feat(s3-deployment): add support for BucketDeployment accessControl p…

…roperty
aws · Jul 25, 2021 · 1c56d62 · 1c56d62
1 parent 81cbfec
commit 1c56d62
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -93,6 +93,8 @@
       "@aws-cdk/aws-eks/yaml/**",
       "@aws-cdk/aws-events-targets/aws-sdk",
       "@aws-cdk/aws-events-targets/aws-sdk/**",
+      "@aws-cdk/aws-s3-deployment/case",
+      "@aws-cdk/aws-s3-deployment/case/**",
       "@aws-cdk/cloud-assembly-schema/jsonschema",
       "@aws-cdk/cloud-assembly-schema/jsonschema/**",
       "@aws-cdk/cloud-assembly-schema/semver",

diff --git a/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts b/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts
@@ -6,6 +6,7 @@ import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as cdk from '@aws-cdk/core';
 import { AwsCliLayer } from '@aws-cdk/lambda-layer-awscli';
+import { kebab as toKebabCase } from 'case';
 import { Construct } from 'constructs';
 import { ISource, SourceConfig } from './source';
 
@@ -165,6 +166,14 @@ export interface BucketDeploymentProps {
    */
   readonly serverSideEncryptionCustomerAlgorithm?: string;
 
+  /**
+   * Sets the ACL for the object when the command is performed.
+   * If you use this parameter you must have the "s3:PutObjectAcl" permission included in the list of actions for your IAM policy.
+   * @default - Not set.
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+   */
+  readonly accessControl?: s3.BucketAccessControl;
+
   /**
    * The VPC network to place the deployment lambda handler in.
    *
@@ -282,6 +291,7 @@ function mapSystemMetadata(metadata: BucketDeploymentProps) {
   if (metadata.websiteRedirectLocation) { res['website-redirect'] = metadata.websiteRedirectLocation; }
   if (metadata.serverSideEncryptionAwsKmsKeyId) { res['sse-kms-key-id'] = metadata.serverSideEncryptionAwsKmsKeyId; }
   if (metadata.serverSideEncryptionCustomerAlgorithm) { res['sse-c-copy-source'] = metadata.serverSideEncryptionCustomerAlgorithm; }
+  if (metadata.accessControl) { res.acl = toKebabCase(metadata.accessControl.toString()); }
 
   return Object.keys(res).length === 0 ? undefined : res;
 }

diff --git a/packages/@aws-cdk/aws-s3-deployment/package.json b/packages/@aws-cdk/aws-s3-deployment/package.json
@@ -96,6 +96,7 @@
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/lambda-layer-awscli": "0.0.0",
     "@aws-cdk/core": "0.0.0",
+    "case": "1.6.3",
     "constructs": "^3.3.69"
   },
   "homepage": "https://github.com/aws/aws-cdk",
@@ -110,6 +111,9 @@
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },
+  "bundledDependencies": [
+    "case"
+  ],
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"
   },

diff --git a/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts b/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts
@@ -325,6 +325,7 @@ test('system metadata is correctly transformed', () => {
     websiteRedirectLocation: 'example',
     cacheControl: [s3deploy.CacheControl.setPublic(), s3deploy.CacheControl.maxAge(cdk.Duration.hours(1))],
     expires: expiration,
+    accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
   });
 
   // THEN
@@ -340,6 +341,7 @@ test('system metadata is correctly transformed', () => {
       'expires': expiration.date.toUTCString(),
       'sse-c-copy-source': 'rot13',
       'website-redirect': 'example',
+      'acl': 'bucket-owner-full-control',
     },
   });
 });