From 24c11054140bd771425c5a5a772a6a3ee1dd2eaf Mon Sep 17 00:00:00 2001
From: Luca Pizzini
Date: Tue, 14 Nov 2023 09:21:21 +0100
Subject: [PATCH] removed bucket policy auto-creation
---
 ...-cdk-alb-log-imported-bucket-integ.template.json | 4 ++--
 .../test/integ.alb.log.imported-bucket.ts | 4 ++++
 .../lib/shared/base-load-balancer.ts | 13 +++----------
 .../test/alb/load-balancer.test.ts | 6 +++++-
 .../test/nlb/load-balancer.test.ts | 6 +++++-
 5 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json
index 77c34ae2e8aad..e596a9c1e41e8 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json
@@ -396,7 +396,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "ImportedBucketPolicy71C80354": { + "ImportedBucketPolicyAE50CA2C": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": {
@@ -521,7 +521,7 @@ "Type": "application" }, "DependsOn": [ - "ImportedBucketPolicy71C80354", + "ImportedBucketPolicyAE50CA2C", "VPCPublicSubnet1DefaultRoute91CEF279", "VPCPublicSubnet1RouteTableAssociation0B0896DC", "VPCPublicSubnet2DefaultRouteB7481BBA",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts
index a6ccaea0f574a..0aefeaa37378e 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts
@@ -16,6 +16,10 @@ const vpc = new ec2.Vpc(stack, 'VPC', {
 const bucket = new s3.Bucket(stack, 'Bucket');
 const importedBucket = s3.Bucket.fromBucketName(stack, 'ImportedBucket', bucket.bucketName);
+// Imported buckets have `autoCreatePolicy` disabled by default
+importedBucket.policy = new s3.BucketPolicy(stack, 'ImportedBucketPolicy', {
+ bucket: importedBucket,
+});
 const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
 vpc,
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
index 234b0274b24e6..d6ccaeeee0507 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -252,21 +252,14 @@ export abstract class BaseLoadBalancer extends Resource {
 this.setAttribute('access_logs.s3.bucket', bucket.bucketName.toString());
 this.setAttribute('access_logs.s3.prefix', prefix);
- const putObjectStatement = new PolicyStatement({
+ const logsDeliveryServicePrincipal = new ServicePrincipal('delivery.logs.amazonaws.com');
+ bucket.addToResourcePolicy(new PolicyStatement({
 actions: ['s3:PutObject'],
 principals: [this.resourcePolicyPrincipal()],
 resources: [
 bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`),
 ],
- });
- bucket.addToResourcePolicy(putObjectStatement);
- if (!bucket.policy) {
- // Imported buckets have `autoCreatePolicy` disabled
- bucket.policy = new s3.BucketPolicy(bucket, 'Policy', { bucket });
- bucket.addToResourcePolicy(putObjectStatement);
- }
-
- const logsDeliveryServicePrincipal = new ServicePrincipal('delivery.logs.amazonaws.com');
+ }));
 bucket.addToResourcePolicy(
 new PolicyStatement({
 actions: ['s3:PutObject'],
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
index e783a4bf940d9..9b12caafcd797 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -408,6 +408,10 @@ describe('tests', () => {
 const { stack, lb } = loggingSetup();
 const bucket = s3.Bucket.fromBucketName(stack, 'ImportedAccessLoggingBucket', 'imported-bucket');
+ // Imported buckets have `autoCreatePolicy` disabled by default
+ bucket.policy = new s3.BucketPolicy(stack, 'ImportedAccessLoggingBucketPolicy', {
+ bucket,
+ });
 // WHEN
 lb.logAccessLogs(bucket);
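Review bot: The return value of the new `bucket.addToResourcePolicy(new PolicyStatement({ ... }))` call is discarded, so for an imported bucket whose `policy` is unset (exactly the case the removed `if (!bucket.policy)` branch used to handle) the PutObject grant is silently dropped while `access_logs.s3.bucket` has already been set on the load balancer two lines above, and the missing grant only surfaces at deploy time. Capture the result and fail at synth instead: change the call to `const putObjectResult = bucket.addToResourcePolicy(new PolicyStatement({` and after `}));` add `if (!putObjectResult.statementAdded) { throw new Error('Access log bucket policy was not updated; imported buckets need an explicit policy'); }` (an `Annotations.of(this).addWarning(...)` is the minimum if throwing is judged too strict for callers that manage the policy elsewhere — depends on whether `Annotations` is already imported here, which the hunk does not show). The same check belongs on the second `bucket.addToResourcePolicy(` call for the delivery-logs principal, whose statement continues past the end of the hunk. The enclosing method (invoked as `logAccessLogs` in the tests of this patch) starts and ends outside the hunk.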
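Review bot: The updated test only exercises an imported bucket whose `policy` is assigned before `lb.logAccessLogs(bucket)`, so the path this commit removes — an imported bucket with no policy, where `addToResourcePolicy` can no longer create one — is left with no test at all. Add a sibling test that calls `lb.logAccessLogs(s3.Bucket.fromBucketName(stack, 'NoPolicyBucket', 'imported-bucket'))` without assigning `policy` and pins whichever behavior is intended (an error at synth, or a template containing no `AWS::S3::BucketPolicy` resource), so the new contract is asserted rather than only implied by the added comment. The same gap applies to the nlb test hunk at `@@ -239,6 +239,10 @@`. The enclosing `test(...)` callback starts and ends outside the hunk.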
@@ -492,7 +496,7 @@ describe('tests', () => {
 // verify the ALB depends on the bucket policy
 Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::LoadBalancer', {
- DependsOn: ['ImportedAccessLoggingBucketPolicy832A536F'],
+ DependsOn: ['ImportedAccessLoggingBucketPolicy97AE3371'],
 });
 });
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
index a5ee4240c4b91..6e8dcea8dc685 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
@@ -239,6 +239,10 @@ describe('tests', () => {
 const stack = new cdk.Stack(app, undefined, { env: { region: 'us-east-1' } });
 const vpc = new ec2.Vpc(stack, 'Stack');
 const bucket = s3.Bucket.fromBucketName(stack, 'ImportedAccessLoggingBucket', 'imported-bucket');
+ // Imported buckets have `autoCreatePolicy` disabled by default
+ bucket.policy = new s3.BucketPolicy(stack, 'ImportedAccessLoggingBucketPolicy', {
+ bucket,
+ });
 const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc });
 // WHEN
@@ -325,7 +329,7 @@ describe('tests', () => {
 // verify the NLB depends on the bucket policy
 Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::LoadBalancer', {
- DependsOn: ['ImportedAccessLoggingBucketPolicy832A536F'],
+ DependsOn: ['ImportedAccessLoggingBucketPolicy97AE3371'],
 });
 });