aws-solutions
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎source/infrastructure/cdk.json‎
Lines changed: 1 addition & 1 deletion b/‎source/infrastructure/cdk.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎source/infrastructure/lib/s3web/static-site.ts‎
Lines changed: 56 additions & 69 deletions b/‎source/infrastructure/lib/s3web/static-site.ts‎
Lines changed: 56 additions & 69 deletions
diff --git a/‎source/infrastructure/lib/s3web/ui-asset.ts‎
Lines changed: 1 addition & 0 deletions b/‎source/infrastructure/lib/s3web/ui-asset.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎source/infrastructure/lib/workflow/standard/standard-workflow.ts‎
Lines changed: 1 addition & 1 deletion b/‎source/infrastructure/lib/workflow/standard/standard-workflow.ts‎
Lines changed: 1 addition & 1 deletion
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.4] - 2024-01-11
+
+### Updated
+
+- AWS CDK and SDK upgrades
+- Fix an intermittent issue in AWS CloudFormation by setting explicit dependencies between resources
+
 ## [1.0.3] - 2023-12-07
 
 ### Updated
 
@@ -62,7 +62,7 @@
     "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
     "solution_id": "SO0281",
     "solution_name": "enhanced-document-understanding-on-aws",
-    "solution_version": "v1.0.3",
+    "solution_version": "v1.0.4",
     "app_namespace": "app.idp",
     "app_registry_name": "enhanced-document-understanding",
     "application_type": "AWS-Solutions",
 
@@ -19,7 +19,6 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
-import * as crypto from 'crypto';
 
 /**
  * Interface that defines properties required for the Static Website
@@ -107,7 +106,62 @@ export class StaticWebsite extends Construct {
                 defaultRootObject: 'login.html'
             }
         });
-        cloudfrontToS3.cloudFrontLoggingBucket?.node.addDependency(bucketPolicyUpdateCustomResource);
+
+        const cloudFrontLogsLoggingPrefix = 'cloudfrontlogs-logging';
+
+        const cloudFrontLoggingUpdateBucketPolicy = new cdk.CustomResource(
+            this,
+            'CloudFrontLoggingUpdateBucketPolicy',
+            {
+                resourceType: 'Custom::UpdateBucketPolicy',
+                serviceToken: props.customResourceLambdaArn,
+                properties: {
+                    Resource: 'UPDATE_BUCKET_POLICY',
+                    SOURCE_BUCKET_NAME: cloudfrontToS3.cloudFrontLoggingBucket?.bucketName,
+                    LOGGING_BUCKET_NAME: props.accessLoggingBucket.bucketName,
+                    SOURCE_PREFIX: cloudFrontLogsLoggingPrefix
+                }
+            }
+        );
+
+        cloudFrontLoggingUpdateBucketPolicy.node.addDependency(bucketPolicyForLambda);
+
+        const cfnCloudFrontLoggingBucket = cloudfrontToS3.cloudFrontLoggingBucket?.node.defaultChild as s3.CfnBucket;
+        cfnCloudFrontLoggingBucket.addPropertyOverride('LoggingConfiguration', {
+            DestinationBucketName: {
+                'Fn::Select': [
+                    0,
+                    {
+                        'Fn::Split': [
+                            '/',
+                            {
+                                'Fn::Select': [
+                                    5,
+                                    {
+                                        'Fn::Split': [
+                                            ':',
+                                            {
+                                                'Ref': 'AccessLoggingBucketArn'
+                                            }
+                                        ]
+                                    }
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            },
+            LogFilePrefix: `${cloudFrontLogsLoggingPrefix}/`
+        });
+        // disabling versioning, since it was disabled in a previous release, enabling
+        // versioning now will create a new bucket with an update from the previous version
+        cfnCloudFrontLoggingBucket.addPropertyDeletionOverride('VersioningConfiguration');
+
+        cloudfrontToS3.node.tryFindChild('CloudfrontLoggingBucketAccessLog')?.node.tryRemoveChild('Resource');
+        cloudfrontToS3.node
+            .tryFindChild('CloudfrontLoggingBucketAccessLog')
+            ?.node.tryFindChild('Policy')
+            ?.node.tryRemoveChild('Resource');
 
         const cloudfrontFunction = cloudfrontToS3.node
             .tryFindChild('SetHttpSecurityHeaders')
@@ -120,73 +174,6 @@ export class StaticWebsite extends Construct {
         );
 
