fix(s3-deployment): doesn't work in ADC regions (#25363)

The AWS CLI that we use to run `aws s3 sync` comes with its own certificate bundle, which doesn't include the certificates used in ADC regions. Fortunately, Lambda has curated a CA bundle already, we just need to force the CLI to use it. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 3, 2023 · 432af34 · 432af34
1 parent 8c0de6d
commit 432af34
Show file tree

Hide file tree

Showing 37 changed files with 224 additions and 107 deletions.
diff --git a/...ic-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.assets.json b/...ic-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.assets.json
@@ -53,15 +53,15 @@
         }
       }
     },
-    "f30f5d2688dbc7b1ebba16623b198fd11257f447cb2d01e5325ebad5bfb206d8": {
+    "700b33b613fbd899489f08c591ff8e002d433573bc48eca4a106e66109f3087f": {
       "source": {
         "path": "aws-cdk-codepipeline-elastic-beanstalk-deploy.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "f30f5d2688dbc7b1ebba16623b198fd11257f447cb2d01e5325ebad5bfb206d8.json",
+          "objectKey": "700b33b613fbd899489f08c591ff8e002d433573bc48eca4a106e66109f3087f.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.template.json b/...-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.template.json
@@ -326,6 +326,11 @@
       "Arn"
      ]
     },
+    "Environment": {
+     "Variables": {
+      "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+     }
+    },
     "Handler": "index.handler",
     "Layers": [
      {

diff --git a/...depipeline-actions/test/integ.pipeilne-elastic-beanstalk-deploy.js.snapshot/manifest.json b/...depipeline-actions/test/integ.pipeilne-elastic-beanstalk-deploy.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f30f5d2688dbc7b1ebba16623b198fd11257f447cb2d01e5325ebad5bfb206d8.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/700b33b613fbd899489f08c591ff8e002d433573bc48eca4a106e66109f3087f.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

diff --git a/...s-codepipeline-actions/test/integ.pipeilne-elastic-beanstalk-deploy.js.snapshot/tree.json b/...s-codepipeline-actions/test/integ.pipeilne-elastic-beanstalk-deploy.js.snapshot/tree.json
@@ -508,6 +508,11 @@
                         "Arn"
                       ]
                     },
+                    "environment": {
+                      "variables": {
+                        "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+                      }
+                    },
                     "handler": "index.handler",
                     "layers": [
                       {

diff --git a/...-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/aws-ecs-integ.assets.json b/...-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/aws-ecs-integ.assets.json
@@ -66,15 +66,15 @@
         }
       }
     },
-    "8aa5759f14144b0e926e1a721b0d46e3703a8858ef439535708bc694c4388650": {
+    "1a9bbcda71c448921127f084fce2798f586bec7ad012007e06ea6a63ef8cdefc": {
       "source": {
         "path": "aws-ecs-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "8aa5759f14144b0e926e1a721b0d46e3703a8858ef439535708bc694c4388650.json",
+          "objectKey": "1a9bbcda71c448921127f084fce2798f586bec7ad012007e06ea6a63ef8cdefc.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...nteg/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/aws-ecs-integ.template.json b/...nteg/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/aws-ecs-integ.template.json
@@ -1298,6 +1298,11 @@
       "Arn"
      ]
     },
+    "Environment": {
+     "Variables": {
+      "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+     }
+    },
     "Handler": "index.handler",
     "Layers": [
      {

diff --git a/...ng/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/manifest.json b/...ng/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8aa5759f14144b0e926e1a721b0d46e3703a8858ef439535708bc694c4388650.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1a9bbcda71c448921127f084fce2798f586bec7ad012007e06ea6a63ef8cdefc.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

diff --git a/...esting/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/tree.json b/...esting/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/tree.json
@@ -2092,6 +2092,11 @@
                         "Arn"
                       ]
                     },
+                    "environment": {
+                      "variables": {
+                        "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+                      }
+                    },
                     "handler": "index.handler",
                     "layers": [
                       {

diff --git a/.../test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/manifest.json b/.../test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bbd88d83102b3e32b899afe0d87246311679398907317a82708147a774e14faf.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/95bddee0ddc3585e4b7e3eb6a1676f7a96abb59a75d7d9b0631ffa6d30996d20.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

