fix(ec2): Cannot deploy VPC flow log with other resources that requir…

…es bucket policies (#23889)

Closes #18985.

The problem is described on the issue. In short, when we enable VPC Flow log, it tries to create a bucket policy for the target S3 bucket. That's why a deployment fails if there is a bucket policy defined in a CFn template and the policy is created AFTER a flow log is enabled, which cannot replace the existing policy created by the flow log.

To avoid the error, this PR adds explicit dependencies for a VPC flow log resource:

* dependency 1: Flow log must be created after a corresponding bucket policy is created by CFn
* dependency 2: Flow log must be deleted before a corresponding `autoDeleteObjects` custom resource removed (i.e. deleting all the objects in the bucket).

Dependency 2 is actually not related to the original issue, but I'd like to add this because I saw the error relating this on the integration tests.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts

@@ -1,7 +1,7 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as logs from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
-import { IResource, PhysicalName, RemovalPolicy, Resource, FeatureFlags, Stack } from '@aws-cdk/core';
+import { IResource, PhysicalName, RemovalPolicy, Resource, FeatureFlags, Stack, CfnResource } from '@aws-cdk/core';
 import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { CfnFlowLog } from './ec2.generated';
@@ -252,7 +252,6 @@ class S3Destination extends FlowLogDestination {
         encryption: s3.BucketEncryption.UNENCRYPTED,
         removalPolicy: RemovalPolicy.RETAIN,
       });
-
     } else {
       s3Bucket = this.props.s3Bucket;
     }
@@ -690,6 +689,18 @@ export class FlowLog extends FlowLogBase {
       logDestination,
     });
 
+    // VPC service implicitly tries to create a bucket policy when adding a vpc flow log.
+    // To avoid the race condition, we add an explicit dependency here.
+    if (this.bucket?.policy?.node.defaultChild instanceof CfnResource) {
+      flowLog.addDependency(this.bucket?.policy.node.defaultChild);
+    }
+
+    // we must remove a flow log configuration first before deleting objects.
+    const deleteObjects = this.bucket?.node.tryFindChild('AutoDeleteObjectsCustomResource')?.node.defaultChild;
+    if (deleteObjects instanceof CfnResource) {
+      flowLog.addDependency(deleteObjects);
+    }
+
     this.flowLogId = flowLog.ref;
     this.node.defaultChild = flowLog;
   }

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "29.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/FlowLogsTestStack.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "29.0.0",
   "files": {
     "33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c": {
       "source": {
@@ -14,15 +14,15 @@
         }
       }
     },
-    "9dcef326beebc49accefb3f0f234ec72b4de2a2aa5f1dc4ed26408fcc22c1dd7": {
+    "8161ff5519d2aef653bfa7866cd056f5a3feaccfbd55708667998493d1311898": {
       "source": {
         "path": "FlowLogsTestStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "9dcef326beebc49accefb3f0f234ec72b4de2a2aa5f1dc4ed26408fcc22c1dd7.json",
+          "objectKey": "8161ff5519d2aef653bfa7866cd056f5a3feaccfbd55708667998493d1311898.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/FlowLogsTestStack.template.json

@@ -421,7 +421,11 @@
      }
     ],
     "TrafficType": "ALL"
-   }
+   },
+   "DependsOn": [
+    "BucketAutoDeleteObjectsCustomResourceBAFD23C2",
+    "BucketPolicyE9A3008A"
+   ]
   },
   "FlowLogsCWIAMRole017AD736": {
    "Type": "AWS::IAM::Role",

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"21.0.0"}
+{"version":"29.0.0"}

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "29.0.0",
   "testCases": {
     "FlowLogs/DefaultTest": {
       "stacks": [

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "29.0.0",
   "artifacts": {
     "FlowLogsTestStack.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9dcef326beebc49accefb3f0f234ec72b4de2a2aa5f1dc4ed26408fcc22c1dd7.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8161ff5519d2aef653bfa7866cd056f5a3feaccfbd55708667998493d1311898.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-customformat.js.snapshot/tree.json

@@ -691,7 +691,7 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "@aws-cdk/aws-ec2.FlowLog",
+                  "fqn": "@aws-cdk/core.Resource",
                   "version": "0.0.0"
                 }
               }
@@ -709,6 +709,14 @@
                 "id": "IAMRole",
                 "path": "FlowLogsTestStack/FlowLogsCW/IAMRole",
                 "children": {
+                  "ImportIAMRole": {
+                    "id": "ImportIAMRole",
+                    "path": "FlowLogsTestStack/FlowLogsCW/IAMRole/ImportIAMRole",
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/core.Resource",
+                      "version": "0.0.0"
+                    }
+                  },
                   "Resource": {
                     "id": "Resource",
                     "path": "FlowLogsTestStack/FlowLogsCW/IAMRole/Resource",
@@ -853,7 +861,7 @@
               }
             },
             "constructInfo": {
-              "fqn": "@aws-cdk/aws-ec2.FlowLog",
+              "fqn": "@aws-cdk/core.Resource",
               "version": "0.0.0"
             }
           },
@@ -1142,7 +1150,7 @@
                 "path": "FlowLogs/DefaultTest/Default",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.154"
+                  "version": "10.1.216"
                 }
               },
               "DeployAssert": {
@@ -1188,7 +1196,7 @@
         "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.154"
+          "version": "10.1.216"
         }
       }
     },

packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-interval.js.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "29.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {