Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make bucket encryption optional for bootstrap #8724

Closed
2 tasks
ConradMearns opened this issue Jun 24, 2020 · 3 comments · Fixed by #9886
Closed
2 tasks

Make bucket encryption optional for bootstrap #8724

ConradMearns opened this issue Jun 24, 2020 · 3 comments · Fixed by #9886
Assignees
@shivlaks
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@ConradMearns
Copy link

As a developer operating in a federated AWS space, I need to be able to bootstrap the CDK without it attempting to set s3:SetBucketEncryption properties.

Use Case

When attempting to run cdk bootstrap, cdk bootstrap --without-public-access-block-configuration, cdk bootstrap --public-access-block-configuration true or cdk bootstrap --public-access-block-configuration false, the creation of the StagingBucket fails with the error API: s3:SetBucketEncryption Access Denied - I am using credentials with CDK admin privileges, but I suspect it fails because my organization has revoked the ability to modify this property on all buckets.

Proposed Solution

Similarly to #5028 , we need a way to defer encryption to the defaults set by the organization.

cdk bootstrap --skip "s3:SetBucketEncryption"

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
@ConradMearns ConradMearns added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 24, 2020
@SomayaB SomayaB added @aws-cdk/aws-s3 Related to Amazon S3 package/tools Related to AWS CDK Tools or CLI labels Jun 25, 2020
@shivlaks
Copy link
Contributor

@ConradMearns There was a bug in disabling the public-access-block-configuration implementation.

just wanted to confirm whether the fix shipped in #8755 would work for your use case or whether the entire property needs to be omitted. From the sounds of it, it seems like it might, but I haven't quite tested that yet myself.

@ConradMearns
Copy link
Author

I got around the issue by cloning aws-cdk and removing

aws-cdk/packages/aws-cdk/lib/api/bootstrap/legacy-template.ts

Lines 19 to 26 in d2ae4bc

BucketEncryption: {
ServerSideEncryptionConfiguration: [{
ServerSideEncryptionByDefault: {
SSEAlgorithm: 'aws:kms',
KMSMasterKeyID: params.kmsKeyId,
},
}],
},

It doesn't look like this has a toggle available yet, and nothing in #8755 :(

After more research within my org, it turns out that our admins have SCP's that force encryption everywhere, and they have banned all of us sub-admins from making any changes to those policies, so it's definitely worth having a flag to skip this config.

@shivlaks
Copy link
Contributor

@ConradMearns thanks for the quick response. seems like this is certainly a feature request as there's currently no path forward for you without having to muck around with the template

so the entire BucketEncryption key is problematic and not just properties within it.

@shivlaks shivlaks added the effort/medium Medium work item – several days of effort label Jun 26, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Jun 29, 2020
@rix0rrr rix0rrr mentioned this issue Aug 21, 2020
Merged
@shivlaks shivlaks added the p1 label Aug 31, 2020
@mergify mergify bot closed this as completed in #9886 Aug 31, 2020
mergify bot pushed a commit that referenced this issue Aug 31, 2020
@rix0rrr
feat(bootstrap): customizable bootstrap template (#9886)
2596ef7 
There are many requests for customization of the built-in bootstrapping
template. Rather than implementing each and every request, it's more
productive to allow users to help themselves.

This change introduces two new flags to `cdk bootstrap`:

* `cdk bootstrap --show-template`: prints the current template to
  stdout, which people can pipe to a file.
* `cdk bootstrap --template FILE`: reads the template from a file
  instead of using the built-in template.

This can be used to arbitrarily customize the bootstrapping template
for use in any organization.

I know that the documentation changes in this PR are pretty light,
but really a Developer Guide topic should be written on bootstrapping,
which is next on my TODO list.

Resolves #9256, resolves #8724, resolves #3684, resolves #1528, necessary for #9681.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alimeerutech alimeerutech mentioned this issue Jul 20, 2022
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shivlaks shivlaks

Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(bootstrap): customizable bootstrap template aws/aws-cdk
3 participants
@ConradMearns @SomayaB @shivlaks