Race Condition between the Creation of the S3 Bucket Policy and the CloudTrail Trail #90

Closed
X-Guardian opened this issue Apr 12, 2024 · 0 comments · Fixed by #91
Labels
bug 🐛 An issue with the system

Comments

@X-Guardian
Contributor

Describe the Bug

If this module is used together with the cloudposse/terraform-aws-cloudtrail module in a single stack, then the creation of the CloudTrail trail will fail with the following error:

InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket

Expected Behavior

When using the modules together, the S3 Bucket and CloudTrail trail are successfully created.

Steps to Reproduce

module "cloudtrail_s3_bucket" {
  source  = "cloudposse/cloudtrail-s3-bucket/aws"
  version = "0.26.3"

  name = "test-cloudtrail-s3-bucket-xyz"
}

module "cloudtrail" {
  source  = "cloudposse/cloudtrail/aws"
  version = "0.23.0"

  name                  = "test-cloudtrail"
  s3_bucket_name        = module.cloudtrail_s3_bucket.bucket_id
  is_multi_region_trail = false
}

Screenshots

terraform apply output:

module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0]: Creation complete after 1s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_public_access_block.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Read complete after 0s [id=1501543980]
module.cloudtrail.aws_cloudtrail.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Read complete after 0s [id=3146036384]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0]: Creation complete after 1s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0]: Creation complete after 2s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_public_access_block.default[0]: Creation complete after 2s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0]: Creation complete after 1s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [10s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Still creating... [10s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [20s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Still creating... [20s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [30s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Still creating... [30s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Creation complete after 30s [id=2024-04-12T10:18:33Z]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_ownership_controls.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_ownership_controls.default[0]: Creation complete after 0s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Creation complete after 31s [id=test-cloudtrail-s3-bucket-xyz]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0]: Creation complete after 1s [id=test-cloudtrail-s3-bucket-xyz,log-delivery-write]
╷
│ Error: creating CloudTrail Trail (test-cloudtrail): operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: e09c40e5-b9a8-4988-9378-bd980eb888c8, InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: test-cloudtrail-s3-bucket-xyz

Environment

No response

Additional Context

This is happening because there is a race condition between the creation of the S3 Bucket policy and the CloudTrail trail.
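As an added example, not part of the original issue and not the source of either Cloud Posse module, here is the reproduction configuration above with an explicit module-level `depends_on` on the consuming side. The module sources and versions are the ones from the issue; the resource names mentioned in the comments (`aws_s3_bucket.default`, `aws_s3_bucket_policy.default`) are taken from the apply output above, and the suggestion that an output-level dependency is how a module author would fix this is an assumption, not a description of what #91 changed.

```hcl
# Added example, not the issue author's code or either module's source.
# Module sources and versions match the issue's "Steps to Reproduce".

module "cloudtrail_s3_bucket" {
  source  = "cloudposse/cloudtrail-s3-bucket/aws"
  version = "0.26.3"

  name = "test-cloudtrail-s3-bucket-xyz"
}

module "cloudtrail" {
  source  = "cloudposse/cloudtrail/aws"
  version = "0.23.0"

  name                  = "test-cloudtrail"
  s3_bucket_name        = module.cloudtrail_s3_bucket.bucket_id
  is_multi_region_trail = false

  # Why the race happens: the only dependency Terraform infers here is on
  # whatever feeds the `bucket_id` output, i.e. the bucket resource itself.
  # The bucket policy is a separate resource (aws_s3_bucket_policy.default in
  # the apply output), so CreateTrail can be issued while that policy is still
  # being created, and CloudTrail answers with
  # InsufficientS3BucketPolicyException.
  #
  # A module-level depends_on makes Terraform wait for every resource inside
  # the bucket module, policy included, before creating the trail.
  depends_on = [module.cloudtrail_s3_bucket]
}

# Assumed module-side alternative (hypothetical, shown as a comment because it
# belongs inside the bucket module, not in this root module): declare the
# dependency on the output that consumers use, so they need no depends_on:
#
#   output "bucket_id" {
#     value      = aws_s3_bucket.default.id
#     depends_on = [aws_s3_bucket_policy.default]
#   }
```

The module-level `depends_on` is deliberately coarse: it also delays the trail behind the lifecycle, ACL and ownership settings, and it defers evaluation of the module's values to apply time, which can make plans noisier. The output-level form is the narrower fix. Either way, after `terraform apply` the policy can be confirmed to be in place before the trail with `aws s3api get-bucket-policy --bucket test-cloudtrail-s3-bucket-xyz`, and the ordering itself is visible in the apply log: `aws_s3_bucket_policy.default[0]: Creation complete` must appear before `aws_cloudtrail.default[0]: Creating...`.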
