(aws-cdk-lib/aws-s3): Too many BucketPolicy resources defined when defining/attaching BucketPolicy constructs to Buckets

[climbertjh2]

Describe the bug

Situation:

• Create two (2) Bucket constructs in a Stack
• Create two (2) BucketPolicy constructs in the same Stack
• Identify one of the buckets as an "access logging" bucket for the other bucket.

Result:

• three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
• all three wind up getting created when the Stack is deployed
• two of the three point to the same AWS S3 bucket
• net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
• The resulting BucketPolicy does not match what is defined in the CDK application.

Expected Behavior

Expected Behavior is either:

• a) only the explicitly indicated BucketPolicy is created
• b) the implicitly created BucketPolicy and the explicitly created BucketPolicy is what is synthesized/deployed
• c) an error is indicated that the explicit BucketPolicy would NOT be appropriate if it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)

Current Behavior

Result:

• three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
• all three wind up getting created when the Stack is deployed
• two of the three point to the same AWS S3 bucket
• net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
• The resulting BucketPolicy does not match what is defined in the CDK application.

Reproduction Steps

See above.

Possible Solution

Suggested Behavior:

• c) an error is indicated that the explicit BucketPolicy is NOT appropriate since it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)

Or a recommendation to use .addToResourcePolicy() rather than creating explicit BucketPolicy constructs.

Additional Information/Context

Sample code can be provided on request.

CDK CLI Version

2.141.0

Framework Version

aws-cdk-lib@2.138.0

Node.js Version

v20.12.2

OS

MacOS

Language

TypeScript

Language Version

typescript@5.3.3

Other information

No response

[khushail]

Hi @climbertjh2 , Thanks for reaching out. Could you please provide the minimum sample code for repro of this issue ?

[github-actions[bot]]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.