aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws_cloudfront: default S3 bucket for logging does not enable ACL access #27571

Open ghferrari opened 11 months ago

ghferrari commented 11 months ago

Describe the bug

When providing a logging configuration for a CloudFrontWebDistribution, it is optional to specify an S3 bucket - when not specified, one will be created by default. However, the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access". This means that the default S3 bucket configuration is broken.

Expected Behavior

I expected the default S3 bucket configuration to be suitable for CloudFrontWebDistribution logs and for no error to be produced.

Current Behavior

Relying on the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access".

Reproduction Steps

```python
from aws_cdk import aws_cloudfront as cloudfront, aws_s3 as s3

source_s3_bucket = s3.Bucket(...)

cloudfront.CloudFrontWebDistribution(
    self, "CloudFront",
    origin_configs=[
        cloudfront.SourceConfiguration(
            s3_origin_source=cloudfront.S3OriginConfig(
                s3_bucket_source=source_s3_bucket
            ),
            behaviors=[cloudfront.Behavior(is_default_behavior=True)]
        )
    ],
    viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    enabled=True,
    logging_config=cloudfront.LoggingConfiguration(
        # no bucket specified so cdk will create one by default
        include_cookies=False,
    ),
)
```

Possible Solution

According to https://github.com/aws/aws-cdk/issues/25358 the S3 bucket defaults were updated in April 2023 - this may be the cause of the problem.

To resolve the problem, the default S3 bucket configuration at https://github.com/aws/aws-cdk/blob/c445b8cc6e20d17e4a536f17262646b291a0fe36/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts#L962 must be updated to enable ACL access, as required by CloudFrontWebDistribution. In my own code, I create an S3 bucket manually and specify

```python
cloudfront_logs_bucket = s3.Bucket(
    self, "LogsBucket",
    access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE,
    ....
)
```

Additional Information/Context

No response

CDK CLI Version

2.101.0 (build cbaa50e)

Framework Version

Python package: aws-cdk-lib==2.101.0

Node.js Version

v18.18.2

OS

Debian Linux

Language

TypeScript, Python

Language Version

No response

Other information

No response
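A pre-deploy check for the failure mode described in this issue, added here as an example and not part of aws-cdk: it scans a synthesized CloudFormation template for CloudFront distributions whose log bucket has an effective ObjectOwnership that disables ACLs, treating a bucket with no OwnershipControls as BucketOwnerEnforced (the S3 default since April 2023). The sample template is constructed, and the check assumes the `Fn::GetAtt` form CDK emits for an in-stack logging bucket.

```python
import json

# Constructed sample (not real `cdk synth` output): the distribution's log
# bucket carries the post-April-2023 S3 default, BucketOwnerEnforced, which
# disables ACLs and triggers "does not enable ACL access" at deploy time.
SAMPLE_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}},
    "Dist": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"Enabled": True, "Logging": {
            "Bucket": {"Fn::GetAtt": ["LogsBucket", "RegionalDomainName"]}}}}},
}}

# ObjectOwnership values under which S3 still honours bucket and object ACLs.
ACL_ENABLED_OWNERSHIP = {"ObjectWriter", "BucketOwnerPreferred"}


def logging_bucket_id(dist_props):
    """Logical id of the bucket behind DistributionConfig.Logging.Bucket, or None.
    Assumes the Fn::GetAtt form CDK emits when the bucket lives in the same stack."""
    bucket = dist_props.get("DistributionConfig", {}).get("Logging", {}).get("Bucket")
    if isinstance(bucket, dict) and "Fn::GetAtt" in bucket:
        return bucket["Fn::GetAtt"][0]
    return None


def effective_ownership(bucket_props):
    """ObjectOwnership as S3 will apply it: absent OwnershipControls means the
    service default, which has been BucketOwnerEnforced since April 2023."""
    rules = bucket_props.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership", "BucketOwnerEnforced") if rules else "BucketOwnerEnforced"


def find_log_buckets_without_acl_access(template):
    """Map bucket logical id -> reason for every CloudFront log bucket whose
    effective ownership setting disables ACLs (the bug reported above)."""
    resources = template.get("Resources", {})
    findings = {}
    for res in resources.values():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        bucket_id = logging_bucket_id(res.get("Properties", {}))
        if bucket_id not in resources:
            continue  # bucket imported from elsewhere; cannot inspect it here
        ownership = effective_ownership(resources[bucket_id].get("Properties", {}))
        if ownership not in ACL_ENABLED_OWNERSHIP:
            findings[bucket_id] = f"ObjectOwnership={ownership} disables ACL access"
    return findings


if __name__ == "__main__":
    print(json.dumps(find_log_buckets_without_acl_access(SAMPLE_TEMPLATE), indent=2))
```

Run it against the JSON under `cdk.out/` after `cdk synth`; an empty result means every in-stack CloudFront log bucket still honours ACLs.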

khushail commented 11 months ago

@ghferrari, this was fixed by the introduction of this flag in this PR, which you need to enable in cdk.json:

```
"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
```

Let me know if it solves your issue.

github-actions[bot] commented 11 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

ghferrari commented 11 months ago

@khushail Thanks for the helpful reply and reference.

I will test this feature flag and it seems likely it will work around the problem.

However, I don't consider this workaround a fix for the problem - the CDK resource remains broken by default.

shellscape commented 8 months ago

@khushail I agree with @ghferrari. The default behavior is broken, and this flag is not accurately exposed in documentation as to be a visible first solution for the issue. I had to arrive at discovery of that flag by way of this issue, and not the documentation, which I arrived at following links in other issues. Please recognize the poor DX around this one.

abaschen commented 5 months ago

For me the flag is not correctly fixing the issue either. I understand why we don't want to passively change the default behaviour though. Creating a distribution with accessLog on a bucket then adding the correct policy will still yield the same ACL missing error.