chore(s3): use ICfnBucket wherever possible

packages/@aws-cdk/aws-appconfig-alpha/lib/configuration.ts

@@ -906,9 +906,9 @@ export abstract class ConfigurationSource {
    * @param objectKey The path to the configuration
    * @param key The KMS Key that the bucket is encrypted with
    */
-  public static fromBucket(bucket: s3.IBucket, objectKey: string, key?: kms.IKey): ConfigurationSource {
+  public static fromBucket(bucket: s3.ICfnBucket, objectKey: string, key?: kms.IKey): ConfigurationSource {
     return {
-      locationUri: bucket.s3UrlForObject(objectKey),
+      locationUri: s3.Bucket.fromCfnBucket(bucket).s3UrlForObject(objectKey),
       type: ConfigurationSourceType.S3,
       key,
     };

packages/@aws-cdk/aws-codestar-alpha/lib/github-repository.ts

@@ -41,7 +41,7 @@ export interface GitHubRepositoryProps {
   /**
    * The name of the Amazon S3 bucket that contains the ZIP file with the content to be committed to the new repository
    */
-  readonly contentsBucket: s3.IBucket;
+  readonly contentsBucket: s3.ICfnBucket;
 
   /**
    * The S3 object key or file name for the ZIP file
@@ -97,7 +97,7 @@ export class GitHubRepository extends cdk.Resource implements IGitHubRepository
       repositoryAccessToken: props.accessToken.unsafeUnwrap(), // Safe usage
       code: {
         s3: {
-          bucket: props.contentsBucket.bucketName,
+          bucket: props.contentsBucket.attrBucketName,
           key: props.contentsKey,
           objectVersion: props.contentsS3Version,
         },

packages/@aws-cdk/aws-gamelift-alpha/lib/content.ts

@@ -15,7 +15,7 @@ export abstract class Content {
      * @param key The object key
      * @param objectVersion Optional S3 ob ject version
      */
-  public static fromBucket(bucket: s3.IBucket, key: string, objectVersion?: string): S3Content {
+  public static fromBucket(bucket: s3.ICfnBucket, key: string, objectVersion?: string): S3Content {
     return new S3Content(bucket, key, objectVersion);
   }
 
@@ -50,9 +50,9 @@ export interface ContentConfig {
  */
 export class S3Content extends Content {
 
-  constructor(private readonly bucket: s3.IBucket, private key: string, private objectVersion?: string) {
+  constructor(private readonly bucket: s3.ICfnBucket, private key: string, private objectVersion?: string) {
     super();
-    if (!bucket.bucketName) {
+    if (!bucket.attrBucketName) {
       throw new Error('bucketName is undefined for the provided bucket');
     }
   }
@@ -61,13 +61,13 @@ export class S3Content extends Content {
     // Adding permission to access specific content
     role.addToPrincipalPolicy(new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
-      resources: [this.bucket.arnForObjects(this.key)],
+      resources: [s3.Bucket.fromCfnBucket(this.bucket).arnForObjects(this.key)],
       actions: ['s3:GetObject', 's3:GetObjectVersion'],
     }));
 
     return {
       s3Location: {
-        bucketName: this.bucket.bucketName,
+        bucketName: this.bucket.attrBucketName,
         objectKey: this.key,
         objectVersion: this.objectVersion,
       },

packages/@aws-cdk/aws-gamelift-alpha/lib/script.ts

@@ -120,7 +120,7 @@ export class Script extends ScriptBase {
   /**
    * Create a new realtime server script from s3 content
    */
-  static fromBucket(scope: Construct, id: string, bucket: s3.IBucket, key: string, objectVersion?: string) {
+  static fromBucket(scope: Construct, id: string, bucket: s3.ICfnBucket, key: string, objectVersion?: string) {
     return new Script(scope, id, {
       content: Content.fromBucket(bucket, key, objectVersion),
     });

packages/@aws-cdk/aws-glue-alpha/lib/code.ts

@@ -39,15 +39,15 @@ export abstract class Code {
  * Glue job Code from an S3 bucket.
  */
 export class S3Code extends Code {
-  constructor(private readonly bucket: s3.IBucket, private readonly key: string) {
+  constructor(private readonly bucket: s3.ICfnBucket, private readonly key: string) {
     super();
   }
 
   public bind(_scope: constructs.Construct, grantable: iam.IGrantable): CodeConfig {
-    this.bucket.grantRead(grantable, this.key);
+    s3.Bucket.fromCfnBucket(this.bucket).grantRead(grantable, this.key);
     return {
       s3Location: {
-        bucketName: this.bucket.bucketName,
+        bucketName: this.bucket.attrBucketName,
         objectKey: this.key,
       },
     };

packages/@aws-cdk/aws-glue-alpha/lib/job.ts

@@ -379,14 +379,14 @@ export interface SparkUIProps {
   /**
    * Enable Spark UI.
    */
-  readonly enabled: boolean
+  readonly enabled: boolean;
 
