What is the problem?
The AWS::S3::BucketPolicy added by #18271 since v2.9 conflicts with the existing AWSLogDeliveryWrite20150319 policy that is applied automatically when the construct was created and deployed by CDK versions earlier than v2.9.
CloudFormation cannot merge, adopt, or overwrite an existing bucket policy; the deployment fails with 'The bucket policy already exists on bucket ...'.
If the equivalent policy had originally been created by CDK/CloudFormation, the secure transport statement could simply be added to it. But existing deployments are likely to carry the automatically applied policy, and a bucket dedicated to VPC Flow Logs, whose policy only lets the log delivery service put objects, gains little from additionally requiring secure transport for that delivery (the writer is an AWS service delivering the logs). It might therefore be best not to add this policy at all and to revert the changes from #18271.
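The conflict described above, modelled offline as an added example (this is not code from the CDK repository or from this issue): a bucket that already carries the automatically applied log delivery policy cannot receive a second AWS::S3::BucketPolicy, so a secure transport statement could only ever live in the same policy document. The helpers below classify an existing policy document before deployment (no policy, log delivery only, already denies insecure transport, or something else) and build the single merged document that CloudFormation would have to own. The sample policy, statement Sids and bucket ARN are constructed for the example; the exact AWSLogDeliveryWrite20150319 text on a real bucket may differ.

```typescript
// Added example; not part of the CDK code base or of this issue report.
// Sample policy, Sids and bucket ARN are constructed to resemble real ones.

type Principal = '*' | { Service?: string | string[]; AWS?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | boolean>>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

const BUCKET_ARN = 'arn:aws:s3:::flowlogs-example-bucket'; // constructed bucket name

// Constructed approximation of the policy the log delivery service applies to a
// flow-log bucket created by CDK < 2.9: PutObject with bucket-owner-full-control
// plus GetBucketAcl for delivery.logs.amazonaws.com.
const existingLogDeliveryPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'AWSLogDeliveryWrite',
      Effect: 'Allow',
      Principal: { Service: 'delivery.logs.amazonaws.com' },
      Action: 's3:PutObject',
      Resource: `${BUCKET_ARN}/AWSLogs/*`,
      Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
    },
    {
      Sid: 'AWSLogDeliveryAclCheck',
      Effect: 'Allow',
      Principal: { Service: 'delivery.logs.amazonaws.com' },
      Action: 's3:GetBucketAcl',
      Resource: BUCKET_ARN,
    },
  ],
};

// The deny-insecure-transport statement in the shape CDK uses for enforceSSL;
// the Sid is a label chosen for this example.
function secureTransportStatement(bucketArn: string): Statement {
  return {
    Sid: 'DenyInsecureTransport',
    Effect: 'Deny',
    Principal: '*',
    Action: 's3:*',
    Resource: [bucketArn, `${bucketArn}/*`],
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  };
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// True if any statement denies requests made without TLS.
function deniesInsecureTransport(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) => {
    const cond = s.Condition?.Bool?.['aws:SecureTransport'];
    return s.Effect === 'Deny' && (cond === 'false' || cond === false);
  });
}

// True if the log delivery service is allowed to write objects.
function grantsLogDelivery(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) => {
    const services = typeof s.Principal === 'object' ? asList(s.Principal.Service ?? []) : [];
    return (
      s.Effect === 'Allow' &&
      services.includes('delivery.logs.amazonaws.com') &&
      asList(s.Action).includes('s3:PutObject')
    );
  });
}

type Verdict = 'no-policy' | 'conflict' | 'already-secure' | 'other-policy';

// Pre-deploy check: attaching a new AWS::S3::BucketPolicy only succeeds for 'no-policy';
// 'conflict' is exactly the situation this issue describes.
function classify(existing: PolicyDocument | undefined): Verdict {
  if (existing === undefined) return 'no-policy';
  if (deniesInsecureTransport(existing)) return 'already-secure';
  return grantsLogDelivery(existing) ? 'conflict' : 'other-policy';
}

// The one document CloudFormation would have to own: existing statements plus the
// transport deny, appended only once so the merge is idempotent.
function mergeSecureTransport(existing: PolicyDocument, bucketArn: string): PolicyDocument {
  if (deniesInsecureTransport(existing)) return existing;
  return { Version: existing.Version, Statement: [...existing.Statement, secureTransportStatement(bucketArn)] };
}
```

Feeding the output of `aws s3api get-bucket-policy` for a bucket into `classify` before upgrading past v2.9 tells you whether the deployment will hit the 'bucket policy already exists' error; `mergeSecureTransport` shows what a single combined policy would look like if the statements were ever brought under one resource.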
Reproduction Steps
import * as ec2 from 'aws-cdk-lib/aws-ec2';
// vpc is an existing ec2.Vpc in the stack; toS3() without a bucket lets the construct create the flow-log bucket
const flowLog = vpc.addFlowLog('FlowLogS3', {
  destination: ec2.FlowLogDestination.toS3(),
});
What did you expect to happen?
That the bucket policy construct/resource for log delivery would already have been created by CDK/CloudFormation.
What actually happened?
The bucket policy had been created automatically (outside CloudFormation), so the new construct/resource could not be created.
CDK CLI Version
v2.9
Framework Version
No response
Node.js Version
v16.13
OS
Linux
Language
Typescript
Language Version
No response
Other information
No response