(ec2): Cannot deploy VPC flow log with other resources that requires bucket policies #18985
Comments
This also relates to #18816
This issue still exists due to the lack of an explicit dependency of the VPC flow log on the bucket's policy.
Is there any update on this issue? @corymhall
This PR #20765 appends a new feature flag.
For those still having this issue make sure the
@MrArnoldPalmer Hi, I confirmed this issue still exists even on CDK 2.62.2. This is because currently the VPC service tries to create a bucket policy before CFn creates one when the flow log is enabled. To avoid this behavior, we must make sure that CFn creates a bucket policy before enabling the VPC flow log. We need to set the explicit dependency between edit) I'll submit a PR for this.
Confirmed @tmokmss is correct, this issue has not been resolved yet.
…es bucket policies (#23889) Closes #18985. The problem is described on the issue. In short, when we enable a VPC flow log, it tries to create a bucket policy for the target S3 bucket. That's why a deployment fails if there is a bucket policy defined in a CFn template and the policy is created AFTER a flow log is enabled, which cannot replace the existing policy created by the flow log. To avoid the error, this PR adds explicit dependencies for a VPC flow log resource: * dependency 1: Flow log must be created after a corresponding bucket policy is created by CFn * dependency 2: Flow log must be deleted before a corresponding `autoDeleteObjects` custom resource is removed (i.e. deleting all the objects in the bucket). Dependency 2 is actually not related to the original issue, but I'd like to add this because I saw the error relating to this on the integration tests. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This issue is still not resolved for me on CDK v2.144.
What is the problem?
Hi team, I found a somewhat confusing behavior involving an S3 bucket and a VPC flow log, as described below.
I've already found a workaround and it is not critical. Could you take a look when you get a chance?
Reproduction Steps
Define the stack with the code below and run `npx cdk deploy Stack`. Note that `autoDeleteObjects: true` is used here to make sure a bucket policy resource is created. But actually any resource that creates a bucket policy will also be affected by this behavior, such as ALB access logging.
What did you expect to happen?
Deployment succeeds.
What actually happened?
The below error happens during CFn deployment.
CDK CLI Version
2.62.2
Framework Version
2.62.2
Node.js Version
16.13.1
OS
macOS
Language
Typescript
Language Version
No response
Other information
The CFn FlowLog resource seems to implicitly create a bucket policy if one doesn't exist on the target S3 bucket.
If there is another bucket policy definition in the CFn template and the VPC flow log resource is processed earlier than it, CFn fails to create the policy with the error above.
As a workaround, you can explicitly set a dependency to make sure the VPC flow log is created after CFn creates the bucket policy resource.
If CDK automatically added this dependency, it would help a lot.
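The ordering problem in this report, and the two explicit dependencies the fix PR (#23889) adds, can be checked on the synthesized CloudFormation output before deploying. The TypeScript below is an added example, not code from this issue or from the aws-cdk project: it lints a template for an `AWS::EC2::FlowLog` with an S3 destination that lacks a `DependsOn` on the bucket's `AWS::S3::BucketPolicy` (the failure here) or on the `Custom::S3AutoDeleteObjects` custom resource (dependency 2 in the PR), and shows the template shape the workaround produces. The resource shapes (bucket referenced through `Fn::GetAtt`/`Ref`, policy referencing its bucket through `Properties.Bucket`, auto-delete resource through `Properties.BucketName`) and the sample template are my assumptions about CDK output, not copied from a real `cdk.out`.

```typescript
// Added example (not from the issue or aws-cdk): lint a synthesized template for the
// flow-log ordering problem. Assumed resource shapes: FlowLog LogDestination built from
// Fn::GetAtt/Ref, BucketPolicy Properties.Bucket {Ref}, S3AutoDeleteObjects Properties.BucketName.
type CfnValue = string | number | boolean | null | CfnValue[] | { [k: string]: CfnValue };
interface CfnResource { Type: string; Properties?: { [k: string]: CfnValue }; DependsOn?: string | string[] }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }
interface Finding { flowLog: string; bucket: string; missingDependency: string; reason: string }

// Every logical ID a property value refers to via Ref or Fn::GetAtt, at any depth.
function referencedIds(value: CfnValue | undefined, out: string[] = []): string[] {
  if (Array.isArray(value)) {
    value.forEach((v) => referencedIds(v, out));
  } else if (value && typeof value === "object") {
    const obj = value;
    const ref = obj["Ref"];
    const getAtt = obj["Fn::GetAtt"];
    const target = Array.isArray(getAtt) ? getAtt[0] : null;
    if (typeof ref === "string" && out.indexOf(ref) < 0) out.push(ref);
    if (typeof target === "string" && out.indexOf(target) < 0) out.push(target);
    Object.keys(obj).forEach((k) => referencedIds(obj[k], out));
  }
  return out;
}

function dependsOn(res: CfnResource): string[] {
  const d = res.DependsOn;
  return typeof d === "string" ? [d] : d ? d.slice() : [];
}

// Reports each S3-destined flow log missing an explicit DependsOn on (1) the bucket policy
// CFn manages for its bucket and (2) the autoDeleteObjects custom resource for that bucket.
function findFlowLogOrderingIssues(template: CfnTemplate): Finding[] {
  const resources = template.Resources;
  const policyByBucket: { [bucket: string]: string } = {};
  const autoDeleteByBucket: { [bucket: string]: string } = {};
  Object.keys(resources).forEach((id) => {
    const res = resources[id];
    const props = res.Properties || {};
    if (res.Type === "AWS::S3::BucketPolicy") {
      referencedIds(props["Bucket"]).forEach((b) => { policyByBucket[b] = id; });
    } else if (res.Type === "Custom::S3AutoDeleteObjects") {
      referencedIds(props["BucketName"]).forEach((b) => { autoDeleteByBucket[b] = id; });
    }
  });
  const findings: Finding[] = [];
  Object.keys(resources).forEach((id) => {
    const res = resources[id];
    const props = res.Properties || {};
    if (res.Type !== "AWS::EC2::FlowLog" || props["LogDestinationType"] !== "s3") return;
    const deps = dependsOn(res);
    referencedIds(props["LogDestination"]).forEach((bucket) => {
      const target = resources[bucket];
      if (!target || target.Type !== "AWS::S3::Bucket") return;
      const policy = policyByBucket[bucket];
      if (policy && deps.indexOf(policy) < 0) {
        findings.push({ flowLog: id, bucket, missingDependency: policy,
          reason: "flow log may be created before the CFn bucket policy; the service-created policy then blocks it" });
      }
      const autoDelete = autoDeleteByBucket[bucket];
      if (autoDelete && deps.indexOf(autoDelete) < 0) {
        findings.push({ flowLog: id, bucket, missingDependency: autoDelete,
          reason: "flow log may still write objects while autoDeleteObjects is emptying the bucket" });
      }
    });
  });
  return findings;
}

// Copy of the template with the missing DependsOn entries added: the shape an explicit
// dependency (the workaround in this issue) produces after synth. The input is not mutated.
function withFlowLogDependencies(template: CfnTemplate): CfnTemplate {
  const fixed: CfnTemplate = JSON.parse(JSON.stringify(template));
  findFlowLogOrderingIssues(template).forEach((f) => {
    const res = fixed.Resources[f.flowLog];
    res.DependsOn = dependsOn(res).concat(f.missingDependency);
  });
  return fixed;
}

// Constructed sample (not real cdk.out output): the flow log has no DependsOn at all,
// which is the failing case from the reproduction steps. ResourceId is a placeholder.
const brokenTemplate: CfnTemplate = {
  Resources: {
    LogBucket: { Type: "AWS::S3::Bucket", Properties: {} },
    LogBucketPolicy: { Type: "AWS::S3::BucketPolicy",
      Properties: { Bucket: { Ref: "LogBucket" }, PolicyDocument: { Statement: [] } } },
    LogBucketAutoDeleteObjects: { Type: "Custom::S3AutoDeleteObjects",
      Properties: { BucketName: { Ref: "LogBucket" } }, DependsOn: "LogBucketPolicy" },
    VpcFlowLog: { Type: "AWS::EC2::FlowLog",
      Properties: { ResourceType: "VPC", ResourceId: "vpc-PLACEHOLDER", TrafficType: "ALL",
        LogDestinationType: "s3", LogDestination: { "Fn::GetAtt": ["LogBucket", "Arn"] } } },
  },
};

console.log(findFlowLogOrderingIssues(brokenTemplate).map((f) => `${f.flowLog} -> ${f.missingDependency}`));
console.log(withFlowLogDependencies(brokenTemplate).Resources["VpcFlowLog"].DependsOn);
```

To run it against a real stack, parse `cdk.out/<Stack>.template.json` with `JSON.parse` and pass the object to `findFlowLogOrderingIssues`; an empty result means every S3 flow log is ordered after its bucket policy and after the auto-delete resource. In CDK source the corresponding workaround is an explicit dependency from the `FlowLog` construct to the bucket's `BucketPolicy` construct (`flowLog.node.addDependency(...)`), which is what makes the synthesized `DependsOn` appear.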