Regression: S3 bucket policy error is now silent failure + timeout #5217

Closed
spiffytech opened this issue Feb 19, 2016 · 3 comments

@spiffytech

In v0.6.8, creating an S3 bucket with a malformed policy (in this case, an invalid Resource) resulted in Error putting S3 policy: MalformedPolicy: Policy has invalid resource.

In v0.6.11, that error is not presented. Instead, Terraform times out and prints Error putting S3 policy: timeout while waiting for state to become '[success]'

The new behavior is much less clear, doesn't signal user error, and doesn't facilitate diagnosing the problem.

Sample Terraform resource:

resource "aws_s3_bucket" "uploads" {
    bucket = "uploads.example.com"
    acl = "public-read"
    policy = "${file("sample_bucket_policy.json")}"

    website {
        index_document = "index.html"
        error_document = "error.html"
    }
}

Sample policy. The important thing is the Resource doesn't match anything you control / have in your AWS account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::google.com/*"
        }
    ]
}
@catsby
Contributor

catsby commented Mar 15, 2016

Hey @spiffytech – this should be fixed in master as of #5538, where we patch an issue we had with retries and timeouts.

Let us know if you're still hitting this. Thanks!

@catsby catsby closed this as completed Mar 15, 2016
@eriksw

eriksw commented Mar 30, 2017

This is happening again in 0.9.1. My cause is slightly different, but same basic problem.

aws-provider (internal) 2017/03/30 15:56:48 [DEBUG] [aws-sdk-go] DEBUG: Request s3/PutBucketPolicy Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT /?policy= HTTP/1.1
Host: ...
User-Agent: aws-sdk-go/1.7.9 (go1.8; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.9.1
Content-Length: 302
Authorization: ...
Content-Md5: ...
X-Amz-Content-Sha256: ...
X-Amz-Date: ...
X-Amz-Security-Token: ...
Accept-Encoding: gzip

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
-----------------------------------------------------
aws-provider (internal) 2017/03/30 15:56:49 [DEBUG] [aws-sdk-go] DEBUG: Response s3/PutBucketPolicy Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 30 Mar 2017 22:56:48 GMT
Server: AmazonS3
X-Amz-Id-2: ...
X-Amz-Request-Id: ...

109
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>MalformedPolicy</Code><Message>Missing required field Principal</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
0


-----------------------------------------------------
aws-provider (internal) 2017/03/30 15:56:49 [TRACE] Waiting 4s before next try
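
Added example, not part of the issue thread and not Terraform's own code: a retry loop that returns immediately on an error the caller has to fix and, when it does time out, wraps the last API error instead of replacing it with a bare timeout. `apiError`, `terminal`, `retry` and the two `put*` functions are hypothetical names, treating `MalformedPolicy` as terminal is an assumption of this example, and the responses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for an SDK error carrying the S3 <Code> and <Message>.
type apiError struct{ Code, Message string }

func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// terminal reports whether err is a caller mistake that retrying cannot fix.
// Assumption for this example: MalformedPolicy is treated as terminal.
func terminal(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "MalformedPolicy"
}

// retry calls fn until it succeeds, hits a terminal error, or the timeout passes.
// It returns the attempt count and never discards the last error from fn.
func retry(timeout, interval time.Duration, fn func() error) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := fn()
		if err == nil {
			return attempts, nil
		}
		if terminal(err) {
			return attempts, fmt.Errorf("putting S3 policy: %w", err)
		}
		if time.Now().Add(interval).After(deadline) {
			return attempts, fmt.Errorf("timeout after %d attempts, last error: %w", attempts, err)
		}
		time.Sleep(interval)
	}
}

// Constructed responses: the first mirrors the 400 body in the debug log above.
func putMalformed() error { return &apiError{"MalformedPolicy", "Missing required field Principal"} }
func putThrottled() error { return &apiError{"SlowDown", "Please reduce your request rate."} }

func main() {
	n, err := retry(50*time.Millisecond, 10*time.Millisecond, putMalformed)
	fmt.Println(n, err) // one attempt, MalformedPolicy surfaced
	n, err = retry(50*time.Millisecond, 10*time.Millisecond, putThrottled)
	fmt.Println(n, err) // several attempts, timeout that still names SlowDown
}
```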

@ghost

ghost commented Apr 14, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 14, 2020