S3BucketOrigin.withOriginAccessControl: support for cross-stack (bucket and distribution in separate stacks)

[Huink7]

Describe the feature

Issue#21771 recently implemented an L2 construct solution for OAC, which is fantastic! However, for my use case it creates a cyclical dependency between our CloudFront Stack distribution Resource.Ref and a separate stack's bucket Resource.RegionalDomainName, where withOriginAccessIdentity does not.

Is it possible to allow buckets created outside of the CloudFront Distribution stack to work with the updated L2 as it does for the OAI implementation https://github.com/aws/aws-cdk/blob/v2.158.0/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts#L228?

I did double check that moving the bucket to the same stack resolved the cyclical dependency error, but that resolution will not work for our use case.

Use Case

Unfortunately I am unable to link my code source as its a private emu.
Bucket is created in Stack A
Distribution is created in Stack B referencing bucket from Stack A.

Use case currently works with S3Origin, as well as the updated S3BucketOrigin.withOriginAccessIdentity.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.158.0

Environment details (OS name and version, etc.)

Mac OS Sonoma 14.6.1

[ashishdhingra]

@Huink7 Good afternoon. Could you please share the minimal reproducible code to reproduce the issue? I'm unsure if I understand your issue correctly, does adding dependency on Stack A which creates the bucket while creating Stack B (e.g. stackB.addDependency(stackA) works for your use case? The below code works for me:

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

const app = new cdk.App();

class StackA extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bucket = new Bucket(this, 'testbucket', {
      bucketName: 'testbucket-issue31462',
      removalPolicy: cdk.RemovalPolicy.DESTROY // For testing purposes.
    });

    new cdk.CfnOutput(this, 's3Bucket', {
      value: bucket.bucketArn,
      exportName: 'bucketArn'
    });
  }
}

class StackB extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bucketArn = cdk.Fn.importValue('bucketArn');
    const bucket = Bucket.fromBucketArn(this, 'S3bucket', bucketArn);
    const origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, {
      originAccessControl: new cloudfront.S3OriginAccessControl(this, 'MyOac'),
      originAccessLevels: [cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.READ],
      originPath: '/pathA',
      connectionTimeout: cdk.Duration.seconds(10),
      connectionAttempts: 2,
      customHeaders: { headerA: 'headerAValue' },
      originShieldRegion: process.env.CDK_DEFAULT_REGION, // 'us-east-2',
      originShieldEnabled: true,
      originId: 'originIdA',
    });

    new cloudfront.Distribution(this, 'MyDistributionA', {
      defaultBehavior: { origin: origin },
    });
  }
}

const stackA = new StackA(app, 'StackA');
const stackB = new StackB(app, 'StackB');
stackB.addDependency(stackA);

Thanks,
Ashish

[Huink7]

Unfortunately I am not allowed to share the code I am working with. The comments here https://github.com/aws/aws-cdk/blob/v2.158.0/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts#L228 do a pretty good job of describing (what I thought was) the issue. The readme for S3BucketOrigin.withOriginAccessControl says that its plug and play from S3Origin, but it runs into the cyclical dependency error below when I replace the deprecated S3Origin.

Error: 'dev/Stack-Primary' depends on 'dev/Stack-CloudFront' (dev/Stack-Primary -> dev/Stack-CloudFront/distribution/Resource.Ref). Adding this dependency (dev/Stack-CloudFront -> dev/Stack-Primary/static-error-pages/Resource.RegionalDomainName) would create a cyclic reference.

using S3BucketOrigin.withOriginAccessIdentity works as expected.
Because it seems to already have the dependency on the other stack, using addDependency(StackA) produced an identical result

[ashishdhingra]

Unfortunately I am not allowed to share the code I am working with. The comments here https://github.com/aws/aws-cdk/blob/v2.158.0/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts#L228 do a pretty good job of describing (what I thought was) the issue. The readme for S3BucketOrigin.withOriginAccessControl says that its plug and play from S3Origin, but it runs into the cyclical dependency error below when I replace the deprecated S3Origin.

Error: 'dev/Stack-Primary' depends on 'dev/Stack-CloudFront' (dev/Stack-Primary -> dev/Stack-CloudFront/distribution/Resource.Ref). Adding this dependency (dev/Stack-CloudFront -> dev/Stack-Primary/static-error-pages/Resource.RegionalDomainName) would create a cyclic reference.

using S3BucketOrigin.withOriginAccessIdentity works as expected. Because it seems to already have the dependency on the other stack, using addDependency(StackA) produced an identical result

@Huink7 Good morning. I'm unsure if it's feasible to reproduce the issue without the minimal reproducible code. Your scenario appears to be setting up OAC with imported S3 buckets since it is defined in a different stack. Kindly confirm. Based on Setting up OAC with imported S3 buckets, you will need to update the S3 bucket policy manually to allow the OAC to access the S3 origin since CDK apps cannot modify the configuration of imported buckets.

Thanks,
Ashish

[pahud]

export class S3BucketStack extends cdk.Stack {
  public readonly bucket: s3.Bucket;
  public readonly oac: cloudfront.S3OriginAccessControl;

  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create the S3 bucket
    this.bucket = new s3.Bucket(this, 'Bucket');

  }
}


export interface CloudFrontStackProps extends StackProps {
  bucket: s3.IBucket;
}
// CloudFront Distribution Stack
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props: CloudFrontStackProps) {
    super(scope, id, props);

    // Create the Origin Access Control (OAC)
    const originAccessControl = new cloudfront.S3OriginAccessControl(this, 'MyOAC', {
      signing: cloudfront.Signing.SIGV4_NO_OVERRIDE
    });

    // Get the S3 bucket and OAC from the S3 Bucket stack
    const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(props.bucket, {
      originAccessControl,
    });

    // Create the CloudFront distribution
    new cloudfront.Distribution(this, 'Distribution', {
      defaultBehavior: {
        origin: s3Origin
      }
    });
  }
}

app.ts

const app = new cdk.App();

const bucketStack = new S3BucketStack(app, 'bucket-stack');
new CloudFrontStack(app, 'cloudfront-stack', {
  bucket: bucketStack.bucket,
});

Error: 'bucket-stack' depends on 'cloudfront-stack' (bucket-stack -> cloudfront-stack/Distribution/Resource.Ref). Adding this dependency (cloudfront-stack -> bucket-stack/Bucket/Resource.RegionalDomainName) would create a cyclic reference.
at CloudFrontStack._addAssemblyDependency

Reproducible. Obviously bucket stack requires the distribution ID to update the bucket policy while cloudfront stack requires the RegionalDomainName from bucket stack.

At this moment the bucket and distribution have to be in the same stack but we should support different stack as well. This is arguable a p1 but I am making it a p2 tentatively. We'll bring this up to the team for discussion.