   /**
    * The bucket where the Glue job stores the logs.
    *
    * @default - a new bucket will be created.
    */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * The path inside the bucket (objects prefix) where the Glue job stores the logs.
@@ -818,7 +818,7 @@ export class Job extends JobBase {
     }
 
     this.validatePrefix(props.prefix);
-    const bucket = props.bucket ?? new s3.Bucket(this, 'SparkUIBucket');
+    const bucket = props.bucket ? s3.Bucket.fromCfnBucket(props.bucket) : new s3.Bucket(this, 'SparkUIBucket');
     bucket.grantReadWrite(role, this.cleanPrefixForGrant(props.prefix));
     const args = {
       '--enable-spark-ui': 'true',

packages/@aws-cdk/aws-glue-alpha/lib/s3-table.ts

@@ -36,14 +36,14 @@ export enum TableEncryption {
    *
    * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
    */
-  CLIENT_SIDE_KMS = 'CSE-KMS'
+  CLIENT_SIDE_KMS = 'CSE-KMS',
 }
 
 export interface S3TableProps extends TableBaseProps {
   /**
  * S3 bucket in which to store data.
  *
- * @default one is created for you
+ * @default - one is created for you
  */
   readonly bucket?: s3.IBucket;
 
@@ -71,7 +71,7 @@ export interface S3TableProps extends TableBaseProps {
    *
    * The `encryption` property must be `SSE-KMS` or `CSE-KMS`.
    *
-   * @default key is managed by KMS.
+   * @default - key is managed by KMS.
    */
   readonly encryptionKey?: kms.IKey;
 }

packages/@aws-cdk/aws-iot-actions-alpha/lib/s3-put-object-action.ts

@@ -40,7 +40,7 @@ export class S3PutObjectAction implements iot.IAction {
    * @param bucket The Amazon S3 bucket to which to write data.
    * @param props Optional properties to not use default
    */
-  constructor(private readonly bucket: s3.IBucket, props: S3PutObjectActionProps = {}) {
+  constructor(private readonly bucket: s3.ICfnBucket, props: S3PutObjectActionProps = {}) {
     this.accessControl = props.accessControl;
     this.key = props.key;
     this.role = props.role;
@@ -53,13 +53,13 @@ export class S3PutObjectAction implements iot.IAction {
     const role = this.role ?? singletonActionRole(rule);
     role.addToPrincipalPolicy(new iam.PolicyStatement({
       actions: ['s3:PutObject'],
-      resources: [this.bucket.arnForObjects('*')],
+      resources: [s3.Bucket.fromCfnBucket(this.bucket).arnForObjects('*')],
     }));
 
     return {
       configuration: {
         s3: {
-          bucketName: this.bucket.bucketName,
+          bucketName: this.bucket.attrBucketName,
           cannedAcl: this.accessControl && toKebabCase(this.accessControl.toString()),
           key: this.key ?? '${topic()}/${timestamp()}',
           roleArn: role.roleArn,

packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/lib/application-code.ts

@@ -31,7 +31,7 @@ export abstract class ApplicationCode {
    * @param fileKey - a key pointing to a Flink JAR file
    * @param objectVersion - an optional version string for the provided fileKey
    */
-  public static fromBucket(bucket: s3.IBucket, fileKey: string, objectVersion?: string): ApplicationCode {
+  public static fromBucket(bucket: s3.ICfnBucket, fileKey: string, objectVersion?: string): ApplicationCode {
     return new BucketApplicationCode({
       bucket,
       fileKey,
@@ -56,13 +56,13 @@ export abstract class ApplicationCode {
 }
 
 interface BucketApplicationCodeProps {
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
   readonly fileKey: string;
   readonly objectVersion?: string;
 }
 
 class BucketApplicationCode extends ApplicationCode {
-  public readonly bucket?: s3.IBucket;
+  public readonly bucket?: s3.ICfnBucket;
   public readonly fileKey: string;
   public readonly objectVersion?: string;
 
@@ -79,15 +79,15 @@ class BucketApplicationCode extends ApplicationCode {
         applicationCodeConfiguration: {
           codeContent: {
             s3ContentLocation: {
-              bucketArn: this.bucket!.bucketArn,
+              bucketArn: this.bucket!.attrArn,
               fileKey: this.fileKey,
               objectVersion: this.objectVersion,
             },
           },
           codeContentType: 'ZIPFILE',
         },
       },
-      bucket: this.bucket!,
+      bucket: s3.Bucket.fromCfnBucket(this.bucket!),
     };
   }
 }

packages/@aws-cdk/aws-kinesisfirehose-destinations-alpha/lib/common.ts

@@ -155,7 +155,7 @@ export interface DestinationS3BackupProps extends DestinationLoggingProps, Commo
    *
    * @default - If `mode` is set to `BackupMode.ALL` or `BackupMode.FAILED`, a bucket will be created for you.
    */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * Indicates the mode by which incoming records should be backed up to S3, if any.

