feat: new ICfn<Resource>

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integration-test-fixtures/s3-assert.ts

@@ -10,7 +10,7 @@ export interface S3AssertProps {
   /**
    * The s3 bucket to query.
    */
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
 
   /**
    * The object key.
@@ -31,15 +31,14 @@ export interface S3AssertProps {
  * Code is written in Python because why not.
  */
 export class S3Assert extends Construct {
-
   constructor(scope: Construct, id: string, props: S3AssertProps) {
     super(scope, id);
 
     new CustomResource(this, 'Resource', {
       serviceToken: S3AssertProvider.getOrCreate(this),
       resourceType: 'Custom::S3Assert',
       properties: {
-        BucketName: props.bucket.bucketName,
+        BucketName: props.bucket.attrBucketName,
         ObjectKey: props.objectKey,
         ExpectedContent: props.expectedContent,
       },

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts

@@ -12,7 +12,7 @@ interface S3FileProps {
   /**
    * The bucket in which the file will be created.
    */
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
 
   /**
    * The object key.
@@ -46,7 +46,7 @@ export class S3File extends Construct {
       serviceToken: S3FileProvider.getOrCreate(this),
       resourceType: 'Custom::S3File',
       properties: {
-        [api.PROP_BUCKET_NAME]: props.bucket.bucketName,
+        [api.PROP_BUCKET_NAME]: props.bucket.attrBucketName,
         [api.PROP_CONTENTS]: props.contents,
         [api.PROP_OBJECT_KEY]: props.objectKey,
         [api.PROP_PUBLIC]: props.public,

packages/@aws-cdk/aws-appconfig-alpha/lib/configuration.ts

@@ -916,9 +916,9 @@ export abstract class ConfigurationSource {
    * @param objectKey The path to the configuration
    * @param key The KMS Key that the bucket is encrypted with
    */
-  public static fromBucket(bucket: s3.IBucket, objectKey: string, key?: kms.IKey): ConfigurationSource {
+  public static fromBucket(bucket: s3.ICfnBucket, objectKey: string, key?: kms.IKey): ConfigurationSource {
     return {
-      locationUri: bucket.s3UrlForObject(objectKey),
+      locationUri: s3.Bucket.fromCfnBucket(bucket).s3UrlForObject(objectKey),
       type: ConfigurationSourceType.S3,
       key,
     };

packages/@aws-cdk/aws-appconfig-alpha/lib/extension.ts

@@ -92,8 +92,8 @@ export class SqsDestination implements IEventDestination {
   public readonly type: SourceType;
   public readonly policyDocument?: iam.PolicyDocument;
 
-  constructor(queue: sqs.IQueue) {
-    this.extensionUri = queue.queueArn;
+  constructor(queue: sqs.ICfnQueue) {
+    this.extensionUri = queue.attrArn;
     this.type = SourceType.SQS;
     const policy = new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
@@ -114,8 +114,8 @@ export class SnsDestination implements IEventDestination {
   public readonly type: SourceType;
   public readonly policyDocument?: iam.PolicyDocument;
 
-  constructor(topic: sns.ITopic) {
-    this.extensionUri = topic.topicArn;
+  constructor(topic: sns.ICfnTopic) {
+    this.extensionUri = topic.attrTopicArn;
     this.type = SourceType.SNS;
     const policy = new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,

packages/@aws-cdk/aws-codestar-alpha/lib/github-repository.ts

@@ -41,7 +41,7 @@ export interface GitHubRepositoryProps {
   /**
    * The name of the Amazon S3 bucket that contains the ZIP file with the content to be committed to the new repository
    */
-  readonly contentsBucket: s3.IBucket;
+  readonly contentsBucket: s3.ICfnBucket;
 
