Describe the bug
Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied).
Expected Behavior
I would expect that assets will be encrypted when the asset bucket has encryption enabled.
Current Behavior
Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings.
Reproduction Steps
Create a ProductStack that includes a Lambda (to use assets). Provide as assetBucket a Bucket with SSE_KMS encryption enabled and BucketPolicy configured to deny any unencrypted PutObjects.
Possible Solution
I've created a PR with a possible solution in which user would provide additional property which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user.
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18.16.1
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response
Describe the bug
Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied).
Expected Behavior
I would expect that assets will be encrypted when the asset bucket has encryption enabled.
Current Behavior
Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings.
Reproduction Steps
Create a ProductStack that includes a Lambda (to use assets). Provide as assetBucket a Bucket with SSE_KMS encryption enabled and BucketPolicy configured to deny any unencrypted PutObjects.
Possible Solution
I've created a PR with a possible solution in which user would provide additional property which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user.
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18.16.1
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response