Revert "chore: block insecure traffic to deployment bucket" #10591
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit cc36d9b.
akshbhu
approved these changes
Jun 14, 2022
jhockett
approved these changes
Jun 14, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reverts #10533
Analysis:
The error "A conflicting conditional operation is currently in progress against this resource. Please try again." is thrown when the BPA (Block Public Access) policy is applied by the amplify generated CloudFormation and AWS at the same time. AWS applies the BPA policy on any S3 bucket resource immediately after its creation. This is applied asynchronously hence it may not show up consistently. As of now, we do not have a way to serialize/coordinate application of the BPA policy with AWS from Cloudformation/CDK. This needs to be researched further.
Prior errors seen in Terraform :
hashicorp/terraform-provider-aws#7628 have been resolved by explicitly retrying application of BPA using AWS SDK if the deployment errors contain the above mentioned error.
e.g. https://github.com/hashicorp/terraform-provider-aws/pull/12949/files#diff-7ea49767db8110becb01510a3562ba5f3450dc361bf8aa3622a4cc27a540a0e3R1743-R1747
has code to use AWS SDK and retry application of policy.
Mitigation:
We will revert the PR cc36d9b
Solution:
A long term solution would require us to codify the condition ( if account level BPA policy is being enforced by AWS ) and depend on that condition to complete before creating the deployment bucket policies.