packages/@aws-cdk/aws-kinesisfirehose-destinations-alpha/lib/private/helpers.ts

@@ -148,7 +148,7 @@ export function createBackupConfig(scope: Construct, role: iam.IRole, props?: De
     return undefined;
   }
 
-  const bucket = props.bucket ?? new s3.Bucket(scope, 'BackupBucket');
+  const bucket = props.bucket ? s3.Bucket.fromCfnBucket(props.bucket) : new s3.Bucket(scope, 'BackupBucket');
   const bucketGrant = bucket.grantReadWrite(role);
 
   const { loggingOptions, dependables: loggingDependables } = createLoggingOptions(scope, {

packages/@aws-cdk/aws-kinesisfirehose-destinations-alpha/lib/s3-bucket.ts

@@ -15,7 +15,7 @@ export interface S3BucketProps extends CommonDestinationS3Props, CommonDestinati
  * An S3 bucket destination for data from a Kinesis Data Firehose delivery stream.
  */
 export class S3Bucket implements firehose.IDestination {
-  constructor(private readonly bucket: s3.IBucket, private readonly props: S3BucketProps = {}) {
+  constructor(private readonly bucket: s3.ICfnBucket, private readonly props: S3BucketProps = {}) {
     if (this.props.s3Backup?.mode === BackupMode.FAILED) {
       throw new Error('S3 destinations do not support BackupMode.FAILED');
     }
@@ -26,7 +26,8 @@ export class S3Bucket implements firehose.IDestination {
       assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
     });
 
-    const bucketGrant = this.bucket.grantReadWrite(role);
+    const bucket = s3.Bucket.fromCfnBucket(this.bucket);
+    const bucketGrant = bucket.grantReadWrite(role);
 
     const { loggingOptions, dependables: loggingDependables } = createLoggingOptions(scope, {
       logging: this.props.logging,
@@ -44,7 +45,7 @@ export class S3Bucket implements firehose.IDestination {
         s3BackupConfiguration: backupConfig,
         s3BackupMode: this.getS3BackupMode(),
         bufferingHints: createBufferingHints(this.props.bufferingInterval, this.props.bufferingSize),
-        bucketArn: this.bucket.bucketArn,
+        bucketArn: bucket.attrArn,
         compressionFormat: this.props.compression?.value,
         encryptionConfiguration: createEncryptionConfig(role, this.props.encryptionKey),
         errorOutputPrefix: this.props.errorOutputPrefix,

packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts

@@ -302,8 +302,7 @@ export interface S3LoggingConfiguration {
   /**
    * The S3 bucket that is the destination for broker logs.
    */
-  readonly bucket: s3.IBucket;
-
+  readonly bucket: s3.ICfnBucket;
   /**
    * The S3 prefix that is the destination for broker logs.
    *
@@ -578,7 +577,7 @@ export class Cluster extends ClusterBase {
         }
         : undefined;
 
-    const loggingBucket = props.logging?.s3?.bucket;
+    const loggingBucket = props.logging?.s3?.bucket ? s3.Bucket.fromCfnBucket(props.logging.s3.bucket) : undefined;
     if (loggingBucket && FeatureFlags.of(this).isEnabled(S3_CREATE_DEFAULT_LOGGING_POLICY)) {
       const stack = core.Stack.of(this);
       loggingBucket.addToResourcePolicy(new iam.PolicyStatement({

packages/@aws-cdk/aws-s3objectlambda-alpha/lib/access-point.ts

@@ -49,7 +49,7 @@ export interface AccessPointProps {
   /**
    * The bucket to which this access point belongs.
    */
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
 
   /**
    * The Lambda function used to transform objects.
@@ -211,7 +211,7 @@ export class AccessPoint extends AccessPointBase {
     }
 
     const supporting = new s3.CfnAccessPoint(this, 'SupportingAccessPoint', {
-      bucket: props.bucket.bucketName,
+      bucket: props.bucket.attrBucketName,
     });
 
     const allowedFeatures = [];

packages/@aws-cdk/example-construct-library/lib/example-resource.ts

@@ -268,7 +268,7 @@ export interface ExampleResourceProps {
    *
    * @default - no Bucket will be used
    */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * Many resources can be attached to a VPC.

