Circular dependency on s3 notification to a destination when both destination and s3 are encrypted by same CMK #3067
Is it still failing with 0.35?
I am not sure if this is failing with 0.35; I tried with 0.34 and it is failing.
I'm actually not sure - @r00t-ankit, can you try upgrading to
Thanks,
I just ran into this as well. So not solved yet.
I am also facing a similar issue when using the same KMS keys along with the s3 notification service. This is a very old thread and still open. Does anybody have any solutions for this or any alternative mechanism?
We are facing the same issue: there is no circular problem without encryption, but with encryption we cannot deploy.
+1 Adding KMS encryption to the destination source introduces the error.
Have you tried using the trust account option for the key?
https://docs.aws.amazon.com/cdk/api/latest/docs/aws-kms-readme.html#key-policies
On Thu, Apr 22, 2021 at 10:40 AM nikevp wrote:
> I am also facing the similar issue when using the same KMS keys along with s3 notification service. This is very old thread and still open. Anybody has any solutions how to solve this or any alternative mechanism?
> +1
You mean using
Facing exactly the same issue. I could only fix this by using a different key for S3 and for SQS.
BTW, I'm on
Same issue here, using 1.117.0. Feel free to reach out if you need more info to reproduce. Thanks
Didn't work for me. Mind sharing your sample code?
Still happening for me w/ CDK v2.49.0.
This did not end up working for me either, two different keys, one for s3, another for SQS, still getting the cyclical dependency error.
Yes, this is enabled by default in CDK v2: #18446
I can synthesize on the latest version using the code posted in the original issue - can someone please provide reproduction steps along with code? Thanks
Thank you for taking a look into this @peterwoodworth. The
Whoops 🤦🏻 My mistake. Thought we check for that at synth. This is happening because when you add an object created notification, you create a policy on the key which references the bucket in a condition. The bucket already depends on the key, so the circular dependency is created. Using the reproduction code from the OP, this is the exact statement on the KeyPolicy which gets rendered:

    {
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": {
            "Fn::GetAtt": [
              "testankagbucketC0AC8B68",
              "Arn"
            ]
          }
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Resource": "*"
    }

You can add this line of code to alter the Condition if you know in advance what the bucket arn will be:
Alternatively, a second way to achieve this is to use an AwsCustomResource at the end of stack creation to make the PutKeyPolicy API call. You'll need to configure permissions for this call to be authorized (probably with an escape hatch to override the KeyPolicy), but I would expect this to eliminate the circular dependency.
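The cycle Peter describes (key policy -> bucket ARN via Fn::GetAtt, bucket -> key via its encryption configuration) is only reported by CloudFormation at deploy time. The following is an added example, not code from this issue or from the CDK project: a small Python checker that builds the resource dependency graph of a CloudFormation template from its Ref, Fn::GetAtt and Fn::Sub references and reports the first cycle, so the problem can be caught on the synthesized template before deploying. The two templates are constructed by hand to mirror the key / bucket / queue shape in this thread (logical IDs such as "Key", "Bucket", "Queue" are placeholders, not the IDs from the OP's stack); the "fixed" variant spells the bucket ARN out from a name chosen in advance, the first workaround mentioned above. The graph walk is general and works on any template, not only this shape.

```python
"""Added example: detect a CloudFormation circular dependency before deploying.

Walks every resource's Properties / DependsOn for Ref, Fn::GetAtt and Fn::Sub
references, builds a resource dependency graph and reports the first cycle.
The templates below are constructed by hand to mirror the KMS key / S3 bucket /
SQS queue shape discussed in the issue; they are not CDK output.
"""
import re
from typing import Dict, List, Set

# ${Name} or ${Name.Attr} inside an Fn::Sub string; ${!literal} is an escape, not a reference.
SUB_VAR = re.compile(r"\$\{([^}!][^}]*)\}")


def collect_refs(node, acc: Set[str]) -> Set[str]:
    """Recursively gather logical IDs referenced via Ref, Fn::GetAtt or Fn::Sub."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                acc.add(value)
            elif key == "Fn::GetAtt":
                # list form ["Logical", "Attr"] or string form "Logical.Attr"
                acc.add(value[0] if isinstance(value, list) else str(value).split(".")[0])
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                acc.update(v.split(".")[0] for v in SUB_VAR.findall(text))
                if isinstance(value, list) and len(value) > 1:
                    collect_refs(value[1], acc)  # the variable map may hold more intrinsics
            else:
                collect_refs(value, acc)
    elif isinstance(node, list):
        for item in node:
            collect_refs(item, acc)
    return acc


def dependency_graph(template: dict) -> Dict[str, Set[str]]:
    """Map each logical resource ID to the set of other resources it depends on."""
    resources = template.get("Resources", {})
    graph: Dict[str, Set[str]] = {}
    for name, body in resources.items():
        deps = collect_refs(body.get("Properties", {}), set())
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        # Parameters and pseudo parameters (AWS::Partition, ...) are not resources: drop them.
        graph[name] = {d for d in deps if d in resources and d != name}
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> List[str]:
    """Depth-first search; returns the first cycle as [a, b, ..., a], or [] if acyclic."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in graph}
    path: List[str] = []

    def visit(node: str) -> List[str]:
        color[node] = GRAY
        path.append(node)
        for nxt in sorted(graph[node]):
            if color[nxt] == GRAY:  # back edge: nxt is still on the current path
                return path[path.index(nxt):] + [nxt]
            if color[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        color[node] = BLACK
        return []

    for start in sorted(graph):
        if color[start] == WHITE:
            found = visit(start)
            if found:
                return found
    return []


def make_template(source_arn_condition: dict) -> dict:
    """Constructed key / bucket / queue template; only the key policy's aws:SourceArn varies."""
    return {"Resources": {
        "Key": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [{
            "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
            "Condition": {"ArnLike": {"aws:SourceArn": source_arn_condition}},
            "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Resource": "*"}]}}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
            "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
                "KMSMasterKeyID": {"Fn::GetAtt": ["Key", "Arn"]}, "SSEAlgorithm": "aws:kms"}}]}}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": {"Ref": "Key"}}},
        "QueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
            "Queues": [{"Ref": "Queue"}],
            "PolicyDocument": {"Statement": [{
                "Effect": "Allow", "Action": "sqs:SendMessage",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Resource": {"Fn::GetAtt": ["Queue", "Arn"]},
                "Condition": {"ArnLike": {"aws:SourceArn": {"Fn::GetAtt": ["Bucket", "Arn"]}}}}]}}},
        "BucketNotifications": {"Type": "Custom::S3BucketNotifications", "Properties": {
            "BucketName": {"Ref": "Bucket"}, "QueueArn": {"Fn::GetAtt": ["Queue", "Arn"]}},
            "DependsOn": ["QueuePolicy"]}}}


# As rendered in the thread: the key policy points back at the bucket via Fn::GetAtt -> cycle.
CYCLIC_TEMPLATE = make_template({"Fn::GetAtt": ["Bucket", "Arn"]})
# Workaround from the thread: spell the ARN out from a bucket name chosen up front (placeholder name).
FIXED_TEMPLATE = make_template({"Fn::Sub": "arn:${AWS::Partition}:s3:::my-known-bucket-name"})

if __name__ == "__main__":
    for label, tpl in (("cyclic", CYCLIC_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        cycle = find_cycle(dependency_graph(tpl))
        print(f"{label}: {' -> '.join(cycle) if cycle else 'no circular dependency'}")
```

Pointed at the template JSON that `cdk synth` writes under cdk.out, this reports `Bucket -> Key -> Bucket` for the shape above and nothing once the key policy no longer references the bucket resource. Note that the fixed variant trades the cycle for a fixed bucket name; if the name is wrong the condition simply never matches and S3 cannot use the key, so the value should be checked against the deployed bucket.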
Amazing, thank you @peterwoodworth, adding this works:
Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.
I'm submitting a ...
What is the current behavior?
If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
Exception:
Circular dependency between resources: [TestConstructCDKTest25F6C8B9, TestConstructTestQueuePolicy8D6FDA03, TestConstructtestankagbucket1D7F9833, TestConstructtestankagbucketNotifications6A969D21, TestConstructTestQueue9EDE46FC]
s3 notification should be created to sqs without circular dependency exception
What is the motivation / use case for changing the behavior or adding this feature?
This is a bug
Please tell us about your environment:
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)
CDK 0.32 is working fine, but when upgrading to CDK 0.33 we had to introduce a SqsDestination and that's when we started seeing this issue.