add unit test for oac permission levels

aws · Aug 26, 2024 · 879fc94 · 879fc94
1 parent 1de0c6a
commit 879fc94
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts
@@ -176,6 +176,8 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
 
   /**
    * Create a S3 Origin with Origin Access Identity (OAI) configured
+   * OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()`
+   * unless it is not supported in your required region (e.g. China regions).
    */
   public static withOriginAccessIdentity(bucket: IBucket, props?: S3BucketOriginWithOAIProps): cloudfront.IOrigin {
     return new class extends S3BucketOrigin {

diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts
@@ -466,6 +466,72 @@ describe('S3BucketOrigin', () => {
         });
       });
     });
+    describe('when specifying READ, WRITE, and DELETE origin access levels', () => {
+      it('should add the correct permissions to bucket policy', () => {
+        const stack = new Stack();
+        const bucket = new s3.Bucket(stack, 'MyBucket');
+        const origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, {
+          originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE],
+        });
+        const distribution = new cloudfront.Distribution(stack, 'MyDistribution', {
+          defaultBehavior: { origin },
+        });
+        Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', {
+          PolicyDocument: {
+            Statement: [
+              {
+                Action: [
+                  's3:GetObject',
+                  's3:PutObject',
+                  's3:DeleteObject',
+                ],
+                Effect: 'Allow',
+                Principal: {
+                  Service: 'cloudfront.amazonaws.com',
+                },
+                Condition: {
+                  StringEquals: {
+                    'AWS:SourceArn': {
+                      'Fn::Join': [
+                        '',
+                        [
+                          'arn:',
+                          {
+                            Ref: 'AWS::Partition',
+                          },
+                          ':cloudfront::',
+                          {
+                            Ref: 'AWS::AccountId',
+                          },
+                          ':distribution/',
+                          {
+                            Ref: 'MyDistribution6271DFB5',
+                          },
+                        ],
+                      ],
+                    },
+                  },
+                },
+                Resource: {
+                  'Fn::Join': [
+                    '',
+                    [
+                      {
+                        'Fn::GetAtt': [
+                          'MyBucketF68F3FF0',
+                          'Arn',
+                        ],
+                      },
+                      '/*',
+                    ],
+                  ],
+                },
+              },
+            ],
+          },
+        });
+      })
+    })
   });
 
   describe('withOriginAccessIdentity', () => {