packages/aws-cdk-lib/aws-cloudtrail/lib/cloudtrail.ts

@@ -421,7 +421,7 @@ export class Trail extends Resource {
    */
   public addS3EventSelector(s3Selector: S3EventSelector[], options: AddEventSelectorOptions = {}) {
     if (s3Selector.length === 0) { return; }
-    const dataResourceValues = s3Selector.map((sel) => `${sel.bucket.bucketArn}/${sel.objectPrefix ?? ''}`);
+    const dataResourceValues = s3Selector.map((sel) => `${sel.bucket.attrArn}/${sel.objectPrefix ?? ''}`);
     return this.addEventSelector(DataResourceType.S3_OBJECT, dataResourceValues, options);
   }
 
@@ -504,7 +504,7 @@ export enum ManagementEventSources {
  */
 export interface S3EventSelector {
   /** S3 bucket */
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
 
   /**
    * Data events for objects whose key matches this prefix will be logged.

packages/aws-cdk-lib/aws-codepipeline-actions/lib/private/stack-dependency.ts

@@ -20,7 +20,7 @@ import { Resource, Stack } from '../../../core';
  * the account stack R first, followed by the region stack B. So explicitly establish
  * this dependency in CodePipeline Actions.
  */
-export function forceSupportStackDependency(bucket: s3.IBucket, role: iam.IRole) {
+export function forceSupportStackDependency(bucket: s3.ICfnBucket, role: iam.IRole) {
   if (Resource.isOwnedResource(bucket) && Resource.isOwnedResource(role)) {
     Stack.of(bucket).addDependency(Stack.of(role), `replication bucket {${bucket.node.path}} to action role {${role}}`);
   }

packages/aws-cdk-lib/aws-ec2/lib/user-data.ts

@@ -1,5 +1,5 @@
 import { OperatingSystemType } from './machine-image';
-import { IBucket } from '../../aws-s3';
+import { ICfnBucket } from '../../aws-s3';
 import { Fn, Resource, Stack, CfnResource } from '../../core';
 
 /**
@@ -40,7 +40,7 @@ export interface S3DownloadOptions {
   /**
    * Name of the S3 bucket to download from
    */
-  readonly bucket: IBucket;
+  readonly bucket: ICfnBucket;
 
   /**
    * The key of the file to download
@@ -176,7 +176,7 @@ class LinuxUserData extends UserData {
   }
 
   public addS3DownloadCommand(params: S3DownloadOptions): string {
-    const s3Path = `s3://${params.bucket.bucketName}/${params.bucketKey}`;
+    const s3Path = `s3://${params.bucket.attrBucketName}/${params.bucketKey}`;
     const localPath = ( params.localFile && params.localFile.length !== 0 ) ? params.localFile : `/tmp/${ params.bucketKey }`;
     this.addCommands(
       `mkdir -p $(dirname '${localPath}')`,
@@ -239,7 +239,7 @@ class WindowsUserData extends UserData {
     const localPath = ( params.localFile && params.localFile.length !== 0 ) ? params.localFile : `C:/temp/${ params.bucketKey }`;
     this.addCommands(
       `mkdir (Split-Path -Path '${localPath}' ) -ea 0`,
-      `Read-S3Object -BucketName '${params.bucket.bucketName}' -key '${params.bucketKey}' -file '${localPath}' -ErrorAction Stop` + (params.region !== undefined ? ` -Region ${params.region}` : ''),
+      `Read-S3Object -BucketName '${params.bucket.attrBucketName}' -key '${params.bucketKey}' -file '${localPath}' -ErrorAction Stop` + (params.region !== undefined ? ` -Region ${params.region}` : ''),
     );
     return localPath;
   }

packages/aws-cdk-lib/aws-ecs/lib/cluster.ts

@@ -331,7 +331,7 @@ export class Cluster extends Resource implements ICluster {
     return {
       cloudWatchEncryptionEnabled: logConfiguration?.cloudWatchEncryptionEnabled,
       cloudWatchLogGroupName: logConfiguration?.cloudWatchLogGroup?.logGroupName,
-      s3BucketName: logConfiguration?.s3Bucket?.bucketName,
+      s3BucketName: logConfiguration?.s3Bucket?.attrBucketName,
       s3EncryptionEnabled: logConfiguration?.s3EncryptionEnabled,
       s3KeyPrefix: logConfiguration?.s3KeyPrefix,
     };
@@ -1107,7 +1107,7 @@ export interface ExecuteCommandLogConfiguration {
    *
    * @default - none
    */
-  readonly s3Bucket?: s3.IBucket,
+  readonly s3Bucket?: s3.ICfnBucket,
 
   /**
    * Whether or not to enable encryption on the S3 bucket.