How to copy files from github actions to s3 bucket with s3.BlockPublicAccess.BLOCK_ALL enabled because it's needed for origin access control.

[McSwan]

I make a bucket

  const bucket = new s3.Bucket(this, 'michaelreviewbucket', {
    // Easy bucket destroy.
    removalPolicy: cdk.RemovalPolicy.DESTROY,
    autoDeleteObjects: true,
    bucketName: "michaelreview" + VERSION + ".dev.rebuild.roames.com",
    
    objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
    // blockPublicAccess:  new s3.BlockPublicAccess({ blockPublicPolicy: false, blockPublicAcls: false, ignorePublicAcls: false, restrictPublicBuckets: false }),
    // Must be set to Block_All to allow for OAC.
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Leave off so we can copy web page in there.
    // Do NOT ADD THESE IN. They will make the bucket generate an endpoint and prevent creation of oac (origin access control)
    // https://stackoverflow.com/questions/74320942/unable-to-configure-cloudfront-distribution-with-s3-origin-and-origin-access-con
    // websiteIndexDocument: 'index.html',
    // websiteErrorDocument : 'index.html'

  });

BLOCK_ALL must be enabled to allow for origin access control later on.

But it means in github actions, I can't copy the web page onto the s3 bucket.

 - name: Open Id DEV env setup
            uses: aws-actions/configure-aws-credentials@v1
            with:
              role-to-assume: ${{ vars.OIDC_ROLE }} 
              role-session-name: samplerolesession
              aws-region: ap-southeast-2

          - name: Copy Files 
            run: |
                aws s3 sync ./build/WebGL s3://${{ github.event.inputs.domain }}.dev.rebuild.roames.com/ --delete --acl public-read
                aws s3 sync ./build/WebGL s3://${{ github.event.inputs.domain }}.dev.rebuild.roames.com/ --acl public-read --exclude "*" --include "*.unityweb" --content-encoding gzip --acl public-read
            # env:

Also I don't know how to set
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
on an s3 bucket if it isn't done in the creation.
ie How do I do: bucket.blockPublicAccess = s3.BlockPublicAccess.BLOCK_ALL;

-later on in the cdk script. Maybe I could copy the files on the s3 bucket, then set the bucket to block_all. Although this is a inferior solution as I want to reguarly update the s3 bucket with a new web page.

Full script for reference.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { CfnOutput, aws_s3 as s3 } from 'aws-cdk-lib';
import { CreateCNameRecord, CreateCertificateFromHostedZone, CreateCustomDomain, GetHostedZoneFromName } from './domain';
import { CloudFrontDistribution } from './domain/CloudFrontDistribution';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
//import { DomainName } from 'aws-cdk-lib/aws-apigateway/lib/domain-name';
import { BasePathMapping, DomainName } from "aws-cdk-lib/aws-apigateway";
import * as route53 from 'aws-cdk-lib/aws-route53';
import * as targets from 'aws-cdk-lib/aws-route53-targets';
import * as iam from 'aws-cdk-lib/aws-iam';

const VERSION:string = "15"

export class CdkreviewStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, {
        ...props,
        stackName: "michaelreviewstack" + VERSION,
        synthesizer: new cdk.DefaultStackSynthesizer({
        qualifier: "michaelr" + VERSION
      })
    });

  // todo add username to bucketName?
  const bucket = new s3.Bucket(this, 'michaelreviewbucket', {
    // Easy bucket destroy.
    removalPolicy: cdk.RemovalPolicy.DESTROY,
    autoDeleteObjects: true,
    bucketName: "michaelreview" + VERSION + ".dev.rebuild.roames.com",
    
    objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
    // blockPublicAccess:  new s3.BlockPublicAccess({ blockPublicPolicy: false, blockPublicAcls: false, ignorePublicAcls: false, restrictPublicBuckets: false }),
    // Must be set to Block_All to allow for OAC.
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Leave off so we can copy web page in there.
    // Do NOT ADD THESE IN. They will make the bucket generate an endpoint and prevent creation of oac (origin access control)
    // https://stackoverflow.com/questions/74320942/unable-to-configure-cloudfront-distribution-with-s3-origin-and-origin-access-con
    // websiteIndexDocument: 'index.html',
    // websiteErrorDocument : 'index.html'

