fix(s3): updating blockPublicAccess to enable default true settings (…

…under feature flag)
aws · Feb 27, 2025 · 087488a · 087488a
1 parent 340c231
commit 087488a
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 8 deletions.
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-access.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-access.ts
@@ -1,8 +1,13 @@
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { App, Stack } from 'aws-cdk-lib';
 import { BlockPublicAccess, Bucket } from 'aws-cdk-lib/aws-s3';
+import { S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE } from 'aws-cdk-lib/cx-api';
 
-const app = new App();
+const app = new App({
+  context: {
+    [S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE]: true,
+  },
+});
 
 const stack = new Stack(app, 'aws-cdk-s3-bucket-block-access');
 

diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -90,7 +90,7 @@ Flags come in three types:
 | [@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections](#aws-cdkaws-iamoidcrejectunauthorizedconnections) | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | 2.177.0 | (fix) |
 | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | 2.178.0 | (config) |
 | [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
-| [@aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue](#aws-cdkaws-s3blockpublicaccessoptionautotrue) | When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined. | V2NEXT | (fix) |
+| [@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue](#aws-cdkaws-s3blockpublicaccessoptionautotrue) | When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined. | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -169,7 +169,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
     "@aws-cdk/core:enableAdditionalMetadataCollection": true,
     "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
-    "@aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue": true
+    "@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue": true
   }
 }
 ```
@@ -1707,7 +1707,7 @@ This solves an issue where a circular dependency could occur if adding lambda to
 | 2.180.0 | `false` | `true` |
 
 
-### @aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue
+### @aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue
 
 *When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined.* (fix)
 

diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md
@@ -629,7 +629,7 @@ _cdk.json_
 }
 ```
 
-* `@aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue`
+* `@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue`
 
 When BlockPublicAccess is not set at all, s3's default behavior will be to set all options to true in aws console. 
 The previous behavior in cdk before this feature was; if only some of the BlockPublicAccessOptions were set (not all 4), then the ones undefined would default to false.
@@ -641,7 +641,7 @@ _cdk.json_
 ```json
 {
   "context": {
-    "@aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue": true
+    "@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue": true
   }
 }
 ```
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts
@@ -124,7 +124,7 @@ export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@
 export const IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS = '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections';
 export const ENABLE_ADDITIONAL_METADATA_COLLECTION = '@aws-cdk/core:enableAdditionalMetadataCollection';
 export const LAMBDA_CREATE_NEW_POLICIES_WITH_ADDTOROLEPOLICY = '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy';
-export const S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE = '@aws-cdk/aws-s3BlockPublicAccessOptionAutoTrue';
+export const S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE = '@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue';
 
 export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////

diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json
@@ -65,5 +65,6 @@
   "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
   "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
   "@aws-cdk/core:enableAdditionalMetadataCollection": true,
-  "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true
+  "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
+  "@aws-cdk/aws-s3:blockPublicAccessOptionAutoTrue": true
 }