Add AccessControl on S3 Buckets (#681)

* Add AccessControl on S3 Buckets **Why?** At the moment, if there is an `AccessControl` set on the S3 Bucket (in v3.2.0 ADF had this set), you cannot remove it and move to the new Bucket Ownership Rules. The only option to move to the new Bucket Ownership Rules would be to add those and remove the `AccessControl` property after. However, since we need to allow customers to upgrade, we cannot do this in a single release. **What?** Added the Bucket Ownership Rules today, and keep the `AccessControl` for now. We can remove the `AccessControl` property in a future version. While we instruct customers to first upgrade to v4.0.0 if they need to move to the version where this property is removed. * Disable Access Control warning until upgrade path is supported
awslabs · Jan 18, 2024 · 8336c69 · 8336c69
1 parent c1da68b
commit 8336c69
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 1 deletion.
diff --git a/.cfnlintrc b/.cfnlintrc
@@ -15,3 +15,4 @@ include_checks:
   - I
 ignore_checks:
   - W3002
+  - W3045
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -163,6 +163,7 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

diff --git a/...base/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/...base/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
@@ -1048,6 +1048,7 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced
@@ -1075,6 +1076,7 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

diff --git a/...lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml b/...lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
@@ -23,6 +23,10 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:

diff --git a/src/template.yml b/src/template.yml
@@ -147,10 +147,11 @@ Resources:
               AWS: !Ref AWS::AccountId
 
   BootstrapArtifactStorageBucket:
+    Type: AWS::S3::Bucket
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
-    Type: AWS::S3::Bucket
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced
@@ -171,6 +172,7 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced
@@ -688,6 +690,7 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      AccessControl: BucketOwnerFullControl
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced