true,
+     "HttpVersion": "http2",
+     "IPV6Enabled": true,
+     "Logging": {
+      "Bucket": {
+       "Fn::GetAtt": [
+        "LogBucketCC3B17E8",
+        "RegionalDomainName"
+       ]
+      }
+     },
+     "Origins": [
+      {
+       "CustomOriginConfig": {
+        "OriginProtocolPolicy": "https-only"
+       },
+       "DomainName": "www.example.com",
+       "Id": "integdistributionlogbucketMyDistOrigin16148F85F",
+       "OriginShield": {
+        "Enabled": true,
+        "OriginShieldRegion": "us-west-2"
+       }
+      }
+     ]
+    }
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...mework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/integ.json b/...mework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "LambdaTest/DefaultTest": {
+      "stacks": [
+        "integ-distribution-logbucket"
+      ],
+      "assertionStack": "LambdaTest/DefaultTest/DeployAssert",
+      "assertionStackName": "LambdaTestDefaultTestDeployAssert1AF2B360"
+    }
+  }
+}