@aws-cdk/aws-s3: CloudFormation stack deployment fails intermittently when adding a bucket policy and EventBridge notifications #27600

Closed
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. p1

Comments

@ShanikaEdiriweera

ShanikaEdiriweera commented Oct 19, 2023

Describe the bug

CloudFormation stack deployment fails intermittently when adding a bucket policy (PutBucketPolicy) and EventBridge notifications (PutBucketNotification) to an S3 bucket due to a race condition.

Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (OperationAborted) when calling the PutBucketNotificationConfiguration operation: A conflicting conditional operation is currently in progress against this resource. Please try again.. See the details in CloudWatch Log Stream: 2023/10/17/[$LATEST]9f69597966xxxxa8449646270045 (RequestId: 2xx08c-74ad-4317-8a30-83xxxf2dc9)

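Below is my CDK code using the S3 Bucket construct with eventBridgeEnabled: true and adding the policy after creating the bucket.

import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

// S3BucketProperties and createS3BucketSSLRequestsOnlyPolicyStatement are the
// reporter's own helpers; their definitions are not shown in the issue.
export class S3Bucket extends s3.Bucket {
  constructor(scope: Construct, id: string, props: S3BucketProperties) {
    super(scope, id, {
      ...props,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      encryption: s3.BucketEncryption.KMS,
      encryptionKey: props.encryptionKey,
      // Adds the notifications custom resource (PutBucketNotificationConfiguration).
      eventBridgeEnabled: true,
    });
  }
}
---------------------------------------------
// Inside the stack: create the bucket, then attach the policy (PutBucketPolicy).
this.s3Bucket = new S3Bucket(this, 'bucket', {
  encryptionKey,
});
this.s3Bucket.addToResourcePolicy(
  createS3BucketSSLRequestsOnlyPolicyStatement(
    this.s3Bucket.bucketArn
  )
);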

Similar issue #16811

Expected Behavior

S3 Bucket policy (PutBucketPolicy) and bucket notifications (PutBucketNotification/PutBucketNotificationConfiguration) happen without failing.

Current Behavior

Stack deployment fails intermittently.

Reproduction Steps

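Below is my CDK code using the S3 Bucket construct with eventBridgeEnabled: true and adding the policy after creating the bucket.

import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

// S3BucketProperties and createS3BucketSSLRequestsOnlyPolicyStatement are the
// reporter's own helpers; their definitions are not shown in the issue.
export class S3Bucket extends s3.Bucket {
  constructor(scope: Construct, id: string, props: S3BucketProperties) {
    super(scope, id, {
      ...props,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      encryption: s3.BucketEncryption.KMS,
      encryptionKey: props.encryptionKey,
      // Adds the notifications custom resource (PutBucketNotificationConfiguration).
      eventBridgeEnabled: true,
    });
  }
}
---------------------------------------------
// Inside the stack: create the bucket, then attach the policy (PutBucketPolicy).
this.s3Bucket = new S3Bucket(this, 'bucket', {
  encryptionKey,
});
this.s3Bucket.addToResourcePolicy(
  createS3BucketSSLRequestsOnlyPolicyStatement(
    this.s3Bucket.bucketArn
  )
);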

Possible Solution

(AWS Support Recommended) Implement retry with incremental backoff into the custom resource code. This includes retrying operations with an exponential backoff time to cater for any issues.

put_bucket_notification_configuration(bucket, config)

Additional Information/Context

No response

CDK CLI Version

2.99.1

Framework Version

No response

Node.js Version

18

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
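
The retry suggested under "Possible Solution", sketched as an added example (not code from the issue or from the CDK custom resource): a wrapper that retries only the OperationAborted error with capped exponential backoff and full jitter, and lets every other error fail immediately. FakeClientError, FlakyS3, the bucket name and the delay values are constructed stand-ins so the block runs offline; a real handler would catch botocore.exceptions.ClientError instead.

```python
import random
import time

RETRYABLE = {"OperationAborted"}  # error code from the failure message in the issue


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def call_with_backoff(operation, max_attempts=5, base_delay=1.0, max_delay=20.0,
                      sleep=time.sleep, rng=random.random):
    """Run operation(); retry RETRYABLE errors with capped exponential backoff."""
    for attempt in range(1, max_attempts + 1):
        try:
            return operation()
        except FakeClientError as exc:  # real handler: botocore.exceptions.ClientError
            code = exc.response["Error"]["Code"]
            if code not in RETRYABLE or attempt == max_attempts:
                raise  # not a conflict (e.g. AccessDenied) or out of attempts
            ceiling = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(ceiling * rng())  # full jitter: wait a random share of the ceiling


class FlakyS3:
    """Constructed S3 client that fails a fixed number of times before succeeding."""
    def __init__(self, failures, code="OperationAborted"):
        self.failures, self.code, self.calls = failures, code, 0

    def put_bucket_notification_configuration(self, Bucket, NotificationConfiguration):
        self.calls += 1
        if self.calls <= self.failures:
            raise FakeClientError(self.code)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def put_notifications(s3, sleep=time.sleep, rng=random.random):
    """Enable EventBridge notifications on a constructed bucket name, with retries."""
    return call_with_backoff(
        lambda: s3.put_bucket_notification_configuration(
            Bucket="example-bucket",
            NotificationConfiguration={"EventBridgeConfiguration": {}}),
        sleep=sleep, rng=rng)


if __name__ == "__main__":
    print(put_notifications(FlakyS3(failures=2), sleep=lambda s: None))
```

Keep the worst-case total wait below the custom resource Lambda's timeout, otherwise the retry loop itself becomes the deployment failure.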

@ShanikaEdiriweera ShanikaEdiriweera added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 19, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Oct 19, 2023
@ShanikaEdiriweera ShanikaEdiriweera changed the title s3: CloudFormation stack deployment fails intermittently when adding a bucket policy and EventBridge notifications @aws-cdk/aws-s3: CloudFormation stack deployment fails intermittently when adding a bucket policy and EventBridge notifications Oct 19, 2023
@indrora indrora added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 19, 2023
@indrora
Contributor

indrora commented Oct 19, 2023

Thank you for your report.

@zhaoyi0113

I am facing the same issue, is there any update on this one?

@yerzhan7
Contributor

yerzhan7 commented May 3, 2024

It looks like PutBucketPolicy and PutBucketNotification API calls are happening at the same time and causing a race condition because S3 does not allow parallel bucket edits.

One workaround is to add BucketPolicy as a dependency to the BucketNotification custom resource. This way the Bucket Policy would be created before the PutBucketNotification API call is made.

For example:

yourBucket.node.findChild('Notifications').node.addDependency(yourBucket.policy!);
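
A check for the ordering this workaround establishes, as an added example (not part of the comment above or of the CDK project's code): it scans a synthesized CloudFormation template for a bucket-notifications custom resource that targets the same bucket as an AWS::S3::BucketPolicy but has no DependsOn on it. The Custom::S3BucketNotifications type name, the BucketName/Bucket property names and the sample template with its logical IDs are assumptions; only direct DependsOn edges are considered.

```python
NOTIF_TYPE = "Custom::S3BucketNotifications"  # assumed type of CDK's notifications resource
POLICY_TYPE = "AWS::S3::BucketPolicy"


def _bucket_id(value):
    """Logical ID from {"Ref": id}; None for anything else (literal names, Fn::GetAtt)."""
    return value.get("Ref") if isinstance(value, dict) else None


def _depends_on(resource):
    """DependsOn may be a single string or a list; normalise to a set."""
    deps = resource.get("DependsOn", [])
    return {deps} if isinstance(deps, str) else set(deps)


def unordered_notifications(template):
    """Return (notification_id, policy_id) pairs on the same bucket with no DependsOn edge."""
    resources = template.get("Resources", {})
    policy_for = {}
    for rid, res in resources.items():
        if res.get("Type") == POLICY_TYPE:
            policy_for[_bucket_id(res.get("Properties", {}).get("Bucket"))] = rid
    policy_for.pop(None, None)  # drop policies whose bucket is not a plain Ref
    findings = []
    for rid, res in resources.items():
        if res.get("Type") != NOTIF_TYPE:
            continue
        policy = policy_for.get(_bucket_id(res.get("Properties", {}).get("BucketName")))
        if policy and policy not in _depends_on(res):
            findings.append((rid, policy))  # both may run in parallel: race window
    return findings


# Constructed template fragment (logical IDs are made up), shaped like `cdk synth` output.
SAMPLE = {"Resources": {
    "BucketA": {"Type": "AWS::S3::Bucket"},
    "BucketAPolicy": {"Type": POLICY_TYPE,
                      "Properties": {"Bucket": {"Ref": "BucketA"}}},
    "BucketANotifications": {
        "Type": NOTIF_TYPE,
        "Properties": {"BucketName": {"Ref": "BucketA"},
                       "NotificationConfiguration": {"EventBridgeConfiguration": {}}}},
}}

if __name__ == "__main__":
    print(unordered_notifications(SAMPLE))
```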
