feat(cloudfront-origins): read versioned access level

[matthiasgubler]

Issue # (if applicable)

Closes #33034

Reason for this change

This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects via CloudFront.

Description of changes

Added a new AccessLevel.READ_VERSIONED, to extend the list of the OAC access levels, which extends the S3 bucket policy to contain s3:GetObjectVersion. I followed the existing patterns for the different AccessLevels, to make the change as small as possible.

This enables versioned S3 bucket origins to allow the CloudFront distribution to access object versions.

Describe any new or updated permissions being added

n/a

Description of how you validated changes

Added a new unit-test and a new integration test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.17%. Comparing base (afa3d1f) to head (3c0b309).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33038   +/-   ##
=======================================
  Coverage   82.17%   82.17%           
=======================================
  Files         119      119           
  Lines        6862     6862           
  Branches     1158     1158           
=======================================
  Hits         5639     5639           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.17% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[matthiasgubler]

@moelasmar can you help me with this: #33034 (comment)

[GavinZZ]

@matthiasgubler I see the CodeBuild CI is successful. Is your comment related to the Code scanning results / CodeQL? If so, I have proceeded to dismiss the alert as it's used in test snapshot.

[GavinZZ]

Thank you for the contribution!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[matthiasgubler]

@GavinZZ yes, it was the CodeQL in the generated IT code: This does not escape backslash characters in the input.

Thank you for checking and approving it!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[GavinZZ]

@Mergifyio requeue

[mergify]

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[GavinZZ]

@mergify update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/yarn-upgrade.yml without workflows permission

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 3c0b309
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.