
(aws-cdk-lib/aws-s3): Too many BucketPolicy resources defined when defining/attaching BucketPolicy constructs to Buckets #30148

Open
climbertjh2 opened this issue May 10, 2024 · 0 comments
Assignees: khushail
Labels: @aws-cdk/aws-s3 (Related to Amazon S3), bug (This issue is a bug.), needs-reproduction (This issue needs reproduction.)

Comments

@climbertjh2

Describe the bug

Situation:

  • Create two (2) Bucket constructs in a Stack
  • Create two (2) BucketPolicy constructs in the same Stack
  • Identify one of the buckets as an "access logging" bucket for the other bucket.

Result:

  • three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
  • all three wind up getting created when the Stack is deployed
  • two of the three point to the same AWS S3 bucket
  • net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
  • The resulting BucketPolicy does not match what is defined in the CDK application.

Expected Behavior

Expected Behavior is either:

  • a) only the explicitly indicated BucketPolicy is created
  • b) the implicitly created BucketPolicy and the explicitly created BucketPolicy are what are synthesized/deployed
  • c) an error is indicated that the explicit BucketPolicy would NOT be appropriate if it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)

Current Behavior

Result:

  • three (3) AWS::S3::BucketPolicy CloudFormation resources are synthesized
  • all three wind up getting created when the Stack is deployed
  • two of the three point to the same AWS S3 bucket
  • net result is that the "last" BucketPolicy (not the UNION of the BucketPolicy constructs) "wins"
  • The resulting BucketPolicy does not match what is defined in the CDK application.

Reproduction Steps

See above.

Possible Solution

Suggested Behavior:

  • c) an error is indicated that the explicit BucketPolicy is NOT appropriate since it lacks the necessary permissions (in this case, allowing the AWS logging service to be able to write to the identified access logging bucket)

Or a recommendation to use .addToResourcePolicy() rather than creating explicit BucketPolicy constructs.

Additional Information/Context

Sample code can be provided on request.

CDK CLI Version

2.141.0

Framework Version

aws-cdk-lib@2.138.0

Node.js Version

v20.12.2

OS

MacOS

Language

TypeScript

Language Version

typescript@5.3.3

Other information

No response
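As an added illustration (not code from this issue and not part of aws-cdk-lib), here is a post-synth check a team can run over the CloudFormation template that `cdk synth` writes out, to catch the situation the report describes before deployment: more than one `AWS::S3::BucketPolicy` resource targeting the same bucket. Each such resource becomes its own `PutBucketPolicy` call, which replaces the bucket's whole policy, so whichever one CloudFormation applies last wins. The template below is constructed to mirror the described setup (a data bucket logging to a log bucket, an explicit policy on each, plus the policy the library adds for the logging service); the logical ids, statements and the `LogBucketPolicyForLogging` name are assumptions, not what CDK actually emits.

```typescript
// Added example, not from the issue or from aws-cdk-lib.
// Minimal shape of a CloudFormation template as written by `cdk synth`.
interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// Resolve a BucketPolicy's Bucket property to a stable key: the logical id
// behind a { Ref } intrinsic, or the literal bucket name if one was given.
function bucketKey(props: Record<string, unknown> | undefined): string | undefined {
  const bucket = props?.Bucket;
  if (typeof bucket === 'string') return bucket;
  if (bucket !== null && typeof bucket === 'object') {
    const ref = (bucket as Record<string, unknown>).Ref;
    return typeof ref === 'string' ? ref : undefined;
  }
  return undefined;
}

// Group every AWS::S3::BucketPolicy by the bucket it targets and return only
// the buckets that have more than one. Two policies on one bucket means the
// deployed policy is whichever PutBucketPolicy ran last, not their union.
function findDuplicateBucketPolicies(template: CfnTemplate): Record<string, string[]> {
  const byBucket: Record<string, string[]> = {};
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::S3::BucketPolicy') continue;
    const key = bucketKey(res.Properties) ?? `<unresolved:${logicalId}>`;
    (byBucket[key] ??= []).push(logicalId);
  }
  const duplicates: Record<string, string[]> = {};
  for (const [key, ids] of Object.entries(byBucket)) {
    if (ids.length > 1) duplicates[key] = [...ids].sort();
  }
  return duplicates;
}

// The union of Statement arrays across the policies targeting one bucket,
// i.e. what expected behaviour (b) in the issue would have deployed.
function unionStatements(template: CfnTemplate, policyIds: string[]): unknown[] {
  const out: unknown[] = [];
  for (const id of policyIds) {
    const doc = template.Resources[id]?.Properties?.PolicyDocument as
      | { Statement?: unknown[] }
      | undefined;
    for (const stmt of doc?.Statement ?? []) out.push(stmt);
  }
  return out;
}

// Constructed sample template (assumption: logical ids and statements are
// illustrative, not the exact output of aws-cdk-lib).
const sampleTemplate: CfnTemplate = {
  Resources: {
    LogBucket: { Type: 'AWS::S3::Bucket' },
    DataBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: { LoggingConfiguration: { DestinationBucketName: { Ref: 'LogBucket' } } },
    },
    DataBucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'DataBucket' },
        PolicyDocument: {
          Statement: [{ Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: '*',
                        Condition: { Bool: { 'aws:SecureTransport': 'false' } } }],
        },
      },
    },
    // Explicit BucketPolicy construct the application author attached to the log bucket.
    LogBucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'LogBucket' },
        PolicyDocument: {
          Statement: [{ Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: '*',
                        Condition: { Bool: { 'aws:SecureTransport': 'false' } } }],
        },
      },
    },
    // Policy added implicitly so the S3 logging service can write access logs.
    LogBucketPolicyForLogging: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'LogBucket' },
        PolicyDocument: {
          Statement: [{ Effect: 'Allow', Principal: { Service: 'logging.s3.amazonaws.com' },
                        Action: 's3:PutObject', Resource: '*' }],
        },
      },
    },
  },
};

// Stand-alone run: report which buckets would lose statements at deploy time.
const report = findDuplicateBucketPolicies(sampleTemplate);
for (const [bucket, ids] of Object.entries(report)) {
  console.log(`${bucket}: ${ids.length} BucketPolicy resources (${ids.join(', ')}); ` +
              `${unionStatements(sampleTemplate, ids).length} statements in their union`);
}
```

Run it against `cdk.out/<stack>.template.json` after parsing that file with `JSON.parse` in place of `sampleTemplate`; an empty report means every bucket has at most one policy resource, which is the state the `.addToResourcePolicy()` approach from the suggested fix produces.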

@climbertjh2 climbertjh2 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 10, 2024
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label May 10, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels May 10, 2024
@khushail khushail self-assigned this May 10, 2024