
fix(cloudfront-origins): policy not added for custom OAI #18192

Merged
merged 7 commits into from
Dec 29, 2021

Conversation

smguggen
Contributor

Closes #18185: When creating an `S3Origin` without including an existing `Origin Access Identity`, an `OriginAccessIdentity` is created and added to the bucket's resource policy. However, since the addition to the resource policy is inside of the `if (!this.originAccessIdentity)` closure, custom OAIs are not added to the bucket policy by default. Since using `bucket.grantRead` creates an overly permissive policy (as noted in the source code comments), adding the OAI to the bucket policy by default for both cases would create a more consistent result.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
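To make the defect concrete, the following is an added TypeScript model of the binding logic before and after this change; it is not aws-cdk code, and `Bucket`, `OriginAccessIdentity`, `bindS3Origin` and `oaiCanReadObjects` are hypothetical stand-ins that only mimic the shape of the real constructs. The `fixed` flag selects the pre- or post-fix control flow, and the checker answers the question a reviewer would ask of the synthesized bucket policy: does the OAI principal hold `s3:GetObject` on the bucket's objects?

```typescript
// Hypothetical stand-in model of S3Origin binding (added example, not aws-cdk code).
interface PolicyStatement { actions: string[]; resources: string[]; principals: string[]; }

class Bucket {
  readonly statements: PolicyStatement[] = [];
  constructor(readonly name: string) {}
  arnForObjects(key: string): string { return `arn:aws:s3:::${this.name}/${key}`; }
  addToResourcePolicy(s: PolicyStatement): void { this.statements.push(s); }
  // Models the broader grant the PR text warns about: bucket-level plus object-level read actions.
  grantRead(principal: string): void {
    this.addToResourcePolicy({
      actions: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
      resources: [`arn:aws:s3:::${this.name}`, this.arnForObjects('*')],
      principals: [principal],
    });
  }
}

class OriginAccessIdentity { constructor(readonly principal: string) {} }

// The narrow grant both code paths should end up with: s3:GetObject on objects only.
function addObjectReadGrant(bucket: Bucket, oai: OriginAccessIdentity): void {
  bucket.addToResourcePolicy({
    actions: ['s3:GetObject'], resources: [bucket.arnForObjects('*')], principals: [oai.principal],
  });
}

let autoOaiCounter = 0;
// fixed=false reproduces the bug: the grant is only issued inside the auto-create branch.
// fixed=true reproduces the PR: the grant is issued for auto-created and custom OAIs alike.
function bindS3Origin(bucket: Bucket, fixed: boolean, oai?: OriginAccessIdentity): OriginAccessIdentity {
  let identity = oai;
  if (!identity) {
    identity = new OriginAccessIdentity(`auto-oai-${++autoOaiCounter}`);
    if (!fixed) addObjectReadGrant(bucket, identity); // before: inside the closure
  }
  if (fixed) addObjectReadGrant(bucket, identity);    // after: both cases
  return identity;
}

// Verification: does the bucket's resource policy let this OAI read objects?
function oaiCanReadObjects(bucket: Bucket, oai: OriginAccessIdentity): boolean {
  return bucket.statements.some(s =>
    s.principals.indexOf(oai.principal) !== -1 &&
    s.actions.some(a => a === 's3:GetObject' || a === 's3:GetObject*') &&
    s.resources.indexOf(bucket.arnForObjects('*')) !== -1);
}
```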


@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Dec 27, 2021
Contributor

@peterwoodworth peterwoodworth left a comment


The fix looks good to me @smguggen, but be sure to run the integration tests! 🙂

@smguggen
Contributor Author

smguggen commented Dec 28, 2021

@peterwoodworth Yeah I just came back and saw that. I've been wracking my brain trying to figure out why integ.s3-origin is still failing and I didn't even notice there's another integration test called integ.s3-origin-oai, which is actually the one that's failing. My mistake, will fix.

@peterwoodworth peterwoodworth added the pr/do-not-merge This PR should not be merged at this time. label Dec 28, 2021
Contributor

@peterwoodworth peterwoodworth left a comment


LGTM, will let @njlynch take a look before merge

@peterwoodworth peterwoodworth changed the title fix(cloudfront-origins): Add Origin Access Identity to bucket policy for custom OAI's - Closes #18185 fix(cloudfront-origins): policy not added for custom OAI Dec 28, 2021
@njlynch njlynch removed the pr/do-not-merge This PR should not be merged at this time. label Dec 29, 2021
@mergify
Contributor

mergify bot commented Dec 29, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: ed858a3
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify mergify bot merged commit c894ba1 into aws:master Dec 29, 2021

mnapoli added a commit to getlift/lift that referenced this pull request Jan 6, 2022
aws/aws-cdk#18192 lets us use the default OAI config that deploys more restricted permissions (without us doing anything).
@mnapoli
Contributor

mnapoli commented Jan 6, 2022

Thank you! ❤️ That allowed some simplifications in our CDK constructs (getlift/lift#150)

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Feb 21, 2022
Successfully merging this pull request may close these issues.

(cloudfront): explicit OAI for S3Origin doesn't work for cloudfront.