   /**
    * The S3 object key or file name for the ZIP file
@@ -97,7 +97,7 @@ export class GitHubRepository extends cdk.Resource implements IGitHubRepository
       repositoryAccessToken: props.accessToken.unsafeUnwrap(), // Safe usage
       code: {
         s3: {
-          bucket: props.contentsBucket.bucketName,
+          bucket: props.contentsBucket.attrBucketName,
           key: props.contentsKey,
           objectVersion: props.contentsS3Version,
         },

packages/@aws-cdk/aws-gamelift-alpha/lib/build.ts

@@ -185,7 +185,7 @@ export class Build extends BuildBase {
   /**
    * Create a new Build from s3 content
    */
-  static fromBucket(scope: Construct, id: string, bucket: s3.IBucket, key: string, objectVersion?: string) {
+  static fromBucket(scope: Construct, id: string, bucket: s3.ICfnBucket, key: string, objectVersion?: string) {
     return new Build(scope, id, {
       content: Content.fromBucket(bucket, key, objectVersion),
     });

packages/@aws-cdk/aws-gamelift-alpha/lib/content.ts

@@ -15,7 +15,7 @@ export abstract class Content {
    * @param key The object key
    * @param objectVersion Optional S3 ob ject version
    */
-  public static fromBucket(bucket: s3.IBucket, key: string, objectVersion?: string): S3Content {
+  public static fromBucket(bucket: s3.ICfnBucket, key: string, objectVersion?: string): S3Content {
     return new S3Content(bucket, key, objectVersion);
   }
 
@@ -48,9 +48,9 @@ export interface ContentConfig {
  * Game content from an S3 archive.
  */
 export class S3Content extends Content {
-  constructor(private readonly bucket: s3.IBucket, private key: string, private objectVersion?: string) {
+  constructor(private readonly bucket: s3.ICfnBucket, private key: string, private objectVersion?: string) {
     super();
-    if (!bucket.bucketName) {
+    if (!bucket.attrBucketName) {
       throw new Error('bucketName is undefined for the provided bucket');
     }
   }
@@ -59,13 +59,13 @@ export class S3Content extends Content {
     // Adding permission to access specific content
     role.addToPrincipalPolicy(new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
-      resources: [this.bucket.arnForObjects(this.key)],
+      resources: [s3.Bucket.fromCfnBucket(this.bucket).arnForObjects(this.key)],
       actions: ['s3:GetObject', 's3:GetObjectVersion'],
     }));
 
     return {
       s3Location: {
-        bucketName: this.bucket.bucketName,
+        bucketName: this.bucket.attrBucketName,
         objectKey: this.key,
         objectVersion: this.objectVersion,
       },

packages/@aws-cdk/aws-gamelift-alpha/lib/script.ts

@@ -119,7 +119,7 @@ export class Script extends ScriptBase {
   /**
    * Create a new realtime server script from s3 content
    */
-  static fromBucket(scope: Construct, id: string, bucket: s3.IBucket, key: string, objectVersion?: string) {
+  static fromBucket(scope: Construct, id: string, bucket: s3.ICfnBucket, key: string, objectVersion?: string) {
     return new Script(scope, id, {
       content: Content.fromBucket(bucket, key, objectVersion),
     });

packages/@aws-cdk/aws-glue-alpha/lib/code.ts

@@ -10,13 +10,12 @@ import * as constructs from 'constructs';
  * Represents a Glue Job's Code assets (an asset can be a scripts, a jar, a python file or any other file).
  */
 export abstract class Code {
-
   /**
    * Job code as an S3 object.
    * @param bucket The S3 bucket
    * @param key The object key
    */
-  public static fromBucket(bucket: s3.IBucket, key: string): S3Code {
+  public static fromBucket(bucket: s3.ICfnBucket, key: string): S3Code {
     return new S3Code(bucket, key);
   }
 
@@ -39,15 +38,18 @@ export abstract class Code {
  * Glue job Code from an S3 bucket.
  */
 export class S3Code extends Code {
-  constructor(private readonly bucket: s3.IBucket, private readonly key: string) {
+  private readonly bucket: s3.IBucket;
+  constructor(bucket: s3.ICfnBucket, private readonly key: string) {
     super();
+
+    this.bucket = s3.Bucket.fromCfnBucket(bucket);
   }
 
   public bind(_scope: constructs.Construct, grantable: iam.IGrantable): CodeConfig {
     this.bucket.grantRead(grantable, this.key);
     return {
       s3Location: {
-        bucketName: this.bucket.bucketName,
+        bucketName: this.bucket.attrBucketName,
         objectKey: this.key,
       },
     };

packages/@aws-cdk/aws-glue-alpha/lib/job.ts

@@ -379,14 +379,14 @@ export interface SparkUIProps {
   /**
    * Enable Spark UI.
    */
-  readonly enabled: boolean
+  readonly enabled: boolean;
 
