
@aws-cdk: S3 buckets block stack deletion #26874

Closed
miles-po opened this issue Aug 24, 2023 · 2 comments · Fixed by #26875
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@miles-po (Contributor)

Describe the bug

On stack deletion, buckets with RemovalPolicy.DESTROY often fail to delete due to continued writes to it, such as from zombie CloudFront distribution logging (the CloudFront distribution no longer exists in the console, but log data continues to populate the bucket rapidly).

This appears to be a resource accounting bug within AWS and not CDK-specific, but through the use of a DENY policy, CDK's existing auto-delete should be able to mitigate.

Expected Behavior

On stack deletion, the S3 buckets with RemovalPolicy.DESTROY should always be deleted.

Current Behavior

On stack deletion, the S3 buckets with RemovalPolicy.DESTROY often cannot be deleted after emptying due to a race condition with external writers, thereby blocking overall stack deletion.

Reproduction Steps

Errant behavior is non-deterministic.

  1. Using the AWS CloudFrontToS3 construct (@aws-solutions-constructs/aws-cloudfront-s3), deploy a stack.
  2. Delete the stack.

Possible Solution

The auto-delete lambda should add a policy to the target buckets to deny further PutObject calls prior to emptying the bucket.

Additional Information/Context

Defunct CloudFront distributions intermittently continue writing (often for more than 24 hours) to their log buckets even though the CloudFront distributions no longer appear in the AWS console, in the CLI, or in the stack resources. The zombie distributions have been observed to continue writing large numbers of small objects for days.

CDK CLI Version

2.93.0 (build 724bd01)

Framework Version

No response

Node.js Version

v18.17.1

OS

Amazon Linux 3.0 (ARM64)

Language

Typescript

Language Version

5.1.6

Other information

No response

@miles-po miles-po added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Aug 24, 2023
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2023
@peterwoodworth (Contributor)

Thanks a bunch for the PR with your possible solution and report of the bug @miles-po, we'll try to review this when we can 🙂

@mergify mergify bot closed this as completed in #26875 Sep 28, 2023
mergify bot pushed a commit that referenced this issue Sep 28, 2023
…up (#26875)

Adds a DENY policy for S3:PutObject on buckets to be auto-deleted to prevent a race condition on emptying with external bucket writers.

As a new contributor, the requirements for integration testing were unclear to me. I have tested the policy on my own buckets and included unit tests, but am willing to work toward code compliance with assistance.

Closes #26874.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
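The ordering that the "Possible Solution" above and the merged commit describe (attach an explicit Deny on s3:PutObject, then list-and-delete) is shown below as an added example. It is not code from aws-cdk or from PR #26875. It builds the deny statement on top of whatever policy the bucket already has and runs the emptying loop against a small in-memory stand-in for S3, so the race with an external writer can be reproduced offline. `addDenyPutStatement`, `FakeS3`, `emptyBucketSafely`, `emptyBucketNaively` and the `DenyPutObjectDuringAutoDelete` Sid are assumed names for illustration, not CDK's.

```typescript
// Added example, not code from aws-cdk or the linked PR. Names below
// (addDenyPutStatement, FakeS3, emptyBucketSafely, emptyBucketNaively, the Sid)
// are assumptions for illustration.

type Principal = "*" | Record<string, unknown>;

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
}

interface BucketPolicy {
  Version: string;
  Statement: PolicyStatement[];
}

const DENY_SID = "DenyPutObjectDuringAutoDelete"; // assumed Sid, not CDK's
const toList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Return a copy of the bucket policy with an explicit Deny on s3:PutObject for
// every object in the bucket. Existing statements are kept (the handler must not
// clobber a policy the stack or the user attached); an explicit Deny wins over
// any Allow regardless. Idempotent: a second call adds nothing.
function addDenyPutStatement(bucket: string, existing?: BucketPolicy): BucketPolicy {
  const statements = existing?.Statement ?? [];
  const version = existing?.Version ?? "2012-10-17";
  if (statements.some((s) => s.Sid === DENY_SID)) {
    return { Version: version, Statement: [...statements] };
  }
  const deny: PolicyStatement = {
    Sid: DENY_SID,
    Effect: "Deny",
    Principal: "*",
    Action: "s3:PutObject",
    Resource: `arn:aws:s3:::${bucket}/*`,
  };
  return { Version: version, Statement: [...statements, deny] };
}

// In-memory stand-in for the few S3 calls the emptying loop needs. putObject
// honours an explicit Deny the way the service would, returning false instead
// of throwing AccessDenied to keep the example short.
class FakeS3 {
  private readonly objects = new Set<string>();
  private policy?: BucketPolicy;

  constructor(private readonly bucket: string, initialKeys: string[] = []) {
    initialKeys.forEach((k) => this.objects.add(k));
  }
  putBucketPolicy(p: BucketPolicy): void { this.policy = p; }
  getBucketPolicy(): BucketPolicy | undefined { return this.policy; }
  listObjects(): string[] { return [...this.objects]; }
  deleteObjects(keys: string[]): void { keys.forEach((k) => this.objects.delete(k)); }
  count(): number { return this.objects.size; }

  putObject(key: string): boolean {
    const objectArn = `arn:aws:s3:::${this.bucket}/${key}`;
    const denied = (this.policy?.Statement ?? []).some(
      (s) =>
        s.Effect === "Deny" &&
        toList(s.Action).includes("s3:PutObject") &&
        toList(s.Resource).some((r) =>
          r.endsWith("/*") ? objectArn.startsWith(r.slice(0, -1)) : r === objectArn),
    );
    if (denied) return false;
    this.objects.add(key);
    return true;
  }
}

interface EmptyResult { rounds: number; remaining: number; }

// List-and-delete until empty. `externalWriter` stands in for the zombie
// CloudFront logger firing in the window between list and delete; maxRounds
// bounds the demo so a writer that keeps up cannot spin it forever.
function listAndDeleteLoop(s3: FakeS3, externalWriter: () => void, maxRounds: number): EmptyResult {
  let rounds = 0;
  while (s3.count() > 0 && rounds < maxRounds) {
    const keys = s3.listObjects();
    externalWriter(); // race window: a write lands after the listing
    s3.deleteObjects(keys);
    rounds++;
  }
  return { rounds, remaining: s3.count() };
}

// Pre-fix behaviour: no Deny, so the writer can keep the bucket non-empty.
function emptyBucketNaively(s3: FakeS3, externalWriter: () => void, maxRounds = 100): EmptyResult {
  return listAndDeleteLoop(s3, externalWriter, maxRounds);
}

// Fixed ordering: attach the Deny first, then empty; writes now fail closed.
function emptyBucketSafely(s3: FakeS3, bucket: string, externalWriter: () => void, maxRounds = 100): EmptyResult {
  s3.putBucketPolicy(addDenyPutStatement(bucket, s3.getBucketPolicy()));
  return listAndDeleteLoop(s3, externalWriter, maxRounds);
}
```

Against the real service the same sequence is GetBucketPolicy (which raises NoSuchBucketPolicy when no policy is attached, so that error has to be tolerated and treated as an empty policy), PutBucketPolicy with the merged document, then the paged ListObjects/DeleteObjects loop; on a versioned bucket the loop must also remove object versions and delete markers via ListObjectVersions, or the bucket still will not delete. A Deny with `Principal: "*"` blocks every writer, including the account's own roles and service log delivery, which is the intent for a bucket that is about to be destroyed.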