docs: update note on downtime during migration #31307

Merged: 2 commits, Sep 4, 2024


@gracelu0 gracelu0 commented Sep 3, 2024

update note on downtime, 2-step deployment should not cause any downtime

@aws-cdk-automation aws-cdk-automation requested a review from a team September 3, 2024 20:40
@github-actions github-actions bot added the p2 label Sep 3, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 3, 2024
@@ -494,7 +494,8 @@ The following changes will take place:
No, following the migration steps does not cause any replacement of the existing `AWS::CloudFront::Distribution`, `AWS::S3::Bucket` nor `AWS::S3::BucketPolicy` resources. It will modify the bucket policy, create a `AWS::CloudFront::OriginAccessControl` resource, and delete the existing `AWS::CloudFront::CloudFrontOriginAccessIdentity`.

**Will migrating from OAI to OAC have any availability implications for my application?**
While the above steps follow the order recommended by CloudFront, updates to CloudFront distributions and S3 bucket policies can take some time to propagate globally. Bucket configuration updates are eventually consistent. As such, you should be aware there is a possibility of downtime.

Migrating from OAI to OAC following the steps above (requires a 2-step deployment) should not cause any downtime. However, if you decide to skip Step 1 and migrate to OAC in a single deployment, you should be aware there is a possibility of downtime.
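Review bot: the new answer paragraph ("Migrating from OAI to OAC following the steps above ...") drops the reason carried by the sentence above it, that distribution and bucket policy updates are eventually consistent, so the reader is told that skipping Step 1 risks downtime but not why. Keep one clause on eventual consistency next to the single-deployment warning. The parenthetical "(requires a 2-step deployment)" also reads as if it qualifies "the steps above"; "Following the 2-step deployment described above should not cause any downtime" is clearer.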
Contributor

Suggested change
Migrating from OAI to OAC following the steps above (requires a 2-step deployment) should not cause any downtime. However, if you decide to skip Step 1 and migrate to OAC in a single deployment, you should be aware there is a possibility of downtime.
Updates to Bucket Policies are eventually consistent, therefore, removing OAI permissions and adding OAC in the same CloudFormation stack deployment is not recommended as it may introduce downtime where CloudFront loses access to the Bucket. Following the steps above will lower this risk ask the Bucket Policy is updated to have both OAI and OAC permissions, then in a subsequent deployment, the OAI permissions are removed.
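Review bot: typo in the second sentence of the suggested text, "will lower this risk ask the Bucket Policy is updated" should read "as the Bucket Policy is updated". The first sentence is also a comma splice around "therefore"; splitting it after "eventually consistent" makes the recommendation against a single-stack deployment easier to find.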

Contributor Author


I like that the suggestion is more nuanced - updated the answer :)

@gracelu0 gracelu0 merged commit 9377b09 into aws:gracelu0/s3-oac-l2 Sep 4, 2024
7 checks passed

github-actions bot commented Sep 4, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 4, 2024