Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-cloudfront-origins: S3BucketOrigin.withOriginAccessControl is incompatible with Bucket.autoDeleteObjects #31360

Closed
1 task
garysassano opened this issue Sep 8, 2024 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library bug This issue is a bug. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@garysassano
Copy link

garysassano commented Sep 8, 2024

Describe the bug

The S3BucketOrigin.withOriginAccessControl L2 construct, which was recently released in v2.156.0, cannot be used with a Bucket having the autoDeleteObjects prop set to true.

The S3 bucket policies interfere with eachother.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

see above

Current Behavior

see above

Reproduction Steps

see above

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.156.0

Framework Version

No response

Node.js Version

20.17.0

OS

Ubuntu 22.04.3 LTS

Language

TypeScript

Language Version

No response

Other information

No response

@garysassano garysassano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Sep 8, 2024
@garysassano garysassano changed the title aws-cloudfront: S3BucketOrigin.withOriginAccessControl is incompatible with enforceSSL and autoDeleteObjects aws-cloudfront: S3BucketOrigin.withOriginAccessControl is incompatible with autoDeleteObjects Sep 8, 2024
@garysassano garysassano changed the title aws-cloudfront: S3BucketOrigin.withOriginAccessControl is incompatible with autoDeleteObjects aws-cloudfront: S3BucketOrigin.withOriginAccessControl is incompatible with Bucket.autoDeleteObjects Sep 8, 2024
@garysassano garysassano changed the title aws-cloudfront: S3BucketOrigin.withOriginAccessControl is incompatible with Bucket.autoDeleteObjects aws-cloudfront-origins: S3BucketOrigin.withOriginAccessControl is incompatible with Bucket.autoDeleteObjects Sep 8, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Sep 8, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 9, 2024
@khushail khushail self-assigned this Sep 9, 2024
@pahud
Copy link
Contributor

pahud commented Sep 10, 2024

This works for me

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true, 
      removalPolicy: RemovalPolicy.DESTROY,
    });

    const dist = new cloudfront.Distribution(this, 'Distribution', {
      defaultBehavior: {
        origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
      },
      defaultRootObject: 'index.html',
    })

    // output the bucket name
    new CfnOutput(this, 'BucketName', { value: bucket.bucketName });
    // output the distribution URL
    new CfnOutput(this, 'DistributionUrl', { value: 'https://' + dist.domainName });
  }
}

After cdk deploy, the content of bucket policy would be

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/dummy-stack12-CustomS3AutoDeleteObjectsCustomResour-d09RGJ2caodd"
            },
            "Action": [
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::dummy-stack12-bucket83908e77-rci8bxnhyrax",
                "arn:aws:s3:::dummy-stack12-bucket83908e77-rci8bxnhyrax/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dummy-stack12-bucket83908e77-rci8bxnhyrax/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E16FNH11FRVEA0"
                }
            }
        }
    ]
}

Validatation:

% echo "<h1>Hello CDK</h1>" > index.html
% aws s3 cp index.html s3://dummy-stack12-bucket83908e77-rci8bxnhyrax/
upload: ./index.html to s3://dummy-stack12-bucket83908e77-rci8bxnhyrax/index.html
% curl -s https://d2dv9g16mguh1c.cloudfront.net
<h1>Hello CDK</h1>

Destroy with index.html in the bucket

% npx cdk destroy
Are you sure you want to delete: dummy-stack12 (y/n)? y
dummy-stack12: destroying... [1/1]

 ✅  dummy-stack12: destroyed

bucket does not exist anymore

% aws s3 ls s3://dummy-stack12-bucket83908e77-rci8bxnhyrax/

An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist

Can you share your code snippet and full error message so we can investigate your case?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 10, 2024
@garysassano
Copy link
Author

Thank you for the quick response. I’ve tried every possible way I could think of to reproduce the bug, but unfortunately, I wasn’t able to. I had run several tests in a sandbox VM just to try out the new construct, but I didn’t save the code. Based on what I can tell now, the error was likely caused by making multiple updates to the same stack in rapid succession. I can confirm that everything works fine when deploying new projects, and deletion always succeeds.

