[BUG] PDKPipeline occurs error on latest CDK #264

Closed
drskur opened this issue Jan 4, 2023 · 4 comments
Labels
bug Something isn't working


drskur commented Jan 4, 2023

Describe the bug

When crossAccountKeys is turned on, the following error occurs.

SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets

Expected Behavior

no error

Current Behavior

An error occurs:
SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets

Reproduction Steps

    this.pipeline = new PDKPipeline(this, 'ApplicationPipeline', {
      primarySynthDirectory: 'packages/infra/cdk.out',
      repositoryName: this.node.tryGetContext('repositoryName') || 'monorepo',
      publishAssetsInParallel: false,
      crossAccountKeys: true,
      synth: {},
      sonarCodeScannerConfig: this.node.tryGetContext('sonarqubeScannerConfig'),
    });

Possible Solution

I think the default behavior changed in the CDK.
So we can create a new bucket for server access logging.

Additional Information/Context

    "dependencies": {
      "aws-cdk-lib": "^2.59.0",
      "cdk-nag": "^2.21.51",
      "constructs": "^10.1.209"
    }

PDK version used

0.12.34

What languages are you seeing this issue on?

Typescript

Environment details (OS name and version, etc.)

Mac OS

@drskur drskur added the bug Something isn't working label Jan 4, 2023

abest0 commented Jan 4, 2023

@drskur See (aws/aws-cdk#23514). The issue is with the crossAccountKeys: true, prop when PDKPipeline is initialized. This sets up the encryption on the artifacts bucket to use a KMS key.

As a workaround, set crossAccountKeys: false, and the issue will go away.

    const artifactBucket = new Bucket(scope, "ArtifactsBucket", {
      enforceSSL: true,
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      encryption: props.crossAccountKeys
        ? BucketEncryption.KMS // <========
        : BucketEncryption.S3_MANAGED,
      encryptionKey: props.crossAccountKeys
        ? new Key(scope, "ArtifactKey", {
            enableKeyRotation: true,
            removalPolicy: RemovalPolicy.DESTROY,
          })
        : undefined,
      publicReadAccess: false,
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
      serverAccessLogsPrefix: "access-logs",
    });

^(above lines from here)
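
A check for the condition discussed in this thread, as an added example that is not part of the thread and is not PDK or CDK code: it scans a synthesized CloudFormation template (such as one under cdk.out) for buckets whose server access logs land in a bucket with default encryption other than SSE-S3. The function names and both sample templates are constructed for illustration.

```typescript
// Added example (not PDK or CDK code): static check over a synthesized template.
type Json = Record<string, any>;

// Default encryption algorithm of an AWS::S3::Bucket ("AES256", "aws:kms", ...).
function sseAlgorithm(bucket: Json): string | undefined {
  const rules: Json[] =
    bucket.Properties?.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
  return rules[0]?.ServerSideEncryptionByDefault?.SSEAlgorithm;
}

// Buckets whose server access logs land in a bucket that defaults to anything
// other than SSE-S3 (AES256).
function findBadLogTargets(template: Json): string[] {
  const resources: Json = template.Resources ?? {};
  const findings: string[] = [];
  for (const [id, res] of Object.entries(resources)) {
    const logging = res.Properties?.LoggingConfiguration;
    if (res.Type !== "AWS::S3::Bucket" || !logging) continue;
    const dest = logging.DestinationBucketName;
    // A literal name or import points outside this template: cannot be judged here.
    if (dest !== undefined && typeof dest?.Ref !== "string") continue;
    // With no DestinationBucketName, the logs are stored in the bucket itself.
    const targetId: string = dest?.Ref ?? id;
    const alg = resources[targetId] ? sseAlgorithm(resources[targetId]) : undefined;
    if (alg !== undefined && alg !== "AES256") {
      findings.push(`${id} logs to ${targetId} (${alg})`);
    }
  }
  return findings;
}

// Constructed sample resources, shaped like the artifact bucket in the comment above.
const kms = { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] };
const sse = { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] };
const selfLogging: Json = { Resources: {
  ArtifactsBucket: { Type: "AWS::S3::Bucket",
    Properties: { BucketEncryption: kms, LoggingConfiguration: { LogFilePrefix: "access-logs" } } },
} };
const separateLogBucket: Json = { Resources: {
  AccessLogsBucket: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: sse } },
  ArtifactsBucket: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: kms,
    LoggingConfiguration: { DestinationBucketName: { Ref: "AccessLogsBucket" }, LogFilePrefix: "access-logs" } } },
} };

console.log(findBadLogTargets(selfLogging));
console.log(findBadLogTargets(separateLogBucket));
```

The first template is flagged because the KMS-encrypted bucket is its own log target; the second passes because the logs go to a separate SSE-S3 bucket.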


drskur commented Jan 5, 2023

I checked the code, but I want to deploy it cross-account, from the Pipeline Account to the Stage Account. I am not sure whether it will work when I set crossAccountKeys to false.


drskur commented Jan 5, 2023

It looks like it works on 45e9b8b.


agdimech commented Jan 5, 2023

This has been fixed in v 0.12.35

@agdimech agdimech closed this as completed Jan 5, 2023