Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(s3): cannot deploy multiple replication source buckets (under feature flag) #33360

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix(s3): cannot deploy multiple replication source buckets (under feature flag) #33360

wants to merge 8 commits into from

Conversation

badmintoncryer
Copy link
Contributor

@badmintoncryer badmintoncryer commented Feb 10, 2025
edited
Loading

Issue # (if applicable)

Closes #33355.

Reason for this change

We cannot deploy multiple source buckets for object replication due to the explicitly set replication role name.

Description of changes

Set replication role name by PhysicalName.GENERATE_IF_NEEDED.

Describe any new or updated permissions being added

None

Description of how you validated changes

Update both unit and integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team February 10, 2025 06:05
@github-actions github-actions bot added bug This issue is a bug. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Feb 10, 2025
@badmintoncryer badmintoncryer marked this pull request as ready for review February 10, 2025 06:08
@codecov Codecov
Copy link

codecov bot commented Feb 10, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.00%. Comparing base (70263b2) to head (0eba6a1).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #33360   +/-   ##
=======================================
  Coverage   81.00%   81.00%           
=======================================
  Files         238      238           
  Lines       14271    14271           
  Branches     2492     2492           
=======================================
  Hits        11560    11560           
  Misses       2425     2425           
  Partials      286      286
Flag Coverage Δ
suite.unit 81.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 79.92% <ø> (ø)
packages/aws-cdk-lib/core 82.16% <ø> (ø)

@badmintoncryer badmintoncryer changed the title fix(s3): cannot deploy multiple source S3 replication source bucket (under feature flag) fix(s3): cannot deploy multiple replication source buckets (under feature flag) Feb 10, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 10, 2025
@jochemd
Copy link

jochemd commented Feb 10, 2025

How does this work in a scenario where multiple stages are deployed to 1 account? So we have 2 buckets from the TEST stage being replicated and 2 buckets from the PRD stage being replicated? Will they use the same role? And what if the replication is cross-account?

I was more thinking along the lines of adding an optional replicationRole: Role property to the ReplicationRule interface and use that role if it is passed in. That gives the control to the user on when to use the same and when to use different roles. The destination bucket already allows the user to specify the role (ARN) in the addReplicationPolicy method. Or possibly refactor renderReplicationConfiguration so that the part that creates the policy for the source bucket becomes a public method to allow people to set up permissions easily when they cutomize their stack (similar to how the addReplicationPolicy method is public for the destination bucket).

BTW, https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2853 appears to be confusing the buckets: addReplicationPolicy() can be used to set permissions on the destination bucket.

@pahud pahud mentioned this pull request Feb 10, 2025
Open
1 task
@badmintoncryer
Copy link
Contributor Author

@jochemd
I'm sorry for my late reply. Thank you for your feedback!

How does this work in a scenario where multiple stages are deployed to 1 account? So we have 2 buckets from the TEST stage being replicated and 2 buckets from the PRD stage being replicated? Will they use the same role? And what if the replication is cross-account?

One replication role is generated for each source bucket, regardless of stage differences or whether cross-account access is involved.
In the case of cross-account access, an explicit role name is specified, but there are no other differences.

I was more thinking along the lines of adding an optional replicationRole: Role property to the ReplicationRule interface and use that role if it is passed in.

Since one replication role executes replication according to multiple replication rules, it seems difficult to simply add a role property to the ReplicationRule interface. However, since I think the idea itself is excellent, how about posting it as a separate issue?
For this PR, I think it's better to focus on fixing the bug where multiple source buckets cannot be defined in the first place.

BTW, https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2853 appears to be confusing the buckets: addReplicationPolicy() can be used to set permissions on the destination bucket.

Oh! I've not realized this. I'll resolve this problem in another PR.

@badmintoncryer badmintoncryer mentioned this pull request Feb 15, 2025
Merged
1 task
@badmintoncryer
Copy link
Contributor Author

@jochemd
I noticed that in the original issue you suggested making the role receivable as an argument.

From my perspective, since the current implementation is problematic, I think it would be best to first merge this PR to remove the hardcoded role name, and then create a new PR as a new feature to accept an optional replication role.

@jochemd
Copy link

jochemd commented Feb 15, 2025

Sounds good to me. Unfortunately I am not able to give an actual review or serious testing of this PR as when I try to go through the steps in the contributing guide I get errors on the linking step.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 0eba6a1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot pushed a commit that referenced this pull request Feb 18, 2025
@badmintoncryer
chore(s3): update annotation phrase of addReplicationPolicy() (#33459)
8eeb8e4 
### Issue # (if applicable)

None

### Reason for this change

As mentioned in [this comment](#33360 (comment)), the annotation phrase is incorrect and may confuse users.
The `addReplicationPolicy()` function works to add a resource policy for the destination bucket, but the annotation phrase says source bucket.

### Description of changes

```diff
- For Cross-account S3 replication, ensure to set up permissions on source bucket using method addReplicationPolicy() 
+ For Cross-account S3 replication, ensure to set up permissions on destination bucket using method addReplicationPolicy() 
```

### Describe any new or updated permissions being added

None


### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
yashkh-amzn pushed a commit to yashkh-amzn/aws-cdk that referenced this pull request Feb 21, 2025
@badmintoncryer @yashkh-amzn
chore(s3): update annotation phrase of addReplicationPolicy() (aws#33459
0153069 
)

### Issue # (if applicable)

None

### Reason for this change

As mentioned in [this comment](aws#33360 (comment)), the annotation phrase is incorrect and may confuse users.
The `addReplicationPolicy()` function works to add a resource policy for the destination bucket, but the annotation phrase says source bucket.

### Description of changes

```diff
- For Cross-account S3 replication, ensure to set up permissions on source bucket using method addReplicationPolicy() 
+ For Cross-account S3 replication, ensure to set up permissions on destination bucket using method addReplicationPolicy() 
```

### Describe any new or updated permissions being added

None


### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

s3: replication only allows a single source bucket
3 participants
@badmintoncryer @jochemd @aws-cdk-automation