From 8336c6950d2fa0f3bb6b2b94530768654961e25c Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Thu, 18 Jan 2024 14:18:49 +0100
Subject: [PATCH] Add AccessControl on S3 Buckets (#681)
* Add AccessControl on S3 Buckets
**Why?**
At the moment, if there is an `AccessControl` set on the S3 Bucket (in v3.2.0 ADF had this set), you cannot remove it and move to the new Bucket Ownership Rules. The only option to move to the new Bucket Ownership Rules would be to add those and remove the `AccessControl` property after. However, since we need to allow customers to upgrade, we cannot do this in a single release.
**What?**
Added the Bucket Ownership Rules today, and keep the `AccessControl` for now. We can remove the `AccessControl` property in a future version. While we instruct customers to first upgrade to v4.0.0 if they need to move to the version where this property is removed.
* Disable Access Control warning until upgrade path is supported
---
 .cfnlintrc | 1 +
 .../bootstrap_repository/adf-bootstrap/deployment/global.yml | 1 +
 .../adf-bootstrap/deployment/pipeline_management.yml | 2 ++
 .../adf-bootstrap/deployment/regional.yml | 4 ++++
 src/template.yml | 5 ++++-
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.cfnlintrc b/.cfnlintrc
index a8b0f0ee4..e88f438f4 100644
--- a/.cfnlintrc
+++ b/.cfnlintrc
@@ -15,3 +15,4 @@ include_checks:
 - I
 ignore_checks:
 - W3002
+ - W3045
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index af3a5c840..1c9c01579 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
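Review bot: The new `- W3045` entry under `ignore_checks` is file-wide and carries no comment, so the suppression will outlive the `AccessControl` properties it exists for and will also hide the same warning on any bucket added later. The commit message ties the ignore to the v3.2.0 upgrade path; that reasoning belongs next to the entry, e.g. `- W3045  # AccessControl on S3 buckets: kept only for the upgrade path (#681), drop together with the AccessControl properties`. If the project's cfn-lint version supports resource-level `Metadata` / `cfn-lint` / `config` / `ignore_checks`, suppressing the rule on the affected buckets only would be more targeted than a global ignore.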
@@ -163,6 +163,7 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
index e24ab6d90..c10bc943d 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
@@ -1048,6 +1048,7 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced
@@ -1075,6 +1076,7 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
index 0800bf357..af76f4c62 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
@@ -23,6 +23,10 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerEnforced
 BucketEncryption:
 ServerSideEncryptionConfiguration:
 - ServerSideEncryptionByDefault:
diff --git a/src/template.yml b/src/template.yml
index 454a2edeb..60e0902ae 100644
--- a/src/template.yml
+++ b/src/template.yml
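Review bot: The added `AccessControl: BucketOwnerFullControl` sits directly above `ObjectOwnership: BucketOwnerEnforced` with no comment, so a maintainer reading global.yml cannot tell that the property is a deliberate leftover for the v3.2.0 upgrade path rather than an intended grant; the same applies to both hunks in pipeline_management.yml, the regional.yml hunk and the three template.yml hunks. I would annotate each occurrence with `AccessControl: BucketOwnerFullControl  # TODO(#681): kept only so existing stacks can adopt OwnershipControls; remove once upgrades from before v4.0.0 are no longer supported`. The comment should also state that ACLs are disabled under BucketOwnerEnforced, so this property grants nothing on its own and must not be read as a security control. The enclosing bucket resource starts outside the hunk, so its logical ID is not visible here.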
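Review bot: The regional.yml hunk is the only one that introduces `OwnershipControls` with `BucketOwnerEnforced` on a bucket that did not have it before, which disables ACLs on that bucket instead of merely preserving an existing setting; the bucket's logical ID and any bucket policy lie outside the hunk. If this bucket is written to from other accounts, confirm that the bucket policy grants those principals what ACL grants used to, because ACL-based grants stop applying once ownership is enforced. I would record that decision on the added line, e.g. `- ObjectOwnership: BucketOwnerEnforced  # ACLs disabled; cross-account access is governed by the bucket policy only`.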
@@ -147,10 +147,11 @@ Resources:
 AWS: !Ref AWS::AccountId
 BootstrapArtifactStorageBucket:
+ Type: AWS::S3::Bucket
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
- Type: AWS::S3::Bucket
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced
@@ -171,6 +172,7 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced
@@ -688,6 +690,7 @@ Resources:
 DeletionPolicy: Retain
 UpdateReplacePolicy: Retain
 Properties:
+ AccessControl: BucketOwnerFullControl
 OwnershipControls:
 Rules:
 - ObjectOwnership: BucketOwnerEnforced