Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(servicecatalog): product stack asset bucket with forced encryption #26303

Conversation

wolanlu
Copy link
Contributor

@wolanlu wolanlu commented Jul 10, 2023

Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied).

Expected Behavior
I would expect that assets will be encrypted when the asset bucket has encryption enabled.

Current Behavior
Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings.

Possible Solution
This PR is a possible solution in which user would provide additional property serverSideEncryption along with encryption key serverSideEncryptionAwsKmsKeyId which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach.

Closes #26302.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

wolanlu added 3 commits July 5, 2023 14:04
~/apg/aws-cdk/packages/aws-cdk-lib/aws-servicecatalog/test/product-stack.test.ts
 - Warning:(25, 5) Comma expression
 - Warning:(184, 5) Comma expression
~/apg/aws-cdk/packages/aws-cdk-lib/aws-servicecatalog/lib/private/product-stack-synthesizer.ts
 - Warning:(55, 11) Local variable 'physicalName' is redundant
@gitpod-io
Copy link

gitpod-io bot commented Jul 10, 2023

@github-actions github-actions bot added bug This issue is a bug. p2 labels Jul 10, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team July 10, 2023 09:54
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Jul 10, 2023
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@wolanlu wolanlu changed the title Bugfix/product stack asset bucket with forced encryption Bugfix(aws-servicecatalog): product stack asset bucket with forced encryption Jul 10, 2023
@wolanlu wolanlu changed the title Bugfix(aws-servicecatalog): product stack asset bucket with forced encryption fix(aws-servicecatalog): product stack asset bucket with forced encryption Jul 10, 2023
@wolanlu wolanlu changed the title fix(aws-servicecatalog): product stack asset bucket with forced encryption fix(servicecatalog): product stack asset bucket with forced encryption Jul 10, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review July 10, 2023 10:02

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 10, 2023
@colifran colifran self-assigned this Jul 10, 2023
mrgrain
mrgrain previously approved these changes Jul 11, 2023
@mergify
Copy link
Contributor

mergify bot commented Jul 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot dismissed mrgrain’s stale review July 11, 2023 11:26

Pull request has been modified.

@wolanlu
Copy link
Contributor Author

wolanlu commented Jul 11, 2023

@Mergifyio refresh

@mergify
Copy link
Contributor

mergify bot commented Jul 11, 2023

refresh

✅ Pull request refreshed

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: e5ab1cc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Jul 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit cb5bef5 into aws:main Jul 11, 2023
@wolanlu wolanlu deleted the bugfix/product-stack-asset-bucket-with-forced-encryption branch July 11, 2023 15:59
bmoffatt pushed a commit to bmoffatt/aws-cdk that referenced this pull request Jul 29, 2023
aws#26303)

Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied).

Expected Behavior
I would expect that assets will be encrypted when the asset bucket has encryption enabled.

Current Behavior
Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings.

Possible Solution
This PR is a possible solution in which user would provide additional property `serverSideEncryption` along with encryption key `serverSideEncryptionAwsKmsKeyId` which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach.

Closes aws#26302.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws-servicecatalog: ProductStack fails with assetBucket that requires encryption
4 participants