chore(release): v2.143.1 (#30377)

See [CHANGELOG](https://github.com/aws/aws-cdk/pull/30377/files#diff-9e3d5c5da890b65a67bf632f93416744d5b76f6eb239e42ab714c7768429ff99)

Author: mergify[bot]

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.143.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.143.0-alpha.0...v2.143.1-alpha.0) (2024-05-30)
+
 ## [2.143.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.142.1-alpha.0...v2.143.0-alpha.0) (2024-05-23)
 
 ## [2.142.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.142.0-alpha.0...v2.142.1-alpha.0) (2024-05-17)

CHANGELOG.v2.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.143.1](https://github.com/aws/aws-cdk/compare/v2.143.0...v2.143.1) (2024-05-30)
+
+
+### Reverts
+
+* fix(ses-actions): permissions too wide for S3 action ([#30375](https://github.com/aws/aws-cdk/issues/30375)) ([6c716c6](https://github.com/aws/aws-cdk/commit/6c716c68ec2a222a1262577942ffde42002d2f44))
+
 ## [2.143.0](https://github.com/aws/aws-cdk/compare/v2.142.1...v2.143.0) (2024-05-23)
 
 

packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json

@@ -86,35 +86,8 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:SourceAccount": {
+         "aws:Referer": {
           "Ref": "AWS::AccountId"
-         },
-         "aws:SourceArn": {
-          "Fn::Join": [
-           "",
-           [
-            "arn:",
-            {
-             "Ref": "AWS::Partition"
-            },
-            ":ses:",
-            {
-             "Ref": "AWS::Region"
-            },
-            ":",
-            {
-             "Ref": "AWS::AccountId"
-            },
-            ":receipt-rule-set/",
-            {
-             "Ref": "RuleSetE30C6C48"
-            },
-            ":receipt-rule/",
-            {
-             "Ref": "RuleSetFirstRule0A27C8CC"
-            }
-           ]
-          ]
          }
         }
        },
@@ -313,6 +286,7 @@
     }
    },
    "DependsOn": [
+    "BucketPolicyE9A3008A",
     "FunctionAllowSes1829904A"
    ]
   },

packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json

@@ -42,12 +42,32 @@ export interface S3Props {
  * a notification to Amazon SNS.
  */
 export class S3 implements ses.IReceiptRuleAction {
-  private rule?: ses.IReceiptRule;
+
   constructor(private readonly props: S3Props) {
   }
 
   public bind(rule: ses.IReceiptRule): ses.ReceiptRuleActionConfig {
-    this.rule = rule;
+    // Allow SES to write to S3 bucket
+    // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
+    const keyPattern = this.props.objectKeyPrefix || '';
+    const s3Statement = new iam.PolicyStatement({
+      actions: ['s3:PutObject'],
+      principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
+      resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
+      conditions: {
+        StringEquals: {
+          'aws:Referer': cdk.Aws.ACCOUNT_ID,
+        },
+      },
+    });
+    this.props.bucket.addToResourcePolicy(s3Statement);
+
+    const policy = this.props.bucket.node.tryFindChild('Policy') as s3.BucketPolicy;
+    if (policy) { // The bucket could be imported
+      rule.node.addDependency(policy);
+    } else {
+      cdk.Annotations.of(rule).addWarningV2('@aws-cdk/s3:AddBucketPermissions', 'This rule is using a S3 action with an imported bucket. Ensure permission is given to SES to write to that bucket.');
+    }
 
