
(s3): remove warnings about Object Lock on existing buckets #29168

Open
blimmer opened this issue Feb 19, 2024 · 3 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 documentation This is a problem with documentation. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@blimmer
Contributor

blimmer commented Feb 19, 2024

Describe the issue

There are a lot of warnings in the CDK documentation about enabling Object Lock on existing buckets.

It's in the README:

[Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html)
can be configured to enable a write-once-read-many model for an S3 bucket. Object Lock must be
configured when a bucket is created; if a bucket is created without Object Lock, it cannot be
enabled later via the CDK.

And in the in-code comments:

/**
* Enable object lock on the bucket.
*
* Enabling object lock for existing buckets is not supported. Object lock must be
* enabled when the bucket is created.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable
*
* @default false, unless objectLockDefaultRetention is set (then, true)
*/
readonly objectLockEnabled?: boolean;
/**
* The default retention mode and rules for S3 Object Lock.
*
* Default retention can be configured after a bucket is created if the bucket already
* has object lock enabled. Enabling object lock for existing buckets is not supported.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable
*
* @default no default retention period
*/
readonly objectLockDefaultRetention?: ObjectLockRetention;

Links

It looks like, as of Nov 20, 2023, you can now enable this on existing buckets: https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-s3-enabling-object-lock-buckets/

@blimmer blimmer added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Feb 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Feb 19, 2024
@tim-finnigan tim-finnigan self-assigned this Feb 19, 2024
@tim-finnigan tim-finnigan added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 19, 2024
@tim-finnigan

I tried adding Object Lock on an existing bucket using CDK:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Bucket } from 'aws-cdk-lib/aws-s3';

export class CdkS3TestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Changing this to true on an existing bucket forces CloudFormation
    // to replace the bucket (see the cdk diff output below).
    const bucket = new Bucket(this, 'MyBucket', {
      objectLockEnabled: false,
    });
  }
}

When I changed objectLockEnabled to true and ran cdk diff, it showed:

Resources
[~] AWS::S3::Bucket MyBucket MyBucketF68F3111 replace
 └─ [~] ObjectLockEnabled (requires replacement)

Which is a limitation on the underlying CloudFormation resource:

[screenshot omitted]

So although S3 now supports enabling S3 Object Lock on existing buckets per that recent announcement, I'm not sure that makes this documentation inaccurate, since a new bucket gets created on cdk deploy:

...if a bucket is created without Object Lock, it cannot be enabled later via the CDK.

But I think the "Enabling object lock for existing buckets is not supported." should be changed, because you could make the update via the console or an SDK like the Python SDK (Boto3):

import boto3

s3 = boto3.client('s3')

# Enable versioning on the bucket
# (Required for S3 Object Lock)
s3.put_bucket_versioning(
    Bucket='MyBucket',
    VersioningConfiguration={
        'Status': 'Enabled'
    }
)

# Enable S3 Object Lock
s3.put_object_lock_configuration(
    Bucket='MyBucket',
    ObjectLockConfiguration={
        'ObjectLockEnabled': 'Enabled'
    }
)

@tim-finnigan tim-finnigan added p2 and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Feb 19, 2024
@tim-finnigan tim-finnigan removed their assignment Feb 19, 2024
@blimmer
Contributor Author

blimmer commented Feb 20, 2024

Thanks for testing this out for me. Admittedly, I didn't actually try it myself! I filed aws-cloudformation/cloudformation-coverage-roadmap#1929 because CloudFormation should be updated to support this.

I don't love suggesting that people mutate the bucket state outside of CDK, personally. In general, the infrastructure as code should always match the real state of the infrastructure (although, CloudFormation is terrible at that 😓).

Because of that, I'd personally be in favor of waiting on CFN support rather than suggesting that people update it themselves outside of infrastructure as code or providing a Custom Resource.
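The cdk diff output quoted above and the concern about infrastructure as code drifting from real state both point at the same defensive control: a pre-deploy gate that refuses a diff in which a data-bearing resource such as the bucket would be replaced or destroyed. The following Python is an added example, not code from this issue or from the aws-cdk project; the set of stateful resource types and the sample diff text are assumptions constructed for the example.

```python
import re

# Resource types whose replacement means data loss or a changed ARN.
# This list is an assumption for the example, not something the CDK ships.
STATEFUL_TYPES = {"AWS::S3::Bucket", "AWS::DynamoDB::Table", "AWS::RDS::DBInstance"}

# Matches resource lines such as "[~] AWS::S3::Bucket MyBucket MyBucketF68F3111 replace"
RESOURCE_RE = re.compile(r"^\[([+~\-])\]\s+(\S+::\S+)\s+(\S+)\s+(\S+)(?:\s+(replace|destroy))?\s*$")
# Matches property lines such as " └─ [~] ObjectLockEnabled (requires replacement)"
PROP_RE = re.compile(r"\[~\]\s+(\S+)\s+\(requires replacement\)")

def find_replacements(diff_text, stateful_types=STATEFUL_TYPES):
    """Return the stateful resources that cdk diff reports as replaced or destroyed."""
    findings, current = [], None
    for raw in diff_text.splitlines():
        line = raw.strip()
        m = RESOURCE_RE.match(line)
        if m:
            sign, rtype, path, logical_id, action = m.groups()
            if sign == "-":          # a removed resource is destroyed outright
                action = "destroy"
            current = None
            if action in ("replace", "destroy") and rtype in stateful_types:
                current = {"type": rtype, "path": path, "id": logical_id,
                           "action": action, "props": []}
                findings.append(current)
            continue
        pm = PROP_RE.search(line)
        if pm and current is not None:   # property that forced the replacement
            current["props"].append(pm.group(1))
    return findings

def gate(diff_text, stateful_types=STATEFUL_TYPES):
    """CI helper returning (ok, messages); ok is False when data-bearing resources are replaced."""
    findings = find_replacements(diff_text, stateful_types)
    messages = [f"{f['action']} of {f['type']} {f['id']} ({f['path']}), triggered by: "
                f"{', '.join(f['props']) or 'resource removal'}" for f in findings]
    return not findings, messages

# Constructed sample, modelled on the cdk diff output quoted in the issue.
SAMPLE_DIFF = """Resources
[~] AWS::S3::Bucket MyBucket MyBucketF68F3111 replace
 └─ [~] ObjectLockEnabled (requires replacement)
[+] AWS::SQS::Queue MyQueue MyQueue4BD9A11F
"""

if __name__ == "__main__":
    ok, messages = gate(SAMPLE_DIFF)
    print("OK" if ok else "BLOCKED:\n" + "\n".join(messages))
```

Pipe the output of `cdk diff` into `gate()` in CI and fail the job when `ok` is False; the messages name the property that triggered the replacement, which for the bucket above is ObjectLockEnabled.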

@tim-finnigan tim-finnigan added feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. effort/medium Medium work item – several days of effort labels Mar 14, 2024
@blimmer
Contributor Author

blimmer commented Mar 20, 2024

Sounds like they're working on this upstream: aws-cloudformation/cloudformation-coverage-roadmap#1929 (comment)
