Describe the bug
Situation:
- Create two (2) Bucket constructs in a Stack
- Create two (2) BucketPolicy constructs in the same Stack
- Identify one of the buckets as an "access logging" bucket for the other bucket.
Result:
- three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
- all three wind up getting created when the Stack is deployed
- two of the three point to the same AWS S3 bucket
- net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
- The resulting BucketPolicy does not match what is defined in the CDK application.
Expected Behavior
Expected Behavior is either:
- a) only the explicitly indicated BucketPolicy is created
- b) the implicitly created BucketPolicy and the explicitly created BucketPolicy are what is synthesized/deployed
- c) an error is indicated that the explicit BucketPolicy would NOT be appropriate if it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)
Current Behavior
Result:
- three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
- all three wind up getting created when the Stack is deployed
- two of the three point to the same AWS S3 bucket
- net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
- The resulting BucketPolicy does not match what is defined in the CDK application.
Reproduction Steps
See above.
Possible Solution
Suggested Behavior:
- c) an error is indicated that the explicit BucketPolicy is NOT appropriate since it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)
Or a recommendation to use .addToResourcePolicy() rather than creating explicit BucketPolicy constructs.
Additional Information/Context
Sample code can be provided on request.
CDK CLI Version
2.141.0
Framework Version
aws-cdk-lib@2.138.0
Node.js Version
v20.12.2
OS
MacOS
Language
TypeScript
Language Version
typescript@5.3.3
Other information
No response
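A pre-deploy check for the condition described in this issue, as an added example (not code from the reporter or from the aws-cdk project): it scans a synthesized CloudFormation template for more than one AWS::S3::BucketPolicy resource targeting the same bucket. The sample template, its logical IDs and the function names are constructed for illustration.

```typescript
// Added example: find buckets that are targeted by more than one
// AWS::S3::BucketPolicy in a synthesized template (the JSON under cdk.out).
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

// Reduce the policy's Bucket property to a comparable key. A literal name and
// a {"Ref": ...} to the same bucket are NOT matched to each other here.
function bucketKey(target: unknown): string {
  if (typeof target === "string") return "name:" + target;
  if (target && typeof target === "object") {
    const ref = (target as Record<string, unknown>)["Ref"];
    if (typeof ref === "string") return "ref:" + ref;
  }
  return "expr:" + JSON.stringify(target);
}

// Returns bucket key -> logical IDs of its policies, only where there are 2+.
function findDuplicateBucketPolicies(template: Template): Record<string, string[]> {
  const byBucket: Record<string, string[]> = {};
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::S3::BucketPolicy") continue;
    const key = bucketKey(res.Properties?.["Bucket"]);
    (byBucket[key] = byBucket[key] || []).push(logicalId);
  }
  const result: Record<string, string[]> = {};
  for (const key of Object.keys(byBucket)) {
    if (byBucket[key].length > 1) result[key] = byBucket[key];
  }
  return result;
}

// Constructed sample mirroring the report: two buckets, three policies,
// two of which point at the access-logging bucket. Logical IDs are made up.
const sampleTemplate: Template = {
  Resources: {
    DataBucket: { Type: "AWS::S3::Bucket" },
    LogBucket: { Type: "AWS::S3::Bucket" },
    DataBucketPolicy: { Type: "AWS::S3::BucketPolicy", Properties: { Bucket: { Ref: "DataBucket" } } },
    LogBucketPolicyImplicit: { Type: "AWS::S3::BucketPolicy", Properties: { Bucket: { Ref: "LogBucket" } } },
    LogBucketPolicyExplicit: { Type: "AWS::S3::BucketPolicy", Properties: { Bucket: { Ref: "LogBucket" } } },
  },
};

const duplicates = findDuplicateBucketPolicies(sampleTemplate);
for (const bucket of Object.keys(duplicates)) {
  console.log(bucket + " has multiple bucket policies: " + duplicates[bucket].join(", "));
}
```

Run against the real template before deploy, a non-empty result means one policy will overwrite another on that bucket, which is the "last one wins" outcome reported above.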