fix: log buckets don't have acls enabled (#25303)

Set ObjectOwnership: ObjectWriter automatically if and only if:

   - It is not provided by the user
   - AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

`ObjectWriter` was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Closes #25288

---------

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df": {
+      "source": {
+        "path": "BucketOwnerFullControl.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "c5d89de727de047b0b75da8185709c8fa329fc4ad9497705d05c1956a40363df.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerFullControl.template.json

@@ -0,0 +1,53 @@
+{
+ "Resources": {
+  "IntegBucketD47DF7CA": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "AccessControl": "BucketOwnerFullControl",
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "BucketOwnerEnforced"
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e": {
+      "source": {
+        "path": "BucketOwnerRead.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "cd03051e579b08328849c49cd840e271660c756be655c14b55c6ef670dbe692e.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/BucketOwnerRead.template.json

@@ -0,0 +1,53 @@
+{
+ "Resources": {
+  "IntegBucketD47DF7CA": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "AccessControl": "BucketOwnerRead",
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "BucketOwnerEnforced"
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292": {
+      "source": {
+        "path": "Private.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "cd71a9eeaf11c0cb27fee1df2427db744d7a065bab534cb246a45d1a5d7f6292.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/Private.template.json

@@ -0,0 +1,53 @@
+{
+ "Resources": {
+  "IntegBucketD47DF7CA": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "AccessControl": "Private",
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "BucketOwnerEnforced"
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"31.0.0"}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integ.json

@@ -0,0 +1,14 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "integ-test/DefaultTest": {
+      "stacks": [
+        "Private",
+        "BucketOwnerRead",
+        "BucketOwnerFullControl"
+      ],
+      "assertionStack": "integ-test/DefaultTest/DeployAssert",
+      "assertionStackName": "integtestDefaultTestDeployAssert24D5C536"
+    }
+  }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "integtestDefaultTestDeployAssert24D5C536.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}