   /**
    * The bucket where the Glue job stores the logs.
    *
    * @default - a new bucket will be created.
    */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * The path inside the bucket (objects prefix) where the Glue job stores the logs.
@@ -818,7 +818,7 @@ export class Job extends JobBase {
     }
 
     this.validatePrefix(props.prefix);
-    const bucket = props.bucket ?? new s3.Bucket(this, 'SparkUIBucket');
+    const bucket = props.bucket ? s3.Bucket.fromCfnBucket(props.bucket) : new s3.Bucket(this, 'SparkUIBucket');
     bucket.grantReadWrite(role, this.cleanPrefixForGrant(props.prefix));
     const args = {
       '--enable-spark-ui': 'true',

packages/@aws-cdk/aws-glue-alpha/lib/s3-table.ts

@@ -36,16 +36,16 @@ export enum TableEncryption {
    *
    * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
    */
-  CLIENT_SIDE_KMS = 'CSE-KMS'
+  CLIENT_SIDE_KMS = 'CSE-KMS',
 }
 
 export interface S3TableProps extends TableBaseProps {
   /**
  * S3 bucket in which to store data.
  *
- * @default one is created for you
+ * @default - one is created for you
  */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * S3 prefix under which table objects are stored.
@@ -71,7 +71,7 @@ export interface S3TableProps extends TableBaseProps {
    *
    * The `encryption` property must be `SSE-KMS` or `CSE-KMS`.
    *
-   * @default key is managed by KMS.
+   * @default - key is managed by KMS.
    */
   readonly encryptionKey?: kms.IKey;
 }
@@ -250,7 +250,7 @@ const encryptionMappings = {
 
 // create the bucket to store a table's data depending on the `encryption` and `encryptionKey` properties.
 function createBucket(table: S3Table, props: S3TableProps) {
-  let bucket = props.bucket;
+  let bucket = props.bucket ? s3.Bucket.fromCfnBucket(props.bucket) : undefined;
 
   if (bucket && (props.encryption !== undefined && props.encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
     throw new Error('you can not specify encryption settings if you also provide a bucket');

packages/@aws-cdk/aws-iot-actions-alpha/lib/s3-put-object-action.ts

@@ -40,7 +40,7 @@ export class S3PutObjectAction implements iot.IAction {
    * @param bucket The Amazon S3 bucket to which to write data.
    * @param props Optional properties to not use default
    */
-  constructor(private readonly bucket: s3.IBucket, props: S3PutObjectActionProps = {}) {
+  constructor(private readonly bucket: s3.ICfnBucket, props: S3PutObjectActionProps = {}) {
     this.accessControl = props.accessControl;
     this.key = props.key;
     this.role = props.role;
@@ -53,13 +53,13 @@ export class S3PutObjectAction implements iot.IAction {
     const role = this.role ?? singletonActionRole(rule);
     role.addToPrincipalPolicy(new iam.PolicyStatement({
       actions: ['s3:PutObject'],
-      resources: [this.bucket.arnForObjects('*')],
+      resources: [s3.Bucket.fromCfnBucket(this.bucket).arnForObjects('*')],
     }));
 
     return {
       configuration: {
         s3: {
-          bucketName: this.bucket.bucketName,
+          bucketName: this.bucket.attrBucketName,
           cannedAcl: this.accessControl && toKebabCase(this.accessControl.toString()),
           key: this.key ?? '${topic()}/${timestamp()}',
           roleArn: role.roleArn,

packages/@aws-cdk/aws-iot-actions-alpha/lib/sns-topic-action.ts

@@ -48,12 +48,13 @@ export class SnsTopicAction implements iot.IAction {
    * @param topic The Amazon SNS topic to publish data on. Must not be a FIFO topic.
    * @param props Properties to configure the action.
    */
-  constructor(topic: sns.ITopic, props: SnsTopicActionProps = {}) {
-    if (topic.fifo) {
+  constructor(topic: sns.ICfnTopic, props: SnsTopicActionProps = {}) {
+    this.topic = sns.Topic.fromCfnTopic(topic);
+
+    if (this.topic.fifo) {
       throw Error('IoT Rule actions cannot be used with FIFO SNS Topics, please pass a non-FIFO Topic instead');
     }
 
-    this.topic = topic;
     this.role = props.role;
     this.messageFormat = props.messageFormat;
   }

packages/@aws-cdk/aws-iot-actions-alpha/lib/sqs-queue-action.ts

@@ -13,22 +13,22 @@ export interface SqsQueueActionProps extends CommonActionProps {
    *
    * @default false
    */
-  readonly useBase64?: boolean
+  readonly useBase64?: boolean;
 }
 
