Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(component): change static-website distribution log bucket to owner_preferred to permit ACLs #369

Merged
merged 1 commit into from
Apr 24, 2023
Merged

fix(component): change static-website distribution log bucket to owner_preferred to permit ACLs #369

merged 1 commit into from
Apr 24, 2023

Conversation

JoshuaToth
Copy link
Contributor

A recent change to bucket object ownership within static-website has set all buckets to BUCKET_OWNER_ENFORCED, however this blocks ACLs and causes an error when the staticWebsite construct attempts to deploy. The Cloudwatch distribution log bucket requires ACLs to be permitted.

Issue first noticed:
When doing a fresh deployment using version 0.17.1 of @aws-prototyping-sdk/* packages

"Invalid request provided: AWS::CloudFront::Distribution: The S3
bucket that you specified for CloudFront logs does not enable ACL access: my-stack-staticwebsitedist
ributionlogbuckete54478-ulrggnuqkwpc.s3.us-west-2.amazonaws.com (Service: CloudFront, Status Code: 4
00, Request ID: 3e3e64c2-062a-4620-8dad-4e6e19414fc4)" (RequestToken: e68397fa-d759-f11c-b528-c86038
7c8de0, HandlerErrorCode: InvalidRequest)

@JoshuaToth
fix(component): change static-website distribution log bucket to owne…
b8ef572 
…r_preferred to permit ACLs

A recent change to bucket object ownership within static-website has set all buckets to
BUCKET_OWNER_ENFORCED, however this blocks ACLs and causes an error when the staticWebsite construct
attempts to deploy. The Cloudwatch distribution log bucket requires ACLs to be permitted.
@nx-cloud
Copy link

nx-cloud bot commented Apr 24, 2023
edited
Loading

☁️ Nx Cloud Report

CI is running/has finished running commands for commit b8ef572. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this branch

✅ Successfully ran 2 targets

Sent with 💌 from NxCloud.

@JoshuaToth JoshuaToth changed the title fix(component): change static-website distribution log bucket to ownerr_preferred to permit ACLs fix(component): change static-website distribution log bucket to owner_preferred to permit ACLs Apr 24, 2023
@cogwirrel
Copy link
Member

Sadly it looks like unlike s3 access logging buckets, CloudFront only supports ACLs for granting itself access to the logging bucket: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership

@cogwirrel cogwirrel merged commit 77d15c8 into aws:mainline Apr 24, 2023
4 checks passed
@JoshuaToth JoshuaToth deleted the fix-acl branch April 24, 2023 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cogwirrel cogwirrel cogwirrel approved these changes

@agdimech agdimech agdimech approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JoshuaToth @cogwirrel @agdimech