I tried adding logging support to my VPC using the following:

```ts
import * as Alb from '@aws-cdk/aws-elasticloadbalancingv2'
import { Bucket, BucketEncryption } from '@aws-cdk/aws-s3'

// `vpc` is an existing ec2.Vpc in this stack
const alb = new Alb.ApplicationLoadBalancer(this, 'LB', {
  vpc,
  internetFacing: true
})
const bucket = new Bucket(this, 'Bucket', {
  encryption: BucketEncryption.KmsManaged
})
alb.logAccessLogs(bucket)
```
When running `cdk deploy` I got an expected warning about IAM changes, and the permission looks to be correct:

```
+ │ ${Bucket.Arn}/* │ Allow │ s3:PutObject │ AWS:arn:${AWS::Partition}:iam::127311923021:root
```
It appears that there is a bug in the CF template which is not waiting on the bucket policy to finish completion before it attempts to add the logging in the VPC:

```
Access Denied for bucket: [BUCKET NAME]. Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 657ff61c-23dd-11e9-94e9-c57251c19c33)
```
I confirmed this was the case by checking the CF events in the console.
I found a temporary workaround, but it's not perfect since I couldn't figure out a way to add DependsOn for the BucketPolicy that is also being created.

```ts
// Temporary Hack (https://github.com/awslabs/aws-cdk/issues/1633)
// `cdk` is the CDK core module (@aws-cdk/cdk at the time of this issue)
const albResource = alb.node.findChild('Resource') as Alb.CfnLoadBalancer
const bucketResource = bucket.node.findChild('Resource') as cdk.Resource
albResource.addDependency(bucketResource)
```
It only works because the ALB takes so long to create (from scratch) that the bucket stuff is generally done in time. I tried working up a fix but I ran into some difficulties with test-region and my general unfamiliarity with the source.
This will be much easier to fix (and much cleaner, too) once #1583 has landed. At this point we'll be able to simply register the dependency properly in the logAccessLogs method.
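A template-level check for the ordering gap described in the report and in the note about registering the dependency above, as an added example that is not code from this issue or from the CDK project: it scans a synthesized CloudFormation template for a load balancer whose S3 access logging is enabled without a DependsOn on the log bucket's BucketPolicy, and patches the template. It assumes a constructed template with placeholder logical ids (LogBucket, LogBucketPolicy, LB) and the ELBv2 attribute keys access_logs.s3.enabled and access_logs.s3.bucket.

```typescript
// Added example (not from the issue or the CDK code base): find load balancers that enable
// S3 access logging with no DependsOn on the log bucket's BucketPolicy, and patch the template.
type CfnResource = { Type: string; Properties?: any; DependsOn?: string | string[] };
type Template = { Resources: Record<string, CfnResource> };
const LB_TYPE = 'AWS::ElasticLoadBalancingV2::LoadBalancer';
const POLICY_TYPE = 'AWS::S3::BucketPolicy';
function asList(d?: string | string[]): string[] {
  return d === undefined ? [] : Array.isArray(d) ? d : [d];
}
// Value of one LoadBalancerAttributes entry, or undefined if the key is not set.
function attr(props: any, key: string): any {
  for (const a of (props && props.LoadBalancerAttributes) || []) if (a.Key === key) return a.Value;
  return undefined;
}
// For each logging LB, the BucketPolicy ids on its log bucket that its DependsOn omits.
function missingPolicyDependencies(t: Template): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (res.Type !== LB_TYPE || attr(res.Properties, 'access_logs.s3.enabled') !== 'true') continue;
    const bucket = attr(res.Properties, 'access_logs.s3.bucket');
    if (!bucket || typeof bucket.Ref !== 'string') continue; // literal name: bucket is not in this stack
    const deps = asList(res.DependsOn);
    const missing: string[] = [];
    for (const pid of Object.keys(t.Resources)) {
      const p = t.Resources[pid];
      const onBucket = p.Type === POLICY_TYPE && !!p.Properties && !!p.Properties.Bucket && p.Properties.Bucket.Ref === bucket.Ref;
      if (onBucket && deps.indexOf(pid) < 0) missing.push(pid);
    }
    if (missing.length > 0) out[id] = missing;
  }
  return out;
}
// Deep copy of the template with the missing DependsOn entries added; the input is untouched.
function addPolicyDependencies(t: Template): Template {
  const fixed: Template = JSON.parse(JSON.stringify(t));
  const gaps = missingPolicyDependencies(t);
  for (const id of Object.keys(gaps)) {
    fixed.Resources[id].DependsOn = asList(fixed.Resources[id].DependsOn).concat(gaps[id]);
  }
  return fixed;
}
// Constructed template shaped like the snippet in the report; logical ids are placeholders.
const sampleTemplate: Template = { Resources: {
  LogBucket: { Type: 'AWS::S3::Bucket' },
  LogBucketPolicy: { Type: POLICY_TYPE, Properties: { Bucket: { Ref: 'LogBucket' } } },
  LB: { Type: LB_TYPE, Properties: { LoadBalancerAttributes: [
    { Key: 'access_logs.s3.enabled', Value: 'true' },
    { Key: 'access_logs.s3.bucket', Value: { Ref: 'LogBucket' } } ] } },
} };
```

Running `missingPolicyDependencies` over the output of `cdk synth` before deploying flags the race; a pre-existing bucket referenced by name is skipped because nothing in the template can order it.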
I just ran into this, any ETA on a fix?