feat(aws-s3-deployment): deployment permission update

Author: amandladev

packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts

@@ -400,9 +400,13 @@ export class BucketDeployment extends Construct {
 
     this.sources = props.sources.map((source: ISource) => source.bind(this, { handlerRole: this.handlerRole }));
 
-    this.destinationBucket.grantReadWrite(handler);
+    const objectPattern = props.destinationKeyPrefix
+      ? `${this.normalizePrefix(props.destinationKeyPrefix)}*`
+      : '*';
+
+    this.destinationBucket.grantReadWrite(handler, objectPattern);
     if (props.accessControl) {
-      this.destinationBucket.grantPutAcl(handler);
+      this.destinationBucket.grantPutAcl(handler, objectPattern);
     }
     if (props.distribution) {
       handler.addToRolePolicy(new iam.PolicyStatement({
@@ -645,6 +649,15 @@ export class BucketDeployment extends Construct {
     const uuid = `BucketDeploymentEFS-VPC-${fileSystemProps.vpc.node.addr}`;
     return stack.node.tryFindChild(uuid) as efs.FileSystem ?? new efs.FileSystem(scope, uuid, fileSystemProps);
   }
+  /**
+   * Normalize the prefix for S3 object keys.
+   * @param prefix prefix string
+   * @returns normalized prefix string
+   */
+  normalizePrefix(prefix?: string): string {
+    if (!prefix) return '';
+    return prefix.replace(/^\/+/, '').replace(/\/+$/, '') + '/';
+  }
 }
 
 export interface DeployTimeSubstitutedFileProps {

packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts

@@ -1765,3 +1765,40 @@ test('outputObjectKeys default value is true', () => {
     OutputObjectKeys: true,
   });
 });
+
+test.each([
+  ['my-prefix', '/my-prefix/*'],
+  ['my-prefix/', '/my-prefix/*'],
+  ['/my-prefix', '/my-prefix/*'],
+  ['/my-prefix/', '/my-prefix/*'],
+  [undefined, '/*'],
+])('lambda execution role gets permissions with destinationKeyPrefix "%s"', (prefix, expectedSuffix) => {
+  const stack = new cdk.Stack();
+  const bucket = new s3.Bucket(stack, 'Dest');
+  new s3deploy.BucketDeployment(stack, 'Deploy', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
+    destinationBucket: bucket,
+    destinationKeyPrefix: prefix,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: Match.objectLike({
+      Statement: Match.arrayWith([
+        Match.objectLike({
+          Resource: Match.arrayWith([
+            { 'Fn::GetAtt': ['DestC383B82A', 'Arn'] },
+            {
+              'Fn::Join': [
+                '',
+                [
+                  { 'Fn::GetAtt': ['DestC383B82A', 'Arn'] },
+                  expectedSuffix,
+                ],
+              ],
+            },
+          ]),
+        }),
+      ]),
+    }),
+  });
+});