aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

CloudFormation false positive drift bug when S3 ObjectOwnership and/or ReplicationConfiguration properties are used in the AWS::S3::Bucket resource #1106

Open ifeach opened 2 years ago

ifeach commented 2 years ago

Name of the resource

AWS::S3::Bucket

Resource Name

No response

Issue Description

CloudFormation falsely reports drift when a bucket is created with the ObjectOwnership property. The actual property of the bucket shows the ObjectOwnership property set, but CFN drift does not reflect this, thereby causing a false positive.

A similar behavior can be seen when a bucket is created with the ReplicationConfiguration V2 (includes the "Priority", "Filter" and "DeleteMarkerReplication" parameters). CloudFormation shows a false positive as it returns the actual properties of the bucket missing some of the S3 bucket properties such as the Filters, DeleteMarkerReplication and Priority. Because of this, the stack shows a drift as though these properties have been removed.

Expected Behavior

Accurately return the actual resource properties so that it matches the stack template

Observed Behavior

Inaccurate drift result

Test Cases

Create an S3 bucket with either the ReplicationConfiguration or ObjectOwnership properties or both and, after stack creation, run a drift check. CFN returns a false positive.

Other Details

No response
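One way to triage the drift result from the test case above, as an added example that is not part of the original issue or of AWS's code: it compares each difference CloudFormation reports with an independent reading of the bucket. The sample records are constructed, `resolve`, `triage` and the layout of `SAMPLE_LIVE` are assumptions of this example, and `OwnershipControls` is the template property that carries the ObjectOwnership setting.

```python
import json

# Constructed sample shaped like one entry of the CloudFormation
# DescribeStackResourceDrifts response (all values invented for illustration).
SAMPLE_DRIFT = {
    "ExpectedProperties": json.dumps({
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
        "ReplicationConfiguration": {"Rules": [{"Priority": 1, "Status": "Enabled"}]},
        "VersioningConfiguration": {"Status": "Enabled"},
    }),
    "PropertyDifferences": [
        {"PropertyPath": "/OwnershipControls", "DifferenceType": "REMOVE"},
        {"PropertyPath": "/ReplicationConfiguration/Rules/0/Priority", "DifferenceType": "REMOVE"},
        {"PropertyPath": "/ReplicationConfiguration/Rules/0/Status", "DifferenceType": "NOT_EQUAL"},
        {"PropertyPath": "/VersioningConfiguration/Status", "DifferenceType": "NOT_EQUAL"},
    ],
}
# Constructed live state, keyed by template property name. Assumption: the caller
# builds it from S3 reads such as GetBucketOwnershipControls and GetBucketReplication;
# a property that was not fetched is simply absent (versioning here).
SAMPLE_LIVE = {
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
    "ReplicationConfiguration": {"Rules": [{"Priority": 1, "Status": "Disabled"}]},
}

def resolve(doc, path):
    """Follow a path like /A/Rules/0/B through dicts and lists; return (found, value)."""
    node = doc
    for part in path.strip("/").split("/"):
        if isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        elif isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return False, None
    return True, node

def triage(drift, live):
    """Map each reported PropertyPath to false_positive, confirmed_drift or unverified."""
    expected = json.loads(drift["ExpectedProperties"])
    verdicts = {}
    for diff in drift["PropertyDifferences"]:
        path = diff["PropertyPath"]
        if path.strip("/").split("/")[0] not in live:
            verdicts[path] = "unverified"  # no independent reading of this property
        elif resolve(expected, path) == resolve(live, path):
            verdicts[path] = "false_positive"  # the bucket still matches the template
        else:
            verdicts[path] = "confirmed_drift"  # the bucket really differs
    return verdicts
```

Keeping `unverified` separate from `false_positive` means a drift alert is only dismissed when the bucket's live setting was actually read and matches the template.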

rgoltz commented 1 year ago

Hi @ifeach - We were affected by this wrong CFN drift result as well, once we set ObjectOwnership for AWS::S3::Bucket. I heard from ServiceTeam that a fix in this area had been deployed. Now our stack with S3-Buckets + ObjectOwnership is IN_SYNC.

Maybe you can re-test on your side as well (maybe also regarding this ReplicationConfiguration - I don't have a stack with this setting here on my end).

dennisvang commented 1 month ago

Same issue here, also with other settings:

The aforementioned settings were confirmed using the S3 console, but were not picked up by:

After removing the offending settings, deploying the change, and then adding the settings again and deploying again (using cdk), the stack is now in sync, with all expected settings.

Not sure if it matters, but the bucket is old, created in 2017.