     // Allow SES to use KMS master key
     // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-kms
@@ -79,41 +99,4 @@ export class S3 implements ses.IReceiptRuleAction {
       },
     };
   }
-
-  /**
-   * Generate and apply the receipt rule action statement
-   *
-   * @param ruleSet The rule set the rule is being added to
-   * @internal
-   */
-  public _applyPolicyStatement(receiptRuleSet: ses.IReceiptRuleSet): void {
-    if (!this.rule) {
-      throw new Error('Cannot apply policy statement before binding the action to a receipt rule');
-    }
-
-    // Allow SES to write to S3 bucket
-    // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
-    const keyPattern = this.props.objectKeyPrefix || '';
-    const s3Statement = new iam.PolicyStatement({
-      actions: ['s3:PutObject'],
-      principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
-      resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
-      conditions: {
-        StringEquals: {
-          'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
-          'aws:SourceArn': cdk.Arn.format({
-            partition: cdk.Aws.PARTITION,
-            service: 'ses',
-            region: cdk.Aws.REGION,
-            account: cdk.Aws.ACCOUNT_ID,
-            resource: [
-              `receipt-rule-set/${receiptRuleSet.receiptRuleSetName}`,
-              `receipt-rule/${this.rule.receiptRuleName}`,
-            ].join(':'),
-          }),
-        },
-      },
-    });
-    this.props.bucket.addToResourcePolicy(s3Statement);
-  }
 }

packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json

@@ -190,26 +190,9 @@ test('add s3 action', () => {
           Action: 's3:PutObject',
           Condition: {
             StringEquals: {
-              'aws:SourceAccount': {
+              'aws:Referer': {
                 Ref: 'AWS::AccountId',
               },
-              'aws:SourceArn': {
-                'Fn::Join': [
-                  '',
-                  [
-                    'arn:',
-                    { Ref: 'AWS::Partition' },
-                    ':ses:',
-                    { Ref: 'AWS::Region' },
-                    ':',
-                    { Ref: 'AWS::AccountId' },
-                    ':receipt-rule-set/',
-                    { Ref: 'RuleSetE30C6C48' },
-                    ':receipt-rule/',
-                    { Ref: 'RuleSetRule0B1D6BCA' },
-                  ],
-                ],
-              },
             },
           },
           Effect: 'Allow',

packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json

@@ -1,5 +1,4 @@
 import { IReceiptRule } from './receipt-rule';
-import { IReceiptRuleSet } from './receipt-rule-set';
 
 /**
  * An abstract action for a receipt rule.
@@ -10,13 +9,6 @@ export interface IReceiptRuleAction {
    */
   bind(receiptRule: IReceiptRule): ReceiptRuleActionConfig;
 
-  /**
-   * Generate and apply the receipt rule action statement
-   *
-   * @param ruleSet The rule set the rule is being added to
-   * @internal
-   */
-  _applyPolicyStatement?(ruleSet: IReceiptRuleSet): void;
 }
 
 /**

packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts

@@ -112,10 +112,7 @@ export class ReceiptRule extends Resource implements IReceiptRule {
   }
 
   public readonly receiptRuleName: string;
-
-  private readonly ruleSet: IReceiptRuleSet;
-  private readonly actions: IReceiptRuleAction[] = [];
-  private readonly actionProperties: CfnReceiptRule.ActionProperty[] = [];
+  private readonly actions = new Array<CfnReceiptRule.ActionProperty>();
 
   constructor(scope: Construct, id: string, props: ReceiptRuleProps) {
     super(scope, id, {
@@ -136,7 +133,6 @@ export class ReceiptRule extends Resource implements IReceiptRule {
     });
 
     this.receiptRuleName = resource.ref;
-    this.ruleSet = props.ruleSet;
 
     for (const action of props.actions || []) {
       this.addAction(action);
@@ -147,20 +143,15 @@ export class ReceiptRule extends Resource implements IReceiptRule {
    * Adds an action to this receipt rule.
    */
   public addAction(action: IReceiptRuleAction) {
-    this.actions.push(action);
-    this.actionProperties.push(action.bind(this));
+    this.actions.push(action.bind(this));
   }
 
   private renderActions() {
-    if (this.actionProperties.length === 0) {
+    if (this.actions.length === 0) {
       return undefined;
     }
 
-    for (const action of this.actions) {
-      action._applyPolicyStatement?.(this.ruleSet);
-    }
-
-    return this.actionProperties;
+    return this.actions;
   }
 }
 

packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts

@@ -1,4 +1,4 @@
 {
-  "version": "2.143.0",
-  "alphaVersion": "2.143.0-alpha.0"
+  "version": "2.143.1",
+  "alphaVersion": "2.143.1-alpha.0"
 }