CloudTrail missing DependsOn and /* , cdk deploy fails Incorrect S3 bucket policy is detected for bucket #1172

Closed
ygoodmn opened this issue Nov 14, 2018 · 2 comments · Fixed by #1268
Labels: @aws-cdk/aws-cloudtrail (Related to AWS CloudTrail), bug (This issue is a bug.)

Comments

ygoodmn commented Nov 14, 2018

Steps to recreate:

CDK version 0.17.0 Typescript

import cloudtrail = require('@aws-cdk/aws-cloudtrail');

// Inside the stack constructor: a single-region trail with the defaults
// (the construct creates the S3 bucket and its bucket policy itself).
const isMultiregion: boolean = false;
new cloudtrail.CloudTrail(this, 'CloudTrail', {
    isMultiRegionTrail: isMultiregion,
});

Produces template: (was unable to get Yaml in Preview, sorry)

Resources:
  CloudTrailS310CD22F2:
    Type: AWS::S3::Bucket
  CloudTrailS3PolicyEA49A03E:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: CloudTrailS310CD22F2
      PolicyDocument:
        Statement:
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::GetAtt:
                - CloudTrailS310CD22F2
                - Arn
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - CloudTrailS310CD22F2
                      - Arn
                  - //AWSLogs/
                  - Ref: AWS::AccountId
        Version: "2012-10-17"
  CloudTrailA62D711D:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName:
        Ref: CloudTrailS310CD22F2
      EnableLogFileValidation: true
      EventSelectors:
        []
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: false
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: "@aws-cdk/aws-cloudtrail=0.17.0,@aws-cdk/aws-cloudwatch=0.17.0,@aws-cdk\
        /aws-codepipeline-api=0.17.0,@aws-cdk/aws-events=0.17.0,@aws-cdk/aws-ia\
        m=0.17.0,@aws-cdk/aws-kms=0.17.0,@aws-cdk/aws-logs=0.17.0,@aws-cdk/aws-\
        s3=0.17.0,@aws-cdk/aws-s3-notifications=0.17.0,@aws-cdk/cdk=0.17.0,@aws\
        -cdk/cx-api=0.17.0,cdk=0.1.0"

Run cdk deploy, get:

C:\Users\\smsAdminStack\cdk>cdk deploy
CloudTrail: deploying...
CloudTrail: creating CloudFormation changeset...
 0/5 | 16:07:25 | CREATE_IN_PROGRESS   | AWS::S3::Bucket        | CloudTrail/S3 (CloudTrailS310CD22F2)
 0/5 | 16:07:26 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata     | CDKMetadata
 0/5 | 16:07:26 | CREATE_IN_PROGRESS   | AWS::S3::Bucket        | CloudTrail/S3 (CloudTrailS310CD22F2) Resource creation Initiated
 0/5 | 16:07:28 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata     | CDKMetadata Resource creation Initiated
 1/5 | 16:07:28 | CREATE_COMPLETE      | AWS::CDK::Metadata     | CDKMetadata 
 2/5 | 16:07:47 | CREATE_COMPLETE      | AWS::S3::Bucket        | CloudTrail/S3 (CloudTrailS310CD22F2) 
 2/5 | 16:07:48 | CREATE_IN_PROGRESS   | AWS::CloudTrail::Trail | CloudTrail (CloudTrailA62D711D)
 2/5 | 16:07:49 | CREATE_IN_PROGRESS   | AWS::S3::BucketPolicy  | CloudTrail/S3/Policy (CloudTrailS3PolicyEA49A03E)
 3/5 | 16:07:49 | CREATE_FAILED        | AWS::CloudTrail::Trail | CloudTrail (CloudTrailA62D711D) Incorrect S3 bucket policy is detected for bucket: cloudtrail-cloudtrails310cd22f2-18sviepxu2b7u (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException; Request ID: bde49b36-171e-470b-9a41-8d1bb869f984)
        new CloudTrail (C:\Users\\smsAdminStack\cdk\node_modules\@aws-cdk\aws-cloudtrail\lib\index.js:84:23)
        \_ new CloudTrailStack (C:\Users\\smsAdminStack\cdk\bin\cloudTrailStack.js:14:9)
        \_ Object.<anonymous> (C:\Users\\smsAdminStack\cdk\bin\cdk.js:14:1)
        \_ Module._compile (module.js:653:30)
        \_ Object.Module._extensions..js (module.js:664:10)
        \_ Module.load (module.js:566:32)
        \_ tryModuleLoad (module.js:506:12)
        \_ Function.Module._load (module.js:498:3)
        \_ Function.Module.runMain (module.js:694:10)
        \_ startup (bootstrap_node.js:204:16)
        \_ bootstrap_node.js:625:3
 4/5 | 16:07:50 | CREATE_FAILED        | AWS::S3::BucketPolicy  | CloudTrail/S3/Policy (CloudTrailS3PolicyEA49A03E) Resource creation cancelled
        new BucketPolicy (C:\Users\\\smsAdminStack\cdk\node_modules\@aws-cdk\aws-s3\lib\bucket-policy.js:21:9)
        \_ Bucket.addToResourcePolicy (C:\Users\\\smsAdminStack\cdk\node_modules\@aws-cdk\aws-s3\lib\bucket.js:79:27)
        \_ new CloudTrail (C:\Users\\\smsAdminStack\cdk\node_modules\@aws-cdk\aws-cloudtrail\lib\index.js:55:18)
        \_ new CloudTrailStack (C:\Users\\\smsAdminStack\cdk\bin\cloudTrailStack.js:14:9)
        \_ Object.<anonymous> (C:\Users\\\smsAdminStack\cdk\bin\cdk.js:14:1)
        \_ Module._compile (module.js:653:30)
        \_ Object.Module._extensions..js (module.js:664:10)
        \_ Module.load (module.js:566:32)
        \_ tryModuleLoad (module.js:506:12)
        \_ Function.Module._load (module.js:498:3)
        \_ Function.Module.runMain (module.js:694:10)
        \_ startup (bootstrap_node.js:204:16)
        \_ bootstrap_node.js:625:3
 4/5 | 16:07:51 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | CloudTrail The following resource(s) failed to create: [CloudTrailA62D711D, CloudTrailS3PolicyEA49A03E]. . Rollback requested by user.
 5/5 | 16:08:20 | DELETE_COMPLETE      | AWS::CloudTrail::Trail | CloudTrail (CloudTrailA62D711D) 
 5/5 | 16:08:20 | DELETE_IN_PROGRESS   | AWS::CDK::Metadata     | CDKMetadata
 5/5 | 16:08:20 | DELETE_IN_PROGRESS   | AWS::S3::BucketPolicy  | CloudTrail/S3/Policy (CloudTrailS3PolicyEA49A03E)
 6/5 | 16:08:21 | DELETE_COMPLETE      | AWS::S3::BucketPolicy  | CloudTrail/S3/Policy (CloudTrailS3PolicyEA49A03E) 
 7/5 | 16:08:22 | DELETE_COMPLETE      | AWS::CDK::Metadata     | CDKMetadata 
 7/5 | 16:08:22 | DELETE_IN_PROGRESS   | AWS::S3::Bucket        | CloudTrail/S3 (CloudTrailS310CD22F2)
 8/5 | 16:08:24 | DELETE_COMPLETE      | AWS::S3::Bucket        | CloudTrail/S3 (CloudTrailS310CD22F2) 
 9/5 | 16:08:24 | ROLLBACK_COMPLETE    | AWS::CloudFormation::Stack | CloudTrail 

 ❌  CloudTrail failed: Error: The stack named CloudTrail failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
The stack named CloudTrail failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE

ygoodmn commented Nov 14, 2018

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html

Shows the following. Trying to understand whether the "/*" is missing, there is an extra "/", or it is something else:

BucketPolicy: 
      Type: AWS::S3::BucketPolicy
      Properties: 
        Bucket: 
          Ref: S3Bucket
        PolicyDocument: 
          Version: "2012-10-17"
          Statement: 
            - 
              Sid: "AWSCloudTrailAclCheck"
              Effect: "Allow"
              Principal: 
                Service: "cloudtrail.amazonaws.com"
              Action: "s3:GetBucketAcl"
              Resource: 
                !Sub |-
                  arn:aws:s3:::${S3Bucket}
            - 
              Sid: "AWSCloudTrailWrite"
              Effect: "Allow"
              Principal: 
                Service: "cloudtrail.amazonaws.com"
              Action: "s3:PutObject"
              Resource:
                !Sub |-
                  arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
              Condition: 
                StringEquals:
                  s3:x-amz-acl: "bucket-owner-full-control"


ygoodmn commented Nov 14, 2018

After some testing I think it is the DependsOn that is missing,

as a manual deploy of the below worked:

Resources:
  CloudTrailS310CD22F2:
    Type: AWS::S3::Bucket
  CloudTrailS3PolicyEA49A03E:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: CloudTrailS310CD22F2
      PolicyDocument:
        Statement:
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub arn:aws:s3:::${CloudTrailS310CD22F2}
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub arn:aws:s3:::${CloudTrailS310CD22F2}/AWSLogs/${AWS::AccountId}/*
        Version: "2012-10-17"
  CloudTrailA62D711D:
    DependsOn:
    - CloudTrailS3PolicyEA49A03E
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName:
        Ref: CloudTrailS310CD22F2
      EnableLogFileValidation: true
      EventSelectors:
        []
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: false
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: "@aws-cdk/aws-cloudtrail=0.17.0,@aws-cdk/aws-cloudwatch=0.17.0,@aws-cdk\
        /aws-codepipeline-api=0.17.0,@aws-cdk/aws-events=0.17.0,@aws-cdk/aws-ia\
        m=0.17.0,@aws-cdk/aws-kms=0.17.0,@aws-cdk/aws-logs=0.17.0,@aws-cdk/aws-\
        s3=0.17.0,@aws-cdk/aws-s3-notifications=0.17.0,@aws-cdk/cdk=0.17.0,@aws\
        -cdk/cx-api=0.17.0,cdk=0.1.0"

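As an added example, not code from this issue or from the aws-cdk project: a small TypeScript check that takes a synthesized CloudFormation template and reports the two defects this thread identifies, a CloudTrail bucket policy whose s3:PutObject resource is not `<bucket-arn>/AWSLogs/<account>/*` (the `//AWSLogs/` join without `/*` from the 0.17.0 output in the first comment) and a Trail that does not DependsOn its bucket policy (the fix in the comment above). The two templates are reconstructed inline from this page; the bucket name, account id and all function names are placeholders and assumptions of this example. It resolves only the intrinsics those templates use (Ref, Fn::GetAtt, Fn::Join, the string form of Fn::Sub).

```typescript
// Added example, not from the issue or aws-cdk: lint a template for the two defects above.
type Json = any;

const BUCKET_NAME = "example-trail-bucket"; // placeholder value, an assumption
const ACCOUNT_ID = "123456789012";          // placeholder value, an assumption

const asList = (x: Json): Json[] => (x === undefined ? [] : Array.isArray(x) ? x : [x]);

// Resolve the intrinsics used in the templates on this page (Ref, Fn::GetAtt,
// Fn::Join, string-form Fn::Sub) to a concrete string so ARNs can be compared.
function resolve(node: Json, tpl: Json): string {
  if (typeof node === "string") return node;
  if ("Ref" in node) {
    const r: string = node.Ref;
    if (r === "AWS::AccountId") return ACCOUNT_ID;
    if (tpl.Resources[r]?.Type === "AWS::S3::Bucket") return BUCKET_NAME;
    throw new Error("unsupported Ref: " + r);
  }
  if ("Fn::GetAtt" in node) {
    const [logicalId, attr] = node["Fn::GetAtt"];
    if (attr === "Arn" && tpl.Resources[logicalId]?.Type === "AWS::S3::Bucket") {
      return "arn:aws:s3:::" + BUCKET_NAME;
    }
    throw new Error("unsupported GetAtt: " + logicalId + "." + attr);
  }
  if ("Fn::Join" in node) {
    const [delimiter, parts] = node["Fn::Join"];
    return parts.map((p: Json) => resolve(p, tpl)).join(delimiter);
  }
  if ("Fn::Sub" in node) {
    return String(node["Fn::Sub"]).replace(/\$\{([^}]+)\}/g,
      (_m: string, name: string) => resolve({ Ref: name }, tpl));
  }
  throw new Error("unsupported intrinsic: " + JSON.stringify(node));
}

// Returns human-readable problems; an empty list means the template is fine.
function checkTrailTemplate(tpl: Json): string[] {
  const problems: string[] = [];
  const res = tpl.Resources;
  const bucketArn = "arn:aws:s3:::" + BUCKET_NAME;
  const wantWrite = bucketArn + "/AWSLogs/" + ACCOUNT_ID + "/*";
  const fromTrail = (s: Json) =>
    s.Effect === "Allow" && s.Principal?.Service === "cloudtrail.amazonaws.com";
  const resourcesOf = (s: Json): string[] => asList(s.Resource).map((r) => resolve(r, tpl));
  for (const trailId of Object.keys(res).filter((k) => res[k].Type === "AWS::CloudTrail::Trail")) {
    const trail = res[trailId];
    const bucketId: string = trail.Properties.S3BucketName.Ref;
    const policyId = Object.keys(res).filter((k) =>
      res[k].Type === "AWS::S3::BucketPolicy" && res[k].Properties.Bucket.Ref === bucketId)[0];
    if (policyId === undefined) {
      problems.push(trailId + ": no AWS::S3::BucketPolicy attached to " + bucketId);
      continue;
    }
    // Nothing orders the Trail after the policy unless the Trail declares DependsOn,
    // and CloudTrail validates the bucket policy when the trail is created.
    if (asList(trail.DependsOn).indexOf(policyId) === -1) {
      problems.push(trailId + ": missing DependsOn " + policyId +
        " (trail may be created before the bucket policy exists)");
    }
    const stmts = asList(res[policyId].Properties.PolicyDocument.Statement);
    const aclOk = stmts.some((s) => fromTrail(s) &&
      asList(s.Action).indexOf("s3:GetBucketAcl") !== -1 && resourcesOf(s).indexOf(bucketArn) !== -1);
    if (!aclOk) problems.push(policyId + ": no s3:GetBucketAcl grant to cloudtrail.amazonaws.com on " + bucketArn);
    const putStmts = stmts.filter((s) => fromTrail(s) && asList(s.Action).indexOf("s3:PutObject") !== -1);
    const putResources = putStmts.reduce((acc: string[], s) => acc.concat(resourcesOf(s)), [] as string[]);
    const writeOk = putStmts.some((s) =>
      s.Condition?.StringEquals?.["s3:x-amz-acl"] === "bucket-owner-full-control" &&
      resourcesOf(s).indexOf(wantWrite) !== -1);
    if (!writeOk) problems.push(policyId + ": s3:PutObject must cover " + wantWrite +
      " with s3:x-amz-acl=bucket-owner-full-control; found [" + putResources.join(", ") + "]");
  }
  return problems;
}

// Constructed sample: the shape cdk 0.17.0 synthesized in the report (Fn::Join
// yields "<bucket-arn>//AWSLogs/<account>" with no "/*", and the Trail has no DependsOn).
const GENERATED_BY_CDK_0_17: Json = { Resources: {
  CloudTrailS310CD22F2: { Type: "AWS::S3::Bucket" },
  CloudTrailS3PolicyEA49A03E: { Type: "AWS::S3::BucketPolicy", Properties: {
    Bucket: { Ref: "CloudTrailS310CD22F2" },
    PolicyDocument: { Version: "2012-10-17", Statement: [
      { Action: "s3:GetBucketAcl", Effect: "Allow", Principal: { Service: "cloudtrail.amazonaws.com" },
        Resource: { "Fn::GetAtt": ["CloudTrailS310CD22F2", "Arn"] } },
      { Action: "s3:PutObject", Effect: "Allow", Principal: { Service: "cloudtrail.amazonaws.com" },
        Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" } },
        Resource: { "Fn::Join": ["", [{ "Fn::GetAtt": ["CloudTrailS310CD22F2", "Arn"] },
                                      "//AWSLogs/", { Ref: "AWS::AccountId" }]] } },
    ] } } },
  CloudTrailA62D711D: { Type: "AWS::CloudTrail::Trail",
    Properties: { IsLogging: true, S3BucketName: { Ref: "CloudTrailS310CD22F2" } } },
} };

// The reporter's hand-fixed version: "/AWSLogs/<account>/*" via Fn::Sub, plus DependsOn.
const HAND_FIXED: Json = JSON.parse(JSON.stringify(GENERATED_BY_CDK_0_17));
HAND_FIXED.Resources.CloudTrailS3PolicyEA49A03E.Properties.PolicyDocument.Statement[1].Resource =
  { "Fn::Sub": "arn:aws:s3:::${CloudTrailS310CD22F2}/AWSLogs/${AWS::AccountId}/*" };
HAND_FIXED.Resources.CloudTrailA62D711D.DependsOn = ["CloudTrailS3PolicyEA49A03E"];
```

Running `checkTrailTemplate(GENERATED_BY_CDK_0_17)` reports the missing DependsOn and a PutObject resource of `arn:aws:s3:::example-trail-bucket//AWSLogs/123456789012`, which is why CloudTrail rejects the bucket with InsufficientS3BucketPolicyException; `checkTrailTemplate(HAND_FIXED)` returns no problems. The check is deliberately strict on the `bucket-owner-full-control` condition so that a policy which only "works" by granting an unconditioned PutObject is not accepted as a fix.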
@ygoodmn changed the title from "CloudTrail , cdk deploy fails Incorrect S3 bucket policy is detected for bucket" to "CloudTrail missing DependsOn and /* , cdk deploy fails Incorrect S3 bucket policy is detected for bucket" on Nov 14, 2018
@rix0rrr added the labels bug (This issue is a bug.) and @aws-cdk/aws-cloudtrail (Related to AWS CloudTrail) on Nov 19, 2018