Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(aws-s3): "s3: PutBucketPolicy" is added when autoDeleteObjects=True, in CDK Version 2.100 #29873

Closed
khushail opened this issue Apr 17, 2024 · 3 comments
Assignees
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@khushail
Copy link
Contributor

khushail commented Apr 17, 2024

Describe the bug

SIM Ticket - V1347352006

This PR added "s3:PutBucketPolicy" when autoDeleteObjects is set to True in CDK Version 2.100

Expected Behavior

the policy should not be added by default

Current Behavior

creating a bucket with "autoDeleteObject: true" automatically added "s3:PutBucketPolicy".

Reproduction Steps

  1. Run below code with CDK 2.99
    const bucket100 = new s3.Bucket(this, 'Bucket100', {
      versioned: true,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      autoDeleteObjects: true
    });

This policy generated -

  "Bucket": {
    "Ref": "Bucket9970D96479"
   },
   "PolicyDocument": {
    "Statement": [
     {
      "Action": [
       "s3:DeleteObject*",
       "s3:GetBucket*",
       "s3:List*"
      ],
      "Effect": "Allow",
      "Principal": {
       "AWS": {
        "Fn::GetAtt": [
         "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
         "Arn"
        ]
       }
      },
  1. npm uninstall -g aws-cdk
  2. npm cache clean --force
  3. npm install -g aws-cdk@2.100
  4. Run above code and do 'cdk synth'
  5. Policy generated -
"Bucket": {
     "Ref": "Bucket1000EAAE573"
    },
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:DeleteObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:PutBucketPolicy"
       ],
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::GetAtt": [
          "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
          "Arn"
         ]
        }

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.100

Framework Version

No response

Node.js Version

na

OS

mac

Language

TypeScript

Language Version

No response

Other information

No response

@khushail khushail added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 17, 2024
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Apr 17, 2024
@khushail khushail added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 17, 2024
@SankyRed SankyRed self-assigned this May 6, 2024
@SankyRed
Copy link
Contributor

SankyRed commented May 8, 2024

@khushail After discussing with the team, it's clear that adding the new s3:PutBucketPolicy is not a breaking change. In fact, it'll help us tackle some problems with race conditions while we're cleaning up s3 buckets. We just need to update the documentation to let the community know about this policy.

mergify bot pushed a commit that referenced this issue May 10, 2024
…ects` (#30096)

### Issue # (if applicable)
[29873](#29873)



### Description of changes
This the documentation update to notify users that upon setting the `autoDeleteObjects` to `true` we would also add a new policy `s3:PutBucketPolicy` to handle race conditions.

### Checklist
-  [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

No branches or pull requests

4 participants