fix for Log Archive Bucket Resource Policies being overwritten (#921)

* fix for logarchive bucket updates

* prettier

Author: rjjaegeraws

src/lib/custom-resources/cdk-s3-update-logarchive-bucket-policy/cdk/index.ts

@@ -26,6 +26,7 @@ export interface LogArchiveReadAccessProps {
   aesLogBucket: s3.IBucket;
   removalPolicy?: cdk.RemovalPolicy;
   acceleratorPrefix: string;
+  forceUpdate?: boolean;
 }
 
 /**
@@ -54,6 +55,12 @@ export class S3UpdateLogArchivePolicy extends cdk.Construct {
       aesLogBucketName: this.props.aesLogBucket.bucketName,
     };
 
+    const forceUpdate = this.props.forceUpdate ?? true;
+    if (forceUpdate) {
+      // Add a dummy value that is a random number to update the resource every time
+      handlerProperties.forceUpdate = Math.round(Math.random() * 1000000);
+    }
+
     this.resource = new cdk.CustomResource(this, 'Resource', {
       resourceType,
       serviceToken: this.lambdaFunction.functionArn,

src/lib/custom-resources/cdk-s3-update-logarchive-bucket-policy/runtime/src/index.ts

@@ -28,6 +28,7 @@ export interface HandlerProperties {
   logBucketKmsKeyArn: string | undefined;
   aesLogBucketArn: string;
   aesLogBucketName: string;
+  forceUpdate?: number;
 }
 
 export const handler = errorHandler(onEvent);
@@ -215,7 +216,14 @@ async function onCreate(event: CloudFormationCustomResourceCreateEvent) {
 
 async function onUpdate(event: CloudFormationCustomResourceUpdateEvent) {
   const props = getPropertiesFromEvent(event);
-  await createOrUpdateBucketPolicy(props);
+
+  if (props.forceUpdate !== undefined) {
+    console.log('onUpdate forceUpdate true');
+    await createOrUpdateBucketPolicy(props);
+  } else {
+    console.log('onUpdate skipped');
+  }
+
   return { physicalResourceId: event.PhysicalResourceId };
 }