Skip to content

Commit

Permalink
fix(s3-constructs): accommodate s3 change that disables acls by defau…
Browse files Browse the repository at this point in the history
…lt (#949)

* Remove access Control override (avoid ACLs)

* Remove all S3 ACLs and adjust tests accordingly

* Two more constructs
  • Loading branch information
biffgaut authored Apr 16, 2023
1 parent 08114e1 commit 46d02cc
Show file tree
Hide file tree
Showing 89 changed files with 1,895 additions and 173 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -589,13 +589,13 @@
"cfapigwlambdaCloudFrontToApiGatewaySetHttpSecurityHeadersE20F2933": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f",
"AutoPublish": true
}
},
"cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2": {
Expand All @@ -611,6 +611,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -884,7 +891,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -589,13 +589,13 @@
"testcloudfrontapigatewaylambdaCloudFrontToApiGatewaySetHttpSecurityHeaders6945414A": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc8118ca6b46a588ddfb2f1826effa6addb3adda75e",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc8118ca6b46a588ddfb2f1826effa6addb3adda75e",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc8118ca6b46a588ddfb2f1826effa6addb3adda75e",
"AutoPublish": true
}
},
"testcloudfrontapigatewaylambdaCloudFrontToApiGatewayCloudfrontLoggingBucket7F467421": {
Expand All @@ -611,6 +611,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -884,7 +891,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -550,13 +550,13 @@
"cfapilambdaoverrideCloudFrontToApiGatewaySetHttpSecurityHeaders67E61E6E": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc82a9e79410026b75533b53f0a37eeb986a591fa95",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc82a9e79410026b75533b53f0a37eeb986a591fa95",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc82a9e79410026b75533b53f0a37eeb986a591fa95",
"AutoPublish": true
}
},
"cfapilambdaoverrideCloudFrontToApiGatewayCloudfrontLoggingBucket3A71B9E0": {
Expand All @@ -572,6 +572,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -923,7 +930,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ test('Cloudfront logging bucket with destroy removal policy and auto delete obje

const template = Template.fromStack(stack);
template.hasResourceProperties("AWS::S3::Bucket", {
AccessControl: "LogDeliveryWrite"
OwnershipControls: { Rules: [ { ObjectOwnership: "ObjectWriter" } ] },
});

template.hasResourceProperties("Custom::S3AutoDeleteObjects", {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -589,13 +589,13 @@
"cfapigwSetHttpSecurityHeaders07A0F0C0": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc8fc067b45a5c199a519a90c3b5f02d380f1625f1d",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc8fc067b45a5c199a519a90c3b5f02d380f1625f1d",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc8fc067b45a5c199a519a90c3b5f02d380f1625f1d",
"AutoPublish": true
}
},
"cfapigwCloudfrontLoggingBucket79FE4195": {
Expand All @@ -611,6 +611,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -884,7 +891,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -589,13 +589,13 @@
"testcloudfrontapigatewaySetHttpSecurityHeadersD8DBA642": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc86815c5ef0b0f2cdd73c6957ce5bbd25e8f895b9b",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc86815c5ef0b0f2cdd73c6957ce5bbd25e8f895b9b",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc86815c5ef0b0f2cdd73c6957ce5bbd25e8f895b9b",
"AutoPublish": true
}
},
"testcloudfrontapigatewayCloudfrontLoggingBucket9811F6E8": {
Expand All @@ -611,6 +611,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -884,7 +891,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -193,7 +193,7 @@ test('Cloudfront logging bucket with destroy removal policy and auto delete obje

const template = Template.fromStack(stack);
template.hasResourceProperties("AWS::S3::Bucket", {
AccessControl: "LogDeliveryWrite"
OwnershipControls: { Rules: [ { ObjectOwnership: "ObjectWriter" } ] },
});

template.hasResourceProperties("Custom::S3AutoDeleteObjects", {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -665,7 +665,7 @@ test('Cloudfront logging bucket with destroy removal policy and auto delete obje

const template = Template.fromStack(stack);
template.hasResourceProperties("AWS::S3::Bucket", {
AccessControl: "LogDeliveryWrite"
OwnershipControls: { Rules: [ { ObjectOwnership: "ObjectWriter" } ] },
});

template.hasResourceProperties("Custom::S3AutoDeleteObjects", {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -269,13 +276,13 @@
"cloudfrontmediastoreSetHttpSecurityHeadersC55C3265": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc80b17555ef95835e434ce55c4536b557a9baf1262",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc80b17555ef95835e434ce55c4536b557a9baf1262",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc80b17555ef95835e434ce55c4536b557a9baf1262",
"AutoPublish": true
}
},
"cloudfrontmediastoreCloudFrontDistribution639346BB": {
Expand Down Expand Up @@ -410,7 +417,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -269,13 +276,13 @@
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc85e0befbf4ed85d473981453c3bd34f0a97efbe49",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc85e0befbf4ed85d473981453c3bd34f0a97efbe49",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc85e0befbf4ed85d473981453c3bd34f0a97efbe49",
"AutoPublish": true
}
},
"testcloudfrontmediastoreCloudFrontDistributionED9265B1": {
Expand Down Expand Up @@ -410,7 +417,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -194,13 +201,13 @@
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc8671d40ce388b672e8795a9218fe7e3f368379f42",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc8671d40ce388b672e8795a9218fe7e3f368379f42",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc8671d40ce388b672e8795a9218fe7e3f368379f42",
"AutoPublish": true
}
},
"testcloudfrontmediastoreCloudFrontDistributionED9265B1": {
Expand Down Expand Up @@ -327,7 +334,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,13 @@
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand Down Expand Up @@ -233,13 +240,13 @@
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D": {
"Type": "AWS::CloudFront::Function",
"Properties": {
"Name": "SetHttpSecurityHeadersc8f338626119f90653fe964a54eb18cb4a8d6406ce",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc8f338626119f90653fe964a54eb18cb4a8d6406ce",
"Runtime": "cloudfront-js-1.0"
}
},
"Name": "SetHttpSecurityHeadersc8f338626119f90653fe964a54eb18cb4a8d6406ce",
"AutoPublish": true
}
},
"testcloudfrontmediastoreCloudFrontDistributionED9265B1": {
Expand Down Expand Up @@ -369,7 +376,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "15684a15d07860e99d2a8079150ad33dd2cb743677fcd7016dd07345e1b69538.zip"
"S3Key": "40aa87cdf43c4095cec18bc443965f22ab2f8c1ace47e482a0ba4e35d83b0cc9.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
Loading

0 comments on commit 46d02cc

Please sign in to comment.