Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: log buckets don't have acls enabled #25303

Merged
merged 6 commits into from
Apr 26, 2023
Merged

Conversation

MrArnoldPalmer
Copy link
Contributor

@MrArnoldPalmer MrArnoldPalmer commented Apr 25, 2023

Set ObjectOwnership: ObjectWriter automatically if and only if:

  • It is not provided by the user
  • AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

ObjectWriter was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Closes #25288


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Adds `objectOwnership` to s3 server access log delivery buckets that are
created in cdk applications with the `@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy` feature flag disabled. This will allow users to keep creating new buckets within those apps for storing logs. This is only set if the user has not configured `objectOwnership` manually on the log bucket.

`ObjectWriter` was essentially the default behavior before the change to
disable ACLs by default for new buckets so though this will update
existing buckets it should not cause any breakage or replacement.
@MrArnoldPalmer MrArnoldPalmer added the pr/do-not-merge This PR should not be merged at this time. label Apr 25, 2023
@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 labels Apr 25, 2023
@gitpod-io
Copy link

gitpod-io bot commented Apr 25, 2023

@aws-cdk-automation aws-cdk-automation requested a review from a team April 25, 2023 22:45
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Apr 25, 2023
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@MrArnoldPalmer MrArnoldPalmer added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Apr 25, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review April 25, 2023 23:17

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@corymhall corymhall removed the pr/do-not-merge This PR should not be merged at this time. label Apr 26, 2023
@mergify
Copy link
Contributor

mergify bot commented Apr 26, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@rix0rrr rix0rrr added the pr/do-not-merge This PR should not be merged at this time. label Apr 26, 2023
@rix0rrr
Copy link
Contributor

rix0rrr commented Apr 26, 2023

Changed my mind -- I think we should set ObjectOwnership: ObjectWriter automatically if and only if:

  • It is not provided by the user
  • AccessControl ACLs are configured (potentially only if AccessControl != PRIVATE, which seems to still be allowed?)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

Comment on lines 2196 to 2199
private parseOwnershipControls(
objectOwnership?: ObjectOwnership,
accessControl?: BucketAccessControl,
): CfnBucket.OwnershipControlsProperty | undefined {
Copy link
Contributor

@rix0rrr rix0rrr Apr 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For style, since this function is only ever called with this.whatever as its arguments anyway, it doesn't need to take these as parameters.

It could just read them from the object immediately.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done!

return undefined;
}

if (accessControlRequiresObjectOwnership && objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
throw new Error (`objectOwnership cannot be set to "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${accessControl}"`);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
throw new Error (`objectOwnership cannot be set to "${ObjectOwnership.BUCKET_OWNER_ENFORCED}" when accessControl is "${accessControl}"`);
throw new Error (`objectOwnership must be set to ObjectOwnership.OBJECT_WRITER when accessControl is "${accessControl}"`);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Provisional approval with some small requests

@corymhall corymhall removed the pr/do-not-merge This PR should not be merged at this time. label Apr 26, 2023
@rix0rrr rix0rrr enabled auto-merge (squash) April 26, 2023 13:46
@mergify
Copy link
Contributor

mergify bot commented Apr 26, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@corymhall
Copy link
Contributor

@Mergifyio refresh

@mergify
Copy link
Contributor

mergify bot commented Apr 26, 2023

refresh

✅ Pull request refreshed

@rix0rrr rix0rrr merged commit 0e9440b into main Apr 26, 2023
@rix0rrr rix0rrr deleted the fix/s3-logging-object-ownership branch April 26, 2023 14:56
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: d721070
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

madeline-k pushed a commit that referenced this pull request Apr 27, 2023
Set ObjectOwnership: ObjectWriter automatically if and only if:

   - It is not provided by the user
   - AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

`ObjectWriter` was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Closes #25288

---------

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn
4 participants