         this.cloudFrontDistribution = cloudfrontToS3.cloudFrontWebDistribution;
-        this.cloudFrontDistribution.node
-            .tryFindChild('Origin1')
-            ?.node.tryFindChild('S3Origin')
-            ?.node.tryRemoveChild('Resource');
-
-        const originAccessControl = new cloudfront.CfnOriginAccessControl(this, 'OAC', {
-            originAccessControlConfig: {
-                name: `BucketOriginAccessControl-${cdk.Aws.REGION}`,
-                originAccessControlOriginType: 's3',
-                signingBehavior: 'always',
-                signingProtocol: 'sigv4'
-            }
-        });
-
-        // prettier-ignore
-        let l1CloudFrontDistribution = this.cloudFrontDistribution.node.defaultChild as cdk.aws_cloudfront.CfnDistribution;
-        // prettier-ignore
-        l1CloudFrontDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', originAccessControl.getAtt('Id'));
-        // prettier-ignore
-        l1CloudFrontDistribution.addPropertyOverride('DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity', '');
-
-        this.node.tryFindChild('CloudfrontLoggingBucket')?.node.tryRemoveChild('Resource');
-        this.node.tryFindChild('CloudfrontLoggingBucket')?.node.tryFindChild('Policy')?.node.tryRemoveChild('Resource');
-
-        let l1BucketPolicy = this.webS3Bucket.node.tryFindChild('Policy')?.node.defaultChild as s3.CfnBucketPolicy;
-        l1BucketPolicy.addPropertyOverride('PolicyDocument', {
-            Statement: [
-                {
-                    Action: 's3:*',
-                    Condition: {
-                        Bool: {
-                            'aws:SecureTransport': 'false'
-                        }
-                    },
-                    Effect: 'Deny',
-                    Principal: {
-                        AWS: '*'
-                    },
-                    Resource: [`${this.webS3Bucket.bucketArn}`, `${this.webS3Bucket.bucketArn}/*`]
-                },
-                {
-                    Action: 's3:GetObject',
-                    Condition: {
-                        StringEquals: {
-                            'AWS:SourceArn': {
-                                'Fn::Join': [
-                                    '',
-                                    [
-                                        'arn:',
-                                        `${cdk.Aws.PARTITION}`,
-                                        ':cloudfront::',
-                                        `${cdk.Aws.ACCOUNT_ID}`,
-                                        ':distribution/',
-                                        `${this.cloudFrontDistribution.distributionId}`
-                                    ]
-                                ]
-                            }
-                        }
-                    },
-                    Effect: 'Allow',
-                    Principal: {
-                        Service: 'cloudfront.amazonaws.com'
-                    },
-                    Resource: `${this.webS3Bucket.bucketArn}/*`
-                }
-            ]
-        });
 
         // prettier-ignore
         new cdk.CfnOutput(cdk.Stack.of(this), 'WebUrl', { // NOSONAR - Typescript construct instantiation
 
@@ -109,6 +109,7 @@ export class UIAssets extends cdk.NestedStack {
                 })
             ]
         });
+        customResourceWebsiteBucketPolicy.node.addDependency(this.staticWebsite.webS3Bucket);
         customResourceWebsiteBucketPolicy.attachToRole(customResourceRole);
 
         const ssmParameterPolicy = new iam.Policy(this, 'SSMAccessPolicy', {
 
@@ -237,7 +237,7 @@ export class StandardWorkflow extends AbstractWorkflow {
                 throw new Error('Invalid workflowType');
         }
 
-        this.map.iterator(mapIteratorState);
+        this.map.iterator(mapIteratorState); // NOSONAR -typescript:S1874 - in backlog to upgrade with a future release
         this.map.next(this.setStatusValue(WorkflowStatus.SUCCESS)).next(this.publishInferenceTask);
 
         return sfn.Chain.start(
Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,7 @@ export class UIAssets extends cdk.NestedStack {`
`109`	`109`	`})`
`110`	`110`	`]`
`111`	`111`	`});`
	`112`	`+ customResourceWebsiteBucketPolicy.node.addDependency(this.staticWebsite.webS3Bucket);`
`112`	`113`	`customResourceWebsiteBucketPolicy.attachToRole(customResourceRole);`
`113`	`114`
`114`	`115`	`const ssmParameterPolicy = new iam.Policy(this, 'SSMAccessPolicy', {`
Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@ export class StandardWorkflow extends AbstractWorkflow {`
`237`	`237`	`throw new Error('Invalid workflowType');`
`238`	`238`	`}`
`239`	`239`
`240`		`- this.map.iterator(mapIteratorState);`
	`240`	`+ this.map.iterator(mapIteratorState); // NOSONAR -typescript:S1874 - in backlog to upgrade with a future release`
`241`	`241`	`this.map.next(this.setStatusValue(WorkflowStatus.SUCCESS)).next(this.publishInferenceTask);`
`242`	`242`
`243`	`243`	`return sfn.Chain.start(`