The only thing I could retrieve is the log from the machine, which isn’t too helpful on its own:

cdk-test: destroying... [1/1]
1:37:36 AM | DELETE_FAILED        | AWS::S3::BucketPolicy       | MyBucketPolicy0AFEFDBE
Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy. See https://repost.aws/knowledge-center/cloudformation-delete-policy-error

1:37:37 AM | DELETE_FAILED        | Custom::S3AutoDeleteObjects | MyBucketAutoDelete...omResource2C28D565
Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::533267016779:assumed-role/cdk-test-CustomS3AutoDeleteObjectsC
ustomResourcePro-8ylF6vIY3Zlz/cdk-test-CustomS3AutoDeleteObjectsCustomResourcePr-TTcCa6bftVix is not authorized to perform: s3:GetBucketTagging on resource: "arn:aws:s3
:::my-bucket-c812be60" because no identity-based policy allows the s3:GetBucketTagging action
at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:839:20)
at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:848:5
at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:4735:14)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/index.js:226:18
at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:98:20
at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:121:14
at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22 (RequestId: 56042d6a-fd26-45dc-8aa8-f45cb0d5139b)


 ❌  cdk-test: destroy failed Error: The stack named cdk-test is in a failed state. You may need to delete it from the AWS console : DELETE_FAILED (The following resource(s) failed to delete: [MyBucketPolicy0AFEFDBE, MyBucketAutoDeleteObjectsCustomResource2C28D565]. ): Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy. See https://repost.aws/knowledge-center/cloudformation-delete-policy-error, Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::533267016779:assumed-role/cdk-test-CustomS3AutoDeleteObjectsCustomResourcePro-8ylF6vIY3Zlz/cdk-test-CustomS3AutoDeleteObjectsCustomResourcePr-TTcCa6bftVix is not authorized to perform: s3:GetBucketTagging on resource: "arn:aws:s3:::my-bucket-c812be60" because no identity-based policy allows the s3:GetBucketTagging action
    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:839:20)
    at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:848:5
    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:4735:14)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/index.js:226:18
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:98:20
    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:121:14
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22 (RequestId: 56042d6a-fd26-45dc-8aa8-f45cb0d5139b)
    at destroyStack (/home/user/github/cdk-test/node_modules/.pnpm/[email protected]/node_modules/aws-cdk/lib/index.js:459:2157)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async CdkToolkit.destroy (/home/user/github/cdk-test/node_modules/.pnpm/[email protected]/node_modules/aws-cdk/lib/index.js:462:208228)
    at async exec4 (/home/user/github/cdk-test/node_modules/.pnpm/[email protected]/node_modules/aws-cdk/lib/index.js:517:54490)

The stack named cdk-test is in a failed state. You may need to delete it from the AWS console : DELETE_FAILED (The following resource(s) failed to delete: [MyBucketPolicy0AFEFDBE, MyBucketAutoDeleteObjectsCustomResource2C28D565]. ): Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy. See https://repost.aws/knowledge-center/cloudformation-delete-policy-error, Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::533267016779:assumed-role/cdk-test-CustomS3AutoDeleteObjectsCustomResourcePro-8ylF6vIY3Zlz/cdk-test-CustomS3AutoDeleteObjectsCustomResourcePr-TTcCa6bftVix is not authorized to perform: s3:GetBucketTagging on resource: "arn:aws:s3:::my-bucket-c812be60" because no identity-based policy allows the s3:GetBucketTagging action
    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:839:20)
    at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:848:5
    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:4735:14)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/index.js:226:18
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:98:20
    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:121:14
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22 (RequestId: 56042d6a-fd26-45dc-8aa8-f45cb0d5139b)
👾 Task "destroy" failed when executing "cdk destroy" (cwd: /home/user/github/cdk-test)

In conclusion, everything is working perfectly. I apologize for opening a pointless issue. I’m really happy with this new construct and will begin transitioning older projects to use it.

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2024
@khushail khushail removed their assignment Sep 10, 2024
@khushail khushail removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-reproduction This issue needs reproduction. labels Sep 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library bug This issue is a bug. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Development

No branches or pull requests

3 participants