  });



  const oac = new cloudfront.CfnOriginAccessControl(this, 'OAC' + VERSION, {
    originAccessControlConfig: {
      name: 'OAC' + VERSION,
      originAccessControlOriginType: 's3',
      signingBehavior: 'always',
      signingProtocol: 'sigv4',
      description: 'Made from cdk'
    },
  })

  const hostedZoneName = "dev.rebuild.roames.com";
  const recordName = "michael" + VERSION;
  const hostedZone = GetHostedZoneFromName(this, id, hostedZoneName);
  
  // create a cname record in route53 for custom domain
  const certificate = CreateCertificateFromHostedZone(this, id, hostedZone, recordName);

  const cloudFrontWebDistribution = new cloudfront.CloudFrontWebDistribution(this, 'CDN', {
      viewerCertificate: {
        aliases: [`${recordName}.${hostedZoneName}`], //'your-domain.com'
        props: {
          acmCertificateArn: certificate.certificateArn, // certificateArn, // optional
          sslSupportMethod: 'sni-only',
          minimumProtocolVersion: 'TLSv1.1_2016'
          // All `props` options here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.CfnDistribution.ViewerCertificateProperty.html
        }
      },
    originConfigs: [
      {
        s3OriginSource: {
          s3BucketSource: bucket,
        },
        behaviors: [
          {
            isDefaultBehavior: true,
            allowedMethods: cloudfront.CloudFrontAllowedMethods.GET_HEAD,
            compress: true,
            cachedMethods: cloudfront.CloudFrontAllowedCachedMethods.GET_HEAD,
            viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
            minTtl: cdk.Duration.seconds(0),
            maxTtl: cdk.Duration.seconds(86400),
            defaultTtl: cdk.Duration.seconds(3600),
          },
        ],
      },
    ],
  })

  const cfnDistribution = cloudFrontWebDistribution.node.defaultChild as cloudfront.CfnDistribution
  cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', oac.getAtt('Id'))

  //const myCustomPolicy = new iam.PolicyDocument({
    const myCustomPolicy = 
      new iam.PolicyStatement({
        sid: "AllowCloudFrontServicePrincipal",
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal("cloudfront.amazonaws.com")], // AccountRootPrincipal()
        actions:["s3:Get*"],
        resources:[ bucket.bucketArn + "/*" ],
        conditions: { StringEquals: {
          // AWS:SourceArn": "arn:aws:cloudfront::413396116602:distribution/EV1GRXHVSMV7N"
          // todo replace account number
          "AWS:SourceArn":  "arn:aws:cloudfront::" + this.account + ":distribution/" + cloudFrontWebDistribution.distributionId //'codebuild.amazonaws.com'
          //"AWS:SourceArn":  "arn:aws:cloudfront::550162838255:distribution/" + cloudFrontWebDistribution.distributionId //'codebuild.amazonaws.com'
        }
      }
    });
  
  bucket.addToResourcePolicy(myCustomPolicy);

  new route53.ARecord(this, 'AliasRecord', {
    zone: hostedZone,
    recordName: `${recordName}.${hostedZoneName}`,
    target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(cloudFrontWebDistribution)),
  });

  const domain = new DomainName(this, `id-domainname-${id}`, {
    domainName: `${recordName}.${hostedZoneName}`,
    certificate: certificate
  });
      
  
    //const outputExportName = `${id}-reviewDomainUrl${props?.stackName}`;
    // const outputExportName = `${id}-reviewDomainUrl${recordName}`;
    // new CfnOutput(this, `id-output-domain-${id}`, {
    //   value: `Record Name: ${domain.domainName}, Value: ${domain.domainNameAliasDomainName}`,
    //   exportName: outputExportName,
    //   description: `Hosted Zone: ${hostedZoneName}`
    // });


  }
}