diff --git a/...test/integ.bucket-deployment-cloudfront.js.snapshot/test-bucket-deployments-1.assets.json b/...test/integ.bucket-deployment-cloudfront.js.snapshot/test-bucket-deployments-1.assets.json
@@ -53,15 +53,15 @@
         }
       }
     },
-    "bbd88d83102b3e32b899afe0d87246311679398907317a82708147a774e14faf": {
+    "95bddee0ddc3585e4b7e3eb6a1676f7a96abb59a75d7d9b0631ffa6d30996d20": {
       "source": {
         "path": "test-bucket-deployments-1.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "bbd88d83102b3e32b899afe0d87246311679398907317a82708147a774e14faf.json",
+          "objectKey": "95bddee0ddc3585e4b7e3eb6a1676f7a96abb59a75d7d9b0631ffa6d30996d20.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...st/integ.bucket-deployment-cloudfront.js.snapshot/test-bucket-deployments-1.template.json b/...st/integ.bucket-deployment-cloudfront.js.snapshot/test-bucket-deployments-1.template.json
@@ -385,6 +385,11 @@
       "Arn"
      ]
     },
+    "Environment": {
+     "Variables": {
+      "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+     }
+    },
     "Handler": "index.handler",
     "Layers": [
      {

diff --git a/...nteg/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/tree.json b/...nteg/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/tree.json
@@ -579,6 +579,11 @@
                         "Arn"
                       ]
                     },
+                    "environment": {
+                      "variables": {
+                        "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+                      }
+                    },
                     "handler": "index.handler",
                     "layers": [
                       {

diff --git a/...ent/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.assets.json b/...ent/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.assets.json
@@ -14,15 +14,15 @@
         }
       }
     },
-    "2bc265c5e0569aeb24a6349c15bd54e76e845892376515e036627ab0cc70bb64": {
+    "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd": {
       "source": {
-        "path": "asset.2bc265c5e0569aeb24a6349c15bd54e76e845892376515e036627ab0cc70bb64",
+        "path": "asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd",
         "packaging": "zip"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "2bc265c5e0569aeb24a6349c15bd54e76e845892376515e036627ab0cc70bb64.zip",
+          "objectKey": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
@@ -79,15 +79,15 @@
         }
       }
     },
-    "2961e8222a48394849f4466d2789ae256aa88adc4ccbf79feb35306b850c08dc": {
+    "6c07fbb89bbff6b2b1c4ddd3e1d445bc5b965519deab9fa8e860ccd5312df197": {
       "source": {
         "path": "TestBucketDeploymentContent.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "2961e8222a48394849f4466d2789ae256aa88adc4ccbf79feb35306b850c08dc.json",
+          "objectKey": "6c07fbb89bbff6b2b1c4ddd3e1d445bc5b965519deab9fa8e860ccd5312df197.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...t/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.template.json b/...t/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.template.json
@@ -220,14 +220,19 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "2bc265c5e0569aeb24a6349c15bd54e76e845892376515e036627ab0cc70bb64.zip"
+     "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip"
     },
     "Role": {
      "Fn::GetAtt": [
       "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265",
       "Arn"
      ]
     },
+    "Environment": {
+     "Variables": {
+      "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+     }
+    },
     "Handler": "index.handler",
     "Layers": [
      {

diff --git a/...6e845892376515e036627ab0cc70bb64/index.py → ...21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/...6e845892376515e036627ab0cc70bb64/index.py → ...21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py
@@ -22,13 +22,17 @@
 ENV_KEY_MOUNT_PATH = "MOUNT_PATH"
 ENV_KEY_SKIP_CLEANUP = "SKIP_CLEANUP"
 
+AWS_CLI_CONFIG_FILE = "/tmp/aws_cli_config"
 CUSTOM_RESOURCE_OWNER_TAG = "aws-cdk:cr-owned"
 
+os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE)
+
 def handler(event, context):
 
     def cfn_error(message=None):
         logger.error("| cfn_error: %s" % message)
-        cfn_send(event, context, CFN_FAILED, reason=message)
+        cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None))
+
 
     try:
         # We are not logging ResponseURL as this is a pre-signed S3 URL, and could be used to tamper
@@ -57,6 +61,7 @@ def cfn_error(message=None):
             prune               = props.get('Prune', 'true').lower() == 'true'
             exclude             = props.get('Exclude', [])
             include             = props.get('Include', [])
+            sign_content        = props.get('SignContent', 'false').lower() == 'true'
 
             # backwards compatibility - if "SourceMarkers" is not specified,
             # assume all sources have an empty market map
@@ -75,6 +80,12 @@ def cfn_error(message=None):
             cfn_error("missing request resource property %s. props: %s" % (str(e), props))
             return
 
+        # configure aws cli options after resetting back to the defaults for each request
+        if os.path.exists(AWS_CLI_CONFIG_FILE):
+                os.remove(AWS_CLI_CONFIG_FILE)
+        if sign_content:
+                aws_command("configure", "set", "default.s3.payload_signing_enabled", "true")
+
         # treat "/" as if no prefix was specified
         if dest_bucket_prefix == "/":
             dest_bucket_prefix = ""

diff --git a/...-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/manifest.json b/...-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2961e8222a48394849f4466d2789ae256aa88adc4ccbf79feb35306b850c08dc.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6c07fbb89bbff6b2b1c4ddd3e1d445bc5b965519deab9fa8e860ccd5312df197.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [