fix(s3): resolve synthesis error in BucketPolicy.fromCfnBucketPolicy() (#35633)

9pace · web-flow · commit d9085cc851a4 · 2025-10-02T18:12:07.000Z
### Issue # (if applicable) Closes [#34322](#34322) ### Reason for this change Fixes synthesis error: 'Supplied properties not correct for CfnBucketPolicyProps: policyDocument: required but missing' ### Description of changes - Fix synthesis error where duplicate CfnBucketPolicy was created without policyDocument - Ensure PolicyDocument is properly passed from original CfnBucketPolicy to constructor - Maintains existing behavior while fixing synthesis bug ### Description of how you validated changes - Add test to verify synthesis works and duplicate resources are created as expected ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket-policy.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket-policy.ts
@@ -19,6 +19,13 @@ export interface BucketPolicyProps {
    * @default - RemovalPolicy.DESTROY.
    */
   readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * Policy document to apply to the bucket.
+   *
+   * @default - A new empty PolicyDocument will be created.
+   */
+  readonly document?: PolicyDocument;
 }
 
 /**
@@ -83,10 +90,9 @@ export class BucketPolicy extends Resource implements IBucketPolicyRef {
       bucket = Bucket.fromBucketName(cfnBucketPolicy, '@FromCfnBucket', cfnBucketPolicy.bucket);
     }
 
-    const ret = new class extends BucketPolicy {
-      public readonly document = PolicyDocument.fromJson(cfnBucketPolicy.policyDocument);
-    }(cfnBucketPolicy, id, {
+    const ret = new BucketPolicy(cfnBucketPolicy, id, {
       bucket,
+      document: PolicyDocument.fromJson(cfnBucketPolicy.policyDocument),
     });
 
     // mark the Bucket as having this Policy
@@ -101,7 +107,7 @@ export class BucketPolicy extends Resource implements IBucketPolicyRef {
    * For more information, see Access Policy Language Overview in the Amazon
    * Simple Storage Service Developer Guide.
    */
-  public readonly document = new PolicyDocument();
+  public readonly document: PolicyDocument;
 
   /** The Bucket this Policy applies to. */
   public readonly bucket: IBucket;
@@ -114,6 +120,7 @@ export class BucketPolicy extends Resource implements IBucketPolicyRef {
     addConstructMetadata(this, props);
 
     this.bucket = props.bucket;
+    this.document = props.document ?? new PolicyDocument();
 
     this.resource = new CfnBucketPolicy(this, 'Resource', {
       bucket: this.bucket.bucketName,
diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket-policy.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket-policy.test.ts
@@ -129,27 +129,29 @@ describe('bucket policy', () => {
   });
 
   test('fails if bucket policy has no actions', () => {
-    const app = new App();
-    const stack = new Stack(app, 'my-stack');
+    const stack = new Stack();
     const myBucket = new s3.Bucket(stack, 'MyBucket');
     myBucket.addToResourcePolicy(new PolicyStatement({
       resources: [myBucket.bucketArn],
       principals: [new AnyPrincipal()],
     }));
 
-    expect(() => app.synth()).toThrow(/A PolicyStatement must specify at least one \'action\' or \'notAction\'/);
+    expect(() => {
+      Template.fromStack(stack).toJSON();
+    }).toThrow(/A PolicyStatement must specify at least one \'action\' or \'notAction\'/);
   });
 
   test('fails if bucket policy has no IAM principals', () => {
-    const app = new App();
-    const stack = new Stack(app, 'my-stack');
+    const stack = new Stack();
     const myBucket = new s3.Bucket(stack, 'MyBucket');
     myBucket.addToResourcePolicy(new PolicyStatement({
       resources: [myBucket.bucketArn],
       actions: ['s3:GetObject*'],
     }));
 
-    expect(() => app.synth()).toThrow(/A PolicyStatement used in a resource-based policy must specify at least one IAM principal/);
+    expect(() => {
+      Template.fromStack(stack).toJSON();
+    }).toThrow(/A PolicyStatement used in a resource-based policy must specify at least one IAM principal/);
   });
 
   describe('fromCfnBucketPolicy()', () => {
@@ -176,6 +178,39 @@ describe('bucket policy', () => {
       expect(bucketPolicy.bucket.bucketName).toBe('hardcoded-name');
     });
 
+    test('should synthesize without errors and create duplicate cfn resource', () => {
+      const testStack = new Stack();
+      const cfnBucketPolicy = new s3.CfnBucketPolicy(testStack, 'TestBucketPolicy', {
+        policyDocument: {
+          'Statement': [
+            {
+              'Action': 's3:*',
+              'Effect': 'Deny',
+              'Principal': {
+                'AWS': '*',
+              },
+              'Resource': '*',
+            },
+          ],
+          'Version': '2012-10-17',
+        },
+        bucket: 'test-bucket',
+      });
+
+      s3.BucketPolicy.fromCfnBucketPolicy(cfnBucketPolicy);
+
+      // Verify that two CfnBucketPolicy resources are created
+      const template = Template.fromStack(testStack);
+      const bucketPolicies = template.findResources('AWS::S3::BucketPolicy');
+      expect(Object.keys(bucketPolicies)).toHaveLength(2);
+
+      // Both should have valid policy documents
+      Object.values(bucketPolicies).forEach((policy: any) => {
+        expect(policy.Properties.PolicyDocument).toBeDefined();
+        expect(policy.Properties.PolicyDocument.Statement).toBeDefined();
+      });
+    });
+
     function bucketPolicyForBucketNamed(name: string): CfnBucketPolicy {
       return new s3.CfnBucketPolicy(stack, `CfnBucketPolicy-${name}`, {
         policyDocument: {