 /**
  * The action to write the data from an MQTT message to an Amazon SQS queue.
  */
 export class SqsQueueAction implements iot.IAction {
   private readonly role?: iam.IRole;
-  private readonly queue: sqs.IQueue;
+  private readonly queue: sqs.ICfnQueue;
   private readonly useBase64?: boolean;
 
   /**
    * @param queue The Amazon SQS queue to which to write data.
    * @param props Optional properties to not use default
    */
-  constructor(queue: sqs.IQueue, props: SqsQueueActionProps = {}) {
+  constructor(queue: sqs.ICfnQueue, props: SqsQueueActionProps = {}) {
     this.queue = queue;
     this.role = props.role;
     this.useBase64 = props.useBase64;
@@ -41,13 +41,13 @@ export class SqsQueueAction implements iot.IAction {
     const role = this.role ?? singletonActionRole(rule);
     role.addToPrincipalPolicy(new iam.PolicyStatement({
       actions: ['sqs:SendMessage'],
-      resources: [this.queue.queueArn],
+      resources: [this.queue.attrArn],
     }));
 
     return {
       configuration: {
         sqs: {
-          queueUrl: this.queue.queueUrl,
+          queueUrl: this.queue.attrQueueUrl,
           useBase64: this.useBase64,
           roleArn: role.roleArn,
         },

packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/lib/application-code.ts

@@ -31,7 +31,7 @@ export abstract class ApplicationCode {
    * @param fileKey - a key pointing to a Flink JAR file
    * @param objectVersion - an optional version string for the provided fileKey
    */
-  public static fromBucket(bucket: s3.IBucket, fileKey: string, objectVersion?: string): ApplicationCode {
+  public static fromBucket(bucket: s3.ICfnBucket, fileKey: string, objectVersion?: string): ApplicationCode {
     return new BucketApplicationCode({
       bucket,
       fileKey,
@@ -56,13 +56,13 @@ export abstract class ApplicationCode {
 }
 
 interface BucketApplicationCodeProps {
-  readonly bucket: s3.IBucket;
+  readonly bucket: s3.ICfnBucket;
   readonly fileKey: string;
   readonly objectVersion?: string;
 }
 
 class BucketApplicationCode extends ApplicationCode {
-  public readonly bucket?: s3.IBucket;
+  public readonly bucket?: s3.ICfnBucket;
   public readonly fileKey: string;
   public readonly objectVersion?: string;
 
@@ -79,15 +79,15 @@ class BucketApplicationCode extends ApplicationCode {
         applicationCodeConfiguration: {
           codeContent: {
             s3ContentLocation: {
-              bucketArn: this.bucket!.bucketArn,
+              bucketArn: this.bucket!.attrArn,
               fileKey: this.fileKey,
               objectVersion: this.objectVersion,
             },
           },
           codeContentType: 'ZIPFILE',
         },
       },
-      bucket: this.bucket!,
+      bucket: s3.Bucket.fromCfnBucket(this.bucket!),
     };
   }
 }

packages/@aws-cdk/aws-kinesisfirehose-destinations-alpha/lib/common.ts

@@ -155,7 +155,7 @@ export interface DestinationS3BackupProps extends DestinationLoggingProps, Commo
    *
    * @default - If `mode` is set to `BackupMode.ALL` or `BackupMode.FAILED`, a bucket will be created for you.
    */
-  readonly bucket?: s3.IBucket;
+  readonly bucket?: s3.ICfnBucket;
 
   /**
    * Indicates the mode by which incoming records should be backed up to S3, if any.

packages/@aws-cdk/aws-kinesisfirehose-destinations-alpha/lib/private/helpers.ts

@@ -148,7 +148,7 @@ export function createBackupConfig(scope: Construct, role: iam.IRole, props?: De
     return undefined;
   }
 
-  const bucket = props.bucket ?? new s3.Bucket(scope, 'BackupBucket');
+  const bucket = props.bucket ? s3.Bucket.fromCfnBucket(props.bucket) : new s3.Bucket(scope, 'BackupBucket');
   const bucketGrant = bucket.grantReadWrite(role);
 
   const { loggingOptions, dependables: loggingDependables } = createLoggingOptions(scope, {