Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Fixed Bucket Policy chain dependency with Public Access Block #227

Merged
merged 4 commits into from
Apr 28, 2023
Merged

fix: Fixed Bucket Policy chain dependency with Public Access Block #227

merged 4 commits into from
Apr 28, 2023

Conversation

Jean717p
Copy link
Contributor

@Jean717p Jean717p commented Apr 26, 2023
edited
Loading

Description

Following AWS update of April 2023 for S3 Bucket Public Access Block default values for resources created via api calls, buckets are now created with block all public access enabled by default.

Motivation and Context

If a bucket is created with a public read policy, it will incur in 403 Access Denied caused by block all public access enabled at bucket creation, with the previous dependency chain the bucket policy gets created before the block all public access block.

Example of public read bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadBucketPolicy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket_name/*"
        }
    ]
}

Inverting the dependency chain between aws_s3_bucket_policy.this and aws_s3_bucket_public_access_block.this will solve this issue.

Example to reproduce the issue

# https://github.com/terraform-aws-modules/terraform-aws-s3-bucket
module "s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket                               = "dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce-pr227"
  attach_policy                        = true
  attach_require_latest_tls_policy     = true
  block_public_acls                    = true
  block_public_policy                  = false # Not updated before bucket policy due to current chain dependency
  restrict_public_buckets              = false # Not updated before bucket policy due to current chain dependency
  force_destroy                        = true
  ignore_public_acls                   = true
  policy                               = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadBucketPolicy",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3::dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce-pr227/*"
      }
    ]
  })
}

Obtained error

module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.aws_s3_bucket.this[0]: Creating...
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.aws_s3_bucket.this[0]: Creation complete after 3s [id=dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce-pr227]
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.data.aws_iam_policy_document.require_latest_tls[0]: Reading...
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.data.aws_iam_policy_document.require_latest_tls[0]: Read complete after 0s [id=3386508698]
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.data.aws_iam_policy_document.combined[0]: Reading...
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=3075998097]
module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.aws_s3_bucket_policy.this[0]: Creating...
╷
│ Error: Error putting S3 policy: AccessDenied: Access Denied
│       status code: 403, request id: <REDACTED>, host id: <REDACTED>
│
│   with module.s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce.aws_s3_bucket_policy.this[0],
│   on .terraform/modules/s3-dd6271fee6c7c15a5dfa2041aef5f9e6de89b5ce/main.tf line 512, in resource "aws_s3_bucket_policy" "this":
│  512: resource "aws_s3_bucket_policy" "this" {
│
╵

Breaking Changes

How Has This Been Tested?

  • I have provided at least one example in the PR to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have tested and validated these changes in aws cloud
  • I have executed pre-commit run -a on my pull request

@stefan-matic
Copy link

+1

@matheusmazzoni
Copy link

Hello Guys, when will it be merged?

@antonbabenko
Copy link
Member

Please provide the complete code snippet which reproduces the bug so that I can run it locally and experience the problem.

@Jean717p Jean717p force-pushed the fix-bucket-policy-chain-dependency branch from 343c7c8 to d286df1 Compare April 27, 2023 19:25
@Jean717p
Copy link
Contributor Author

Please provide the complete code snippet which reproduces the bug so that I can run it locally and experience the problem.

@antonbabenko
PR updated with example and error.
Best

@antonbabenko antonbabenko merged commit fa19074 into terraform-aws-modules:master Apr 28, 2023
@antonbabenko
Copy link
Member

Thank you for the PR, @Jean717p !

antonbabenko pushed a commit that referenced this pull request Apr 28, 2023
@semantic-release-bot
chore(release): version 3.10.1 [skip ci]
96226df 
### [3.10.1](v3.10.0...v3.10.1) (2023-04-28)

### Bug Fixes

* Fixed Bucket Policy chain dependency with Public Access Block ([#227](#227)) ([fa19074](fa19074))
@antonbabenko
Copy link
Member

This PR is included in version 3.10.1 🎉

@martinfarmer
Copy link

FYI - With this version, I now see a cycle error

│ Error: Cycle: module.test-basic-vpc.module.dns-query-logs-s3-bucket.module.s3_bucket.aws_s3_bucket_public_access_block.this[0], module.test-basic-vpc.module.dns-query-logs-s3-bucket.module.s3_bucket.aws_s3_bucket_policy.this[0]

it appears that the aws_s3_bucket_public_access_block and the s3_bucket.aws_s3_bucket_policy have a cyclic dependency

@Dr0p42
Copy link

Dr0p42 commented May 12, 2023

Thank you @Jean717p 👏

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@matheusmazzoni matheusmazzoni matheusmazzoni approved these changes

@stefan-matic stefan-matic stefan-matic approved these changes

@antonbabenko antonbabenko antonbabenko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@Jean717p @stefan-matic @matheusmazzoni @antonbabenko @martinfarmer @Dr0p42 @cageyv @semantic-release-bot