
handling access denied when reading vault policy when vault has been deleted #19749

Closed

Conversation

dooreelko
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

It's a new issue we stumbled on but have not reported.
In essence, if the backup vault is deleted outside of Terraform, the update operation fails with an AccessDenied error instead of a ResourceNotFoundException. The cause is that the authors of the GetBackupVaultAccessPolicy API decided (allegedly) to follow a no-exposure security rule that advocates not revealing resource absence, to avoid discovery of valid resource names through brute-force iteration.

Output from acceptance testing:

TODO
@DrFaust92 any ideas how we can test this? The reproduction steps are:

  • create vault and a policy so that terraform has a state with resource ids
  • remove the vault without modifying the terraform state
  • perform resourceAwsBackupVaultPolicyRead
$ make testacc TESTARGS='-run=TestAccAwsBackupVaultPolicy_'

...

At this stage, the PR is not ready for merging, it's a discussion on how the issue can be tested.
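The failure mode above, as an added example that is not the provider's own code or the fix that was eventually merged: when `GetBackupVaultAccessPolicy` answers `AccessDeniedException`, a read path cannot tell a deleted vault from a genuine permission problem, so it disambiguates by describing the vault itself and only then drops the resource from state. It assumes, as a stand-in for the real SDK, an `APIError` type carrying the service error code, and it assumes that `DescribeBackupVault` reports a missing vault as `ResourceNotFoundException`; the in-memory `fakeBackup` client and its vault names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// APIError mimics the shape of an AWS service error (code plus message).
// It stands in for awserr.Error so the example runs without the AWS SDK.
type APIError struct {
	Code    string
	Message string
}

func (e *APIError) Error() string { return e.Code + ": " + e.Message }

// Error codes as the AWS Backup service reports them.
const (
	ErrCodeResourceNotFound = "ResourceNotFoundException"
	ErrCodeAccessDenied     = "AccessDeniedException"
)

// BackupAPI is the minimal subset of the Backup client the read path needs.
type BackupAPI interface {
	GetBackupVaultAccessPolicy(vaultName string) (string, error)
	DescribeBackupVault(vaultName string) error
}

// hasCode reports whether err (or anything it wraps) carries the given code.
func hasCode(err error, code string) bool {
	var apiErr *APIError
	return errors.As(err, &apiErr) && apiErr.Code == code
}

// ReadVaultPolicy returns (policy, found, err). found == false with a nil err
// means the resource is gone and the caller should drop it from state.
func ReadVaultPolicy(api BackupAPI, vaultName string) (string, bool, error) {
	policy, err := api.GetBackupVaultAccessPolicy(vaultName)
	switch {
	case err == nil:
		return policy, true, nil
	case hasCode(err, ErrCodeResourceNotFound):
		// Vault exists but has no policy: the policy resource is gone.
		return "", false, nil
	case hasCode(err, ErrCodeAccessDenied):
		// GetBackupVaultAccessPolicy hides a missing vault behind AccessDenied.
		// Assumption: DescribeBackupVault reports a missing vault as
		// ResourceNotFoundException, which lets us tell the two cases apart.
		if descErr := api.DescribeBackupVault(vaultName); hasCode(descErr, ErrCodeResourceNotFound) {
			return "", false, nil
		}
		// The vault is there (or we could not tell): surface the real error
		// rather than silently removing a resource we may still manage.
		return "", false, fmt.Errorf("reading access policy for vault %q: %w", vaultName, err)
	default:
		return "", false, fmt.Errorf("reading access policy for vault %q: %w", vaultName, err)
	}
}

// fakeBackup is a constructed in-memory stand-in for the Backup service.
type fakeBackup struct {
	vaults   map[string]string // vault name -> policy document ("" = no policy)
	noAccess map[string]bool   // existing vaults the caller may not read
}

// NewFakeBackup builds the constructed scenario used below.
func NewFakeBackup() *fakeBackup {
	return &fakeBackup{
		vaults: map[string]string{
			"prod-vault":   `{"Version":"2012-10-17","Statement":[]}`,
			"empty-vault":  "",
			"locked-vault": `{"Version":"2012-10-17","Statement":[]}`,
		},
		noAccess: map[string]bool{"locked-vault": true},
	}
}

func (f *fakeBackup) DescribeBackupVault(name string) error {
	if _, ok := f.vaults[name]; !ok {
		return &APIError{Code: ErrCodeResourceNotFound, Message: "vault not found"}
	}
	return nil
}

func (f *fakeBackup) GetBackupVaultAccessPolicy(name string) (string, error) {
	policy, ok := f.vaults[name]
	if !ok || f.noAccess[name] {
		// Observed behaviour: a deleted vault is reported as AccessDenied,
		// indistinguishable from a genuine permission problem.
		return "", &APIError{Code: ErrCodeAccessDenied, Message: "access denied"}
	}
	if policy == "" {
		return "", &APIError{Code: ErrCodeResourceNotFound, Message: "no policy"}
	}
	return policy, nil
}

func main() {
	api := NewFakeBackup()
	for _, name := range []string{"prod-vault", "empty-vault", "deleted-vault", "locked-vault"} {
		policy, found, err := ReadVaultPolicy(api, name)
		fmt.Printf("%-14s found=%-5v err=%v policy=%q\n", name, found, err, policy)
	}
}
```

The point of the `DescribeBackupVault` round trip is that treating every `AccessDenied` as "gone" would make a real IAM misconfiguration look like a clean deletion and silently drop a policy from state; `locked-vault` in the constructed scenario exercises that path and keeps the error.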

@dooreelko dooreelko requested review from ewbankkit and a team as code owners June 10, 2021 09:35
@github-actions github-actions bot added size/XS Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. service/backup Issues and PRs that pertain to the backup service. labels Jun 10, 2021
@dooreelko dooreelko marked this pull request as draft June 10, 2021 12:39
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jun 23, 2021
@ewbankkit
Contributor

@dooreelko Thanks for the contribution 🎉 👏.
I have incorporated the changes into #19854 (you will get attribution when that PR is merged).
I added an additional acceptance test TestAccAwsBackupVaultPolicy_disappears_vault that is very similar to TestAccAwsBackupVaultPolicy_disappears but instead deletes the Backup Vault.

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 24, 2021