Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(race condition): Apply bucket policies to avoid race condition #224

Merged
merged 3 commits into from
Nov 29, 2023
Merged

fix(race condition): Apply bucket policies to avoid race condition #224

merged 3 commits into from
Nov 29, 2023

Conversation

mdial89f
Copy link
Contributor

Purpose

This changeset changes how bucket policies are applied to avoid an existing race condtiion.

Linked Issues to Close

None

Approach

In cloudformation, we build the bucket and the policy as separate logical items.
This means there's a brief window in time where the bucket does not have an explicitly set policy.
CMS has an active remediation appliance that often will apply a policy to the bucket before ours is applied.
While our policy covers the CMS policy and is secure, cloudformation cannot update a policy for a bucket that already has a policy.

This approach uses a custom resource. It uses teh aws sdk v3 to put the policy on the bucket. It doesn't matter if a policy already exists or not.

Assorted Notes/Considerations/Learning

This is not ideal; we should revert this when our accounts are opted out of active remediation.

benjaminpaige
benjaminpaige approved these changes Nov 29, 2023
View reviewed changes
Copy link
Collaborator

@benjaminpaige benjaminpaige left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

100% yes

@mdial89f mdial89f merged commit a3ae1f8 into master Nov 29, 2023
13 checks passed
mdial89f added a commit that referenced this pull request Nov 29, 2023
@mdial89f
fix(race condition): Apply bucket policies to avoid race condition (#224
4a2191d 
) (#230)

* Apply bucket policies in a different way, to temporarily get around cms active remediation race conditions

* Add a force override

* Make it clear that these are custom resources
@mdial89f mdial89f deleted the bucketfix branch November 29, 2023 19:38
@github-actions GitHub Actions
Copy link
Contributor

🎉 This PR is included in version 1.5.0-val.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjaminpaige benjaminpaige benjaminpaige approved these changes

Assignees
No one assigned
Labels
released on @val
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mdial89f @benjaminpaige