ghferrari opened 11 months ago
@ghferrari , this was fixed by introduction of this flag in this PR which you need to enable in cdk.json
"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
Let me know if it solves your issue.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
@khushail Thanks for the helpful reply and reference.
I will test this feature flag and it seems likely it will workaround the problem.
However, I don't consider this workaround a fix for the problem - the CDK resource remains broken by default.
@khushail I agree with @ghferrari. The default behavior is broken, and this flag is not accurately exposed in documentation as to be a visible first solution for the issue. I had to arrive at discovery of that flag by way of this issue, and not the documentation, which I arrived at following links in other issues. Please recognize the poor DX around this one.
For me the flag is not correctly fixing the issue either. I understand why we don't want to passively change the default behaviour though. Creating a distribution with accessLog on a bucket then adding the correct policy will still yield the same ACL missing error.
Describe the bug
When providing a logging configuration for a CloudFrontWebDistribution, it is optional to specify an S3 bucket - when not specified, one will be created by default. However, the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access". This means that the default S3 bucket configuration is broken.
Expected Behavior
I expected the default S3 bucket configuration to be suitable for CloudFrontWebDistribution logs and for no error to be produced.
Current Behavior
Relying on the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access".
Reproduction Steps
Possible Solution
According to https://github.com/aws/aws-cdk/issues/25358 the S3 bucket defaults were updated in April 2023 - this may be the cause of the problem.
To resolve the problem, the default S3 bucket configuration at https://github.com/aws/aws-cdk/blob/c445b8cc6e20d17e4a536f17262646b291a0fe36/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts#L962 must be updated to enable ACL access, as required by CloudFrontWebDistribution. In my own code, I create an S3 bucket manually and specify
Additional Information/Context
No response
CDK CLI Version
2.101.0 (build cbaa50e)
Framework Version
Python package: aws-cdk-lib==2.101.0
Node.js Version
v18.18.2
OS
Debian Linux
Language
TypeScript, Python
Language Version
No response
Other information
No response
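A pre-deploy check for the misconfiguration described in the issue body, added here as an example (not code from the issue or from aws-cdk): it scans a synthesized CloudFormation template and flags any CloudFront distribution whose logging bucket has ObjectOwnership BucketOwnerEnforced or no OwnershipControls at all, the bucket state that produces the "does not enable ACL access" error. It assumes the logging bucket is referenced as Fn::GetAtt [LogicalId, RegionalDomainName], as CDK emits for a bucket in the same stack; the sample template, resource names and function names are constructed.

```typescript
// Added example, not from the issue or from aws-cdk. Checks a synthesized
// CloudFormation template for CloudFront logging buckets that do not allow
// ACLs. An absent OwnershipControls block is treated as BucketOwnerEnforced,
// the service default for new buckets since April 2023.
type Json = any;

interface Finding {
  distribution: string;
  bucket: string;
  objectOwnership: string;
}

// Logical id of the bucket behind Logging.Bucket, assuming the CDK form
// { "Fn::GetAtt": ["<LogicalId>", "RegionalDomainName"] }.
function loggingBucketId(logging: Json): string | undefined {
  const getAtt = logging?.Bucket?.["Fn::GetAtt"];
  return Array.isArray(getAtt) ? getAtt[0] : undefined;
}

function objectOwnershipOf(bucket: Json): string {
  const rules = bucket?.Properties?.OwnershipControls?.Rules ?? [];
  return rules[0]?.ObjectOwnership ?? "BucketOwnerEnforced"; // ACLs disabled
}

function findLogBucketsWithoutAcls(template: Json): Finding[] {
  const resources = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(resources) as [string, Json][]) {
    if (res.Type !== "AWS::CloudFront::Distribution") continue;
    const bucketId = loggingBucketId(res.Properties?.DistributionConfig?.Logging);
    if (!bucketId) continue;
    const ownership = objectOwnershipOf(resources[bucketId]);
    if (ownership === "BucketOwnerEnforced") {
      findings.push({ distribution: id, bucket: bucketId, objectOwnership: ownership });
    }
  }
  return findings;
}

// Constructed sample: BadLogs mirrors the failing default (no OwnershipControls);
// GoodLogs is the ObjectWriter configuration that CloudFront logging accepts.
const sampleTemplate = {
  Resources: {
    BadLogs: { Type: "AWS::S3::Bucket", Properties: {} },
    GoodLogs: { Type: "AWS::S3::Bucket", Properties: {
      OwnershipControls: { Rules: [{ ObjectOwnership: "ObjectWriter" }] } } },
    BadDist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
      Logging: { Bucket: { "Fn::GetAtt": ["BadLogs", "RegionalDomainName"] } } } } },
    GoodDist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
      Logging: { Bucket: { "Fn::GetAtt": ["GoodLogs", "RegionalDomainName"] } } } } },
  },
};
```

Run it against the output of `cdk synth` before deploying; any finding is a distribution that will fail with the ACL error at deploy time.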