fix

widdix · Aug 18, 2023 · 0253e46 · 0253e46
1 parent 6e03523
commit 0253e46
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/state/s3.yaml b/state/s3.yaml
@@ -158,7 +158,7 @@ Conditions:
   HasLambdaFunctionFilterPrefix: !Not [!Equals [!Ref LambdaFunctionFilterPrefix, '']]
   HasBlockPublicAccess: !Not [!Or [!Condition HasPublicReadAccess, !Condition HasPublicWriteAccess]]
   HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']]
-  HasCloudFrontAccessLogWriteOrNotBlockPublicAccess: !Or [!Condition HasCloudFrontAccessLogWrite, !Not [!Condition HasBlockPublicAccess]]
+  HasBucketOwnerPreferred: !Or [!Condition HasCloudFrontAccessLogWrite, !Condition [HasS3AccessLogWrite], !Not [!Condition HasBlockPublicAccess]]
 Resources:
   Bucket: # cannot be deleted with data
     Type: 'AWS::S3::Bucket'
@@ -183,7 +183,7 @@ Resources:
         - !If [HasLambdaFunctionArn, {Event: !Ref LambdaFunctionEvent, Function: !Ref LambdaFunctionArn, Filter: !If [HasLambdaFunctionFilterPrefix, {S3Key: {Rules: [{Name: prefix, Value: !Ref LambdaFunctionFilterPrefix}]}}, !Ref 'AWS::NoValue']}, !Ref 'AWS::NoValue']
         QueueConfigurations:
         - !If [HasS3VirusScan, {Event: 's3:ObjectCreated:*', Queue: {'Fn::ImportValue': !Sub '${ParentS3VirusScanStack}-ScanQueueArn'}}, !Ref 'AWS::NoValue']
-      OwnershipControls: !If [HasCloudFrontAccessLogWriteOrNotBlockPublicAccess, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}]
+      OwnershipControls: !If [HasBucketOwnerPreferred, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}]
       PublicAccessBlockConfiguration: !If [HasBlockPublicAccess, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, {BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: false}] # AWS Foundational Security Best Practices v1.0.0 S3.8
       VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
       BucketEncryption:

diff --git a/test/src/test/java/de/widdix/awscftemplates/state/TestS3.java b/test/src/test/java/de/widdix/awscftemplates/state/TestS3.java
@@ -71,7 +71,29 @@ public void testCloudTrailWrite() {
 
     @Test
     public void testVpcEndpointRead() {
-        this.test("VpcEndpointRead");
+        final Context context = new Context();
+        final String vpcStackName = "vpc-" + this.random8String();
+        final String vpcEndpointStackName = "vpc-endpoint-" + this.random8String();
+        final String stackName = "s3-" + this.random8String();
+        try {
+            this.createStack(context, vpcStackName, "vpc/vpc-2azs.yaml");
+            try {
+                this.createStack(context, vpcEndpointStackName, "vpc/vpc-endpoint-s3.yaml",
+                        new Parameter().withParameterKey("ParentVPCStack").withParameterValue(vpcStackName));
+                try {
+                    this.createStack(context, stackName, "state/s3.yaml",
+                            new Parameter().withParameterKey("ParentVpcEndpointStack").withParameterValue(vpcEndpointStackName),
+                            new Parameter().withParameterKey("Access").withParameterValue("VpcEndpointRead"));
+                    // TODO how can we check if this stack works?
+                } finally {
+                    this.deleteStack(context, stackName);
+                }
+            } finally {
+                this.deleteStack(context, vpcEndpointStackName);
+            }
+        } finally {
+            this.deleteStack(context, vpcStackName);
+        }
     }
 
     @Test