From 879fc9450205d505b4c9a9076aafe10fc3bf8f48 Mon Sep 17 00:00:00 2001
From: gracelu0
Date: Mon, 26 Aug 2024 11:35:02 -0700
Subject: [PATCH] add unit test for oac permission levels
---
 .../lib/s3-bucket-origin.ts | 2 +
 .../test/s3-bucket-origin.test.ts | 66 +++++++++++++++++++
 2 files changed, 68 insertions(+)
diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts
index d179da96f408f..265f8bc83c3d4 100644
--- a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts
@@ -176,6 +176,8 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
 /**
 * Create a S3 Origin with Origin Access Identity (OAI) configured
+ * OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()`
+ * unless it is not supported in your required region (e.g. China regions).
 */
 public static withOriginAccessIdentity(bucket: IBucket, props?: S3BucketOriginWithOAIProps): cloudfront.IOrigin {
 return new class extends S3BucketOrigin {
diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts
index 088ac86511b66..8ab367500bcc9 100644
--- a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts
@@ -466,6 +466,72 @@ describe('S3BucketOrigin', () => {
 });
 });
 });
+ describe('when specifying READ, WRITE, and DELETE origin access levels', () => {
+ it('should add the correct permissions to bucket policy', () => {
+ const stack = new Stack();
+ const bucket = new s3.Bucket(stack, 'MyBucket');
+ const origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, {
+ originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE],
+ });
+ const distribution = new cloudfront.Distribution(stack, 'MyDistribution', {
+ defaultBehavior: { origin },
+ });
+ Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: [
+ 's3:GetObject',
+ 's3:PutObject',
+ 's3:DeleteObject',
+ ],
+ Effect: 'Allow',
+ Principal: {
+ Service: 'cloudfront.amazonaws.com',
+ },
+ Condition: {
+ StringEquals: {
+ 'AWS:SourceArn': {
+ 'Fn::Join': [
+ '',
+ [
+ 'arn:',
+ {
+ Ref: 'AWS::Partition',
+ },
+ ':cloudfront::',
+ {
+ Ref: 'AWS::AccountId',
+ },
+ ':distribution/',
+ {
+ Ref: 'MyDistribution6271DFB5',
+ },
+ ],
+ ],
+ },
+ },
+ },
+ Resource: {
+ 'Fn::Join': [
+ '',
+ [
+ {
+ 'Fn::GetAtt': [
+ 'MyBucketF68F3FF0',
+ 'Arn',
+ ],
+ },
+ '/*',
+ ],
+ ],
+ },
+ },
+ ],
+ },
+ });
+ })
+ })
 });
 describe('withOriginAccessIdentity', () => {
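Review bot: The last two added lines close the `it` and the new `describe` with a bare `})`, while every other closer in this file — including the surrounding context lines — is written `});`; change both to `});` so the file stays consistent and a `semi` lint rule, if the project enables one, does not reject the test. On the eighth added line `const distribution` is bound but never read — the Distribution is constructed only so that the bucket policy is synthesized — so `new cloudfront.Distribution(stack, 'MyDistribution', { defaultBehavior: { origin } });` without the binding avoids an unused-variable warning. The test itself is a good guard: the exact `Action` list pins that READ/WRITE/DELETE together grant only `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` to the `cloudfront.amazonaws.com` principal, scoped by `AWS:SourceArn` to this distribution. The enclosing `describe('S3BucketOrigin', …)` block starts outside the hunk.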