Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_s3: Bucket with removal policy = retain lose resource policy on cdk destroy #27125

Open
danilodesolesonar opened this issue Sep 13, 2023 · 1 comment
Open

aws_s3: Bucket with removal policy = retain lose resource policy on cdk destroy #27125

danilodesolesonar opened this issue Sep 13, 2023 · 1 comment
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@danilodesolesonar
Copy link

Describe the bug

Consider the following CDK app having a bucket that has enforce_ssl=True and removal_policy=Retain. On cdk destroy the bucket is retained, as expected, though the bucket resource policy is deleted.

from aws_cdk import Stack, RemovalPolicy
from constructs import Construct

from aws_cdk import aws_s3 as s3

class CdkS3BugStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        s3.Bucket(
            self,
            "RetainBucketTest",
            enforce_ssl=True,
            removal_policy=RemovalPolicy.RETAIN
        )

Expected Behavior

The bucket's resource policy is retained as well

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::cdks3bugstack-retainbuckettestef48b7bf-ms4g1j3j8dy6",
                "arn:aws:s3:::cdks3bugstack-retainbuckettestef48b7bf-ms4g1j3j8dy6/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Current Behavior

The bucket is retained, its resource policy is not.

Reproduction Steps

Deploy the abovementioned app cdk deploy
Check the bucket resource policy, should contain the policy to disable non-SSL transport
Destroy the app cdk destroy
Check the bucket is still there, the policy is gone

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.93.0 (build 724bd01)

Framework Version

No response

Node.js Version

v18.14.2

OS

Fedora 36

Language

Python

Language Version

No response

Other information

No response
@danilodesolesonar danilodesolesonar added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 13, 2023
@danilodesolesonar danilodesolesonar changed the title aws_s3: Bucket with removal policy = retain lose resource policy on cdk destroy aws_s3: Bucket with removal policy = retain lose resource policy on cdk destroy Sep 13, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2023
@khushail
Copy link
Contributor

khushail commented Sep 13, 2023
edited
Loading

Hi @danilodesolesonar ,thanks for reaching out. Referencing the Deletion policy for resources along with S3 docs, I could confirm that the bucket policy is deleted from the console when removalPolicy is set to RETAIN. I am marking this as P2.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 13, 2023
@go-to-k go-to-k mentioned this issue Sep 14, 2023
Closed
@github-actions github-actions bot mentioned this issue Oct 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(s3): RETAIN removal policy does not apply to an auto created bucket policy go-to-k/aws-cdk
2 participants
@khushail @danilodesolesonar