Aws-cdk: Wrong path in CloudFront invalidation on S3 BucketDeployment

Created on 24 Sep 2019 · 8Comments · Source: aws/aws-cdk

I'm using a S3BucketDeployment construct with a CloudFront distribution to deploy static content to a S3 bucket and, on deployment, invalidate items in the CF caches

new s3deploy.BucketDeployment(this, "DeployWebsite", {
      sources: [
        s3deploy.Source.asset(webAppRoot)
      ],
      destinationKeyPrefix: "web/",
      destinationBucket: bucket,
      distribution: cdn,
      retainOnDelete: false
    });

The origin in the CF distribution also specifies /web as its originPath. Upon deployment a new invalidation is created for the distribution, however the path for the objects to be invalidated is set to /web/*. Invalidation paths should be relative to the distribution, not to the origin (as per docs).

Reproduction Steps

The code causing the issue is here - https://github.com/dstroppa/aws-modern-application-workshop/blob/2f02430c5036517d34aeadda8e8bea9ffd7507ee/module-1/cdk/lib/web-application-stack.ts#L57

Error Log

N/A

Environment

CLI Version : 1.9.0
Framework Version: 1.9.0
OS : Linux
Language : Typescript

Other

This is :bug: Bug Report

@aws-cdaws-s3-deployment bug efformedium p2

Source

dstroppa

Most helpful comment

Thanks for looking into this @NGL321. Looks like the changes for #3878 affect CallerReference, but not distributionPaths.

dstroppa on 7 Oct 2019

👍2

All 8 comments

The offending line: https://github.com/aws/aws-cdk/blob/2ce4a877b8ee799cc65cc495a8ac9a4435649794/packages/%40aws-cdk/aws-s3-deployment/lambda/src/index.py#L49

nmussy on 25 Sep 2019

Hi @dstroppa,

Sorry to hear you are having trouble. This is certainly something we will look into addressing. Is it possible its related to #3878? I know some changes were made to distributionPaths in response to that issue.

NGL321 on 4 Oct 2019

Thanks for looking into this @NGL321. Looks like the changes for #3878 affect CallerReference, but not distributionPaths.

dstroppa on 7 Oct 2019

👍2

Just to make sure I understand, in the above example, the invalidation path should have been /* instead of /web/*?

eladb on 8 Nov 2019

@dstroppa there's a property called distributionPaths in BucketDeployment that lets you control the distribution paths. IIUC, if you modify your code to this:

new s3deploy.BucketDeployment(this, "DeployWebsite", {
  sources: [
    s3deploy.Source.asset(webAppRoot)
  ],
  destinationKeyPrefix: "web/",
  destinationBucket: bucket,
  distribution: cdn,
  distributionPaths: [ '*' ],
  retainOnDelete: false
});

You should be fine.

Check you check and let us know if this solves your issue?

eladb on 8 Nov 2019

Using '*' in distributionPaths results in an error:

9/10 | 11:50:11 AM | CREATE_FAILED | Custom::CDKBucketDeployment | DeployWebsite/CustomResource/Default (DeployWebsiteCustomResourceD116527B) Failed to create resource. An error occurred (InvalidArgument) when calling the CreateInvalidation operation: Your request contains one or more invalid invalidation paths.
new CustomResource (/home/ec2-user/environment/workshop/cdk/node_modules/@aws-cdk/aws-cloudformation/lib/custom-resource.ts:163:21)
_ new BucketDeployment (/home/ec2-user/environment/workshop/cdk/node_modules/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts:192:5)
_ new WebApplicationStack (/home/ec2-user/environment/workshop/cdk/lib/web-application-stack.ts:57:5)
_ Object. (/home/ec2-user/environment/workshop/cdk/bin/cdk.ts:7:1)
_ Module._compile (internal/modules/cjs/loader.js:778:30)
_ Module.m._compile (/home/ec2-user/environment/workshop/cdk/node_modules/ts-node/src/index.ts:530:23)
_ Module._extensions..js (internal/modules/cjs/loader.js:789:10)
_ Object.require.extensions.(anonymous function) [as .ts] (/home/ec2-user/environment/workshop/cdk/node_modules/ts-node/src/index.ts:533:12)
_ Module.load (internal/modules/cjs/loader.js:653:32)
_ tryModuleLoad (internal/modules/cjs/loader.js:593:12)
_ Function.Module._load (internal/modules/cjs/loader.js:585:3)
_ Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
_ main (/home/ec2-user/environment/workshop/cdk/node_modules/ts-node/src/bin.ts:212:14)
_ Object. (/home/ec2-user/environment/workshop/cdk/node_modules/ts-node/src/bin.ts:470:3)
_ Module._compile (internal/modules/cjs/loader.js:778:30)
_ Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
_ Module.load (internal/modules/cjs/loader.js:653:32)
_ tryModuleLoad (internal/modules/cjs/loader.js:593:12)
_ Function.Module._load (internal/modules/cjs/loader.js:585:3)
_ Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
_ findNodeScript.then.existing (/home/ec2-user/.nvm/versions/node/v10.16.3/lib/node_modules/npm/node_modules/libnpx/index.js:268:14)

However, changing it to /index.html works just fine. If the above is the expected behavior I'm happy for this issue to be closed.

dstroppa on 12 Nov 2019

It would be great to get clarification on this because the example in https://github.com/aws-samples/aws-cdk-examples/blob/master/typescript/static-site/static-site.ts#L82 doesn't invalidate any cache.

Edit: Seems like using distributionPaths: ['/*'] works as expected. Everything in my bucket was cache invalidated.

kennethaasan on 17 Apr 2020

One fun bit of using distributionPaths: ['*'] on a stack update when the initial deployment wasn't done with invalidations is the delete failures:

 14/13 | 20:38:51 | DELETE_FAILED        | AWS::CloudFormation::CustomResource             | StreamsDeployment/CustomResource/Default (StreamsDeploymentCustomResourceBF37C72A) Failed to delete resource. An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:sts::228438115886:assumed-role/NearProd-CustomCDKBucketDeployment8693BB64968944B6-85LN13MD6WJD/NearProd-CustomCDKBucketDeployment8693BB64968944B6-YGGQ2EGMBZBS is not authorized to perform: cloudfront:CreateInvalidation on resource: arn:aws:cloudfront::228438115886:distribution/E1N12WGKOIVSN8
        new CustomResource (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/@aws-cdk/aws-cloudformation/lib/custom-resource.ts:163:21)
        \_ new BucketDeployment (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts:190:5)
        \_ new MetricscdkStack (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/lib/metricscdk-stack.ts:282:35)
        \_ Object.<anonymous> (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/bin/metricscdk.ts:9:16)
        \_ Module._compile (internal/modules/cjs/loader.js:955:30)
        \_ Module.m._compile (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/ts-node/src/index.ts:836:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:991:10)
        \_ Object.require.extensions.<computed> [as .ts] (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/ts-node/src/index.ts:839:12)
        \_ Module.load (internal/modules/cjs/loader.js:811:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:723:14)
        \_ Function.Module.runMain (internal/modules/cjs/loader.js:1043:10)
        \_ main (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/ts-node/src/bin.ts:226:14)
        \_ Object.<anonymous> (/Users/taylorzr/Amazon-connect-monitoring/cdk-resources/node_modules/ts-node/src/bin.ts:485:3)
        \_ Module._compile (internal/modules/cjs/loader.js:955:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:991:10)
        \_ Module.load (internal/modules/cjs/loader.js:811:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:723:14)
        \_ Function.Module.runMain (internal/modules/cjs/loader.js:1043:10)
        \_ /usr/local/lib/node_modules/npm/node_modules/libnpx/index.js:268:14